dbf13b1eaa020f948a678e438e25d65285eeeb75762a1ed050566f2a088cfb4d

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 07:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe
Size

216KB
MD5

8e2a9c341f6dac0a840083352946cb1f
SHA1

0d0eb6d228a0f6f8ac8124f74c2b462c06171a18
SHA256

dbf13b1eaa020f948a678e438e25d65285eeeb75762a1ed050566f2a088cfb4d
SHA512

c9925d0634048a36049fc2b7407b9b4171deccadc7d0541cf003e03dc0f7a87a36799fc9820548d271b4e7099550b5ba42436279a6dbcd4be31843548645d87f
SSDEEP

3072:jEGh0oyl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG8lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D660457B-3655-41b2-9774-3FD8399D1F56}\stubpath = "C:\\Windows\\{D660457B-3655-41b2-9774-3FD8399D1F56}.exe"	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B554C8CC-4557-464b-9124-2413F7F9BDCE}\stubpath = "C:\\Windows\\{B554C8CC-4557-464b-9124-2413F7F9BDCE}.exe"	{FC7999E4-365B-4d7f-9F5E-B3D36EECCBFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{760AE3E0-6E8E-43c6-AC91-1E8443B06651}\stubpath = "C:\\Windows\\{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe"	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B554C8CC-4557-464b-9124-2413F7F9BDCE}	{FC7999E4-365B-4d7f-9F5E-B3D36EECCBFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}	2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1EFF04B-9C23-403e-9369-92E5872CBF05}	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82CB067B-3851-4481-8C5D-48B46F4877FF}\stubpath = "C:\\Windows\\{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe"	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A41E45E9-7C3A-4741-AB39-D51FF61A5501}\stubpath = "C:\\Windows\\{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe"	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1EFF04B-9C23-403e-9369-92E5872CBF05}\stubpath = "C:\\Windows\\{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe"	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}\stubpath = "C:\\Windows\\{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe"	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D660457B-3655-41b2-9774-3FD8399D1F56}	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B19E864-ABDD-497e-83F8-E279AE8F3C29}	{E94C1DD2-3194-4ade-91F6-0642B308FBE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}\stubpath = "C:\\Windows\\{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe"	2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82CB067B-3851-4481-8C5D-48B46F4877FF}	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B19E864-ABDD-497e-83F8-E279AE8F3C29}\stubpath = "C:\\Windows\\{3B19E864-ABDD-497e-83F8-E279AE8F3C29}.exe"	{E94C1DD2-3194-4ade-91F6-0642B308FBE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E94C1DD2-3194-4ade-91F6-0642B308FBE0}	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E94C1DD2-3194-4ade-91F6-0642B308FBE0}\stubpath = "C:\\Windows\\{E94C1DD2-3194-4ade-91F6-0642B308FBE0}.exe"	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC7999E4-365B-4d7f-9F5E-B3D36EECCBFF}	{3B19E864-ABDD-497e-83F8-E279AE8F3C29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC7999E4-365B-4d7f-9F5E-B3D36EECCBFF}\stubpath = "C:\\Windows\\{FC7999E4-365B-4d7f-9F5E-B3D36EECCBFF}.exe"	{3B19E864-ABDD-497e-83F8-E279AE8F3C29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{760AE3E0-6E8E-43c6-AC91-1E8443B06651}	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A41E45E9-7C3A-4741-AB39-D51FF61A5501}	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe

Deletes itself 1 IoCs

pid	Process
3056	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2412	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe
2732	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe
2768	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe
2572	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe
2900	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe
1640	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe
820	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe
2696	{E94C1DD2-3194-4ade-91F6-0642B308FBE0}.exe
2084	{3B19E864-ABDD-497e-83F8-E279AE8F3C29}.exe
2940	{FC7999E4-365B-4d7f-9F5E-B3D36EECCBFF}.exe
476	{B554C8CC-4557-464b-9124-2413F7F9BDCE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe
File created	C:\Windows\{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe
File created	C:\Windows\{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe
File created	C:\Windows\{FC7999E4-365B-4d7f-9F5E-B3D36EECCBFF}.exe	{3B19E864-ABDD-497e-83F8-E279AE8F3C29}.exe
File created	C:\Windows\{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe	2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe
File created	C:\Windows\{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe
File created	C:\Windows\{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe
File created	C:\Windows\{D660457B-3655-41b2-9774-3FD8399D1F56}.exe	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe
File created	C:\Windows\{E94C1DD2-3194-4ade-91F6-0642B308FBE0}.exe	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe
File created	C:\Windows\{3B19E864-ABDD-497e-83F8-E279AE8F3C29}.exe	{E94C1DD2-3194-4ade-91F6-0642B308FBE0}.exe
File created	C:\Windows\{B554C8CC-4557-464b-9124-2413F7F9BDCE}.exe	{FC7999E4-365B-4d7f-9F5E-B3D36EECCBFF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2980	2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2412	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe
Token: SeIncBasePriorityPrivilege	2732	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe
Token: SeIncBasePriorityPrivilege	2768	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe
Token: SeIncBasePriorityPrivilege	2572	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe
Token: SeIncBasePriorityPrivilege	2900	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe
Token: SeIncBasePriorityPrivilege	1640	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe
Token: SeIncBasePriorityPrivilege	820	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe
Token: SeIncBasePriorityPrivilege	2696	{E94C1DD2-3194-4ade-91F6-0642B308FBE0}.exe
Token: SeIncBasePriorityPrivilege	2084	{3B19E864-ABDD-497e-83F8-E279AE8F3C29}.exe
Token: SeIncBasePriorityPrivilege	2940	{FC7999E4-365B-4d7f-9F5E-B3D36EECCBFF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2412	2980	2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe	28
PID 2980 wrote to memory of 2412	2980	2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe	28
PID 2980 wrote to memory of 2412	2980	2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe	28
PID 2980 wrote to memory of 2412	2980	2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe	28
PID 2980 wrote to memory of 3056	2980	2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe	29
PID 2980 wrote to memory of 3056	2980	2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe	29
PID 2980 wrote to memory of 3056	2980	2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe	29
PID 2980 wrote to memory of 3056	2980	2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe	29
PID 2412 wrote to memory of 2732	2412	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe	30
PID 2412 wrote to memory of 2732	2412	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe	30
PID 2412 wrote to memory of 2732	2412	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe	30
PID 2412 wrote to memory of 2732	2412	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe	30
PID 2412 wrote to memory of 2672	2412	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe	31
PID 2412 wrote to memory of 2672	2412	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe	31
PID 2412 wrote to memory of 2672	2412	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe	31
PID 2412 wrote to memory of 2672	2412	{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe	31
PID 2732 wrote to memory of 2768	2732	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe	32
PID 2732 wrote to memory of 2768	2732	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe	32
PID 2732 wrote to memory of 2768	2732	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe	32
PID 2732 wrote to memory of 2768	2732	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe	32
PID 2732 wrote to memory of 2728	2732	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe	33
PID 2732 wrote to memory of 2728	2732	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe	33
PID 2732 wrote to memory of 2728	2732	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe	33
PID 2732 wrote to memory of 2728	2732	{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe	33
PID 2768 wrote to memory of 2572	2768	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe	36
PID 2768 wrote to memory of 2572	2768	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe	36
PID 2768 wrote to memory of 2572	2768	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe	36
PID 2768 wrote to memory of 2572	2768	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe	36
PID 2768 wrote to memory of 3032	2768	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe	37
PID 2768 wrote to memory of 3032	2768	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe	37
PID 2768 wrote to memory of 3032	2768	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe	37
PID 2768 wrote to memory of 3032	2768	{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe	37
PID 2572 wrote to memory of 2900	2572	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe	38
PID 2572 wrote to memory of 2900	2572	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe	38
PID 2572 wrote to memory of 2900	2572	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe	38
PID 2572 wrote to memory of 2900	2572	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe	38
PID 2572 wrote to memory of 3000	2572	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe	39
PID 2572 wrote to memory of 3000	2572	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe	39
PID 2572 wrote to memory of 3000	2572	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe	39
PID 2572 wrote to memory of 3000	2572	{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe	39
PID 2900 wrote to memory of 1640	2900	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe	40
PID 2900 wrote to memory of 1640	2900	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe	40
PID 2900 wrote to memory of 1640	2900	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe	40
PID 2900 wrote to memory of 1640	2900	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe	40
PID 2900 wrote to memory of 1048	2900	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe	41
PID 2900 wrote to memory of 1048	2900	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe	41
PID 2900 wrote to memory of 1048	2900	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe	41
PID 2900 wrote to memory of 1048	2900	{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe	41
PID 1640 wrote to memory of 820	1640	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe	42
PID 1640 wrote to memory of 820	1640	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe	42
PID 1640 wrote to memory of 820	1640	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe	42
PID 1640 wrote to memory of 820	1640	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe	42
PID 1640 wrote to memory of 1444	1640	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe	43
PID 1640 wrote to memory of 1444	1640	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe	43
PID 1640 wrote to memory of 1444	1640	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe	43
PID 1640 wrote to memory of 1444	1640	{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe	43
PID 820 wrote to memory of 2696	820	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe	44
PID 820 wrote to memory of 2696	820	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe	44
PID 820 wrote to memory of 2696	820	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe	44
PID 820 wrote to memory of 2696	820	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe	44
PID 820 wrote to memory of 2616	820	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe	45
PID 820 wrote to memory of 2616	820	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe	45
PID 820 wrote to memory of 2616	820	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe	45
PID 820 wrote to memory of 2616	820	{D660457B-3655-41b2-9774-3FD8399D1F56}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_8e2a9c341f6dac0a840083352946cb1f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe
  C:\Windows\{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe
    C:\Windows\{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe
      C:\Windows\{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe
        
        C:\Windows\{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe
        
        C:\Windows\{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe
        
        C:\Windows\{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{D660457B-3655-41b2-9774-3FD8399D1F56}.exe
        
        C:\Windows\{D660457B-3655-41b2-9774-3FD8399D1F56}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\{E94C1DD2-3194-4ade-91F6-0642B308FBE0}.exe
        
        C:\Windows\{E94C1DD2-3194-4ade-91F6-0642B308FBE0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\{3B19E864-ABDD-497e-83F8-E279AE8F3C29}.exe
        
        C:\Windows\{3B19E864-ABDD-497e-83F8-E279AE8F3C29}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{FC7999E4-365B-4d7f-9F5E-B3D36EECCBFF}.exe
        
        C:\Windows\{FC7999E4-365B-4d7f-9F5E-B3D36EECCBFF}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\{B554C8CC-4557-464b-9124-2413F7F9BDCE}.exe
        
        C:\Windows\{B554C8CC-4557-464b-9124-2413F7F9BDCE}.exe
        12⤵
        Executes dropped EXE
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC799~1.EXE > nul
        12⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B19E~1.EXE > nul
        11⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E94C1~1.EXE > nul
        10⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6604~1.EXE > nul
        9⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D140~1.EXE > nul
        8⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1EFF~1.EXE > nul
        7⤵
        
        PID:1048
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A41E4~1.EXE > nul
        6⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82CB0~1.EXE > nul
        5⤵
        
        PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{760AE~1.EXE > nul
      4⤵
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{62FC3~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D1409B8-B8AD-4d03-AFCD-3A667B15A51E}.exe

Filesize
216KB

MD5
5a73157160a0649dd5e9c1aea0d94580

SHA1
9ac37e859cd9f3040cec59b23fc2d81384bebea3

SHA256
acbc979cd456076cb4a2cfdf13edf5272bd09b284628a5ad6ed41342ea0a2341

SHA512
ab06d021716cbbdd8521f9a2ac2b14dbe7e5ba0af6b285d66896ff388ae5f40663054d75cc01f482a6d39683fe1847ed58aa57cb1691bbf0b8e237521c841474

Download Submit
C:\Windows\{3B19E864-ABDD-497e-83F8-E279AE8F3C29}.exe

Filesize
216KB

MD5
733a3792fc684d4f03da423175c053b1

SHA1
e0229dced41d019da049764af5224e539ecc7841

SHA256
1b17dca104758a3e246ddd631a4b9202f4a88e977f501cb4805684c55df1f954

SHA512
7682e1288a25607aa5e178e49bad56b714f366aedc961cc97406c62524c0ad429199c32964911c8c39ef7f1290008ed23acf1e8ceaeca86ee99d570bcdf84528

Download Submit
C:\Windows\{62FC3CF0-F739-4c52-ADFB-ED73E3174A87}.exe

Filesize
216KB

MD5
f423dcba7b3e9bcc8e146788509a7fca

SHA1
afc605261ebc36509264859554aab217425dd228

SHA256
872d84e1e7b49b9449cd6f65407d0e1ae5f855086d7c48e9e9e255015b1b9efa

SHA512
8a25a55080982f6263273a7a48e99b25299bb84d069d19634e3f7ab8c54b6f4c81de3a0fa20e754379aa1d53450201b606b87e9e87d73400928fc9442f234e7b

Download Submit
C:\Windows\{760AE3E0-6E8E-43c6-AC91-1E8443B06651}.exe

Filesize
216KB

MD5
9d432b7d1abfa10d4a775105134871a0

SHA1
f29dfcab399a4d13deba85578befcf39628620b9

SHA256
656a08cc85204060b0abf16751a8b5343acb5ce5bbf9c69d4d4ba164b15f5937

SHA512
3e1a9b2326eb05f038086313cf417a2e8eabce74565f0878378a270a8b661e227266b5944429f461c53758e6f7f4df4dc29852969372bee2b087d14746586cbf

Download Submit
C:\Windows\{82CB067B-3851-4481-8C5D-48B46F4877FF}.exe

Filesize
216KB

MD5
97f94180cc417f50cd8b9a4791803f6d

SHA1
d520e6230d270e1ce0a99f38430bdbb6ccf99394

SHA256
eb9905483a8357cb4dda1b8f435bffd4a5066d0831826682d5b7d2d53d88b616

SHA512
f382b24e0d84e6bbe217584861120cc42616922e4884f431f328bc318f9cfa8cf216780a0631548568549ce261ef728ac8a9fa8491d51dc21e75fde274c04d8c

Download Submit
C:\Windows\{A41E45E9-7C3A-4741-AB39-D51FF61A5501}.exe

Filesize
216KB

MD5
1e2c9d94e502aa9e48cfa89dc8871c5e

SHA1
6c0482e7b4f383be5ca356bc31d8e4c452e88f74

SHA256
f4f358bf248134f20f3387da631456183f635e584ea9eb1d2e64009bb7015734

SHA512
391cef34d05d36c03a3b172787f151e96afa6423e11a14f23f2367e21dd2a60ce850d45663381f9bbea327f2ecacf6187347316bb64e71cbb20665681a7ecf40

Download Submit
C:\Windows\{B554C8CC-4557-464b-9124-2413F7F9BDCE}.exe

Filesize
216KB

MD5
2fcef80c4230bdb3bd59cf05abb7c266

SHA1
fd65aee79b37d75eb1063da4ce2e9e704dba0641

SHA256
6b03951a1f9df847a6eab418b9f0e329c5b92df649863a0bb490b9a71bb5ec28

SHA512
0b9442d4705e1a316d522c709cc56a8c5212c3e98b3cd6d230d42169d8610b8d9ce9e880304caecb269cc9374e59d476ad7b2b1493187b5850f68ea2c98c747b

Download Submit
C:\Windows\{C1EFF04B-9C23-403e-9369-92E5872CBF05}.exe

Filesize
216KB

MD5
146584042459f26c9a0dacb0502d0e2d

SHA1
fe52a4fbe00f811b784de1a6205f4db24527bf9e

SHA256
b93f12ebe5e6ddd86d553a40b53126a2940158463cc091196f617a18de9252bb

SHA512
38dc7297988b59bdf731a077c11d0769920c657749d9880f13ed6a214c8be2e06fce290e020420645807d522a60785acac341baf191e215282531be88d17f79a

Download Submit
C:\Windows\{D660457B-3655-41b2-9774-3FD8399D1F56}.exe

Filesize
216KB

MD5
ed4dae8dd803e81f15e58068c8ed1be1

SHA1
e829da43964f1bf9c986485724eaaf0c7d34de93

SHA256
f1c483fc25beb2d2ceb66d90a9bbc2c8d606f3da135b614e3ae4fb6e9b9f6143

SHA512
32883437a9bf0c08df8a05dd795eda09d811f611d2f364a57ebe2f32ec1cd6f4e8423960d42de04b61f23657345a9ca82628a8c64d364de7b0fb5e67c4d2fc3b

Download Submit
C:\Windows\{E94C1DD2-3194-4ade-91F6-0642B308FBE0}.exe

Filesize
216KB

MD5
1ce59308b4288f3fda02c89675ea1b06

SHA1
126caaa51b5332e991a6876b172acaca2001a2bd

SHA256
61e6b57953f74c7bff593d8c03deb680122a36c6abd8778e20dbbe74b79fac9a

SHA512
1f2bb5bf9026cdcae5046b9a109f82d50a7336c7de37eee29c0f8720db4fb5bb34bd8c9f984c4da75f920a23c11f3539bad395e94cc8d8d6065237077aeb3b26

Download Submit
C:\Windows\{FC7999E4-365B-4d7f-9F5E-B3D36EECCBFF}.exe

Filesize
216KB

MD5
ad47109608a117c463d0cfac12f9e5f4

SHA1
d879194586b464f2fe2b9ba17b4fc8daa6ebf85a

SHA256
53c57b18f76a1b1532b3c03221aa66f054e3d02bbcaf3c84d6496f6aaad7dd14

SHA512
8dec26b666d8de1e07c6cc6f01261c4e610482b798591c4071447666c8d95ab08170d788486d4d999e99ff9676706f2e21e426dd6f5a124f6404d8fb409bbe8c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads