39c14c550ac2c65502f4ed3bee54d3231ead3eb63e70dcc739f7439912df4b36

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe
Size

180KB
MD5

7ecbcbdc0671945868a4ee73fea64f70
SHA1

18a4e924bd64afbc0bf01e05ea453d7be971d197
SHA256

39c14c550ac2c65502f4ed3bee54d3231ead3eb63e70dcc739f7439912df4b36
SHA512

3e16a336aa4bdf4e53e29a894391ca7ac254d5f6d348cb91dad7b9724fc354506a5e29220d5786bdb71a3d42fe2d023435d9d9bd0f48731ecda11bfa18a68458
SSDEEP

3072:jEGh0o/lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGNl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09C4C1A8-44AF-4da9-8864-818851DD845F}\stubpath = "C:\\Windows\\{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe"	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB26E0DC-F647-4dc9-88D4-FE9CE98F0C10}	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB26E0DC-F647-4dc9-88D4-FE9CE98F0C10}\stubpath = "C:\\Windows\\{DB26E0DC-F647-4dc9-88D4-FE9CE98F0C10}.exe"	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B20900CF-FCF3-4d83-AB2F-EEAD8F10C64F}\stubpath = "C:\\Windows\\{B20900CF-FCF3-4d83-AB2F-EEAD8F10C64F}.exe"	{DB26E0DC-F647-4dc9-88D4-FE9CE98F0C10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B701AF42-A5E4-45f1-AD34-ABBE1A0A1746}	{2AD8DE65-2C15-4ce1-A049-7881BFF14FED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D543ECF1-66A4-4672-B291-F3762E0E2D15}\stubpath = "C:\\Windows\\{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe"	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AD8DE65-2C15-4ce1-A049-7881BFF14FED}	{B20900CF-FCF3-4d83-AB2F-EEAD8F10C64F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B701AF42-A5E4-45f1-AD34-ABBE1A0A1746}\stubpath = "C:\\Windows\\{B701AF42-A5E4-45f1-AD34-ABBE1A0A1746}.exe"	{2AD8DE65-2C15-4ce1-A049-7881BFF14FED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}\stubpath = "C:\\Windows\\{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe"	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}\stubpath = "C:\\Windows\\{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe"	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B20900CF-FCF3-4d83-AB2F-EEAD8F10C64F}	{DB26E0DC-F647-4dc9-88D4-FE9CE98F0C10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AD8DE65-2C15-4ce1-A049-7881BFF14FED}\stubpath = "C:\\Windows\\{2AD8DE65-2C15-4ce1-A049-7881BFF14FED}.exe"	{B20900CF-FCF3-4d83-AB2F-EEAD8F10C64F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47A14643-31AE-4983-87F8-7DB7CF6E304D}	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15F9C569-582E-4697-94E1-CCC3D88F89B4}	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15F9C569-582E-4697-94E1-CCC3D88F89B4}\stubpath = "C:\\Windows\\{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe"	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47A14643-31AE-4983-87F8-7DB7CF6E304D}\stubpath = "C:\\Windows\\{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe"	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09C4C1A8-44AF-4da9-8864-818851DD845F}	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D543ECF1-66A4-4672-B291-F3762E0E2D15}	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}\stubpath = "C:\\Windows\\{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe"	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2084	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe
2712	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe
2668	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe
2952	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe
2588	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe
272	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe
1980	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe
1456	{DB26E0DC-F647-4dc9-88D4-FE9CE98F0C10}.exe
1612	{B20900CF-FCF3-4d83-AB2F-EEAD8F10C64F}.exe
2196	{2AD8DE65-2C15-4ce1-A049-7881BFF14FED}.exe
700	{B701AF42-A5E4-45f1-AD34-ABBE1A0A1746}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe
File created	C:\Windows\{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe
File created	C:\Windows\{DB26E0DC-F647-4dc9-88D4-FE9CE98F0C10}.exe	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe
File created	C:\Windows\{2AD8DE65-2C15-4ce1-A049-7881BFF14FED}.exe	{B20900CF-FCF3-4d83-AB2F-EEAD8F10C64F}.exe
File created	C:\Windows\{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe
File created	C:\Windows\{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe
File created	C:\Windows\{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe
File created	C:\Windows\{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe
File created	C:\Windows\{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe
File created	C:\Windows\{B20900CF-FCF3-4d83-AB2F-EEAD8F10C64F}.exe	{DB26E0DC-F647-4dc9-88D4-FE9CE98F0C10}.exe
File created	C:\Windows\{B701AF42-A5E4-45f1-AD34-ABBE1A0A1746}.exe	{2AD8DE65-2C15-4ce1-A049-7881BFF14FED}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1200	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2084	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe
Token: SeIncBasePriorityPrivilege	2712	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe
Token: SeIncBasePriorityPrivilege	2668	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe
Token: SeIncBasePriorityPrivilege	2952	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe
Token: SeIncBasePriorityPrivilege	2588	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe
Token: SeIncBasePriorityPrivilege	272	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe
Token: SeIncBasePriorityPrivilege	1980	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe
Token: SeIncBasePriorityPrivilege	1456	{DB26E0DC-F647-4dc9-88D4-FE9CE98F0C10}.exe
Token: SeIncBasePriorityPrivilege	1612	{B20900CF-FCF3-4d83-AB2F-EEAD8F10C64F}.exe
Token: SeIncBasePriorityPrivilege	2196	{2AD8DE65-2C15-4ce1-A049-7881BFF14FED}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2084	1200	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	28
PID 1200 wrote to memory of 2084	1200	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	28
PID 1200 wrote to memory of 2084	1200	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	28
PID 1200 wrote to memory of 2084	1200	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	28
PID 1200 wrote to memory of 2164	1200	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	29
PID 1200 wrote to memory of 2164	1200	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	29
PID 1200 wrote to memory of 2164	1200	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	29
PID 1200 wrote to memory of 2164	1200	2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe	29
PID 2084 wrote to memory of 2712	2084	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe	30
PID 2084 wrote to memory of 2712	2084	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe	30
PID 2084 wrote to memory of 2712	2084	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe	30
PID 2084 wrote to memory of 2712	2084	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe	30
PID 2084 wrote to memory of 2640	2084	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe	31
PID 2084 wrote to memory of 2640	2084	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe	31
PID 2084 wrote to memory of 2640	2084	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe	31
PID 2084 wrote to memory of 2640	2084	{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe	31
PID 2712 wrote to memory of 2668	2712	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe	32
PID 2712 wrote to memory of 2668	2712	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe	32
PID 2712 wrote to memory of 2668	2712	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe	32
PID 2712 wrote to memory of 2668	2712	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe	32
PID 2712 wrote to memory of 1092	2712	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe	33
PID 2712 wrote to memory of 1092	2712	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe	33
PID 2712 wrote to memory of 1092	2712	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe	33
PID 2712 wrote to memory of 1092	2712	{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe	33
PID 2668 wrote to memory of 2952	2668	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe	36
PID 2668 wrote to memory of 2952	2668	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe	36
PID 2668 wrote to memory of 2952	2668	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe	36
PID 2668 wrote to memory of 2952	2668	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe	36
PID 2668 wrote to memory of 2960	2668	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe	37
PID 2668 wrote to memory of 2960	2668	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe	37
PID 2668 wrote to memory of 2960	2668	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe	37
PID 2668 wrote to memory of 2960	2668	{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe	37
PID 2952 wrote to memory of 2588	2952	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe	38
PID 2952 wrote to memory of 2588	2952	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe	38
PID 2952 wrote to memory of 2588	2952	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe	38
PID 2952 wrote to memory of 2588	2952	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe	38
PID 2952 wrote to memory of 2812	2952	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe	39
PID 2952 wrote to memory of 2812	2952	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe	39
PID 2952 wrote to memory of 2812	2952	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe	39
PID 2952 wrote to memory of 2812	2952	{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe	39
PID 2588 wrote to memory of 272	2588	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe	40
PID 2588 wrote to memory of 272	2588	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe	40
PID 2588 wrote to memory of 272	2588	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe	40
PID 2588 wrote to memory of 272	2588	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe	40
PID 2588 wrote to memory of 1648	2588	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe	41
PID 2588 wrote to memory of 1648	2588	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe	41
PID 2588 wrote to memory of 1648	2588	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe	41
PID 2588 wrote to memory of 1648	2588	{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe	41
PID 272 wrote to memory of 1980	272	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe	42
PID 272 wrote to memory of 1980	272	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe	42
PID 272 wrote to memory of 1980	272	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe	42
PID 272 wrote to memory of 1980	272	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe	42
PID 272 wrote to memory of 1788	272	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe	43
PID 272 wrote to memory of 1788	272	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe	43
PID 272 wrote to memory of 1788	272	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe	43
PID 272 wrote to memory of 1788	272	{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe	43
PID 1980 wrote to memory of 1456	1980	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe	44
PID 1980 wrote to memory of 1456	1980	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe	44
PID 1980 wrote to memory of 1456	1980	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe	44
PID 1980 wrote to memory of 1456	1980	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe	44
PID 1980 wrote to memory of 2168	1980	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe	45
PID 1980 wrote to memory of 2168	1980	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe	45
PID 1980 wrote to memory of 2168	1980	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe	45
PID 1980 wrote to memory of 2168	1980	{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_7ecbcbdc0671945868a4ee73fea64f70_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe
  C:\Windows\{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe
    C:\Windows\{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe
      C:\Windows\{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe
        
        C:\Windows\{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe
        
        C:\Windows\{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe
        
        C:\Windows\{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Windows\{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe
        
        C:\Windows\{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{DB26E0DC-F647-4dc9-88D4-FE9CE98F0C10}.exe
        
        C:\Windows\{DB26E0DC-F647-4dc9-88D4-FE9CE98F0C10}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\{B20900CF-FCF3-4d83-AB2F-EEAD8F10C64F}.exe
        
        C:\Windows\{B20900CF-FCF3-4d83-AB2F-EEAD8F10C64F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\{2AD8DE65-2C15-4ce1-A049-7881BFF14FED}.exe
        
        C:\Windows\{2AD8DE65-2C15-4ce1-A049-7881BFF14FED}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\{B701AF42-A5E4-45f1-AD34-ABBE1A0A1746}.exe
        
        C:\Windows\{B701AF42-A5E4-45f1-AD34-ABBE1A0A1746}.exe
        12⤵
        Executes dropped EXE
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AD8D~1.EXE > nul
        12⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2090~1.EXE > nul
        11⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB26E~1.EXE > nul
        10⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D2BA~1.EXE > nul
        9⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA0BF~1.EXE > nul
        8⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09C4C~1.EXE > nul
        7⤵
        
        PID:1648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47A14~1.EXE > nul
        6⤵
        
        PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15F9C~1.EXE > nul
        5⤵
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{805BA~1.EXE > nul
      4⤵
      PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D543E~1.EXE > nul
    3⤵
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09C4C1A8-44AF-4da9-8864-818851DD845F}.exe

Filesize
180KB

MD5
4da4a01318480239f3de492d5ca2b006

SHA1
935c14afb7aa6590b9bc06d3ae9d3e72d9893d46

SHA256
2db0a169b6288a35d4f2cf43e0bfd868ae91856ba8d02eb27bb7a323dcd117fe

SHA512
ff3236f00d657a83e67ce84e6c53edc90ee2e06e60b57a2585b85e6b3e4be11d1f1e02f74075c7ae1ed0b7d43cb1cb23b61d3b5742228d70df4b0897e31154c4

Download Submit
C:\Windows\{15F9C569-582E-4697-94E1-CCC3D88F89B4}.exe

Filesize
180KB

MD5
e6cbc94be354d5ae60c23924db350097

SHA1
2041755ee92779a4a92566e2222486d981f5dc6b

SHA256
ff31a8710c928a99084608c2ae9c3c4781074cf618d2b00441ccc86dc7e32d49

SHA512
76d9797c6798b3258f507dc961c81a80ba11c00d755ff6d1674e2c242ba1dc6dba1942ec93a978cc831c843e5254f9fadb969541ff7b3f79aa0ca34a4990bf40

Download Submit
C:\Windows\{2AD8DE65-2C15-4ce1-A049-7881BFF14FED}.exe

Filesize
180KB

MD5
fa5853456d38735b378779b62e547579

SHA1
a5fd82cff37a47b5faacc9c280f524a35df336d5

SHA256
dc28952de1d338af66d1f0382dde3cb8a82589b97134bce8fb0b9b2356b37067

SHA512
a206c7afbd9d7e71f8f4f746c44c9b371448931b196578a4478c5cfb2643c1c37a94bb6670a6a7a88e498ecf31798611b105fe3a0f71b309cca688b96b0d9ae3

Download Submit
C:\Windows\{2D2BA3C7-4D82-4e95-B912-675AAF22D5E8}.exe

Filesize
180KB

MD5
4ac8effab4dd7bb83f7541471503f3e5

SHA1
7d77831d0594e536852ce2c1431462d43eea81ca

SHA256
41d6900cee9866e908c970af2fa9fbe6ae6b13d8a5c23985601c26f32602dbe3

SHA512
384745c4d9dffd8324720a69f6b1d46e9b654035d157fa53297a675f7c5a3a58f6d9efb887cad7afc28f6345a3f9bedd3f15649dafe9c53c8df6aae76a8f1eff

Download Submit
C:\Windows\{47A14643-31AE-4983-87F8-7DB7CF6E304D}.exe

Filesize
180KB

MD5
d99ef3fedbbf61ce1c554c37ec8d2974

SHA1
b96faea8ab424699789be899b4294d1111e98c68

SHA256
8f93cfd110ad5e53850a1aa626cfe60a4115343099d7296f465503c192ccb94c

SHA512
ad9f951c27c3ce97f7d94dbc14e4c90a14bdde08a14ae5f696b8980896173b69499b7d29ae04f0706b4d94ffa920258987373f8857ddf51bdb7f1b5c9e7bdf1a

Download Submit
C:\Windows\{805BAE5C-70F1-49fa-BB43-AA72A4B4E219}.exe

Filesize
180KB

MD5
2e3211723a49abf10741768c0c979384

SHA1
42287fdf3593fdaecbae26ef3923daf864900762

SHA256
2efc83632f34c1fdf86073a17ebce6d0477ddeea1227d4b76608a3b374cb1e35

SHA512
e65c81b10c1bf2d88f319489497aaaee5b49f8aba78f5357ca9b9ff2d389db1e1f72367e738d8784e705a49302342114c39fefa4f3cb8c0f9ecac4be0d9547f8

Download Submit
C:\Windows\{B20900CF-FCF3-4d83-AB2F-EEAD8F10C64F}.exe

Filesize
180KB

MD5
536ec9ddded3b3e2b876a910ad10e619

SHA1
380562e360a6f3d452805de90ba769b3b876a2c7

SHA256
8bbe8a3a038034d0a37627fe841989c6c63d72a77630683234d70e30c05c63ae

SHA512
cd54f82994b251cce7b0c1accde2650d573b88664f1ce84b1904e01ae428e69e3bc9f0806b8be01a406df7e4cbf681eea354e6568ddf235a0aa86f4c733d84f7

Download Submit
C:\Windows\{B701AF42-A5E4-45f1-AD34-ABBE1A0A1746}.exe

Filesize
180KB

MD5
33814cf5459a17af11fc22971df0cd8b

SHA1
7e683f0655c29d2413d9838ff14eba09b1ac1740

SHA256
d47c36c00bd80812b934f41dcc9de6d9114400b8430d27702636b4a9feb00534

SHA512
9b6f0b449339a281adae5fa3ac6cd58ccb0ee500f71aaefca77b553411b63289fe21160ea7fb4aa86d7030dd32e7139322b9ba6daf1242ad732a881bc12ff520

Download Submit
C:\Windows\{D543ECF1-66A4-4672-B291-F3762E0E2D15}.exe

Filesize
180KB

MD5
8852b303b5344df953dcfe82706e0ab6

SHA1
05bc433b507a75bead18483494a710c79a8e2d45

SHA256
d39ace473bdb1dc6844f8d06eb426da5db002fc6fc7b4218ceb0620fd029fef8

SHA512
7802152c02fcb72c9c01e0358793e07363200c14dfdf6aae99bd083f95976918e0690c740ed0f49d0a74d46063b84b75767aea277a800b3df2be70406987b09d

Download Submit
C:\Windows\{DA0BFBA1-CDB8-4637-9CC6-78F0393DC66A}.exe

Filesize
180KB

MD5
aad385694aedeb4933043978009f7513

SHA1
47709f35a0eda3d48e7ac941bf502e14919d345d

SHA256
01db8fc8688b51b892b96ac3730ad4ef7f32743f0d9b92c45ccde75821d5b56c

SHA512
d8adfe37a2083068d0ebf11289d6e68c7ccc28085e424642492f81509a36f9397c6f76c04adf3f1169aa7722fb8cbb71aaa03131dca77a0e4cd8224e2c044ec8

Download Submit
C:\Windows\{DB26E0DC-F647-4dc9-88D4-FE9CE98F0C10}.exe

Filesize
180KB

MD5
89f2cbd0348e21f29c1286a2349290ae

SHA1
7c3b05b0ea9be89bc3396e0c609fc8073577d045

SHA256
5888406f5eaee0059f4594aebbc08fe7eaa32c3c31f6c1b7babafc2eff0898f0

SHA512
4968f5fc5b14f5184e22df128ab83321bf3e01825146c1804501bbc4cdfa3e0fdb0e7b9fa7246b6e02ee5833298783d8e50a709e8bf8757360e12cdb570a8fee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads