8e811f130100ffd084bff99c03aa0fa6793b3f8b0b9d8510608fba535d1307f7

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe
Size

192KB
MD5

d2d67417eb9b04798aaedd17f8ab53cf
SHA1

9b8dabf83d13b5042eefb10a2dfe787a35574fb4
SHA256

8e811f130100ffd084bff99c03aa0fa6793b3f8b0b9d8510608fba535d1307f7
SHA512

bdc514a91ff31ebe669382135f23bc879d5aadb14624e52d3f563d343c5348f53e4a0355047978de17a9fe43c6f328eeefe82957a83376147f2069dea17c494d
SSDEEP

1536:1EGh0oUl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oUl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}\stubpath = "C:\\Windows\\{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe"	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25D7BF37-8244-4170-B7CA-99EC5F18D763}\stubpath = "C:\\Windows\\{25D7BF37-8244-4170-B7CA-99EC5F18D763}.exe"	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87382B33-EF96-438b-9E0A-EEBF76D9C1AC}	{65FA0BFD-65FB-4c9b-AED7-AEF70BF95170}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87382B33-EF96-438b-9E0A-EEBF76D9C1AC}\stubpath = "C:\\Windows\\{87382B33-EF96-438b-9E0A-EEBF76D9C1AC}.exe"	{65FA0BFD-65FB-4c9b-AED7-AEF70BF95170}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25D7BF37-8244-4170-B7CA-99EC5F18D763}	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C60A8DD-8EBA-4f1f-9758-730C7FD0B3DD}	{25D7BF37-8244-4170-B7CA-99EC5F18D763}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}\stubpath = "C:\\Windows\\{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe"	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1B73AA5-0408-4a18-9C95-CECA071715D9}	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{516138F9-A020-40da-B675-9A1C10142AD5}\stubpath = "C:\\Windows\\{516138F9-A020-40da-B675-9A1C10142AD5}.exe"	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}	{516138F9-A020-40da-B675-9A1C10142AD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65FA0BFD-65FB-4c9b-AED7-AEF70BF95170}	{1C60A8DD-8EBA-4f1f-9758-730C7FD0B3DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65FA0BFD-65FB-4c9b-AED7-AEF70BF95170}\stubpath = "C:\\Windows\\{65FA0BFD-65FB-4c9b-AED7-AEF70BF95170}.exe"	{1C60A8DD-8EBA-4f1f-9758-730C7FD0B3DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}\stubpath = "C:\\Windows\\{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe"	{516138F9-A020-40da-B675-9A1C10142AD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C60A8DD-8EBA-4f1f-9758-730C7FD0B3DD}\stubpath = "C:\\Windows\\{1C60A8DD-8EBA-4f1f-9758-730C7FD0B3DD}.exe"	{25D7BF37-8244-4170-B7CA-99EC5F18D763}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}\stubpath = "C:\\Windows\\{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe"	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1B73AA5-0408-4a18-9C95-CECA071715D9}\stubpath = "C:\\Windows\\{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe"	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}\stubpath = "C:\\Windows\\{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe"	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{516138F9-A020-40da-B675-9A1C10142AD5}	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe

Deletes itself 1 IoCs

pid	Process
1728	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2236	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe
2728	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe
2644	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe
2640	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe
1432	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe
2216	{516138F9-A020-40da-B675-9A1C10142AD5}.exe
1304	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe
1612	{25D7BF37-8244-4170-B7CA-99EC5F18D763}.exe
2616	{1C60A8DD-8EBA-4f1f-9758-730C7FD0B3DD}.exe
2924	{65FA0BFD-65FB-4c9b-AED7-AEF70BF95170}.exe
1136	{87382B33-EF96-438b-9E0A-EEBF76D9C1AC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1C60A8DD-8EBA-4f1f-9758-730C7FD0B3DD}.exe	{25D7BF37-8244-4170-B7CA-99EC5F18D763}.exe
File created	C:\Windows\{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe
File created	C:\Windows\{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe
File created	C:\Windows\{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe
File created	C:\Windows\{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe
File created	C:\Windows\{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe
File created	C:\Windows\{516138F9-A020-40da-B675-9A1C10142AD5}.exe	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe
File created	C:\Windows\{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe	{516138F9-A020-40da-B675-9A1C10142AD5}.exe
File created	C:\Windows\{25D7BF37-8244-4170-B7CA-99EC5F18D763}.exe	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe
File created	C:\Windows\{65FA0BFD-65FB-4c9b-AED7-AEF70BF95170}.exe	{1C60A8DD-8EBA-4f1f-9758-730C7FD0B3DD}.exe
File created	C:\Windows\{87382B33-EF96-438b-9E0A-EEBF76D9C1AC}.exe	{65FA0BFD-65FB-4c9b-AED7-AEF70BF95170}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1748	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2236	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe
Token: SeIncBasePriorityPrivilege	2728	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe
Token: SeIncBasePriorityPrivilege	2644	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe
Token: SeIncBasePriorityPrivilege	2640	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe
Token: SeIncBasePriorityPrivilege	1432	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe
Token: SeIncBasePriorityPrivilege	2216	{516138F9-A020-40da-B675-9A1C10142AD5}.exe
Token: SeIncBasePriorityPrivilege	1304	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe
Token: SeIncBasePriorityPrivilege	1612	{25D7BF37-8244-4170-B7CA-99EC5F18D763}.exe
Token: SeIncBasePriorityPrivilege	2616	{1C60A8DD-8EBA-4f1f-9758-730C7FD0B3DD}.exe
Token: SeIncBasePriorityPrivilege	2924	{65FA0BFD-65FB-4c9b-AED7-AEF70BF95170}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2236	1748	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	28
PID 1748 wrote to memory of 2236	1748	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	28
PID 1748 wrote to memory of 2236	1748	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	28
PID 1748 wrote to memory of 2236	1748	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	28
PID 1748 wrote to memory of 1728	1748	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	29
PID 1748 wrote to memory of 1728	1748	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	29
PID 1748 wrote to memory of 1728	1748	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	29
PID 1748 wrote to memory of 1728	1748	2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe	29
PID 2236 wrote to memory of 2728	2236	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe	30
PID 2236 wrote to memory of 2728	2236	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe	30
PID 2236 wrote to memory of 2728	2236	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe	30
PID 2236 wrote to memory of 2728	2236	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe	30
PID 2236 wrote to memory of 2752	2236	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe	31
PID 2236 wrote to memory of 2752	2236	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe	31
PID 2236 wrote to memory of 2752	2236	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe	31
PID 2236 wrote to memory of 2752	2236	{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe	31
PID 2728 wrote to memory of 2644	2728	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe	32
PID 2728 wrote to memory of 2644	2728	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe	32
PID 2728 wrote to memory of 2644	2728	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe	32
PID 2728 wrote to memory of 2644	2728	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe	32
PID 2728 wrote to memory of 2636	2728	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe	33
PID 2728 wrote to memory of 2636	2728	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe	33
PID 2728 wrote to memory of 2636	2728	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe	33
PID 2728 wrote to memory of 2636	2728	{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe	33
PID 2644 wrote to memory of 2640	2644	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe	36
PID 2644 wrote to memory of 2640	2644	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe	36
PID 2644 wrote to memory of 2640	2644	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe	36
PID 2644 wrote to memory of 2640	2644	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe	36
PID 2644 wrote to memory of 2796	2644	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe	37
PID 2644 wrote to memory of 2796	2644	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe	37
PID 2644 wrote to memory of 2796	2644	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe	37
PID 2644 wrote to memory of 2796	2644	{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe	37
PID 2640 wrote to memory of 1432	2640	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe	38
PID 2640 wrote to memory of 1432	2640	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe	38
PID 2640 wrote to memory of 1432	2640	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe	38
PID 2640 wrote to memory of 1432	2640	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe	38
PID 2640 wrote to memory of 2620	2640	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe	39
PID 2640 wrote to memory of 2620	2640	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe	39
PID 2640 wrote to memory of 2620	2640	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe	39
PID 2640 wrote to memory of 2620	2640	{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe	39
PID 1432 wrote to memory of 2216	1432	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe	40
PID 1432 wrote to memory of 2216	1432	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe	40
PID 1432 wrote to memory of 2216	1432	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe	40
PID 1432 wrote to memory of 2216	1432	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe	40
PID 1432 wrote to memory of 1440	1432	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe	41
PID 1432 wrote to memory of 1440	1432	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe	41
PID 1432 wrote to memory of 1440	1432	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe	41
PID 1432 wrote to memory of 1440	1432	{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe	41
PID 2216 wrote to memory of 1304	2216	{516138F9-A020-40da-B675-9A1C10142AD5}.exe	42
PID 2216 wrote to memory of 1304	2216	{516138F9-A020-40da-B675-9A1C10142AD5}.exe	42
PID 2216 wrote to memory of 1304	2216	{516138F9-A020-40da-B675-9A1C10142AD5}.exe	42
PID 2216 wrote to memory of 1304	2216	{516138F9-A020-40da-B675-9A1C10142AD5}.exe	42
PID 2216 wrote to memory of 1680	2216	{516138F9-A020-40da-B675-9A1C10142AD5}.exe	43
PID 2216 wrote to memory of 1680	2216	{516138F9-A020-40da-B675-9A1C10142AD5}.exe	43
PID 2216 wrote to memory of 1680	2216	{516138F9-A020-40da-B675-9A1C10142AD5}.exe	43
PID 2216 wrote to memory of 1680	2216	{516138F9-A020-40da-B675-9A1C10142AD5}.exe	43
PID 1304 wrote to memory of 1612	1304	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe	44
PID 1304 wrote to memory of 1612	1304	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe	44
PID 1304 wrote to memory of 1612	1304	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe	44
PID 1304 wrote to memory of 1612	1304	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe	44
PID 1304 wrote to memory of 2868	1304	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe	45
PID 1304 wrote to memory of 2868	1304	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe	45
PID 1304 wrote to memory of 2868	1304	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe	45
PID 1304 wrote to memory of 2868	1304	{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_d2d67417eb9b04798aaedd17f8ab53cf_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe
  C:\Windows\{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe
    C:\Windows\{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe
      C:\Windows\{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe
        
        C:\Windows\{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe
        
        C:\Windows\{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\{516138F9-A020-40da-B675-9A1C10142AD5}.exe
        
        C:\Windows\{516138F9-A020-40da-B675-9A1C10142AD5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe
        
        C:\Windows\{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\{25D7BF37-8244-4170-B7CA-99EC5F18D763}.exe
        
        C:\Windows\{25D7BF37-8244-4170-B7CA-99EC5F18D763}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\{1C60A8DD-8EBA-4f1f-9758-730C7FD0B3DD}.exe
        
        C:\Windows\{1C60A8DD-8EBA-4f1f-9758-730C7FD0B3DD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\{65FA0BFD-65FB-4c9b-AED7-AEF70BF95170}.exe
        
        C:\Windows\{65FA0BFD-65FB-4c9b-AED7-AEF70BF95170}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\{87382B33-EF96-438b-9E0A-EEBF76D9C1AC}.exe
        
        C:\Windows\{87382B33-EF96-438b-9E0A-EEBF76D9C1AC}.exe
        12⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65FA0~1.EXE > nul
        12⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C60A~1.EXE > nul
        11⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25D7B~1.EXE > nul
        10⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF2C9~1.EXE > nul
        9⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51613~1.EXE > nul
        8⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{949F6~1.EXE > nul
        7⤵
        
        PID:1440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3963A~1.EXE > nul
        6⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1B73~1.EXE > nul
        5⤵
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8E606~1.EXE > nul
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1FC0B~1.EXE > nul
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C60A8DD-8EBA-4f1f-9758-730C7FD0B3DD}.exe

Filesize
192KB

MD5
9cbb3bda136ec7c92a5190ab4806a48f

SHA1
f9460cc27739eec106741d50c1c741e5c7be42ba

SHA256
02836835d61702210b69e5a7729d3b34aa1d6dd09c9eaa4cde47e99a734fd31e

SHA512
5ad68dbfe75f6bdc7989f4a6f9cfae1361ca5b7c8b19b76cb8f225df11cb054579beb87544d6b4ff09df1273546b812992ff40aac15fa78cf72c86414930cabb

Download Submit
C:\Windows\{1FC0B617-BA5D-444d-BEB7-6042A9EED65F}.exe

Filesize
192KB

MD5
d429578caef3b995f0f6ee839f27b803

SHA1
a73db68423a8e0d29f6960f54f3c6d11870c5930

SHA256
38690b3f8fbf9dc469a1b4ba959fc03993991428484870a32944e293a3df3d88

SHA512
67ae526ef24597394e47b5871c23cedc20ab68e54d97533c31dc21230a3d067e2e56aaa8d6ceb3984c87f7eb50413a6de64597b0f512320ede4845f934f62583

Download Submit
C:\Windows\{25D7BF37-8244-4170-B7CA-99EC5F18D763}.exe

Filesize
192KB

MD5
c8e35bbfe06469cca38020d59b82d86b

SHA1
2e80572cd69b59c6f649730d94520ec9edf3e54e

SHA256
259ee24d683638b7de6bcb4124876c70a90d376361e2b8b6482fd930a58bb02c

SHA512
d7bebde76c8530a82a82064cb1118f3a05a508f1edd89e4569d1dc0f82689d3969cfd313f2412f32893046f4cc273ee6f506f3e2dbfcb3df815af015fc23b886

Download Submit
C:\Windows\{3963A1BA-08A1-4e10-AAE2-E01E60DBCB37}.exe

Filesize
192KB

MD5
2d8fb74cfc3e4360de012cebf4ea87e0

SHA1
485d6fb0b0ea6ff9557bce980921cc2aae451760

SHA256
cb147de9e956a50e475d7942b00a6c9184b033050a2e8c1746e11216b0a9c86c

SHA512
fbb0fd04daa9435a01d51ddb8295080360f235273e58f607e013a101e065494bf4f4f8f1508d85b23d2822d87797c138d0889651b8ec7d317d5d57ba779e70f4

Download Submit
C:\Windows\{516138F9-A020-40da-B675-9A1C10142AD5}.exe

Filesize
192KB

MD5
d0298894d938b966b885b12a3045c33c

SHA1
4f8d144929a7b4b4c415451546ac8568d78e2a28

SHA256
1e10ccb6a39ca7ad1c828baa7bed336250dcd0209093ac1a56ecffb5f1b05f3d

SHA512
9e661257b00fdc5c6afd071913bbec97b5c07b2eac304672a10001b9e5fa0e2d7c40a7f634003dcdd543083ac4863a7ae433ee1f667a3bca53da077bb1e69047

Download Submit
C:\Windows\{65FA0BFD-65FB-4c9b-AED7-AEF70BF95170}.exe

Filesize
192KB

MD5
66db3ffe2158a7f56622b573f54a09aa

SHA1
e9d22f5144c6cd182a5f779a7a1a9a28e596fcc2

SHA256
0e7a2e323e7f6f50d7cf63cd61e5644f4b3b47abe11c0400f12cfa6fcea0d4dc

SHA512
6e5395ebd125480eb5d5102b5e306bab2cde0d7c3cc9a2d2d7143a21bbcd87eb8b2b985e66b59b5dc4dafc6f3d0e4ea2f385e4ed72b0baec69a5d82340e5886d

Download Submit
C:\Windows\{87382B33-EF96-438b-9E0A-EEBF76D9C1AC}.exe

Filesize
192KB

MD5
60a9954e904bd25cef6d815971aab49f

SHA1
85a2c8d26a6581329acd635a67e04ff484e9921a

SHA256
b97151306f707307f0d3f7284e120842a0d247aea8573495de5ca1c653c53c60

SHA512
d52588e71f22009d4f54ae94082d7f16baf72e782862864c6b0ccb361d83a65a0d3cbf05c663248bf1391ae882a784ce1591da52d0de9a2fe484eb3061e32a1b

Download Submit
C:\Windows\{8E606D51-0D7C-4465-A1D1-3BA8ACAB4E73}.exe

Filesize
192KB

MD5
27d40dc887d61d5e23fc2507610dce3a

SHA1
4deefba8eb34ce1a2f25a34e7ce2651f618e991a

SHA256
6ddf81973519fa0dcf3a3d7f42cc610a09d0799f41097ddc19af6007531a280a

SHA512
5116ae0c90d7fea2ded27a54ea9e850b98a283702ad5cbd227c640a842ac486132374e1605ed7fd112db9da5bb466b6409bbc8ae07393b145b383658e7a0daab

Download Submit
C:\Windows\{949F6AA8-A33D-4844-BFEB-8B4B4EADDB99}.exe

Filesize
192KB

MD5
328b7eceafd0e9619f9f6d6efbe0d765

SHA1
dfe692050d0dcb01b5ae9b2be165f46941a18546

SHA256
0efecb418ca0465922cabba256d4431510fd4e48b12d8175dbff90a621abe18e

SHA512
915475c3dfeaab503e8f8599a5986e561cb561f04c54965e5623d488a89df87e98823de10104b560133a664ec4fd6f923d1b742971b5b111022614dfcd24eeb6

Download Submit
C:\Windows\{DF2C919E-479B-4c11-BD85-E7AF4CEE8144}.exe

Filesize
192KB

MD5
d853705d2036206fffd6edaa4ddd0335

SHA1
a08d7ca4cb2d1968b5bd72cd5a062c13db1663f2

SHA256
1b129c665b838312b29fa0d831bf788b26ec0d74f935579825e608487d03f3ec

SHA512
1910ad0c9c29a61c381724f1218ecb5e734c4a4901602bc653b2483ae11e9aa8d5506b0a71f92941b729d6f89bba9489d00cc974655ea897ed3719836fbe9dd7

Download Submit
C:\Windows\{F1B73AA5-0408-4a18-9C95-CECA071715D9}.exe

Filesize
192KB

MD5
abb745bb0f9eaa486bdf5e7a7276a733

SHA1
c23a0f930fa97dcbd957d3f387cd6d9971e55285

SHA256
faa8e3bbf868b2fca2ab3b9f349346c4a6719211485d4f604a96527f0afd42c5

SHA512
aea28bea6a33b45fa3000cce55e1eb4572b3a812b7946c1099955558f24048f6f5dcdd1f3d21b367b9764ea7f8a66b77384c2a0a82d6aaf8e76b60ed398d2e4c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads