22619fe784199c98f5038808fd937e7863410fe441afcc61e54cbcabbca523da

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe
Size

372KB
MD5

55b36f32de2c5684d76a1ea16efae169
SHA1

f19d53ddfbe08cd1aad6b4baa7ece7c4501a9443
SHA256

22619fe784199c98f5038808fd937e7863410fe441afcc61e54cbcabbca523da
SHA512

43b695cd33c7cc96f53175f16c7c622ecf8526d0338a5eea60e49713709c5112d8c06cc5fb222263f52f7955ac5bfea54940d58ff3faab6f5c22451fc8aaa9e5
SSDEEP

3072:CEGh0o4lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGKlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31D961C1-EEB5-4e19-B242-782E23C19EE8}\stubpath = "C:\\Windows\\{31D961C1-EEB5-4e19-B242-782E23C19EE8}.exe"	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9295DF9D-3A1B-421a-AD8F-8E8DE9C80138}	{D27030F0-7629-45f4-921E-77D8E4DA7A8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9295DF9D-3A1B-421a-AD8F-8E8DE9C80138}\stubpath = "C:\\Windows\\{9295DF9D-3A1B-421a-AD8F-8E8DE9C80138}.exe"	{D27030F0-7629-45f4-921E-77D8E4DA7A8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F34571-41FC-40db-9E9B-3756212C52DC}\stubpath = "C:\\Windows\\{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe"	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{799EB86B-E58E-4b64-9783-0664259BCF32}	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEB5017C-824A-403c-A327-6512F52D0367}	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEB5017C-824A-403c-A327-6512F52D0367}\stubpath = "C:\\Windows\\{AEB5017C-824A-403c-A327-6512F52D0367}.exe"	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}\stubpath = "C:\\Windows\\{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe"	{AEB5017C-824A-403c-A327-6512F52D0367}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31D961C1-EEB5-4e19-B242-782E23C19EE8}	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{317FBEC0-22C7-4819-8E45-563BA3137F73}	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{799EB86B-E58E-4b64-9783-0664259BCF32}\stubpath = "C:\\Windows\\{799EB86B-E58E-4b64-9783-0664259BCF32}.exe"	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}\stubpath = "C:\\Windows\\{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe"	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27030F0-7629-45f4-921E-77D8E4DA7A8B}	{8E8F9124-8216-431e-B5C8-DD4A5370C0A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F34571-41FC-40db-9E9B-3756212C52DC}	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}\stubpath = "C:\\Windows\\{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe"	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}	{AEB5017C-824A-403c-A327-6512F52D0367}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E8F9124-8216-431e-B5C8-DD4A5370C0A7}	{31D961C1-EEB5-4e19-B242-782E23C19EE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E8F9124-8216-431e-B5C8-DD4A5370C0A7}\stubpath = "C:\\Windows\\{8E8F9124-8216-431e-B5C8-DD4A5370C0A7}.exe"	{31D961C1-EEB5-4e19-B242-782E23C19EE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27030F0-7629-45f4-921E-77D8E4DA7A8B}\stubpath = "C:\\Windows\\{D27030F0-7629-45f4-921E-77D8E4DA7A8B}.exe"	{8E8F9124-8216-431e-B5C8-DD4A5370C0A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{317FBEC0-22C7-4819-8E45-563BA3137F73}\stubpath = "C:\\Windows\\{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe"	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe

Deletes itself 1 IoCs

pid	Process
1620	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2484	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe
2524	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe
2588	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe
1852	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe
2596	{AEB5017C-824A-403c-A327-6512F52D0367}.exe
1900	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe
2168	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe
640	{31D961C1-EEB5-4e19-B242-782E23C19EE8}.exe
2072	{8E8F9124-8216-431e-B5C8-DD4A5370C0A7}.exe
2100	{D27030F0-7629-45f4-921E-77D8E4DA7A8B}.exe
1572	{9295DF9D-3A1B-421a-AD8F-8E8DE9C80138}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe	{AEB5017C-824A-403c-A327-6512F52D0367}.exe
File created	C:\Windows\{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe
File created	C:\Windows\{31D961C1-EEB5-4e19-B242-782E23C19EE8}.exe	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe
File created	C:\Windows\{D27030F0-7629-45f4-921E-77D8E4DA7A8B}.exe	{8E8F9124-8216-431e-B5C8-DD4A5370C0A7}.exe
File created	C:\Windows\{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe
File created	C:\Windows\{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe
File created	C:\Windows\{AEB5017C-824A-403c-A327-6512F52D0367}.exe	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe
File created	C:\Windows\{8E8F9124-8216-431e-B5C8-DD4A5370C0A7}.exe	{31D961C1-EEB5-4e19-B242-782E23C19EE8}.exe
File created	C:\Windows\{9295DF9D-3A1B-421a-AD8F-8E8DE9C80138}.exe	{D27030F0-7629-45f4-921E-77D8E4DA7A8B}.exe
File created	C:\Windows\{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe
File created	C:\Windows\{799EB86B-E58E-4b64-9783-0664259BCF32}.exe	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2928	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2484	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe
Token: SeIncBasePriorityPrivilege	2524	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe
Token: SeIncBasePriorityPrivilege	2588	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe
Token: SeIncBasePriorityPrivilege	1852	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe
Token: SeIncBasePriorityPrivilege	2596	{AEB5017C-824A-403c-A327-6512F52D0367}.exe
Token: SeIncBasePriorityPrivilege	1900	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe
Token: SeIncBasePriorityPrivilege	2168	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe
Token: SeIncBasePriorityPrivilege	640	{31D961C1-EEB5-4e19-B242-782E23C19EE8}.exe
Token: SeIncBasePriorityPrivilege	2072	{8E8F9124-8216-431e-B5C8-DD4A5370C0A7}.exe
Token: SeIncBasePriorityPrivilege	2100	{D27030F0-7629-45f4-921E-77D8E4DA7A8B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2484	2928	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	28
PID 2928 wrote to memory of 2484	2928	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	28
PID 2928 wrote to memory of 2484	2928	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	28
PID 2928 wrote to memory of 2484	2928	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	28
PID 2928 wrote to memory of 1620	2928	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	29
PID 2928 wrote to memory of 1620	2928	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	29
PID 2928 wrote to memory of 1620	2928	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	29
PID 2928 wrote to memory of 1620	2928	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	29
PID 2484 wrote to memory of 2524	2484	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe	30
PID 2484 wrote to memory of 2524	2484	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe	30
PID 2484 wrote to memory of 2524	2484	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe	30
PID 2484 wrote to memory of 2524	2484	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe	30
PID 2484 wrote to memory of 2552	2484	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe	31
PID 2484 wrote to memory of 2552	2484	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe	31
PID 2484 wrote to memory of 2552	2484	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe	31
PID 2484 wrote to memory of 2552	2484	{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe	31
PID 2524 wrote to memory of 2588	2524	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe	32
PID 2524 wrote to memory of 2588	2524	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe	32
PID 2524 wrote to memory of 2588	2524	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe	32
PID 2524 wrote to memory of 2588	2524	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe	32
PID 2524 wrote to memory of 2324	2524	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe	33
PID 2524 wrote to memory of 2324	2524	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe	33
PID 2524 wrote to memory of 2324	2524	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe	33
PID 2524 wrote to memory of 2324	2524	{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe	33
PID 2588 wrote to memory of 1852	2588	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe	36
PID 2588 wrote to memory of 1852	2588	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe	36
PID 2588 wrote to memory of 1852	2588	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe	36
PID 2588 wrote to memory of 1852	2588	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe	36
PID 2588 wrote to memory of 1356	2588	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe	37
PID 2588 wrote to memory of 1356	2588	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe	37
PID 2588 wrote to memory of 1356	2588	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe	37
PID 2588 wrote to memory of 1356	2588	{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe	37
PID 1852 wrote to memory of 2596	1852	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe	38
PID 1852 wrote to memory of 2596	1852	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe	38
PID 1852 wrote to memory of 2596	1852	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe	38
PID 1852 wrote to memory of 2596	1852	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe	38
PID 1852 wrote to memory of 1944	1852	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe	39
PID 1852 wrote to memory of 1944	1852	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe	39
PID 1852 wrote to memory of 1944	1852	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe	39
PID 1852 wrote to memory of 1944	1852	{799EB86B-E58E-4b64-9783-0664259BCF32}.exe	39
PID 2596 wrote to memory of 1900	2596	{AEB5017C-824A-403c-A327-6512F52D0367}.exe	40
PID 2596 wrote to memory of 1900	2596	{AEB5017C-824A-403c-A327-6512F52D0367}.exe	40
PID 2596 wrote to memory of 1900	2596	{AEB5017C-824A-403c-A327-6512F52D0367}.exe	40
PID 2596 wrote to memory of 1900	2596	{AEB5017C-824A-403c-A327-6512F52D0367}.exe	40
PID 2596 wrote to memory of 2124	2596	{AEB5017C-824A-403c-A327-6512F52D0367}.exe	41
PID 2596 wrote to memory of 2124	2596	{AEB5017C-824A-403c-A327-6512F52D0367}.exe	41
PID 2596 wrote to memory of 2124	2596	{AEB5017C-824A-403c-A327-6512F52D0367}.exe	41
PID 2596 wrote to memory of 2124	2596	{AEB5017C-824A-403c-A327-6512F52D0367}.exe	41
PID 1900 wrote to memory of 2168	1900	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe	42
PID 1900 wrote to memory of 2168	1900	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe	42
PID 1900 wrote to memory of 2168	1900	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe	42
PID 1900 wrote to memory of 2168	1900	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe	42
PID 1900 wrote to memory of 2120	1900	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe	43
PID 1900 wrote to memory of 2120	1900	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe	43
PID 1900 wrote to memory of 2120	1900	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe	43
PID 1900 wrote to memory of 2120	1900	{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe	43
PID 2168 wrote to memory of 640	2168	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe	44
PID 2168 wrote to memory of 640	2168	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe	44
PID 2168 wrote to memory of 640	2168	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe	44
PID 2168 wrote to memory of 640	2168	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe	44
PID 2168 wrote to memory of 1488	2168	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe	45
PID 2168 wrote to memory of 1488	2168	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe	45
PID 2168 wrote to memory of 1488	2168	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe	45
PID 2168 wrote to memory of 1488	2168	{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe
  C:\Windows\{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe
    C:\Windows\{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe
      C:\Windows\{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\{799EB86B-E58E-4b64-9783-0664259BCF32}.exe
        
        C:\Windows\{799EB86B-E58E-4b64-9783-0664259BCF32}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Windows\{AEB5017C-824A-403c-A327-6512F52D0367}.exe
        
        C:\Windows\{AEB5017C-824A-403c-A327-6512F52D0367}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe
        
        C:\Windows\{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe
        
        C:\Windows\{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\{31D961C1-EEB5-4e19-B242-782E23C19EE8}.exe
        
        C:\Windows\{31D961C1-EEB5-4e19-B242-782E23C19EE8}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\{8E8F9124-8216-431e-B5C8-DD4A5370C0A7}.exe
        
        C:\Windows\{8E8F9124-8216-431e-B5C8-DD4A5370C0A7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\{D27030F0-7629-45f4-921E-77D8E4DA7A8B}.exe
        
        C:\Windows\{D27030F0-7629-45f4-921E-77D8E4DA7A8B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\{9295DF9D-3A1B-421a-AD8F-8E8DE9C80138}.exe
        
        C:\Windows\{9295DF9D-3A1B-421a-AD8F-8E8DE9C80138}.exe
        12⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2703~1.EXE > nul
        12⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E8F9~1.EXE > nul
        11⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31D96~1.EXE > nul
        10⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E5A5~1.EXE > nul
        9⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43EE0~1.EXE > nul
        8⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEB50~1.EXE > nul
        7⤵
        
        PID:2124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{799EB~1.EXE > nul
        6⤵
        
        PID:1944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA46B~1.EXE > nul
        5⤵
        
        PID:1356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{317FB~1.EXE > nul
      4⤵
      PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D9F34~1.EXE > nul
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{317FBEC0-22C7-4819-8E45-563BA3137F73}.exe

Filesize
372KB

MD5
0b9cddeaf74e2d0d93c9fc2bcb9a24d4

SHA1
b3b818aac8bbee68a7aea8c3634e67e328f0af73

SHA256
a5a4bfa4527739a57e520f82a6cd0f14cb7103d7a84bc3c6d6ac0098b368ca41

SHA512
1885716c8e272104391ccfdd40ccda3c4f21ed0f1fe9c3d2b04f61a215d06ff496193ee59ff9de5ab4395eb4e6956551c313f29b659a64b9a985e1941ad8a218

Download Submit
C:\Windows\{31D961C1-EEB5-4e19-B242-782E23C19EE8}.exe

Filesize
372KB

MD5
9f1d2df734f7e791063b2b8ebe6d60b8

SHA1
52c4edcbac2836ca42fcd38aa5a4631e37bf12c5

SHA256
a9b32b95253fcb18fe7b33a931a5622db2a835ff959de6b6d50dd423bd8c8bfa

SHA512
dfd61f4dbe3731332d6ad876faada7da222a48d3e0983d16b1eac2d2dfdb2d12d5b841119518fa7a1fd7a621b9e42e1fcd1ad33c5fc71fef6c7d124135b1ff90

Download Submit
C:\Windows\{43EE0EA7-9374-4042-A8D1-FC7CC7D1572B}.exe

Filesize
372KB

MD5
4f698491ec118b9ecac0556b7f454496

SHA1
ca8b9907e49c70cbf26cd0575088b79d43b5e065

SHA256
5760932a93ec95418a031fccff8e3aab32e7e92a35ec1cb278e95cbd567a45be

SHA512
dd38ff46210c885e174fa251f6bbaa07c8621c36b538cab5ef85f3a3d4d993b634d9c9307811244f61ef0adc527e60fe88e38bcba6c1941600a2b11d2725ac56

Download Submit
C:\Windows\{5E5A5E81-03B1-455a-9F0B-D603218B5DA5}.exe

Filesize
372KB

MD5
ff963a3021b74e19c20a0e9b168a7a94

SHA1
8cbdde8f53a8583786c7d415de5188e0a8053d5f

SHA256
27692bca285655d84a56ae093240b7802dddf18c75867ffbaca8e3ee4e0c44b0

SHA512
0d47ded811ecd265cf7001d6a465c14b1e6d28fcbdd7d7d6c1eb12b26129c83953fff60b24a02cafbc501608ad8a306903fb34561c9c2edec1fb37fbbe5a1421

Download Submit
C:\Windows\{799EB86B-E58E-4b64-9783-0664259BCF32}.exe

Filesize
372KB

MD5
82b70c8a0825a59799dcd27f075756a1

SHA1
842c7e8eba8f22e88270abc56c3bff43ba7f42b1

SHA256
807364a655dbbd8bef879810bc67b19bf1b1e8cbb23a45e39ae751219adaac99

SHA512
b5f5e4362a84c3cfaf60ce87c7142feae01fc7d3ae597ad1cfd847bf11cd116b87e8475fb26c0b3a530b2d88dbd43c1b6bb8abf39cc61116124fe55cfd85562a

Download Submit
C:\Windows\{8E8F9124-8216-431e-B5C8-DD4A5370C0A7}.exe

Filesize
372KB

MD5
e05891644794a344c702c3f522d3be0b

SHA1
8e22893ed73c2788c623106cfbda9397aa8e72c5

SHA256
1171e0fd3f750fd050b182fa4de73c0426cc96be1c0e14fe19dfdaa6500c2d97

SHA512
9b4fafb6f372e8e736222faec7e21832e865d90cdb1b0754aed30626a4c31768b42512b4b79bedc0f35b9cdb5782582b105e609de8288de9d5f6f6d4f4472e80

Download Submit
C:\Windows\{9295DF9D-3A1B-421a-AD8F-8E8DE9C80138}.exe

Filesize
372KB

MD5
f4248b212a7c0e366ec15fc1bbd81ad5

SHA1
a106d901dbd7fb1cb4e639e83d1a8cf8f60ebb55

SHA256
c3e12deade1dff962b67de087f34b648951423c79a5d594867faabd3b1935ce5

SHA512
05c89fda7426d01d319066f6d1382d2320e678cdf5d2af6f87bffe19f4d125a4c1a6d8d7766aae831a5c437aa9015010e341f7f4d9b22c11a553ce2f681925cc

Download Submit
C:\Windows\{AEB5017C-824A-403c-A327-6512F52D0367}.exe

Filesize
372KB

MD5
4d0d131fc501528a234b428d630dcc90

SHA1
3a7927f496a181346b3925f9a77e08afc5e7c7b4

SHA256
d3ff63170d9241858477507d498b6cfe6785870a0e9f83eed8a5ea8d19ced697

SHA512
ebdc960b1d1ae89acaf44dfa9c5e2bb35fb17a820f99d190af33916147d2290fa0936c0d74502cb54c168724a4db605fa35f4a9674957cf7bc09aab702908a2a

Download Submit
C:\Windows\{CA46B9CF-BDAC-4299-A3A5-98540AA07B66}.exe

Filesize
372KB

MD5
9d889b9cafeedc4a7af6e3b0f895f5bb

SHA1
07881861f5aea28431688cd4b3d57071e47643bb

SHA256
d4e508b75642c361dbcaa0f2a944abee9e2b5ee184aa48f0fcc0bd7297d10057

SHA512
50edff2c5411d33f98539a3caaf65dbdd351527ca09a1a4392cd0121b07849fe1930915253c45f95369860b93587fe9cd6f4e699421b846c5f0818a59004070b

Download Submit
C:\Windows\{D27030F0-7629-45f4-921E-77D8E4DA7A8B}.exe

Filesize
372KB

MD5
7ded9ecb49852291aa27d10358618007

SHA1
219bca2b1faef6eab4982624cf58d7cf8ddaf604

SHA256
30af12750abff28a74752178d81f6948f3665bf5715721ea4d38920d33a9c2ee

SHA512
79e8508848f49e33641417510e31591dce2eb7ccb02b06cae36c9e180cee7a61b1f944b50f28bd8e902646acb195ca24a0af52e94180bd08949312d7dc367e59

Download Submit
C:\Windows\{D9F34571-41FC-40db-9E9B-3756212C52DC}.exe

Filesize
372KB

MD5
798d16583165eca9cf4eaa9631c3894b

SHA1
1abbcf71512b5ac64f9ca7a1741a232b642a5e86

SHA256
968284192f985f89996252bbabb7a4e65179aa6ec77e000b6f0fea9610154797

SHA512
1bffdecb7b6f75bce7655f702fb633b0a8bdbe7fa5d20becf65bb3d9cd045dacdf8607d6261711adf3bc02df29230c3d789e1d8a6b287ec07dc1656252e1d472

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads