bcc533b35d454bf21f3996870927c7a252d6699287de8d4373edc949ffd2e73e

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 12:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe
Size

344KB
MD5

751d2ecd123864ea30c8a7c8cdd1430e
SHA1

bab6b8212a1198c8a15899e8d109644cc5dcd13c
SHA256

bcc533b35d454bf21f3996870927c7a252d6699287de8d4373edc949ffd2e73e
SHA512

3dc43ecd6a109cebc8f76dc539e15b49301bd7c0b67aac9be1a2cb13e699851d573d03c528b366e9688e56cc5f85fc65dc8d44ad1f2d4507a9f4e6e540b2189b
SSDEEP

3072:mEGh0oNlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGXlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65DC2F89-B270-420e-8C89-7DB1EADF9256}	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D164534-B601-4947-A4D7-9F10BE4707F5}\stubpath = "C:\\Windows\\{4D164534-B601-4947-A4D7-9F10BE4707F5}.exe"	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24FC3806-C887-4d76-8C49-21BBC4827FDE}\stubpath = "C:\\Windows\\{24FC3806-C887-4d76-8C49-21BBC4827FDE}.exe"	{1ECD1994-3BE4-4b59-99BE-56B488FDD40F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}\stubpath = "C:\\Windows\\{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe"	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE4D871A-C685-49de-86EA-E9E5E7A99664}\stubpath = "C:\\Windows\\{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe"	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24FC3806-C887-4d76-8C49-21BBC4827FDE}	{1ECD1994-3BE4-4b59-99BE-56B488FDD40F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}\stubpath = "C:\\Windows\\{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe"	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DA4536D-5E73-4774-AD67-4BEC44C52362}\stubpath = "C:\\Windows\\{6DA4536D-5E73-4774-AD67-4BEC44C52362}.exe"	{24FC3806-C887-4d76-8C49-21BBC4827FDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71B876AE-8626-4c05-8832-4B86B4455FFA}\stubpath = "C:\\Windows\\{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe"	2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE4D871A-C685-49de-86EA-E9E5E7A99664}	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D164534-B601-4947-A4D7-9F10BE4707F5}	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{517DF83A-8E2E-4ca3-896F-1187D38C746D}\stubpath = "C:\\Windows\\{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe"	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65DC2F89-B270-420e-8C89-7DB1EADF9256}\stubpath = "C:\\Windows\\{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe"	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ECD1994-3BE4-4b59-99BE-56B488FDD40F}	{4D164534-B601-4947-A4D7-9F10BE4707F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ECD1994-3BE4-4b59-99BE-56B488FDD40F}\stubpath = "C:\\Windows\\{1ECD1994-3BE4-4b59-99BE-56B488FDD40F}.exe"	{4D164534-B601-4947-A4D7-9F10BE4707F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71B876AE-8626-4c05-8832-4B86B4455FFA}	2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}\stubpath = "C:\\Windows\\{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe"	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{517DF83A-8E2E-4ca3-896F-1187D38C746D}	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DA4536D-5E73-4774-AD67-4BEC44C52362}	{24FC3806-C887-4d76-8C49-21BBC4827FDE}.exe

Deletes itself 1 IoCs

pid	Process
292	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3060	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe
2728	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe
2800	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe
2564	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe
2852	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe
1632	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe
2236	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe
2752	{4D164534-B601-4947-A4D7-9F10BE4707F5}.exe
692	{1ECD1994-3BE4-4b59-99BE-56B488FDD40F}.exe
1292	{24FC3806-C887-4d76-8C49-21BBC4827FDE}.exe
1088	{6DA4536D-5E73-4774-AD67-4BEC44C52362}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe	2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe
File created	C:\Windows\{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe
File created	C:\Windows\{1ECD1994-3BE4-4b59-99BE-56B488FDD40F}.exe	{4D164534-B601-4947-A4D7-9F10BE4707F5}.exe
File created	C:\Windows\{6DA4536D-5E73-4774-AD67-4BEC44C52362}.exe	{24FC3806-C887-4d76-8C49-21BBC4827FDE}.exe
File created	C:\Windows\{24FC3806-C887-4d76-8C49-21BBC4827FDE}.exe	{1ECD1994-3BE4-4b59-99BE-56B488FDD40F}.exe
File created	C:\Windows\{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe
File created	C:\Windows\{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe
File created	C:\Windows\{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe
File created	C:\Windows\{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe
File created	C:\Windows\{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe
File created	C:\Windows\{4D164534-B601-4947-A4D7-9F10BE4707F5}.exe	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2224	2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3060	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe
Token: SeIncBasePriorityPrivilege	2728	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe
Token: SeIncBasePriorityPrivilege	2800	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe
Token: SeIncBasePriorityPrivilege	2564	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe
Token: SeIncBasePriorityPrivilege	2852	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe
Token: SeIncBasePriorityPrivilege	1632	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe
Token: SeIncBasePriorityPrivilege	2236	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe
Token: SeIncBasePriorityPrivilege	2752	{4D164534-B601-4947-A4D7-9F10BE4707F5}.exe
Token: SeIncBasePriorityPrivilege	692	{1ECD1994-3BE4-4b59-99BE-56B488FDD40F}.exe
Token: SeIncBasePriorityPrivilege	1292	{24FC3806-C887-4d76-8C49-21BBC4827FDE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 3060	2224	2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe	28
PID 2224 wrote to memory of 3060	2224	2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe	28
PID 2224 wrote to memory of 3060	2224	2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe	28
PID 2224 wrote to memory of 3060	2224	2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe	28
PID 2224 wrote to memory of 292	2224	2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe	29
PID 2224 wrote to memory of 292	2224	2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe	29
PID 2224 wrote to memory of 292	2224	2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe	29
PID 2224 wrote to memory of 292	2224	2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe	29
PID 3060 wrote to memory of 2728	3060	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe	30
PID 3060 wrote to memory of 2728	3060	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe	30
PID 3060 wrote to memory of 2728	3060	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe	30
PID 3060 wrote to memory of 2728	3060	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe	30
PID 3060 wrote to memory of 2712	3060	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe	31
PID 3060 wrote to memory of 2712	3060	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe	31
PID 3060 wrote to memory of 2712	3060	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe	31
PID 3060 wrote to memory of 2712	3060	{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe	31
PID 2728 wrote to memory of 2800	2728	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe	32
PID 2728 wrote to memory of 2800	2728	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe	32
PID 2728 wrote to memory of 2800	2728	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe	32
PID 2728 wrote to memory of 2800	2728	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe	32
PID 2728 wrote to memory of 2704	2728	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe	33
PID 2728 wrote to memory of 2704	2728	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe	33
PID 2728 wrote to memory of 2704	2728	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe	33
PID 2728 wrote to memory of 2704	2728	{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe	33
PID 2800 wrote to memory of 2564	2800	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe	36
PID 2800 wrote to memory of 2564	2800	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe	36
PID 2800 wrote to memory of 2564	2800	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe	36
PID 2800 wrote to memory of 2564	2800	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe	36
PID 2800 wrote to memory of 2680	2800	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe	37
PID 2800 wrote to memory of 2680	2800	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe	37
PID 2800 wrote to memory of 2680	2800	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe	37
PID 2800 wrote to memory of 2680	2800	{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe	37
PID 2564 wrote to memory of 2852	2564	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe	38
PID 2564 wrote to memory of 2852	2564	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe	38
PID 2564 wrote to memory of 2852	2564	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe	38
PID 2564 wrote to memory of 2852	2564	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe	38
PID 2564 wrote to memory of 2964	2564	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe	39
PID 2564 wrote to memory of 2964	2564	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe	39
PID 2564 wrote to memory of 2964	2564	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe	39
PID 2564 wrote to memory of 2964	2564	{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe	39
PID 2852 wrote to memory of 1632	2852	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe	40
PID 2852 wrote to memory of 1632	2852	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe	40
PID 2852 wrote to memory of 1632	2852	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe	40
PID 2852 wrote to memory of 1632	2852	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe	40
PID 2852 wrote to memory of 2552	2852	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe	41
PID 2852 wrote to memory of 2552	2852	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe	41
PID 2852 wrote to memory of 2552	2852	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe	41
PID 2852 wrote to memory of 2552	2852	{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe	41
PID 1632 wrote to memory of 2236	1632	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe	42
PID 1632 wrote to memory of 2236	1632	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe	42
PID 1632 wrote to memory of 2236	1632	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe	42
PID 1632 wrote to memory of 2236	1632	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe	42
PID 1632 wrote to memory of 808	1632	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe	43
PID 1632 wrote to memory of 808	1632	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe	43
PID 1632 wrote to memory of 808	1632	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe	43
PID 1632 wrote to memory of 808	1632	{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe	43
PID 2236 wrote to memory of 2752	2236	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe	44
PID 2236 wrote to memory of 2752	2236	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe	44
PID 2236 wrote to memory of 2752	2236	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe	44
PID 2236 wrote to memory of 2752	2236	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe	44
PID 2236 wrote to memory of 532	2236	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe	45
PID 2236 wrote to memory of 532	2236	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe	45
PID 2236 wrote to memory of 532	2236	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe	45
PID 2236 wrote to memory of 532	2236	{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_751d2ecd123864ea30c8a7c8cdd1430e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe
  C:\Windows\{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe
    C:\Windows\{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe
      C:\Windows\{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe
        
        C:\Windows\{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe
        
        C:\Windows\{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe
        
        C:\Windows\{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe
        
        C:\Windows\{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\{4D164534-B601-4947-A4D7-9F10BE4707F5}.exe
        
        C:\Windows\{4D164534-B601-4947-A4D7-9F10BE4707F5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\{1ECD1994-3BE4-4b59-99BE-56B488FDD40F}.exe
        
        C:\Windows\{1ECD1994-3BE4-4b59-99BE-56B488FDD40F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\{24FC3806-C887-4d76-8C49-21BBC4827FDE}.exe
        
        C:\Windows\{24FC3806-C887-4d76-8C49-21BBC4827FDE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\{6DA4536D-5E73-4774-AD67-4BEC44C52362}.exe
        
        C:\Windows\{6DA4536D-5E73-4774-AD67-4BEC44C52362}.exe
        12⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24FC3~1.EXE > nul
        12⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1ECD1~1.EXE > nul
        11⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D164~1.EXE > nul
        10⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE4D8~1.EXE > nul
        9⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65DC2~1.EXE > nul
        8⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27A96~1.EXE > nul
        7⤵
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEEF7~1.EXE > nul
        6⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{517DF~1.EXE > nul
        5⤵
        
        PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE31F~1.EXE > nul
      4⤵
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{71B87~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1ECD1994-3BE4-4b59-99BE-56B488FDD40F}.exe

Filesize
344KB

MD5
15346c8aecf192e3db57b7318d50d798

SHA1
2e11f280e8b45d0b9778f24eed7e0909f7b25d2e

SHA256
b89c3cba7bbbdad47b233482a0b94cd7caffeece7d06a7e8041d4cb51547a241

SHA512
b80fcdd4d9f4b7ab110dd5f73cd3b7bc972e852b862d1dc7c18ff44998c3bf9fb1b26eb11c83a352671ed7425aab388c5d395cc9ae614242b6c8b6a446fb5042

Download Submit
C:\Windows\{24FC3806-C887-4d76-8C49-21BBC4827FDE}.exe

Filesize
344KB

MD5
2595be4ac129e05f85c55423a953dbbb

SHA1
39acc9a4e25bd0ef56a2e0bd70a1735df65bc635

SHA256
e42c84ffd18a4ba51c89dc50b4fbb4d739ac0be26946fc47e79e40de603131ed

SHA512
636aa20180097657f7a3e4b23b69b325da3f8ee1e94186f75bdf574978e2ee8371ecf3e80cf99455f7794c91760dfec05dd12e2b6c68c1074d7c492c605d5635

Download Submit
C:\Windows\{27A966C3-7E7A-4c23-A6DD-E595E8B2948A}.exe

Filesize
344KB

MD5
8a221b8c6f9a683f5ee686938ef87cd0

SHA1
938de40df9c442c661403c70bade1ab0fa4c67af

SHA256
d603da6054207b1c59aa0c6708b289a624d32ee130e3b2ec6945357a7d9c694b

SHA512
064457db5b001e83aff6c1eb372d45c691fcb82346721fb7aba5a784537b98947f0ae5abab85c8d873ef015aa812a8949929a1bedcd268d6795b05a906594bf2

Download Submit
C:\Windows\{4D164534-B601-4947-A4D7-9F10BE4707F5}.exe

Filesize
344KB

MD5
4ec4ae13054d06790c956ca81fdf62d6

SHA1
11776eda81871efb1d3d987b0e590c760ec6cda3

SHA256
bd0da74b7180f241c502b9e8caa6c278225995010f1fe8020bf22f7b97da00d5

SHA512
badde8cb1c8a3e7164b51ff05bdf1ae91932eeb407fb7276ab4ae0b279f34bd32655fb56162b6db98c48a5a5376e7d2e500760dc7c7d4db05475b2d09c65a489

Download Submit
C:\Windows\{517DF83A-8E2E-4ca3-896F-1187D38C746D}.exe

Filesize
344KB

MD5
5b00b5700d991d08a3b48490a0d62de7

SHA1
ae5e21a12c9b3d3c8549e619c052f9862a6e1b14

SHA256
6abe7b11750fbb6788d329561c5941243cf2532bfbe1e4efe044c74c86e9f964

SHA512
63c1f255a7a1fb101599741a2ce19c4ec011046edc5208c6f7e13729c247f44f09a22e573a7c31c0a317074a4bb0eb16bd845641105f888a5518423df7d35eaa

Download Submit
C:\Windows\{65DC2F89-B270-420e-8C89-7DB1EADF9256}.exe

Filesize
344KB

MD5
34566b0b9e2bf3d10f16fa9adf6e8142

SHA1
07ceac8b6e617a07c736f7c09ce36b015b3cb980

SHA256
a237423f5eb8e7ee8e932c1e07266f90c2a634e70d501c8c5d83796595c9a242

SHA512
46bb5e6c3678d0f1b320b802883549757ff47e28bf02c34ad204ddb77446a8aacc44651c13c5aa65996dd1b8bdfaeb2a2c5b222c6b00be09335ee70d3dfe08b0

Download Submit
C:\Windows\{6DA4536D-5E73-4774-AD67-4BEC44C52362}.exe

Filesize
344KB

MD5
365e652150b52d6778afb358d1363a69

SHA1
fe26e7c441d8dba96b754b2b92fd2b7d9b14616e

SHA256
4be8f47f33dfd166b29f35ec8382c096f9578a7958674db48c2194909b3604fa

SHA512
4a08e1043da8666b75f257897ac4ba5042425b8d2e7d6d8557230089370b85aa6b1cb9081d7a1c972895034b838be897e923dc27c9198841101e04b45819799f

Download Submit
C:\Windows\{71B876AE-8626-4c05-8832-4B86B4455FFA}.exe

Filesize
344KB

MD5
b4e313309d19ab683503a93177251529

SHA1
398734f54224fc28a17ca629d693343d908b4b31

SHA256
1ff673ea9a9751d1f2bceee09411890e1acf2f0f92da8ee631cfd16215a7957b

SHA512
fa73999075471af2186c3d18f81931cc3870186a28febf35bccf16cb12ca48fe0c5eb6719b09c79fdfc9285be97bf3fbdb38de0b05f3a397246499e85b51bf71

Download Submit
C:\Windows\{AE31F2A0-36B1-4ec4-A1E9-10EDF02D974D}.exe

Filesize
344KB

MD5
13261724e03ed4cb4ee72251c225a8cf

SHA1
35142aca318c921145789d0ff3edf8b7c0f27f3a

SHA256
8a3a938bb6052165924727772225ef700712f6e77965debde0bffef691c15ff8

SHA512
9b0cc16a8f526bd215c9e5051d14b1b2bc4fe4928ca4d565dbfe059a3267c052d0a8285412d0bbe6403cf3853a829f0579a370416154f0173e50b8c173a9851e

Download Submit
C:\Windows\{CE4D871A-C685-49de-86EA-E9E5E7A99664}.exe

Filesize
344KB

MD5
dbde611c92c85db7fddb8a00306a6ae4

SHA1
4c49ba1eefc50906d50c8b6e0abc9b78661e4320

SHA256
6554da76f499b5965a0a65497d9e5eab92e7bdb2a3c93031699f80d2aaea8876

SHA512
430baa0308869dfe98358ae55926fcb937c7019235c5d8a81d56443128ebffdbf4646149e7287c4a2a206222b9c051f0f4f14fcb17e47feb2167677bd75fec4d

Download Submit
C:\Windows\{FEEF7B7B-FED6-4284-A3CA-6FE692507A89}.exe

Filesize
344KB

MD5
8f76feaec06c4be0cdbd165458f24544

SHA1
89b2adda4f897c6a461d386d0418172aa05ced32

SHA256
68f18f42028240369e2ccabe88e68e259718a07c2a54f2d42b0ba95f0de27ea3

SHA512
b202fca156623d7e583cbe92735edd99678d74c4256272a90d05c0ec231da27c8737802bae1fe2d5c88a847f9c8a1ee99fcf00d56bf7d8cf1a7b2255daa2bedb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads