679668450e11539b95be483adc6f19e9f095d17b2c2f917d38248388059601a1

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe
Size

380KB
MD5

f200c57927c7b4539e2364139d927063
SHA1

a2c884ccee6337877a10974c8749b7bfafe41bcd
SHA256

679668450e11539b95be483adc6f19e9f095d17b2c2f917d38248388059601a1
SHA512

adc5fa926d42993a52050f07745e0dbbf55bd81384054fe030af00cb022a5cce2b56ce1cf7a0170b6ac0385670e4a845b214f21a4fb30a15e9d8673008f8fbd4
SSDEEP

3072:mEGh0oGlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGol7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{057703AB-C13F-4369-98FF-6FA08C521768}\stubpath = "C:\\Windows\\{057703AB-C13F-4369-98FF-6FA08C521768}.exe"	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41EB7AF2-2167-4c55-9DB8-9503FC52116D}\stubpath = "C:\\Windows\\{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe"	{057703AB-C13F-4369-98FF-6FA08C521768}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75183488-BA08-4e73-9635-AA65D6D04359}\stubpath = "C:\\Windows\\{75183488-BA08-4e73-9635-AA65D6D04359}.exe"	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F831CAE-3093-4144-88A5-4A3D4748F9F9}	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F831CAE-3093-4144-88A5-4A3D4748F9F9}\stubpath = "C:\\Windows\\{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe"	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E95B6501-C71E-4636-A777-2BC0C3DC0912}	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{530B9110-A318-4607-BDDF-0EA19704BC86}	{AC2AEF14-8303-4c6c-9483-DAADD2272764}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{057703AB-C13F-4369-98FF-6FA08C521768}	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F124F92-EB77-4787-81A9-52C82EF37AF4}\stubpath = "C:\\Windows\\{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe"	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49E1767D-9A07-4303-8E06-70EB3D50FD0B}	{75183488-BA08-4e73-9635-AA65D6D04359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49E1767D-9A07-4303-8E06-70EB3D50FD0B}\stubpath = "C:\\Windows\\{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe"	{75183488-BA08-4e73-9635-AA65D6D04359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC2AEF14-8303-4c6c-9483-DAADD2272764}\stubpath = "C:\\Windows\\{AC2AEF14-8303-4c6c-9483-DAADD2272764}.exe"	{E95B6501-C71E-4636-A777-2BC0C3DC0912}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41EB7AF2-2167-4c55-9DB8-9503FC52116D}	{057703AB-C13F-4369-98FF-6FA08C521768}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F124F92-EB77-4787-81A9-52C82EF37AF4}	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75183488-BA08-4e73-9635-AA65D6D04359}	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{844A84ED-E06E-4044-81D1-6732D9D2B1A5}	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E95B6501-C71E-4636-A777-2BC0C3DC0912}\stubpath = "C:\\Windows\\{E95B6501-C71E-4636-A777-2BC0C3DC0912}.exe"	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC2AEF14-8303-4c6c-9483-DAADD2272764}	{E95B6501-C71E-4636-A777-2BC0C3DC0912}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A9D1692-BC47-4a74-A652-84808EDE162F}\stubpath = "C:\\Windows\\{1A9D1692-BC47-4a74-A652-84808EDE162F}.exe"	{530B9110-A318-4607-BDDF-0EA19704BC86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{844A84ED-E06E-4044-81D1-6732D9D2B1A5}\stubpath = "C:\\Windows\\{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe"	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{530B9110-A318-4607-BDDF-0EA19704BC86}\stubpath = "C:\\Windows\\{530B9110-A318-4607-BDDF-0EA19704BC86}.exe"	{AC2AEF14-8303-4c6c-9483-DAADD2272764}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A9D1692-BC47-4a74-A652-84808EDE162F}	{530B9110-A318-4607-BDDF-0EA19704BC86}.exe

Deletes itself 1 IoCs

pid	Process
1876	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3036	{057703AB-C13F-4369-98FF-6FA08C521768}.exe
2896	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe
2504	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe
2968	{75183488-BA08-4e73-9635-AA65D6D04359}.exe
2796	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe
1736	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe
2800	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe
1436	{E95B6501-C71E-4636-A777-2BC0C3DC0912}.exe
1456	{AC2AEF14-8303-4c6c-9483-DAADD2272764}.exe
588	{530B9110-A318-4607-BDDF-0EA19704BC86}.exe
852	{1A9D1692-BC47-4a74-A652-84808EDE162F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{530B9110-A318-4607-BDDF-0EA19704BC86}.exe	{AC2AEF14-8303-4c6c-9483-DAADD2272764}.exe
File created	C:\Windows\{057703AB-C13F-4369-98FF-6FA08C521768}.exe	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe
File created	C:\Windows\{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe	{75183488-BA08-4e73-9635-AA65D6D04359}.exe
File created	C:\Windows\{AC2AEF14-8303-4c6c-9483-DAADD2272764}.exe	{E95B6501-C71E-4636-A777-2BC0C3DC0912}.exe
File created	C:\Windows\{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe
File created	C:\Windows\{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe
File created	C:\Windows\{E95B6501-C71E-4636-A777-2BC0C3DC0912}.exe	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe
File created	C:\Windows\{1A9D1692-BC47-4a74-A652-84808EDE162F}.exe	{530B9110-A318-4607-BDDF-0EA19704BC86}.exe
File created	C:\Windows\{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe	{057703AB-C13F-4369-98FF-6FA08C521768}.exe
File created	C:\Windows\{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe
File created	C:\Windows\{75183488-BA08-4e73-9635-AA65D6D04359}.exe	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2848	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3036	{057703AB-C13F-4369-98FF-6FA08C521768}.exe
Token: SeIncBasePriorityPrivilege	2896	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe
Token: SeIncBasePriorityPrivilege	2504	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe
Token: SeIncBasePriorityPrivilege	2968	{75183488-BA08-4e73-9635-AA65D6D04359}.exe
Token: SeIncBasePriorityPrivilege	2796	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe
Token: SeIncBasePriorityPrivilege	1736	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe
Token: SeIncBasePriorityPrivilege	2800	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe
Token: SeIncBasePriorityPrivilege	1436	{E95B6501-C71E-4636-A777-2BC0C3DC0912}.exe
Token: SeIncBasePriorityPrivilege	1456	{AC2AEF14-8303-4c6c-9483-DAADD2272764}.exe
Token: SeIncBasePriorityPrivilege	588	{530B9110-A318-4607-BDDF-0EA19704BC86}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3036	2848	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	28
PID 2848 wrote to memory of 3036	2848	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	28
PID 2848 wrote to memory of 3036	2848	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	28
PID 2848 wrote to memory of 3036	2848	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	28
PID 2848 wrote to memory of 1876	2848	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	29
PID 2848 wrote to memory of 1876	2848	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	29
PID 2848 wrote to memory of 1876	2848	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	29
PID 2848 wrote to memory of 1876	2848	2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe	29
PID 3036 wrote to memory of 2896	3036	{057703AB-C13F-4369-98FF-6FA08C521768}.exe	30
PID 3036 wrote to memory of 2896	3036	{057703AB-C13F-4369-98FF-6FA08C521768}.exe	30
PID 3036 wrote to memory of 2896	3036	{057703AB-C13F-4369-98FF-6FA08C521768}.exe	30
PID 3036 wrote to memory of 2896	3036	{057703AB-C13F-4369-98FF-6FA08C521768}.exe	30
PID 3036 wrote to memory of 2604	3036	{057703AB-C13F-4369-98FF-6FA08C521768}.exe	31
PID 3036 wrote to memory of 2604	3036	{057703AB-C13F-4369-98FF-6FA08C521768}.exe	31
PID 3036 wrote to memory of 2604	3036	{057703AB-C13F-4369-98FF-6FA08C521768}.exe	31
PID 3036 wrote to memory of 2604	3036	{057703AB-C13F-4369-98FF-6FA08C521768}.exe	31
PID 2896 wrote to memory of 2504	2896	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe	32
PID 2896 wrote to memory of 2504	2896	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe	32
PID 2896 wrote to memory of 2504	2896	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe	32
PID 2896 wrote to memory of 2504	2896	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe	32
PID 2896 wrote to memory of 2760	2896	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe	33
PID 2896 wrote to memory of 2760	2896	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe	33
PID 2896 wrote to memory of 2760	2896	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe	33
PID 2896 wrote to memory of 2760	2896	{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe	33
PID 2504 wrote to memory of 2968	2504	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe	36
PID 2504 wrote to memory of 2968	2504	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe	36
PID 2504 wrote to memory of 2968	2504	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe	36
PID 2504 wrote to memory of 2968	2504	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe	36
PID 2504 wrote to memory of 2104	2504	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe	37
PID 2504 wrote to memory of 2104	2504	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe	37
PID 2504 wrote to memory of 2104	2504	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe	37
PID 2504 wrote to memory of 2104	2504	{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe	37
PID 2968 wrote to memory of 2796	2968	{75183488-BA08-4e73-9635-AA65D6D04359}.exe	38
PID 2968 wrote to memory of 2796	2968	{75183488-BA08-4e73-9635-AA65D6D04359}.exe	38
PID 2968 wrote to memory of 2796	2968	{75183488-BA08-4e73-9635-AA65D6D04359}.exe	38
PID 2968 wrote to memory of 2796	2968	{75183488-BA08-4e73-9635-AA65D6D04359}.exe	38
PID 2968 wrote to memory of 1848	2968	{75183488-BA08-4e73-9635-AA65D6D04359}.exe	39
PID 2968 wrote to memory of 1848	2968	{75183488-BA08-4e73-9635-AA65D6D04359}.exe	39
PID 2968 wrote to memory of 1848	2968	{75183488-BA08-4e73-9635-AA65D6D04359}.exe	39
PID 2968 wrote to memory of 1848	2968	{75183488-BA08-4e73-9635-AA65D6D04359}.exe	39
PID 2796 wrote to memory of 1736	2796	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe	40
PID 2796 wrote to memory of 1736	2796	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe	40
PID 2796 wrote to memory of 1736	2796	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe	40
PID 2796 wrote to memory of 1736	2796	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe	40
PID 2796 wrote to memory of 1648	2796	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe	41
PID 2796 wrote to memory of 1648	2796	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe	41
PID 2796 wrote to memory of 1648	2796	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe	41
PID 2796 wrote to memory of 1648	2796	{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe	41
PID 1736 wrote to memory of 2800	1736	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe	42
PID 1736 wrote to memory of 2800	1736	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe	42
PID 1736 wrote to memory of 2800	1736	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe	42
PID 1736 wrote to memory of 2800	1736	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe	42
PID 1736 wrote to memory of 776	1736	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe	43
PID 1736 wrote to memory of 776	1736	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe	43
PID 1736 wrote to memory of 776	1736	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe	43
PID 1736 wrote to memory of 776	1736	{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe	43
PID 2800 wrote to memory of 1436	2800	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe	44
PID 2800 wrote to memory of 1436	2800	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe	44
PID 2800 wrote to memory of 1436	2800	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe	44
PID 2800 wrote to memory of 1436	2800	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe	44
PID 2800 wrote to memory of 2328	2800	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe	45
PID 2800 wrote to memory of 2328	2800	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe	45
PID 2800 wrote to memory of 2328	2800	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe	45
PID 2800 wrote to memory of 2328	2800	{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_f200c57927c7b4539e2364139d927063_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\{057703AB-C13F-4369-98FF-6FA08C521768}.exe
  C:\Windows\{057703AB-C13F-4369-98FF-6FA08C521768}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe
    C:\Windows\{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe
      C:\Windows\{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\{75183488-BA08-4e73-9635-AA65D6D04359}.exe
        
        C:\Windows\{75183488-BA08-4e73-9635-AA65D6D04359}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe
        
        C:\Windows\{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe
        
        C:\Windows\{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe
        
        C:\Windows\{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{E95B6501-C71E-4636-A777-2BC0C3DC0912}.exe
        
        C:\Windows\{E95B6501-C71E-4636-A777-2BC0C3DC0912}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\{AC2AEF14-8303-4c6c-9483-DAADD2272764}.exe
        
        C:\Windows\{AC2AEF14-8303-4c6c-9483-DAADD2272764}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\{530B9110-A318-4607-BDDF-0EA19704BC86}.exe
        
        C:\Windows\{530B9110-A318-4607-BDDF-0EA19704BC86}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\{1A9D1692-BC47-4a74-A652-84808EDE162F}.exe
        
        C:\Windows\{1A9D1692-BC47-4a74-A652-84808EDE162F}.exe
        12⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{530B9~1.EXE > nul
        12⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC2AE~1.EXE > nul
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E95B6~1.EXE > nul
        10⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F831~1.EXE > nul
        9⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{844A8~1.EXE > nul
        8⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49E17~1.EXE > nul
        7⤵
        
        PID:1648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75183~1.EXE > nul
        6⤵
        
        PID:1848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F124~1.EXE > nul
        5⤵
        
        PID:2104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{41EB7~1.EXE > nul
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{05770~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{057703AB-C13F-4369-98FF-6FA08C521768}.exe

Filesize
380KB

MD5
3884a4386e53b907c7caac3e0fa91ecb

SHA1
8debaf6bef15a22d27fc4a141481437cf535f5cd

SHA256
63ceb48588a22e6964c2c0dbb46dd7b5f9e7086558b6fcd172f717a2a6a65775

SHA512
8543325e204a9b23b646efc4883c4a6b8e49d1387e72efc8837db8e54b6fb2c99be42f90dc01a6b36f0a15733e92546e940fe856ded9749be4b61e22ef02ff67

Download Submit
C:\Windows\{1A9D1692-BC47-4a74-A652-84808EDE162F}.exe

Filesize
380KB

MD5
a61db3f602e998036f5d2f8d4eef2171

SHA1
e8c57d0ccba14fae5dd052979c596a1be69a0bf2

SHA256
e8f05d8ca5baed3c2075bd5d6cb23d63c49f48621a326b3538e629faeecf7e50

SHA512
025c21f6cf8736fff24ca092a109560b77467c21b02cdd981ca2b1331f7f827404e4a6ac0b81d680b169839764f21911a5f64802761625e68b048cfb7d486194

Download Submit
C:\Windows\{2F831CAE-3093-4144-88A5-4A3D4748F9F9}.exe

Filesize
380KB

MD5
c629a6140e80fce8476835fc40f6d866

SHA1
ef2cf993c8e490bcfe60f49293a07660e1d4d479

SHA256
3da7853e879065a641ccea1d71d3f5995ef38bea33b0a7cc4af5e878dc6d32f0

SHA512
eecebf0b33f8cfa374d06684922f748b9c432cb7aeb931b75025f758c766a7ebeb658a1e25a036f2d135aecddab8fa87b3c855055bb1dc0742daedbbcb9b508c

Download Submit
C:\Windows\{3F124F92-EB77-4787-81A9-52C82EF37AF4}.exe

Filesize
380KB

MD5
5697740065a1eadd018b99a7bea0e537

SHA1
827f962598218cc4c591b730299d176b894d464a

SHA256
74eabcd70c572dd1f18ee1d55c6f33224896bf3442e61836101815bda6629ddd

SHA512
001a06b93dcdda8f6fab12f9237de55641715e9561232e5051743c639bcad031f7c988f78464e53257187b5d4004ecba78aaccf40a0c8f34590a53d0cd4a0e87

Download Submit
C:\Windows\{41EB7AF2-2167-4c55-9DB8-9503FC52116D}.exe

Filesize
380KB

MD5
912ce1a17fb2700e546cae3ea498f58c

SHA1
16498e5ce9d26541184ab0515e6b061e8720a486

SHA256
c3908a00bbaee0aae5625c9f4824b18d668cf67d574403ba7fd989489d349cc2

SHA512
5c72d343957c080d6fda0f51717cbf5168f77036ebd0b5568a4cd84510466774dee17bcb9e227117bf7b2cc76b689a2599425bbcf6fa9e6e3a7992d1ae83e0fc

Download Submit
C:\Windows\{49E1767D-9A07-4303-8E06-70EB3D50FD0B}.exe

Filesize
380KB

MD5
caaa1f5a946925df5f7492752b5e0a9a

SHA1
6c72a3d71b7e642958c87dd7ce9ad02e14d035f2

SHA256
685b36f0b8d502f8fe828de63432f721cf9ae54020ca5c4c978131fceb2f6640

SHA512
10a7dfb460256a461d352689b707476b41b77c27d414036652358772ce1f1c6094cc8c737e8be2ab88fc76bb7c4f6da2e23890393b5c38382825c5445b2c6c96

Download Submit
C:\Windows\{530B9110-A318-4607-BDDF-0EA19704BC86}.exe

Filesize
380KB

MD5
b78c2064c7dfd52d057108226c95958f

SHA1
5d4137695d613c0e123b48df1574980e3c8155e1

SHA256
3c833a4f2ff0400794df0e01c6a281c41fdaaf8e840b503f1405c450af77cc98

SHA512
9ec3404d20e01307cd27d68dca54ee629994a935eb796dd3e30ae08a52181790f960bd5409de62662de74d255c03f15dea4e18c8e8b7f364480803eddbd91d43

Download Submit
C:\Windows\{75183488-BA08-4e73-9635-AA65D6D04359}.exe

Filesize
380KB

MD5
91582390d777a4bf6d3ba5d4b0dc0451

SHA1
30671dfb32fee0ff4647be99f8c66fce5d060390

SHA256
afc2216ddf551d0f0c30cac4a79c24f759ac8631f971009ddb5a785fcb52a02e

SHA512
edd8d437b41b13f7e398f4f6fd3be039987136f9291779be346fcc29dec6aab2c3734f099cdf8dd6a24f52d8cc3c0cecaf201f30e636f10b6a4fc9c41e53b43e

Download Submit
C:\Windows\{844A84ED-E06E-4044-81D1-6732D9D2B1A5}.exe

Filesize
380KB

MD5
cf535fc6f1769386a5e4b3d2b9941e1b

SHA1
2fb8cebc2e81fc6f70e744295583986ac6b1767a

SHA256
dab0905575d6cdca18c21af095fb36c084248284ee18733ff1eda34f2513980b

SHA512
5021c7778299e5d7b418aa6e6bdcb325ca90cbe8b36482394cf68792bf6d73d87f878a0c5e369d91fb5b9cd613d5bc65c23da3d458b914ba493ed6135e5a3218

Download Submit
C:\Windows\{AC2AEF14-8303-4c6c-9483-DAADD2272764}.exe

Filesize
380KB

MD5
fe3e1e698b1732e5e8b2b9cd4d17dc61

SHA1
7252397a3160da1a541cfa93002b26dfacb9d456

SHA256
6fc3374afa0311cac7c7173307c60acdc3e90b7fdd617288344322c6ee6192cf

SHA512
8a86a596bd231f240a379401ea21e948a0171f7e4c1c79d0fa2046120889d893d194b2ac774e8c9ee64590768fc7cd99da89232b495cff629c71cbceedaa9f24

Download Submit
C:\Windows\{E95B6501-C71E-4636-A777-2BC0C3DC0912}.exe

Filesize
380KB

MD5
0ec5907e69a4b9c9f86226a628cf1805

SHA1
05fb8109a672712e15817f13d667d73eb50256b6

SHA256
107acf0fa4f6678ac4a53c906e314d60dd7819a625d8b8a8e9396f19a1d9f134

SHA512
45e1a04239932aa6e1b383427942a1fbc7a1da0052d6f1d76cb7b147b3274bfa6daf9c5a14a653403c99f89256e6cc8c799d8ef8571334a239d986a44d251205

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads