00e61ee838083d54dd41893eae425649433ca530efc8116455e75a7bf963694c

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe
Size

344KB
MD5

8f4861fd6e74758cd9280ef68e3677df
SHA1

df5cdbfdf3df5039dec29a638eb7776ad2fa9b16
SHA256

00e61ee838083d54dd41893eae425649433ca530efc8116455e75a7bf963694c
SHA512

1c2ff43d910c492dad65b9fa3cedfb4dce6d97c98f7278ef6523ef7298951b472505378ebf423f459337f5de3f300a2483ffb7c77088ae8570250a51c8cb2976
SSDEEP

3072:mEGh0oQlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGalqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{949679EE-852A-49c0-B1AC-A4AECBAD5584}	{6694B736-E224-4f71-B667-2AE05314932C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2922BFA-2F2D-4b08-89CD-30A349732B4C}\stubpath = "C:\\Windows\\{E2922BFA-2F2D-4b08-89CD-30A349732B4C}.exe"	{949679EE-852A-49c0-B1AC-A4AECBAD5584}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36821D55-28EF-44ec-A06E-4A76ED975333}	2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DC5708D-BBE2-46f1-9556-5A2798AB192A}	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ED82234-0AA7-41d6-A763-642FA20A110D}\stubpath = "C:\\Windows\\{0ED82234-0AA7-41d6-A763-642FA20A110D}.exe"	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6694B736-E224-4f71-B667-2AE05314932C}	{0ED82234-0AA7-41d6-A763-642FA20A110D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0ED82234-0AA7-41d6-A763-642FA20A110D}	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6694B736-E224-4f71-B667-2AE05314932C}\stubpath = "C:\\Windows\\{6694B736-E224-4f71-B667-2AE05314932C}.exe"	{0ED82234-0AA7-41d6-A763-642FA20A110D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{949679EE-852A-49c0-B1AC-A4AECBAD5584}\stubpath = "C:\\Windows\\{949679EE-852A-49c0-B1AC-A4AECBAD5584}.exe"	{6694B736-E224-4f71-B667-2AE05314932C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}\stubpath = "C:\\Windows\\{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe"	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{580D9D65-8AFA-4638-80F4-98972D7AF400}\stubpath = "C:\\Windows\\{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe"	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}\stubpath = "C:\\Windows\\{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe"	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}\stubpath = "C:\\Windows\\{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe"	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36821D55-28EF-44ec-A06E-4A76ED975333}\stubpath = "C:\\Windows\\{36821D55-28EF-44ec-A06E-4A76ED975333}.exe"	2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}\stubpath = "C:\\Windows\\{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe"	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{580D9D65-8AFA-4638-80F4-98972D7AF400}	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DC5708D-BBE2-46f1-9556-5A2798AB192A}\stubpath = "C:\\Windows\\{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe"	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2922BFA-2F2D-4b08-89CD-30A349732B4C}	{949679EE-852A-49c0-B1AC-A4AECBAD5584}.exe

Deletes itself 1 IoCs

pid	Process
2116	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2056	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe
3032	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe
2680	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe
2536	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe
2952	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe
852	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe
1004	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe
1252	{0ED82234-0AA7-41d6-A763-642FA20A110D}.exe
1328	{6694B736-E224-4f71-B667-2AE05314932C}.exe
2844	{949679EE-852A-49c0-B1AC-A4AECBAD5584}.exe
1488	{E2922BFA-2F2D-4b08-89CD-30A349732B4C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe
File created	C:\Windows\{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe
File created	C:\Windows\{0ED82234-0AA7-41d6-A763-642FA20A110D}.exe	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe
File created	C:\Windows\{6694B736-E224-4f71-B667-2AE05314932C}.exe	{0ED82234-0AA7-41d6-A763-642FA20A110D}.exe
File created	C:\Windows\{949679EE-852A-49c0-B1AC-A4AECBAD5584}.exe	{6694B736-E224-4f71-B667-2AE05314932C}.exe
File created	C:\Windows\{36821D55-28EF-44ec-A06E-4A76ED975333}.exe	2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe
File created	C:\Windows\{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe
File created	C:\Windows\{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe
File created	C:\Windows\{E2922BFA-2F2D-4b08-89CD-30A349732B4C}.exe	{949679EE-852A-49c0-B1AC-A4AECBAD5584}.exe
File created	C:\Windows\{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe
File created	C:\Windows\{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1968	2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2056	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe
Token: SeIncBasePriorityPrivilege	3032	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe
Token: SeIncBasePriorityPrivilege	2680	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe
Token: SeIncBasePriorityPrivilege	2536	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe
Token: SeIncBasePriorityPrivilege	2952	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe
Token: SeIncBasePriorityPrivilege	852	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe
Token: SeIncBasePriorityPrivilege	1004	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe
Token: SeIncBasePriorityPrivilege	1252	{0ED82234-0AA7-41d6-A763-642FA20A110D}.exe
Token: SeIncBasePriorityPrivilege	1328	{6694B736-E224-4f71-B667-2AE05314932C}.exe
Token: SeIncBasePriorityPrivilege	2844	{949679EE-852A-49c0-B1AC-A4AECBAD5584}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2056	1968	2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe	28
PID 1968 wrote to memory of 2056	1968	2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe	28
PID 1968 wrote to memory of 2056	1968	2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe	28
PID 1968 wrote to memory of 2056	1968	2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe	28
PID 1968 wrote to memory of 2116	1968	2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe	29
PID 1968 wrote to memory of 2116	1968	2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe	29
PID 1968 wrote to memory of 2116	1968	2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe	29
PID 1968 wrote to memory of 2116	1968	2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe	29
PID 2056 wrote to memory of 3032	2056	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe	30
PID 2056 wrote to memory of 3032	2056	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe	30
PID 2056 wrote to memory of 3032	2056	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe	30
PID 2056 wrote to memory of 3032	2056	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe	30
PID 2056 wrote to memory of 2664	2056	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe	31
PID 2056 wrote to memory of 2664	2056	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe	31
PID 2056 wrote to memory of 2664	2056	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe	31
PID 2056 wrote to memory of 2664	2056	{36821D55-28EF-44ec-A06E-4A76ED975333}.exe	31
PID 3032 wrote to memory of 2680	3032	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe	32
PID 3032 wrote to memory of 2680	3032	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe	32
PID 3032 wrote to memory of 2680	3032	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe	32
PID 3032 wrote to memory of 2680	3032	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe	32
PID 3032 wrote to memory of 2776	3032	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe	33
PID 3032 wrote to memory of 2776	3032	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe	33
PID 3032 wrote to memory of 2776	3032	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe	33
PID 3032 wrote to memory of 2776	3032	{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe	33
PID 2680 wrote to memory of 2536	2680	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe	36
PID 2680 wrote to memory of 2536	2680	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe	36
PID 2680 wrote to memory of 2536	2680	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe	36
PID 2680 wrote to memory of 2536	2680	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe	36
PID 2680 wrote to memory of 2596	2680	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe	37
PID 2680 wrote to memory of 2596	2680	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe	37
PID 2680 wrote to memory of 2596	2680	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe	37
PID 2680 wrote to memory of 2596	2680	{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe	37
PID 2536 wrote to memory of 2952	2536	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe	38
PID 2536 wrote to memory of 2952	2536	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe	38
PID 2536 wrote to memory of 2952	2536	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe	38
PID 2536 wrote to memory of 2952	2536	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe	38
PID 2536 wrote to memory of 1780	2536	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe	39
PID 2536 wrote to memory of 1780	2536	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe	39
PID 2536 wrote to memory of 1780	2536	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe	39
PID 2536 wrote to memory of 1780	2536	{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe	39
PID 2952 wrote to memory of 852	2952	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe	40
PID 2952 wrote to memory of 852	2952	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe	40
PID 2952 wrote to memory of 852	2952	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe	40
PID 2952 wrote to memory of 852	2952	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe	40
PID 2952 wrote to memory of 888	2952	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe	41
PID 2952 wrote to memory of 888	2952	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe	41
PID 2952 wrote to memory of 888	2952	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe	41
PID 2952 wrote to memory of 888	2952	{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe	41
PID 852 wrote to memory of 1004	852	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe	42
PID 852 wrote to memory of 1004	852	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe	42
PID 852 wrote to memory of 1004	852	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe	42
PID 852 wrote to memory of 1004	852	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe	42
PID 852 wrote to memory of 1592	852	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe	43
PID 852 wrote to memory of 1592	852	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe	43
PID 852 wrote to memory of 1592	852	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe	43
PID 852 wrote to memory of 1592	852	{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe	43
PID 1004 wrote to memory of 1252	1004	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe	44
PID 1004 wrote to memory of 1252	1004	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe	44
PID 1004 wrote to memory of 1252	1004	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe	44
PID 1004 wrote to memory of 1252	1004	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe	44
PID 1004 wrote to memory of 856	1004	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe	45
PID 1004 wrote to memory of 856	1004	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe	45
PID 1004 wrote to memory of 856	1004	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe	45
PID 1004 wrote to memory of 856	1004	{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_8f4861fd6e74758cd9280ef68e3677df_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\{36821D55-28EF-44ec-A06E-4A76ED975333}.exe
  C:\Windows\{36821D55-28EF-44ec-A06E-4A76ED975333}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe
    C:\Windows\{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe
      C:\Windows\{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe
        
        C:\Windows\{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe
        
        C:\Windows\{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe
        
        C:\Windows\{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe
        
        C:\Windows\{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\{0ED82234-0AA7-41d6-A763-642FA20A110D}.exe
        
        C:\Windows\{0ED82234-0AA7-41d6-A763-642FA20A110D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\{6694B736-E224-4f71-B667-2AE05314932C}.exe
        
        C:\Windows\{6694B736-E224-4f71-B667-2AE05314932C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\{949679EE-852A-49c0-B1AC-A4AECBAD5584}.exe
        
        C:\Windows\{949679EE-852A-49c0-B1AC-A4AECBAD5584}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{E2922BFA-2F2D-4b08-89CD-30A349732B4C}.exe
        
        C:\Windows\{E2922BFA-2F2D-4b08-89CD-30A349732B4C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94967~1.EXE > nul
        12⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6694B~1.EXE > nul
        11⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0ED82~1.EXE > nul
        10⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7B7A~1.EXE > nul
        9⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5134C~1.EXE > nul
        8⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{580D9~1.EXE > nul
        7⤵
        
        PID:888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF598~1.EXE > nul
        6⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C1DE~1.EXE > nul
        5⤵
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4DC57~1.EXE > nul
      4⤵
      PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{36821~1.EXE > nul
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0ED82234-0AA7-41d6-A763-642FA20A110D}.exe

Filesize
344KB

MD5
be83de8450beea29e5680f5b89beeec3

SHA1
599dc04745e1d480b09f2f6010ad60eab0c2f08b

SHA256
19214dbec2b844f898f7258785699a09c6843da258ebb08f500c9d4529324e13

SHA512
6fc8f13dc9d1a155ed4b9e366cf4ef58800ddf92835288375e3ecd74c5af92ab13ad5a268c98ed07783b2845b75999cf7dd1f5046e85d746f0271ddb0afc8587

Download Submit
C:\Windows\{36821D55-28EF-44ec-A06E-4A76ED975333}.exe

Filesize
344KB

MD5
5f26697e7f4d85e7a45a074ecf7ca707

SHA1
6e9cc90adbc7e2d65fa41d0c49eebd68e5ef31b5

SHA256
7cd3eb52044cafe3c6bdde7eb98552a4ced7bc045c1052f5b0b6e80324a52dac

SHA512
1301c04667cb42e163895b23939f9cb3627ae3a8fe66d23e1885b138e6b9d439374d100cdcc19be53d1b918102fc99afa57c76f295826f8dbe0b0652fdba1e56

Download Submit
C:\Windows\{4C1DEED3-5EB0-4331-8BCF-F4443C7395AE}.exe

Filesize
344KB

MD5
05b5e7163f8a848e1edb1e33e58079a8

SHA1
5352ee4680d9176cacfa4c1c0ae479b9ac8f8d99

SHA256
c1667446ca919933a453ffec6f8fdafb83e3c2f1e6d187f9cea723a26a6088f0

SHA512
2db76d8e5cd9a12562268734c31614d16ae594e7a5bdf01aa812c52b8886baefd27be2df7586de377a5e3bcc65dc523739d1831ef5e2a6659830fe705f94c484

Download Submit
C:\Windows\{4DC5708D-BBE2-46f1-9556-5A2798AB192A}.exe

Filesize
344KB

MD5
6239fd3a7bc5ee2e37c357d4085601d2

SHA1
fb855651b0c40316a1693f0ea247e4e207b0cc81

SHA256
e147a2faff1cc5554847e066ee691dab12832e0ef04a0835bc820f9f27f1232a

SHA512
3c55b251ac5c678e6266499e3f74de9bd45adad22f5ab9351041c14870457aaaa118dc9892de7cea759c5b935095d69835a147424b5f5ca015f6365c698ea41a

Download Submit
C:\Windows\{5134C284-A99E-4d7d-ACDF-6B0DD2195E19}.exe

Filesize
344KB

MD5
dbac164498485351c1053073dc0918b3

SHA1
7ae6d50051147ae74343282f2c470d866782eec4

SHA256
6e3f9a64fb442667719748530ca8004fc69e4089afcda970c04f2a4e8de59eb5

SHA512
9ce241abe6ee93c5cacb6706cb6f820744063c33cc950bf5e5e24636840880f2d0803c7afbfa6323c233bb0aa5004d96effc7667da60cce0bb7ac18ba753afbb

Download Submit
C:\Windows\{580D9D65-8AFA-4638-80F4-98972D7AF400}.exe

Filesize
344KB

MD5
f90a6fe3b382e0bededdfb4692bc636a

SHA1
b95968cc8496b56e54d29f35b7ad82d6da2ef3f0

SHA256
063bd6009b7facd8a9a36717b61e84ea79d7760edf61ecaa4c5832e5ad6ee1b8

SHA512
ac09e9e9c8f701ce8ac33fed95160f1f6376dce615622723252a3f4c01eda182e3cb7caefcf5365bfed3b15d03be6f9ec6a21bae74866ff1ef204999a761f433

Download Submit
C:\Windows\{6694B736-E224-4f71-B667-2AE05314932C}.exe

Filesize
344KB

MD5
33a63fc8587b2812b83b61c6a9db50ab

SHA1
b68f287962ca9714a72206203647b5516cf2eb48

SHA256
503999d163abc0523fc6a5521e7347f893c958b7b72a0c6c72761ec3561a831d

SHA512
1788e8a38c2d8c29e252e6f9aed4c128adf6e8ac22c86f58b1995fdf208f00dad6e8c4d9bcb297be33802604efbbdfc6f1ebd491b33dacfc07f1816fd70721dc

Download Submit
C:\Windows\{949679EE-852A-49c0-B1AC-A4AECBAD5584}.exe

Filesize
344KB

MD5
8db90cc7479fd8d0f5f1834356e401fb

SHA1
f85d2d5632c3b685d99a7a2441b44e1abe134a06

SHA256
608362ef7cb6f62cfe4fbacaa4db7b5baa42b656981ddebdf5d5e0774711dea4

SHA512
2283579e9eddad8eed1be2e2d22f8b44c73e4b5f46bf1ea6a644718c6a6cd19115f2d82ba9243aa6028b57ca8b209dde9ed8b835a2559d4db6a086cd63b768a1

Download Submit
C:\Windows\{A7B7ABF0-7FBB-4c2e-8EB3-98EA18056706}.exe

Filesize
344KB

MD5
16d40d5851085cfc4cceffa6f2fc0e0d

SHA1
7ecff239c42c36f627e0589febebe7ef6254bdce

SHA256
811a18cf7b489b0d0b0596ff21789f3deeca9914987344b71aa6765e25389836

SHA512
b5d4fee4ceb754168738ca3544a27d6f34b78da9d7ecc8a93374751cdd02fdc903ec6ca6a5a3f161aa5c9935809e0815738b2f39fe8ba24b334557fa187c54f7

Download Submit
C:\Windows\{BF59813F-62A7-4d13-B2A4-03CDD5F051C0}.exe

Filesize
344KB

MD5
25efb0d2deef7ac48661cae0eef310d9

SHA1
421301f7b347361726c5d359e9817f405a4e2922

SHA256
3ffc866adaf8a12dcdf5b904a2b9f12c65fc37608e265ed9575815c9fabe6909

SHA512
b619a5105182d19505d8f5312907ba1d119a14f6274a115d083448aea77cd9d671978bede415a2122b98e9187e5319bdb853de1f99d10aeee488ee441a412477

Download Submit
C:\Windows\{E2922BFA-2F2D-4b08-89CD-30A349732B4C}.exe

Filesize
344KB

MD5
a12c5a15e927e54e62e1eddddffdf60c

SHA1
dd005ffb675d3a67413ada0a352da9bf0665767c

SHA256
4ec92d98dd25265b8196bf06620b61b45dc4efd4a754cfcd726bee2bf597d16e

SHA512
efcfc1ce0ec112b6a50873daaeb9b65ed4c0d73c123cc407e99b9c48af089092cb5cad9074dafb3bc3716977cd1cc2183cc3a7e5a00e3d6ebe6d5d76df62884b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads