c48c0159af432af892cebaf6b043e9fcf5abef2924e2c11606f21ebca4b439d8

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe
Size

197KB
MD5

f629a8a7e8a4ef5329ad1c3b798fcdd4
SHA1

0da522f7c7e2dbdca6ea39cabcaadfab51ff85e4
SHA256

c48c0159af432af892cebaf6b043e9fcf5abef2924e2c11606f21ebca4b439d8
SHA512

a9ed68579b02df9fecfd803902dce50804847abb4b0a427a66300430c79b8b726eeec66bbf475dad2c6a32363a06114285acc9ed4d79adef789ecc8f30ca030a
SSDEEP

3072:jEGh0o6l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGAlEeKcAEca

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7D93D63-1A70-4a6e-8FFF-4A8DD3BD9158}\stubpath = "C:\\Windows\\{E7D93D63-1A70-4a6e-8FFF-4A8DD3BD9158}.exe"	{2A939C2A-0F9F-4f8a-8BA7-A917C3B6A9F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{822B7914-BF18-4cc6-8FD9-64ECCE57F5B3}\stubpath = "C:\\Windows\\{822B7914-BF18-4cc6-8FD9-64ECCE57F5B3}.exe"	{E7D93D63-1A70-4a6e-8FFF-4A8DD3BD9158}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDA305EC-C54C-4235-A222-41C5586A9A31}\stubpath = "C:\\Windows\\{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe"	{9B3C025A-8561-4069-8832-CE194192D551}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B97A8B3-5110-41ed-945F-A3CD13239B15}\stubpath = "C:\\Windows\\{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe"	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A939C2A-0F9F-4f8a-8BA7-A917C3B6A9F9}	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{822B7914-BF18-4cc6-8FD9-64ECCE57F5B3}	{E7D93D63-1A70-4a6e-8FFF-4A8DD3BD9158}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDA305EC-C54C-4235-A222-41C5586A9A31}	{9B3C025A-8561-4069-8832-CE194192D551}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}\stubpath = "C:\\Windows\\{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe"	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B97A8B3-5110-41ed-945F-A3CD13239B15}	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45DA1D47-1136-476c-A83D-7B38832327D7}\stubpath = "C:\\Windows\\{45DA1D47-1136-476c-A83D-7B38832327D7}.exe"	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45483903-93E6-4788-826B-F3983BE3CB2E}	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45483903-93E6-4788-826B-F3983BE3CB2E}\stubpath = "C:\\Windows\\{45483903-93E6-4788-826B-F3983BE3CB2E}.exe"	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A939C2A-0F9F-4f8a-8BA7-A917C3B6A9F9}\stubpath = "C:\\Windows\\{2A939C2A-0F9F-4f8a-8BA7-A917C3B6A9F9}.exe"	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{171602F0-C38F-4dec-88FD-6607874A235C}	{822B7914-BF18-4cc6-8FD9-64ECCE57F5B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B3C025A-8561-4069-8832-CE194192D551}	2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B3C025A-8561-4069-8832-CE194192D551}\stubpath = "C:\\Windows\\{9B3C025A-8561-4069-8832-CE194192D551}.exe"	2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45DA1D47-1136-476c-A83D-7B38832327D7}	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{171602F0-C38F-4dec-88FD-6607874A235C}\stubpath = "C:\\Windows\\{171602F0-C38F-4dec-88FD-6607874A235C}.exe"	{822B7914-BF18-4cc6-8FD9-64ECCE57F5B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9C4317C-EAB9-47fe-933E-D38D24B3B246}	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9C4317C-EAB9-47fe-933E-D38D24B3B246}\stubpath = "C:\\Windows\\{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe"	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7D93D63-1A70-4a6e-8FFF-4A8DD3BD9158}	{2A939C2A-0F9F-4f8a-8BA7-A917C3B6A9F9}.exe

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2924	{9B3C025A-8561-4069-8832-CE194192D551}.exe
2732	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe
2168	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe
1036	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe
2748	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe
1784	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe
2356	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe
332	{2A939C2A-0F9F-4f8a-8BA7-A917C3B6A9F9}.exe
3024	{E7D93D63-1A70-4a6e-8FFF-4A8DD3BD9158}.exe
324	{822B7914-BF18-4cc6-8FD9-64ECCE57F5B3}.exe
1396	{171602F0-C38F-4dec-88FD-6607874A235C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9B3C025A-8561-4069-8832-CE194192D551}.exe	2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe
File created	C:\Windows\{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe	{9B3C025A-8561-4069-8832-CE194192D551}.exe
File created	C:\Windows\{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe
File created	C:\Windows\{E7D93D63-1A70-4a6e-8FFF-4A8DD3BD9158}.exe	{2A939C2A-0F9F-4f8a-8BA7-A917C3B6A9F9}.exe
File created	C:\Windows\{822B7914-BF18-4cc6-8FD9-64ECCE57F5B3}.exe	{E7D93D63-1A70-4a6e-8FFF-4A8DD3BD9158}.exe
File created	C:\Windows\{171602F0-C38F-4dec-88FD-6607874A235C}.exe	{822B7914-BF18-4cc6-8FD9-64ECCE57F5B3}.exe
File created	C:\Windows\{45DA1D47-1136-476c-A83D-7B38832327D7}.exe	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe
File created	C:\Windows\{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe
File created	C:\Windows\{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe
File created	C:\Windows\{45483903-93E6-4788-826B-F3983BE3CB2E}.exe	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe
File created	C:\Windows\{2A939C2A-0F9F-4f8a-8BA7-A917C3B6A9F9}.exe	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1508	2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2924	{9B3C025A-8561-4069-8832-CE194192D551}.exe
Token: SeIncBasePriorityPrivilege	2732	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe
Token: SeIncBasePriorityPrivilege	2168	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe
Token: SeIncBasePriorityPrivilege	1036	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe
Token: SeIncBasePriorityPrivilege	2748	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe
Token: SeIncBasePriorityPrivilege	1784	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe
Token: SeIncBasePriorityPrivilege	2356	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe
Token: SeIncBasePriorityPrivilege	332	{2A939C2A-0F9F-4f8a-8BA7-A917C3B6A9F9}.exe
Token: SeIncBasePriorityPrivilege	3024	{E7D93D63-1A70-4a6e-8FFF-4A8DD3BD9158}.exe
Token: SeIncBasePriorityPrivilege	324	{822B7914-BF18-4cc6-8FD9-64ECCE57F5B3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2924	1508	2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe	28
PID 1508 wrote to memory of 2924	1508	2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe	28
PID 1508 wrote to memory of 2924	1508	2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe	28
PID 1508 wrote to memory of 2924	1508	2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe	28
PID 1508 wrote to memory of 2572	1508	2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe	29
PID 1508 wrote to memory of 2572	1508	2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe	29
PID 1508 wrote to memory of 2572	1508	2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe	29
PID 1508 wrote to memory of 2572	1508	2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe	29
PID 2924 wrote to memory of 2732	2924	{9B3C025A-8561-4069-8832-CE194192D551}.exe	30
PID 2924 wrote to memory of 2732	2924	{9B3C025A-8561-4069-8832-CE194192D551}.exe	30
PID 2924 wrote to memory of 2732	2924	{9B3C025A-8561-4069-8832-CE194192D551}.exe	30
PID 2924 wrote to memory of 2732	2924	{9B3C025A-8561-4069-8832-CE194192D551}.exe	30
PID 2924 wrote to memory of 2460	2924	{9B3C025A-8561-4069-8832-CE194192D551}.exe	31
PID 2924 wrote to memory of 2460	2924	{9B3C025A-8561-4069-8832-CE194192D551}.exe	31
PID 2924 wrote to memory of 2460	2924	{9B3C025A-8561-4069-8832-CE194192D551}.exe	31
PID 2924 wrote to memory of 2460	2924	{9B3C025A-8561-4069-8832-CE194192D551}.exe	31
PID 2732 wrote to memory of 2168	2732	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe	32
PID 2732 wrote to memory of 2168	2732	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe	32
PID 2732 wrote to memory of 2168	2732	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe	32
PID 2732 wrote to memory of 2168	2732	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe	32
PID 2732 wrote to memory of 2424	2732	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe	33
PID 2732 wrote to memory of 2424	2732	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe	33
PID 2732 wrote to memory of 2424	2732	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe	33
PID 2732 wrote to memory of 2424	2732	{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe	33
PID 2168 wrote to memory of 1036	2168	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe	36
PID 2168 wrote to memory of 1036	2168	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe	36
PID 2168 wrote to memory of 1036	2168	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe	36
PID 2168 wrote to memory of 1036	2168	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe	36
PID 2168 wrote to memory of 1708	2168	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe	37
PID 2168 wrote to memory of 1708	2168	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe	37
PID 2168 wrote to memory of 1708	2168	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe	37
PID 2168 wrote to memory of 1708	2168	{45DA1D47-1136-476c-A83D-7B38832327D7}.exe	37
PID 1036 wrote to memory of 2748	1036	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe	38
PID 1036 wrote to memory of 2748	1036	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe	38
PID 1036 wrote to memory of 2748	1036	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe	38
PID 1036 wrote to memory of 2748	1036	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe	38
PID 1036 wrote to memory of 2308	1036	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe	39
PID 1036 wrote to memory of 2308	1036	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe	39
PID 1036 wrote to memory of 2308	1036	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe	39
PID 1036 wrote to memory of 2308	1036	{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe	39
PID 2748 wrote to memory of 1784	2748	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe	40
PID 2748 wrote to memory of 1784	2748	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe	40
PID 2748 wrote to memory of 1784	2748	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe	40
PID 2748 wrote to memory of 1784	2748	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe	40
PID 2748 wrote to memory of 2036	2748	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe	41
PID 2748 wrote to memory of 2036	2748	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe	41
PID 2748 wrote to memory of 2036	2748	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe	41
PID 2748 wrote to memory of 2036	2748	{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe	41
PID 1784 wrote to memory of 2356	1784	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe	42
PID 1784 wrote to memory of 2356	1784	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe	42
PID 1784 wrote to memory of 2356	1784	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe	42
PID 1784 wrote to memory of 2356	1784	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe	42
PID 1784 wrote to memory of 1012	1784	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe	43
PID 1784 wrote to memory of 1012	1784	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe	43
PID 1784 wrote to memory of 1012	1784	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe	43
PID 1784 wrote to memory of 1012	1784	{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe	43
PID 2356 wrote to memory of 332	2356	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe	44
PID 2356 wrote to memory of 332	2356	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe	44
PID 2356 wrote to memory of 332	2356	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe	44
PID 2356 wrote to memory of 332	2356	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe	44
PID 2356 wrote to memory of 1680	2356	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe	45
PID 2356 wrote to memory of 1680	2356	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe	45
PID 2356 wrote to memory of 1680	2356	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe	45
PID 2356 wrote to memory of 1680	2356	{45483903-93E6-4788-826B-F3983BE3CB2E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_f629a8a7e8a4ef5329ad1c3b798fcdd4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\{9B3C025A-8561-4069-8832-CE194192D551}.exe
  C:\Windows\{9B3C025A-8561-4069-8832-CE194192D551}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe
    C:\Windows\{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\{45DA1D47-1136-476c-A83D-7B38832327D7}.exe
      C:\Windows\{45DA1D47-1136-476c-A83D-7B38832327D7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe
        
        C:\Windows\{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe
        
        C:\Windows\{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe
        
        C:\Windows\{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{45483903-93E6-4788-826B-F3983BE3CB2E}.exe
        
        C:\Windows\{45483903-93E6-4788-826B-F3983BE3CB2E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\{2A939C2A-0F9F-4f8a-8BA7-A917C3B6A9F9}.exe
        
        C:\Windows\{2A939C2A-0F9F-4f8a-8BA7-A917C3B6A9F9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\{E7D93D63-1A70-4a6e-8FFF-4A8DD3BD9158}.exe
        
        C:\Windows\{E7D93D63-1A70-4a6e-8FFF-4A8DD3BD9158}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\{822B7914-BF18-4cc6-8FD9-64ECCE57F5B3}.exe
        
        C:\Windows\{822B7914-BF18-4cc6-8FD9-64ECCE57F5B3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\{171602F0-C38F-4dec-88FD-6607874A235C}.exe
        
        C:\Windows\{171602F0-C38F-4dec-88FD-6607874A235C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{822B7~1.EXE > nul
        12⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7D93~1.EXE > nul
        11⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A939~1.EXE > nul
        10⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45483~1.EXE > nul
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B97A~1.EXE > nul
        8⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB205~1.EXE > nul
        7⤵
        
        PID:2036
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9C43~1.EXE > nul
        6⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45DA1~1.EXE > nul
        5⤵
        
        PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FDA30~1.EXE > nul
      4⤵
      PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9B3C0~1.EXE > nul
    3⤵
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{171602F0-C38F-4dec-88FD-6607874A235C}.exe

Filesize
197KB

MD5
525a4886f878e69ca2b7507f5784f33c

SHA1
8312518210b69f66cfbc6fc40ca963e9d1a48488

SHA256
447750eb24ce1a65e93d25dbd5167f11ee1b40fdfe930110c0c0fd38181aa37d

SHA512
30d63065ba64563622bac65cede7f3c74d8190f6448232db419291bb0a8d97a660df79156e1dc5d0792f4f815b930495621c7743df440e64f7fd1cd9beeb3395

Download Submit
C:\Windows\{2A939C2A-0F9F-4f8a-8BA7-A917C3B6A9F9}.exe

Filesize
197KB

MD5
f1250331195bdb4beaf9bb04432ffafe

SHA1
ba7ecc626563f3aa2533eff196fbc7eafc9f9531

SHA256
b308cb9bdae8af6deb173de3ba42dd5415fd9ec50933f34d3bc9b21b0be7c5ff

SHA512
6bea7a25ffd328edd23e1a434cece44e4962e58bbc71c92003af2a2b20f29a2439475893a1743fd7f04a8c1cd87f1103fda02fddc9dc3f96339a92f68bf1cd49

Download Submit
C:\Windows\{2B97A8B3-5110-41ed-945F-A3CD13239B15}.exe

Filesize
197KB

MD5
ea30ca27b8ad5cdb89c17204ab456f18

SHA1
77ac04e38cc59d1ba543e744e6416a6e63c29d4d

SHA256
bfa540a6541e055e0c17d09e23755b1ebc6111e493fd63e7002c6d0afb1db4c9

SHA512
1b9c00ec13210ee0e7bb74622a06f7b12ed7a224bdc663eb3135b0110d35b6fc5cd6ace873379ee91b26851f408065c70486ef9d2df900c590b7ae171e0c4521

Download Submit
C:\Windows\{45483903-93E6-4788-826B-F3983BE3CB2E}.exe

Filesize
197KB

MD5
a47877c35ac89d86b128155904e8e363

SHA1
1374aa3f9d313e69c404d071006646217fe210d5

SHA256
f58e8b0d20cfd5a63df596a4b2be23e4e66c23d0dbe35997e409c88544746ac0

SHA512
50eaed4bab888dd2654cd021f8a49d11ef56f62dd6cff381a49fddfbaddea0f60673115238853ac73489cf4aa4e9b69f33fa665b80a51066d1d8308321d170c6

Download Submit
C:\Windows\{45DA1D47-1136-476c-A83D-7B38832327D7}.exe

Filesize
197KB

MD5
6dc0504a76661dcec32c82c2698df2ef

SHA1
9f1c795906447bd2aa5f59705f60c19678942bb9

SHA256
e2904f399638a0ae8ae194e0ffd8dfa131c9703a112a396b3b8d1aa74b192ecb

SHA512
aad85e91ff4fd4ca120ecc937ce6c8c628969f82a3d085a3e7bba7dbc5499a5381fe21087ad6d2a8349d5cd80fea04d60379140752aa6c7a9f3ed976603d01f1

Download Submit
C:\Windows\{822B7914-BF18-4cc6-8FD9-64ECCE57F5B3}.exe

Filesize
197KB

MD5
0a660484899f4e095c58996bf9bd4910

SHA1
73d5c7c40aef30843bc8df04e3cbe8961622cb78

SHA256
e3ca1a768cf3de70234bdfe97dae71f7751f605fd04862034a0a220f44f067c4

SHA512
06ef8dffe57e5609fcc58d8a20ac6785cd655e1306b6d26b3779ed8529b0db54d23f0213aed60c390fc35505bf071870a2d068fba95429417dbd89c8eb3606c5

Download Submit
C:\Windows\{9B3C025A-8561-4069-8832-CE194192D551}.exe

Filesize
197KB

MD5
6200fa868913ab58cf5a413b3aed570d

SHA1
5616f246bd429c964b2c1b14ce46581eae8b3c9e

SHA256
622ff9da9af4e336275be426934014d14323104abbc0552cddc1d2c3e5e680c5

SHA512
6c41d9aeab542d7412309149894b2f7b40f3ab17a509541627bae848dcd0605866b45cc7a04ee8bc01f1df4603c6728d6197ef1c8cc9fa2a0853fd45636920db

Download Submit
C:\Windows\{AB205FA4-9D8B-49c3-BD7A-B97D31BD7307}.exe

Filesize
197KB

MD5
1f20df98a2eb6986b8c18219a612a7f2

SHA1
bad898d9ca4baa30bc9d8626e84e0ae08af6cde8

SHA256
a5457a9cde84499df3ffcc507adec4c6f6018c899b572621461a9d9193eade3a

SHA512
bcef768811ed0094a2e7c58b30971a95b9d83a93cfe540b5254ad60423052716f5b091da8ed178a3d06afb6ce99cb3f89a4ce645ee9d02b6233e219778c52a44

Download Submit
C:\Windows\{E7D93D63-1A70-4a6e-8FFF-4A8DD3BD9158}.exe

Filesize
197KB

MD5
d472e96eccc54ecdd08af889c5add903

SHA1
642a5ef999891743c9e24707852ec0cdccae033b

SHA256
1d155af3a2c89c835fb4b851da64cb853a2595d81f3b4191ce0dba91667258f5

SHA512
da706c7921032d3ba51ad143dac2d7b981bc77a7772cacf1f2469967f36a63d2a0681ff59dd192a01c1479b6efc8dddefc4afaef1f584303d3ab89a20b0875e0

Download Submit
C:\Windows\{F9C4317C-EAB9-47fe-933E-D38D24B3B246}.exe

Filesize
197KB

MD5
daba5a72bad9e3da354d9f9fa20539a6

SHA1
853b0b2124193373b2d9ffd4c25e8b0d66c23737

SHA256
764544a93d080b8705d2d650293fe66d3141eabda7f8c70b6a39641f4f894265

SHA512
f55d161155056e694de006c0ee3bfe4ca183e0ca232aed27e45bc6dd2626e4947c182dd5c93d7116cdfe42fb784b8a1b7be2c10e8dc6e21e13b09bcfc0923819

Download Submit
C:\Windows\{FDA305EC-C54C-4235-A222-41C5586A9A31}.exe

Filesize
197KB

MD5
81757d55782daadbbc23cbc87c01f18e

SHA1
ce6aea0a7ee582a41b17738a88c5aa9b36ecba16

SHA256
5f071bcb323878930635c73410514460e914c65928311e81e99c958c1d2cd877

SHA512
6ebffda8ee71911944e2043515af296d001d875cf11add35bb07d1b06d4ac7780d09d7a1a9d54bb72a33c62e876ff7732c0f6c4be8d7c0a7606ead1e33f763c7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads