f6cf2feff6978c3e63c9c343ecf87d42d279cf95d6cf3010b8507bd9ad02e33d

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 11:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe
Size

408KB
MD5

a88c678467be4c4b663e3428ad3d1070
SHA1

0bda26dd5b0abd8d177e5bd8561f9651141fbf9a
SHA256

f6cf2feff6978c3e63c9c343ecf87d42d279cf95d6cf3010b8507bd9ad02e33d
SHA512

6e2a1bd160a8e5e3fa226d7fb313963a2d80800a1d222ca347d717598db9bdf79a9f00789aea651fa56829c76ee4fd9be2aa9f699be7227f94785fd4091eb458
SSDEEP

3072:CEGh0ool3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGWldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{598DAF23-DB53-4b1e-A95A-202332FD5B2C}	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{598DAF23-DB53-4b1e-A95A-202332FD5B2C}\stubpath = "C:\\Windows\\{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe"	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}\stubpath = "C:\\Windows\\{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe"	2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02CFDD3F-F33E-4018-B771-14DC8460EED6}	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}\stubpath = "C:\\Windows\\{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe"	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F66230CF-323D-48fc-BB96-63EAA7AA3A6D}\stubpath = "C:\\Windows\\{F66230CF-323D-48fc-BB96-63EAA7AA3A6D}.exe"	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{108C23E4-42CA-4776-9DF5-C4580A6FE4EE}	{29422451-0E83-4378-B24E-B596B7084689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}	2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02CFDD3F-F33E-4018-B771-14DC8460EED6}\stubpath = "C:\\Windows\\{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe"	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{108C23E4-42CA-4776-9DF5-C4580A6FE4EE}\stubpath = "C:\\Windows\\{108C23E4-42CA-4776-9DF5-C4580A6FE4EE}.exe"	{29422451-0E83-4378-B24E-B596B7084689}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1989A39B-A9F5-47ef-8FB2-994DDF3678E8}	{108C23E4-42CA-4776-9DF5-C4580A6FE4EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}\stubpath = "C:\\Windows\\{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe"	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68B23B5C-A0B0-4f8d-A032-1DC25825780F}	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F66230CF-323D-48fc-BB96-63EAA7AA3A6D}	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29422451-0E83-4378-B24E-B596B7084689}\stubpath = "C:\\Windows\\{29422451-0E83-4378-B24E-B596B7084689}.exe"	{F66230CF-323D-48fc-BB96-63EAA7AA3A6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1989A39B-A9F5-47ef-8FB2-994DDF3678E8}\stubpath = "C:\\Windows\\{1989A39B-A9F5-47ef-8FB2-994DDF3678E8}.exe"	{108C23E4-42CA-4776-9DF5-C4580A6FE4EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}\stubpath = "C:\\Windows\\{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe"	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68B23B5C-A0B0-4f8d-A032-1DC25825780F}\stubpath = "C:\\Windows\\{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe"	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29422451-0E83-4378-B24E-B596B7084689}	{F66230CF-323D-48fc-BB96-63EAA7AA3A6D}.exe

Deletes itself 1 IoCs

pid	Process
2892	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2444	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe
2780	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe
2804	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe
2396	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe
2864	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe
1664	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe
2320	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe
2844	{F66230CF-323D-48fc-BB96-63EAA7AA3A6D}.exe
1184	{29422451-0E83-4378-B24E-B596B7084689}.exe
2384	{108C23E4-42CA-4776-9DF5-C4580A6FE4EE}.exe
912	{1989A39B-A9F5-47ef-8FB2-994DDF3678E8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe	2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe
File created	C:\Windows\{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe
File created	C:\Windows\{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe
File created	C:\Windows\{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe
File created	C:\Windows\{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe
File created	C:\Windows\{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe
File created	C:\Windows\{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe
File created	C:\Windows\{F66230CF-323D-48fc-BB96-63EAA7AA3A6D}.exe	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe
File created	C:\Windows\{29422451-0E83-4378-B24E-B596B7084689}.exe	{F66230CF-323D-48fc-BB96-63EAA7AA3A6D}.exe
File created	C:\Windows\{108C23E4-42CA-4776-9DF5-C4580A6FE4EE}.exe	{29422451-0E83-4378-B24E-B596B7084689}.exe
File created	C:\Windows\{1989A39B-A9F5-47ef-8FB2-994DDF3678E8}.exe	{108C23E4-42CA-4776-9DF5-C4580A6FE4EE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2180	2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2444	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe
Token: SeIncBasePriorityPrivilege	2780	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe
Token: SeIncBasePriorityPrivilege	2804	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe
Token: SeIncBasePriorityPrivilege	2396	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe
Token: SeIncBasePriorityPrivilege	2864	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe
Token: SeIncBasePriorityPrivilege	1664	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe
Token: SeIncBasePriorityPrivilege	2320	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe
Token: SeIncBasePriorityPrivilege	2844	{F66230CF-323D-48fc-BB96-63EAA7AA3A6D}.exe
Token: SeIncBasePriorityPrivilege	1184	{29422451-0E83-4378-B24E-B596B7084689}.exe
Token: SeIncBasePriorityPrivilege	2384	{108C23E4-42CA-4776-9DF5-C4580A6FE4EE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2444	2180	2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe	28
PID 2180 wrote to memory of 2444	2180	2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe	28
PID 2180 wrote to memory of 2444	2180	2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe	28
PID 2180 wrote to memory of 2444	2180	2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe	28
PID 2180 wrote to memory of 2892	2180	2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe	29
PID 2180 wrote to memory of 2892	2180	2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe	29
PID 2180 wrote to memory of 2892	2180	2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe	29
PID 2180 wrote to memory of 2892	2180	2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe	29
PID 2444 wrote to memory of 2780	2444	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe	30
PID 2444 wrote to memory of 2780	2444	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe	30
PID 2444 wrote to memory of 2780	2444	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe	30
PID 2444 wrote to memory of 2780	2444	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe	30
PID 2444 wrote to memory of 2644	2444	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe	31
PID 2444 wrote to memory of 2644	2444	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe	31
PID 2444 wrote to memory of 2644	2444	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe	31
PID 2444 wrote to memory of 2644	2444	{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe	31
PID 2780 wrote to memory of 2804	2780	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe	32
PID 2780 wrote to memory of 2804	2780	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe	32
PID 2780 wrote to memory of 2804	2780	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe	32
PID 2780 wrote to memory of 2804	2780	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe	32
PID 2780 wrote to memory of 2876	2780	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe	33
PID 2780 wrote to memory of 2876	2780	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe	33
PID 2780 wrote to memory of 2876	2780	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe	33
PID 2780 wrote to memory of 2876	2780	{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe	33
PID 2804 wrote to memory of 2396	2804	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe	36
PID 2804 wrote to memory of 2396	2804	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe	36
PID 2804 wrote to memory of 2396	2804	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe	36
PID 2804 wrote to memory of 2396	2804	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe	36
PID 2804 wrote to memory of 2208	2804	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe	37
PID 2804 wrote to memory of 2208	2804	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe	37
PID 2804 wrote to memory of 2208	2804	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe	37
PID 2804 wrote to memory of 2208	2804	{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe	37
PID 2396 wrote to memory of 2864	2396	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe	38
PID 2396 wrote to memory of 2864	2396	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe	38
PID 2396 wrote to memory of 2864	2396	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe	38
PID 2396 wrote to memory of 2864	2396	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe	38
PID 2396 wrote to memory of 2992	2396	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe	39
PID 2396 wrote to memory of 2992	2396	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe	39
PID 2396 wrote to memory of 2992	2396	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe	39
PID 2396 wrote to memory of 2992	2396	{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe	39
PID 2864 wrote to memory of 1664	2864	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe	40
PID 2864 wrote to memory of 1664	2864	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe	40
PID 2864 wrote to memory of 1664	2864	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe	40
PID 2864 wrote to memory of 1664	2864	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe	40
PID 2864 wrote to memory of 1040	2864	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe	41
PID 2864 wrote to memory of 1040	2864	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe	41
PID 2864 wrote to memory of 1040	2864	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe	41
PID 2864 wrote to memory of 1040	2864	{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe	41
PID 1664 wrote to memory of 2320	1664	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe	42
PID 1664 wrote to memory of 2320	1664	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe	42
PID 1664 wrote to memory of 2320	1664	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe	42
PID 1664 wrote to memory of 2320	1664	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe	42
PID 1664 wrote to memory of 1612	1664	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe	43
PID 1664 wrote to memory of 1612	1664	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe	43
PID 1664 wrote to memory of 1612	1664	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe	43
PID 1664 wrote to memory of 1612	1664	{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe	43
PID 2320 wrote to memory of 2844	2320	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe	44
PID 2320 wrote to memory of 2844	2320	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe	44
PID 2320 wrote to memory of 2844	2320	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe	44
PID 2320 wrote to memory of 2844	2320	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe	44
PID 2320 wrote to memory of 1420	2320	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe	45
PID 2320 wrote to memory of 1420	2320	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe	45
PID 2320 wrote to memory of 1420	2320	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe	45
PID 2320 wrote to memory of 1420	2320	{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_a88c678467be4c4b663e3428ad3d1070_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe
  C:\Windows\{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe
    C:\Windows\{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe
      C:\Windows\{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe
        
        C:\Windows\{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe
        
        C:\Windows\{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe
        
        C:\Windows\{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe
        
        C:\Windows\{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\{F66230CF-323D-48fc-BB96-63EAA7AA3A6D}.exe
        
        C:\Windows\{F66230CF-323D-48fc-BB96-63EAA7AA3A6D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{29422451-0E83-4378-B24E-B596B7084689}.exe
        
        C:\Windows\{29422451-0E83-4378-B24E-B596B7084689}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\{108C23E4-42CA-4776-9DF5-C4580A6FE4EE}.exe
        
        C:\Windows\{108C23E4-42CA-4776-9DF5-C4580A6FE4EE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\{1989A39B-A9F5-47ef-8FB2-994DDF3678E8}.exe
        
        C:\Windows\{1989A39B-A9F5-47ef-8FB2-994DDF3678E8}.exe
        12⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{108C2~1.EXE > nul
        12⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29422~1.EXE > nul
        11⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6623~1.EXE > nul
        10⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{598DA~1.EXE > nul
        9⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68B23~1.EXE > nul
        8⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D86F2~1.EXE > nul
        7⤵
        
        PID:1040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E37B5~1.EXE > nul
        6⤵
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02CFD~1.EXE > nul
        5⤵
        
        PID:2208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6C04D~1.EXE > nul
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0A3DB~1.EXE > nul
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02CFDD3F-F33E-4018-B771-14DC8460EED6}.exe

Filesize
408KB

MD5
955f4ea99d36af51218f57e45a73c577

SHA1
2895d6c10fd44a26472d6a9a4db645de7bbff50e

SHA256
468bfec8e8d6fe956d7ed5bf114b9009a3e16e90da73734e7205329e028296e4

SHA512
73a7141f33fb655e4d8eea674c8c309a82798c5d40ed7e9917a3506a54980d8269a29bd8197d7171d8ea503c5a8629d27a94b62e453aaa2d6557e5de90842341

Download Submit
C:\Windows\{0A3DBF9D-7BF5-496d-A6E4-C1C6D8C748A9}.exe

Filesize
408KB

MD5
5ab5d8cc3e92ccaa092910834dab1041

SHA1
d342371aedd7346e235310d1b7da6074f97761ac

SHA256
8a1be174ef2d46d56cb7dccc094431f6783f381d1ad08a6b65a80baeada936a1

SHA512
d891b5c437592ff851e1433f693f929d76b8200992115919eb7accb21b266544159524227c182fed44f81ee732a8ab21f64fd5a0881edfdbc2ca9e7dbe7cac15

Download Submit
C:\Windows\{108C23E4-42CA-4776-9DF5-C4580A6FE4EE}.exe

Filesize
408KB

MD5
c8a139cff9a45899174ec65e4954922b

SHA1
e8c1d57ae6c827171024df86a2d796e0a9984781

SHA256
9234f1dc9b9c33fc202133621c618031a6c768dd5bec5609efaac89b5a6be385

SHA512
2e33b6f5634cfadc866a79a942085350e29af72935060d70f170ddb39dec047c0298d93e30869ee6f62cef766ea4ad4e29d1e940109845a347f77ebda214a8df

Download Submit
C:\Windows\{1989A39B-A9F5-47ef-8FB2-994DDF3678E8}.exe

Filesize
408KB

MD5
2f54c82744c38edacb71b5b0886f8111

SHA1
4965ed59e533893fc092312e1a81e11487015fe6

SHA256
3d7cdcf62a88530e65692e0ca197c0d55d8dd63261d66ae6792759132e54b0e5

SHA512
e8f4d0b06e4cf114d433462d3c6cf6f0a1eedff6cad22a1297f2acbdb76349a3bfe166b21fe1581b5e0e527a310850c45ce7dad1a9309521f0886f9954703791

Download Submit
C:\Windows\{29422451-0E83-4378-B24E-B596B7084689}.exe

Filesize
408KB

MD5
93205ba687389e2d282981ec1bd2a355

SHA1
5a6826e8cb71a0404bc91df02bfbf4b417f556a7

SHA256
a48e8aa466be460324fd6dd2779020b822a2d0f4a3eb1215fbd6a39a4ec5aa9a

SHA512
eb6e4bad8f2187f9bcd5083a99e06bced403be3d42e1b828718e76a4184f1f366570efdf0480ac9ffdec7a8256765ff6199efd6f6c812eeee75f350c07bfac47

Download Submit
C:\Windows\{598DAF23-DB53-4b1e-A95A-202332FD5B2C}.exe

Filesize
408KB

MD5
5676d5f999487d31707962b2dd235a26

SHA1
0c97b0651305c76581d9a5d777418769e35ec938

SHA256
15f8c94ef958ae04a43a94c53f391a54305b1fc02dd604884cb34d3839981ead

SHA512
8a498b5dfea3ee9d3676e9c89e98c8f1a884edbbe2d7102c686d47c15ca18dd5da8a2c3eae23433510a63f6ab8a8ce873d2f93a19464a4a0781361ad4e047bc6

Download Submit
C:\Windows\{68B23B5C-A0B0-4f8d-A032-1DC25825780F}.exe

Filesize
408KB

MD5
4c8d2b9e8686e056144e970d3385f9f4

SHA1
fb62bb4550a9f627068977688d0c907367a7dfd7

SHA256
9647242201601cdefd413e03325bb5006909dfefdd89d6779129fdbc7d96e4af

SHA512
86d305f49b744b7c3dde2895ae4fa1938b096c360659c4a8f4e1091a06de524eb1beca5cfff05e1e3fd47b9e26d9b5e783a7a6eac31795fd5f967ed1f35d7210

Download Submit
C:\Windows\{6C04D8A0-E4D5-4141-A7F6-1752AB7D856C}.exe

Filesize
408KB

MD5
9a79c66b8dba0f5b3aebbb457e6da43b

SHA1
cb031606067f7817d98f65970e05d4136be9c131

SHA256
ea2c7b5386e39c5b86f75934c546721578b42179051cc32e687b3bc345ad62c3

SHA512
e9cc4e02d8a7f26d9e7d4fcd908c7acb9692be0a7228978db01dcb14db9e95e7e66fef6d74504218c96751bfffa773d44711e55a61a2a928cafd78701f128530

Download Submit
C:\Windows\{D86F28C9-F3DF-4731-A6D0-5F9E8DD516A6}.exe

Filesize
408KB

MD5
141cb58915bd33bb34e8c9c274c3f1c4

SHA1
537c091f3348c869eb7605efba384b6ce91b1cb9

SHA256
3a97e910d547aa14cf50d4dc052984f289c0edd18e9f5a0abe2ef77c51e2bc3b

SHA512
2c165b794583a73416861fde493a2db0929ab399cd5397108cd0b066121e288ce05e6e04e59c22647b9c3279ad2b45545f286eb2b374ee882810b938e41942de

Download Submit
C:\Windows\{E37B5500-2EFA-4527-B9C9-D14E3BB1A0A7}.exe

Filesize
408KB

MD5
7b4f53ca64f598886fcb3551f2d1d4a4

SHA1
396950cc569a02fc0ad5b076a58c9ab5929dedee

SHA256
36cae3e28628a283d40be8e9937c750713d711e00ac3b44d48170eb77efef2fd

SHA512
6ed19337d2d033f499f069bea955b24c25a0d1e9eccbe3527aef6624064499282c92997b6093337afb1e560e60cc1f530a76502fbbce55bdc8aac5cc4c8bb597

Download Submit
C:\Windows\{F66230CF-323D-48fc-BB96-63EAA7AA3A6D}.exe

Filesize
408KB

MD5
11ab53ca98dad09b45a3b4de6fa31ed0

SHA1
04112d8231deafb8f76e86f828f93e6a0fdbe9ab

SHA256
14d610eada951181122994f3facbda82f45bb8a6c126bc5c8d732b76b4e7064d

SHA512
250a42a320994eddd86a569f6e0c57a06454034754edad5819bf42f0ba60c74d113cfab93bfc8cc977551a87fda818a334f0f9ed51a7e985b15b30bc0f23c554

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads