e479e77b1ee73e2905b4a96ddd4e40720674c5e5ed6b28ce63fa2b8b911dcb49

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe
Size

372KB
MD5

5b68e69d2395b63e55dcd6f11b614f8f
SHA1

2fbec41a6916acb6206ac8b47720fdd48fc5684f
SHA256

e479e77b1ee73e2905b4a96ddd4e40720674c5e5ed6b28ce63fa2b8b911dcb49
SHA512

739a0a9a9f928a6d3c497a94d05438512b25af7e4f228570590ee30484a67f2c8a30ee31bf4637ed555e28430890b31ad74792e323082905781c8c140fe8a176
SSDEEP

3072:CEGh0orlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGhlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}\stubpath = "C:\\Windows\\{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe"	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D67246E-6149-42e9-BC43-DB9C26E2DD4A}	{62D572FF-B989-4672-B447-CA4C86133246}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D67246E-6149-42e9-BC43-DB9C26E2DD4A}\stubpath = "C:\\Windows\\{8D67246E-6149-42e9-BC43-DB9C26E2DD4A}.exe"	{62D572FF-B989-4672-B447-CA4C86133246}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{739BC306-1BF3-4a98-9B1F-505F673C0B0B}\stubpath = "C:\\Windows\\{739BC306-1BF3-4a98-9B1F-505F673C0B0B}.exe"	{1E224EC2-76BB-4acc-A1D1-73F7C044A2E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{881565FA-41A2-4aba-9374-5CFA1FA319DB}	{739BC306-1BF3-4a98-9B1F-505F673C0B0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{952148BB-F703-4818-B5C9-FFE3438099F4}	2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB1F48FF-BEB6-4cca-AE9B-916537850876}	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}\stubpath = "C:\\Windows\\{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe"	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB1F48FF-BEB6-4cca-AE9B-916537850876}\stubpath = "C:\\Windows\\{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe"	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62D572FF-B989-4672-B447-CA4C86133246}	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E224EC2-76BB-4acc-A1D1-73F7C044A2E7}\stubpath = "C:\\Windows\\{1E224EC2-76BB-4acc-A1D1-73F7C044A2E7}.exe"	{8D67246E-6149-42e9-BC43-DB9C26E2DD4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{952148BB-F703-4818-B5C9-FFE3438099F4}\stubpath = "C:\\Windows\\{952148BB-F703-4818-B5C9-FFE3438099F4}.exe"	2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}\stubpath = "C:\\Windows\\{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe"	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{739BC306-1BF3-4a98-9B1F-505F673C0B0B}	{1E224EC2-76BB-4acc-A1D1-73F7C044A2E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{881565FA-41A2-4aba-9374-5CFA1FA319DB}\stubpath = "C:\\Windows\\{881565FA-41A2-4aba-9374-5CFA1FA319DB}.exe"	{739BC306-1BF3-4a98-9B1F-505F673C0B0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62D572FF-B989-4672-B447-CA4C86133246}\stubpath = "C:\\Windows\\{62D572FF-B989-4672-B447-CA4C86133246}.exe"	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E224EC2-76BB-4acc-A1D1-73F7C044A2E7}	{8D67246E-6149-42e9-BC43-DB9C26E2DD4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A91D7D9A-961B-4a8a-A068-0052808F7243}	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A91D7D9A-961B-4a8a-A068-0052808F7243}\stubpath = "C:\\Windows\\{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe"	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe

Deletes itself 1 IoCs

pid	Process
3008	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2348	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe
2724	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe
2812	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe
3036	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe
2604	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe
2448	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe
1680	{62D572FF-B989-4672-B447-CA4C86133246}.exe
2572	{8D67246E-6149-42e9-BC43-DB9C26E2DD4A}.exe
1756	{1E224EC2-76BB-4acc-A1D1-73F7C044A2E7}.exe
1908	{739BC306-1BF3-4a98-9B1F-505F673C0B0B}.exe
484	{881565FA-41A2-4aba-9374-5CFA1FA319DB}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe
File created	C:\Windows\{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe
File created	C:\Windows\{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe
File created	C:\Windows\{8D67246E-6149-42e9-BC43-DB9C26E2DD4A}.exe	{62D572FF-B989-4672-B447-CA4C86133246}.exe
File created	C:\Windows\{1E224EC2-76BB-4acc-A1D1-73F7C044A2E7}.exe	{8D67246E-6149-42e9-BC43-DB9C26E2DD4A}.exe
File created	C:\Windows\{739BC306-1BF3-4a98-9B1F-505F673C0B0B}.exe	{1E224EC2-76BB-4acc-A1D1-73F7C044A2E7}.exe
File created	C:\Windows\{952148BB-F703-4818-B5C9-FFE3438099F4}.exe	2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe
File created	C:\Windows\{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe
File created	C:\Windows\{881565FA-41A2-4aba-9374-5CFA1FA319DB}.exe	{739BC306-1BF3-4a98-9B1F-505F673C0B0B}.exe
File created	C:\Windows\{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe
File created	C:\Windows\{62D572FF-B989-4672-B447-CA4C86133246}.exe	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2952	2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2348	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe
Token: SeIncBasePriorityPrivilege	2724	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe
Token: SeIncBasePriorityPrivilege	2812	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe
Token: SeIncBasePriorityPrivilege	3036	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe
Token: SeIncBasePriorityPrivilege	2604	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe
Token: SeIncBasePriorityPrivilege	2448	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe
Token: SeIncBasePriorityPrivilege	1680	{62D572FF-B989-4672-B447-CA4C86133246}.exe
Token: SeIncBasePriorityPrivilege	2572	{8D67246E-6149-42e9-BC43-DB9C26E2DD4A}.exe
Token: SeIncBasePriorityPrivilege	1756	{1E224EC2-76BB-4acc-A1D1-73F7C044A2E7}.exe
Token: SeIncBasePriorityPrivilege	1908	{739BC306-1BF3-4a98-9B1F-505F673C0B0B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2348	2952	2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe	28
PID 2952 wrote to memory of 2348	2952	2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe	28
PID 2952 wrote to memory of 2348	2952	2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe	28
PID 2952 wrote to memory of 2348	2952	2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe	28
PID 2952 wrote to memory of 3008	2952	2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe	29
PID 2952 wrote to memory of 3008	2952	2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe	29
PID 2952 wrote to memory of 3008	2952	2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe	29
PID 2952 wrote to memory of 3008	2952	2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe	29
PID 2348 wrote to memory of 2724	2348	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe	30
PID 2348 wrote to memory of 2724	2348	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe	30
PID 2348 wrote to memory of 2724	2348	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe	30
PID 2348 wrote to memory of 2724	2348	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe	30
PID 2348 wrote to memory of 2660	2348	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe	31
PID 2348 wrote to memory of 2660	2348	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe	31
PID 2348 wrote to memory of 2660	2348	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe	31
PID 2348 wrote to memory of 2660	2348	{952148BB-F703-4818-B5C9-FFE3438099F4}.exe	31
PID 2724 wrote to memory of 2812	2724	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe	32
PID 2724 wrote to memory of 2812	2724	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe	32
PID 2724 wrote to memory of 2812	2724	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe	32
PID 2724 wrote to memory of 2812	2724	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe	32
PID 2724 wrote to memory of 2532	2724	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe	33
PID 2724 wrote to memory of 2532	2724	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe	33
PID 2724 wrote to memory of 2532	2724	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe	33
PID 2724 wrote to memory of 2532	2724	{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe	33
PID 2812 wrote to memory of 3036	2812	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe	36
PID 2812 wrote to memory of 3036	2812	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe	36
PID 2812 wrote to memory of 3036	2812	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe	36
PID 2812 wrote to memory of 3036	2812	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe	36
PID 2812 wrote to memory of 2248	2812	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe	37
PID 2812 wrote to memory of 2248	2812	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe	37
PID 2812 wrote to memory of 2248	2812	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe	37
PID 2812 wrote to memory of 2248	2812	{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe	37
PID 3036 wrote to memory of 2604	3036	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe	38
PID 3036 wrote to memory of 2604	3036	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe	38
PID 3036 wrote to memory of 2604	3036	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe	38
PID 3036 wrote to memory of 2604	3036	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe	38
PID 3036 wrote to memory of 2736	3036	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe	39
PID 3036 wrote to memory of 2736	3036	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe	39
PID 3036 wrote to memory of 2736	3036	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe	39
PID 3036 wrote to memory of 2736	3036	{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe	39
PID 2604 wrote to memory of 2448	2604	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe	40
PID 2604 wrote to memory of 2448	2604	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe	40
PID 2604 wrote to memory of 2448	2604	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe	40
PID 2604 wrote to memory of 2448	2604	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe	40
PID 2604 wrote to memory of 1988	2604	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe	41
PID 2604 wrote to memory of 1988	2604	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe	41
PID 2604 wrote to memory of 1988	2604	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe	41
PID 2604 wrote to memory of 1988	2604	{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe	41
PID 2448 wrote to memory of 1680	2448	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe	42
PID 2448 wrote to memory of 1680	2448	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe	42
PID 2448 wrote to memory of 1680	2448	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe	42
PID 2448 wrote to memory of 1680	2448	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe	42
PID 2448 wrote to memory of 1272	2448	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe	43
PID 2448 wrote to memory of 1272	2448	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe	43
PID 2448 wrote to memory of 1272	2448	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe	43
PID 2448 wrote to memory of 1272	2448	{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe	43
PID 1680 wrote to memory of 2572	1680	{62D572FF-B989-4672-B447-CA4C86133246}.exe	44
PID 1680 wrote to memory of 2572	1680	{62D572FF-B989-4672-B447-CA4C86133246}.exe	44
PID 1680 wrote to memory of 2572	1680	{62D572FF-B989-4672-B447-CA4C86133246}.exe	44
PID 1680 wrote to memory of 2572	1680	{62D572FF-B989-4672-B447-CA4C86133246}.exe	44
PID 1680 wrote to memory of 2564	1680	{62D572FF-B989-4672-B447-CA4C86133246}.exe	45
PID 1680 wrote to memory of 2564	1680	{62D572FF-B989-4672-B447-CA4C86133246}.exe	45
PID 1680 wrote to memory of 2564	1680	{62D572FF-B989-4672-B447-CA4C86133246}.exe	45
PID 1680 wrote to memory of 2564	1680	{62D572FF-B989-4672-B447-CA4C86133246}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_5b68e69d2395b63e55dcd6f11b614f8f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\{952148BB-F703-4818-B5C9-FFE3438099F4}.exe
  C:\Windows\{952148BB-F703-4818-B5C9-FFE3438099F4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe
    C:\Windows\{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe
      C:\Windows\{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe
        
        C:\Windows\{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe
        
        C:\Windows\{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe
        
        C:\Windows\{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\{62D572FF-B989-4672-B447-CA4C86133246}.exe
        
        C:\Windows\{62D572FF-B989-4672-B447-CA4C86133246}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{8D67246E-6149-42e9-BC43-DB9C26E2DD4A}.exe
        
        C:\Windows\{8D67246E-6149-42e9-BC43-DB9C26E2DD4A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\{1E224EC2-76BB-4acc-A1D1-73F7C044A2E7}.exe
        
        C:\Windows\{1E224EC2-76BB-4acc-A1D1-73F7C044A2E7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\{739BC306-1BF3-4a98-9B1F-505F673C0B0B}.exe
        
        C:\Windows\{739BC306-1BF3-4a98-9B1F-505F673C0B0B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\{881565FA-41A2-4aba-9374-5CFA1FA319DB}.exe
        
        C:\Windows\{881565FA-41A2-4aba-9374-5CFA1FA319DB}.exe
        12⤵
        Executes dropped EXE
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{739BC~1.EXE > nul
        12⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E224~1.EXE > nul
        11⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D672~1.EXE > nul
        10⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62D57~1.EXE > nul
        9⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B6CE~1.EXE > nul
        8⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F826~1.EXE > nul
        7⤵
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB1F4~1.EXE > nul
        6⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A91D7~1.EXE > nul
        5⤵
        
        PID:2248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6FD6A~1.EXE > nul
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{95214~1.EXE > nul
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E224EC2-76BB-4acc-A1D1-73F7C044A2E7}.exe

Filesize
372KB

MD5
941ceae6c77fe2cf92e3706dddcf6ba7

SHA1
1a1aa6ce57a02ac744e52e7d7dbc7c0df2698b7b

SHA256
1d594629b35c7c2f1f6caa3d2438f68b8f276ee406a72cb023b0da64842a6b5e

SHA512
9e17a15dbc04d4206492b695c49bc6fa7f93e650c5ace82d80e901c319c4a566b38938ee72d9c57f765cbf0b577a532f49163c37b617f313ef710227e6336676

Download Submit
C:\Windows\{62D572FF-B989-4672-B447-CA4C86133246}.exe

Filesize
372KB

MD5
5bd5f49987a3e78818684fe792df19b5

SHA1
50e34d8da1c8fe30e72ded82f59ec3b475a8f991

SHA256
13a496763fb133afa9857b9fc8707eb6108b6befed81d33397c315e81353af3e

SHA512
da2e16ca590bb22cee10e5020fcdfc4d4d241e40d12fd3f934d4331c2b59ccabf9e8e06d000f394c1d6b6b240b3e240fa0d9e971d8acd8dda6f6b620f440f38f

Download Submit
C:\Windows\{6FD6A0C7-198C-4974-978A-59DF5A6AE1CC}.exe

Filesize
372KB

MD5
a16ce0d06c6eb3251084bf443711706f

SHA1
345eb9399f7c55bc58a69dfa981e31c4446f22b3

SHA256
80b0bb09e2f276c4c502e5778643b8d23ea39b04eb97ee7ce3f3584e1601f01e

SHA512
36d832a2eb7fa7ebd085cbc4c7d83dbab4ec8ec65d4f51d7ed373f41c3d153a9c961ad57531702cc474000631dc9c71a1e58b08ea3b5c2097c52bc25cac60c3d

Download Submit
C:\Windows\{739BC306-1BF3-4a98-9B1F-505F673C0B0B}.exe

Filesize
372KB

MD5
b33c260ce69e7d97fed7c0280cc076c2

SHA1
15898537749a5831fd8480dfc0ca9813290e929d

SHA256
4e5a4d9cc872387e44ae3201c2bdeb49850dff70be0a078a0df2ef4be89aef68

SHA512
02810bdb2e70726f8880d00e412f26be562c7190f3ce79888deb8bb31a30f38f4d91fa423f6c9fc38c1bf640bb582661e67acbfdb9483b7de94ef7932f39d875

Download Submit
C:\Windows\{881565FA-41A2-4aba-9374-5CFA1FA319DB}.exe

Filesize
372KB

MD5
7454bfbbc1bd79c9cd0c51a6602669d8

SHA1
06fb4af272045fefc128457038bde9ce5e507181

SHA256
6fd104c63ece32e8a446e8d916bb49fec72b2f45420155b02c764e6097e21b15

SHA512
501cc37455b683147b26fec8da7564df3b82bcc2ad3b560fe93a2e90f49a4675677c5623d576eb584c710fa12f951a17e528e3f7ae715bfc81423a98c8819079

Download Submit
C:\Windows\{8D67246E-6149-42e9-BC43-DB9C26E2DD4A}.exe

Filesize
372KB

MD5
960390a48b9f1137c80568d117202712

SHA1
7b7678caedcd60131d2714b6f675fd9276b87fb4

SHA256
9b8c0e87f6f57c4c79964ab6c40693d36e91e6112ef80b63c681cf8aaf5f1919

SHA512
adec6e7ebdd418edbf3de44fa54348b092c94f3aa07339551adddb29aa792f8fdd6fac1bf472580eea9f3a33b298531614ff464386bbf9a8d3562e1e48aede6d

Download Submit
C:\Windows\{952148BB-F703-4818-B5C9-FFE3438099F4}.exe

Filesize
372KB

MD5
d1f7f66fbeeccdc277167db78ec3d46c

SHA1
3f1bd2cdf38579f24d04858bc4c064a63e0ac1ab

SHA256
4c392b328a6afa54b8609dce2e8621938c3182af2c821e8b1520ac8d1763e47e

SHA512
dc67954a7e9aefe4300ef86aa4e0d2c8470d5daecf13bd5a6fd800789d732ffca863ab3ad1351fab2b6604be0f282c556f08278d6febab23838c83af1f711711

Download Submit
C:\Windows\{9B6CEDAF-95B3-42bd-85B9-7EAEF7C1DB58}.exe

Filesize
372KB

MD5
fc9f4273707642a7b4b13d53138ff1aa

SHA1
270dc0c329a9cf9e6dc98473052749c59f54fb57

SHA256
9c4cd969edbfc6e845f1474a8d5cdc3464a278097a0a137399fe60affdf83fc3

SHA512
d9b942363158f1fbdb45bf0a7c891184ff9f5d09cff493281b7e20ce6d9ef083874e632685fa10fad6240f4cc98feee07ce9348961b2d077a7800e8e08d80232

Download Submit
C:\Windows\{9F826A6C-FFBE-426e-BBAA-2A13EF818E8D}.exe

Filesize
372KB

MD5
0f2ee7d51e4fa82122ee0116f013d505

SHA1
56a945f2ba307cf55cf04562b92b934649e062ea

SHA256
0ed9ba8022532b0fe5dc70e9f0f9680a9fb5e930302882f89b47b6cd662e64c6

SHA512
cee5c55aa1ebe404314fe7774ffaa50dd87d3d2b5cd6fcfddaad72fb69d144db36883a31015c08f153ce92bab50f27ff8cc0364c0432a1b93d3da8a254ddfc07

Download Submit
C:\Windows\{A91D7D9A-961B-4a8a-A068-0052808F7243}.exe

Filesize
372KB

MD5
fff4525c044b9a76712f1f58c23ad576

SHA1
3712d60578a67735b9d734dc400680993714972b

SHA256
4202fe8cf64e9fec7bdfd8fdadc7850ed08a7b9e79a0f1057814d5168c1ade35

SHA512
d27d253a37cd5b933a80855cbba1b1e70899ac7217bff81b780980cc58c21576afab1c302a020743a14a7fb27d1efe4d6467f3d4b42bce1e5ef8a7d8dbac31df

Download Submit
C:\Windows\{BB1F48FF-BEB6-4cca-AE9B-916537850876}.exe

Filesize
372KB

MD5
0a30167eef249be095f0f4089e76fc1f

SHA1
f1441c6f7fc9267969e2b6fda7b1cd9a91bc8711

SHA256
f9aa6b849bcd4239934fa374ddb6703f118135d68c6b350ff92d2586cd5ab5e9

SHA512
ce9bf8a1f40507c3f2a0e77c072b6e5c34eb345e8408df721a4c48af298e4566d0a40e07db7a22c3d53f227335df9419a2282b2cf0672d83d9e4bb295fd7ac6d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads