271e0453fcb4e24725aaf858df346f54c20692c7604699ce06f5827a27ce0aa4

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 11:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe
Size

192KB
MD5

c58873152ec073b71a11658e07beab75
SHA1

88af8356929ea6ac4f02a18994b3510b38f00cca
SHA256

271e0453fcb4e24725aaf858df346f54c20692c7604699ce06f5827a27ce0aa4
SHA512

bd7e7887c01112edd833e237e43a031a562ab840fcc51ee8cdfdaa3bcb2b6bb4de473e7dd7ac54d49c267065c61a4584c783f78821048a1e5f24fccaad5306e8
SSDEEP

1536:1EGh0o8l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o8l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5371E71F-9B86-4dae-872E-235285ADC8F3}	{8F977A8D-CC59-431e-B77F-DCF43144ABB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6FDCC70-76AA-4de8-9949-35C84BA33951}	{5371E71F-9B86-4dae-872E-235285ADC8F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}\stubpath = "C:\\Windows\\{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe"	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{522DB657-0A21-4968-83DF-85DE2086ADD5}	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F977A8D-CC59-431e-B77F-DCF43144ABB7}	{522DB657-0A21-4968-83DF-85DE2086ADD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}\stubpath = "C:\\Windows\\{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe"	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B90E5622-ED1D-4648-83DC-EEF383F39E82}	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A86483DA-05AA-4c3b-8970-69CE5A607260}	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3B0185B-060A-457e-89F1-39C39DC4B9B6}	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5371E71F-9B86-4dae-872E-235285ADC8F3}\stubpath = "C:\\Windows\\{5371E71F-9B86-4dae-872E-235285ADC8F3}.exe"	{8F977A8D-CC59-431e-B77F-DCF43144ABB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6FDCC70-76AA-4de8-9949-35C84BA33951}\stubpath = "C:\\Windows\\{F6FDCC70-76AA-4de8-9949-35C84BA33951}.exe"	{5371E71F-9B86-4dae-872E-235285ADC8F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}\stubpath = "C:\\Windows\\{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe"	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A86483DA-05AA-4c3b-8970-69CE5A607260}\stubpath = "C:\\Windows\\{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe"	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0CEC684-9EA6-4934-BE1D-415C91519C72}	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3B0185B-060A-457e-89F1-39C39DC4B9B6}\stubpath = "C:\\Windows\\{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe"	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F977A8D-CC59-431e-B77F-DCF43144ABB7}\stubpath = "C:\\Windows\\{8F977A8D-CC59-431e-B77F-DCF43144ABB7}.exe"	{522DB657-0A21-4968-83DF-85DE2086ADD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B90E5622-ED1D-4648-83DC-EEF383F39E82}\stubpath = "C:\\Windows\\{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe"	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0CEC684-9EA6-4934-BE1D-415C91519C72}\stubpath = "C:\\Windows\\{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe"	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{522DB657-0A21-4968-83DF-85DE2086ADD5}\stubpath = "C:\\Windows\\{522DB657-0A21-4968-83DF-85DE2086ADD5}.exe"	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe

Deletes itself 1 IoCs

pid	Process
1900	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2284	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe
2088	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe
2520	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe
2804	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe
2452	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe
1588	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe
1548	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe
1860	{522DB657-0A21-4968-83DF-85DE2086ADD5}.exe
1604	{8F977A8D-CC59-431e-B77F-DCF43144ABB7}.exe
2680	{5371E71F-9B86-4dae-872E-235285ADC8F3}.exe
1912	{F6FDCC70-76AA-4de8-9949-35C84BA33951}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe
File created	C:\Windows\{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe
File created	C:\Windows\{522DB657-0A21-4968-83DF-85DE2086ADD5}.exe	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe
File created	C:\Windows\{8F977A8D-CC59-431e-B77F-DCF43144ABB7}.exe	{522DB657-0A21-4968-83DF-85DE2086ADD5}.exe
File created	C:\Windows\{5371E71F-9B86-4dae-872E-235285ADC8F3}.exe	{8F977A8D-CC59-431e-B77F-DCF43144ABB7}.exe
File created	C:\Windows\{F6FDCC70-76AA-4de8-9949-35C84BA33951}.exe	{5371E71F-9B86-4dae-872E-235285ADC8F3}.exe
File created	C:\Windows\{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe
File created	C:\Windows\{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe
File created	C:\Windows\{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe
File created	C:\Windows\{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe
File created	C:\Windows\{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2300	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2284	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe
Token: SeIncBasePriorityPrivilege	2088	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe
Token: SeIncBasePriorityPrivilege	2520	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe
Token: SeIncBasePriorityPrivilege	2804	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe
Token: SeIncBasePriorityPrivilege	2452	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe
Token: SeIncBasePriorityPrivilege	1588	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe
Token: SeIncBasePriorityPrivilege	1548	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe
Token: SeIncBasePriorityPrivilege	1860	{522DB657-0A21-4968-83DF-85DE2086ADD5}.exe
Token: SeIncBasePriorityPrivilege	1604	{8F977A8D-CC59-431e-B77F-DCF43144ABB7}.exe
Token: SeIncBasePriorityPrivilege	2680	{5371E71F-9B86-4dae-872E-235285ADC8F3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2284	2300	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	30
PID 2300 wrote to memory of 2284	2300	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	30
PID 2300 wrote to memory of 2284	2300	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	30
PID 2300 wrote to memory of 2284	2300	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	30
PID 2300 wrote to memory of 1900	2300	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	31
PID 2300 wrote to memory of 1900	2300	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	31
PID 2300 wrote to memory of 1900	2300	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	31
PID 2300 wrote to memory of 1900	2300	2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe	31
PID 2284 wrote to memory of 2088	2284	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe	32
PID 2284 wrote to memory of 2088	2284	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe	32
PID 2284 wrote to memory of 2088	2284	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe	32
PID 2284 wrote to memory of 2088	2284	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe	32
PID 2284 wrote to memory of 2536	2284	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe	33
PID 2284 wrote to memory of 2536	2284	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe	33
PID 2284 wrote to memory of 2536	2284	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe	33
PID 2284 wrote to memory of 2536	2284	{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe	33
PID 2088 wrote to memory of 2520	2088	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe	34
PID 2088 wrote to memory of 2520	2088	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe	34
PID 2088 wrote to memory of 2520	2088	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe	34
PID 2088 wrote to memory of 2520	2088	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe	34
PID 2088 wrote to memory of 2848	2088	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe	35
PID 2088 wrote to memory of 2848	2088	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe	35
PID 2088 wrote to memory of 2848	2088	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe	35
PID 2088 wrote to memory of 2848	2088	{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe	35
PID 2520 wrote to memory of 2804	2520	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe	36
PID 2520 wrote to memory of 2804	2520	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe	36
PID 2520 wrote to memory of 2804	2520	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe	36
PID 2520 wrote to memory of 2804	2520	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe	36
PID 2520 wrote to memory of 2688	2520	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe	37
PID 2520 wrote to memory of 2688	2520	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe	37
PID 2520 wrote to memory of 2688	2520	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe	37
PID 2520 wrote to memory of 2688	2520	{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe	37
PID 2804 wrote to memory of 2452	2804	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe	38
PID 2804 wrote to memory of 2452	2804	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe	38
PID 2804 wrote to memory of 2452	2804	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe	38
PID 2804 wrote to memory of 2452	2804	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe	38
PID 2804 wrote to memory of 2952	2804	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe	39
PID 2804 wrote to memory of 2952	2804	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe	39
PID 2804 wrote to memory of 2952	2804	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe	39
PID 2804 wrote to memory of 2952	2804	{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe	39
PID 2452 wrote to memory of 1588	2452	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe	40
PID 2452 wrote to memory of 1588	2452	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe	40
PID 2452 wrote to memory of 1588	2452	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe	40
PID 2452 wrote to memory of 1588	2452	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe	40
PID 2452 wrote to memory of 1768	2452	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe	41
PID 2452 wrote to memory of 1768	2452	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe	41
PID 2452 wrote to memory of 1768	2452	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe	41
PID 2452 wrote to memory of 1768	2452	{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe	41
PID 1588 wrote to memory of 1548	1588	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe	42
PID 1588 wrote to memory of 1548	1588	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe	42
PID 1588 wrote to memory of 1548	1588	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe	42
PID 1588 wrote to memory of 1548	1588	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe	42
PID 1588 wrote to memory of 2124	1588	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe	43
PID 1588 wrote to memory of 2124	1588	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe	43
PID 1588 wrote to memory of 2124	1588	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe	43
PID 1588 wrote to memory of 2124	1588	{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe	43
PID 1548 wrote to memory of 1860	1548	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe	44
PID 1548 wrote to memory of 1860	1548	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe	44
PID 1548 wrote to memory of 1860	1548	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe	44
PID 1548 wrote to memory of 1860	1548	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe	44
PID 1548 wrote to memory of 1784	1548	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe	45
PID 1548 wrote to memory of 1784	1548	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe	45
PID 1548 wrote to memory of 1784	1548	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe	45
PID 1548 wrote to memory of 1784	1548	{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_c58873152ec073b71a11658e07beab75_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe
  C:\Windows\{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe
    C:\Windows\{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe
      C:\Windows\{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe
        
        C:\Windows\{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe
        
        C:\Windows\{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe
        
        C:\Windows\{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe
        
        C:\Windows\{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\{522DB657-0A21-4968-83DF-85DE2086ADD5}.exe
        
        C:\Windows\{522DB657-0A21-4968-83DF-85DE2086ADD5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\{8F977A8D-CC59-431e-B77F-DCF43144ABB7}.exe
        
        C:\Windows\{8F977A8D-CC59-431e-B77F-DCF43144ABB7}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\{5371E71F-9B86-4dae-872E-235285ADC8F3}.exe
        
        C:\Windows\{5371E71F-9B86-4dae-872E-235285ADC8F3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\{F6FDCC70-76AA-4de8-9949-35C84BA33951}.exe
        
        C:\Windows\{F6FDCC70-76AA-4de8-9949-35C84BA33951}.exe
        12⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5371E~1.EXE > nul
        12⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F977~1.EXE > nul
        11⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{522DB~1.EXE > nul
        10⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3B01~1.EXE > nul
        9⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE764~1.EXE > nul
        8⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0CEC~1.EXE > nul
        7⤵
        
        PID:1768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8648~1.EXE > nul
        6⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B90E5~1.EXE > nul
        5⤵
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A70F~1.EXE > nul
      4⤵
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3694B~1.EXE > nul
    3⤵
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3694B1D5-3AE7-4878-BBA6-D50BE9A1214F}.exe

Filesize
192KB

MD5
c2aa9e8276888d261c23b91fa57318e9

SHA1
797727da7d7904f18db439687cd830ac7052f58f

SHA256
7c67babe5f092f91d014ad73caf7b5c85021f62efc7898bbd05952428b19d6ca

SHA512
15740a969f7cab2b81adc4b9dc7b120aefef3f5064a6b22051f665754d59aaaf0c4ab9e2cf128743e206766ac5d1a395126ef6bb21b3cc18ea27e1ca329ae03c

Download Submit
C:\Windows\{522DB657-0A21-4968-83DF-85DE2086ADD5}.exe

Filesize
192KB

MD5
955e2d6f5f73361f4b7957da811c7020

SHA1
9e056cc806c175e2ef78c285f1c4d0b355db7936

SHA256
3a38678f1102ccfe5523987ea229fc5b43a89372f1092495d8f60ee29929b27f

SHA512
8f5a3d5b77bfdc6167a7dad8742d519e874328010aeba6b5bf8d20f9e351a63860c76dbe8b228060b5986903280da4468b88b974b7804548328e95f80146282f

Download Submit
C:\Windows\{5371E71F-9B86-4dae-872E-235285ADC8F3}.exe

Filesize
192KB

MD5
0be82ad97027478fd5bd6ceb082e8cab

SHA1
3acf9aff1c1941e3c62b49bb256fd0a3596ecaa2

SHA256
9c37f93192001fe4c02d08d33cd57b57592f5c89b7e2dbb56d18e20b295a8967

SHA512
f752298a67878f3113f945e98533b44adef63863ea4e1489fd4d30b49bed7a49d7cf010683091c8250e3eddbe5b04d53679c98a59fdf253a77c5045bb794be48

Download Submit
C:\Windows\{8A70F673-B93F-4f7e-B78A-7A79B8C881DF}.exe

Filesize
192KB

MD5
bd52ead099954ad360401986c4c9a427

SHA1
ba0bcccc18f079b04f46064a99b08224049f86c2

SHA256
cc1a8becee1b044b10859c9dfb87853e09eeb782f1f7ea81df5233ce6fc3d71c

SHA512
e346bcb616940d597dcd783e8324f18b251bcece0b851f265cfa44853317f864e9e428ceb70e579d9c72a2a67c1789f3310ae4aa55a78ecf1bd0fe9ba06220e9

Download Submit
C:\Windows\{8F977A8D-CC59-431e-B77F-DCF43144ABB7}.exe

Filesize
192KB

MD5
6850ea16c1b7546ad087d82a2d03f89b

SHA1
cc80ac5c20b77462ecd1444661efba7af73bb089

SHA256
ae1721c5bb08b2cef605c6553594f9c54f0fb7732cc15b3a49c1a651e95fc4fc

SHA512
0658a2ad68489b7563b82b2f0d300d32e0497db932b4d94dc5a5bccf8f0a5f2f66f1055b22dd430d09f712ea4c2e4fb7ffd70062a24339edbdc5a39fde1dcb78

Download Submit
C:\Windows\{A86483DA-05AA-4c3b-8970-69CE5A607260}.exe

Filesize
192KB

MD5
31f0d18e2a086e9c9efd7b0b41a56344

SHA1
f309564c2cb266566350fd5ab13381faec23827f

SHA256
1a159bee69514891f7412e480adee40ef296bc1e11fa6f34b50ae1b06082fd78

SHA512
430eca40a14b47e739283ecade242167af01b6f9741a832d6fab07cd628364dadef1a40317300c3a854b9010cdb156b7e26860074d90c1796c4582f142975e84

Download Submit
C:\Windows\{B0CEC684-9EA6-4934-BE1D-415C91519C72}.exe

Filesize
192KB

MD5
f5726f4ed8c2e3cc634b938e7e650b3f

SHA1
eae7b10771e5e15aaf9b5d6dc1d21dd895f8f754

SHA256
c7bc674f4678916eb9d1b175a7f02b71dd5c26272f7f535d1070e4981517f7b7

SHA512
983e935851b038d1643df5f5e595d1ea1237cb1eecc8ae6be33e403762dd2648e55fbb809da01b78249a8639b8b9a846ebf59a09e5a0d4ad717e493080220c8a

Download Submit
C:\Windows\{B90E5622-ED1D-4648-83DC-EEF383F39E82}.exe

Filesize
192KB

MD5
7aa1134440c32019afc07fa3e8f266eb

SHA1
8397f25b8bc31cdf216814543686d4d37960a7ce

SHA256
32f757739e3723718e5e0751f42a7135429c95aa342d761137cae297f96a363f

SHA512
9f657b4bb91f96500435598395985a477d52e59981534a66a4e9826dcc1e527b66e1ceb2bfd22a14397f54b6661171634e0ebd755907fc0953108acd0de76727

Download Submit
C:\Windows\{BE7643A2-9C5B-4cd6-9E82-5CB715A9219C}.exe

Filesize
192KB

MD5
32ecdcd8fc0be4c0abd543432a1b6301

SHA1
c8f5b2a9c06662b36857638ed8d8f550d9747de2

SHA256
4881786e83952f010bf6f080565ce277f52bb21d838ef893557eb7ab1b2b7687

SHA512
1814d2bf8ef28d6942cb1d718fbe97fd5b3f794c64f75c54cc87ec91260af362b51faef9ba04a03bf2289432e1ee94de2196f1fa45bf1ac5710310ecf94fef2c

Download Submit
C:\Windows\{D3B0185B-060A-457e-89F1-39C39DC4B9B6}.exe

Filesize
192KB

MD5
6d5dfc7e39ddc227dc27a66e098286ed

SHA1
1365ee94d06831eb8406fd3fa9eeac242a187495

SHA256
380a5ba87f2935369a0c2a4eac2ac4bfb1ff0d1f5034ddbfeb5900705b25413e

SHA512
1009c79c31fa8a4181e6409ec1527338608fd5d34054fca6558ba8789b69c4bab2e6e559da56b68210f84b5e7354c5e240704d0eb2e3d5fa9c7fd89713ecb41f

Download Submit
C:\Windows\{F6FDCC70-76AA-4de8-9949-35C84BA33951}.exe

Filesize
192KB

MD5
1dcdd983f8a97629280b57b3b809a3c4

SHA1
4243f1a04ed7f13092fbe6361a62d2ee8f08cf85

SHA256
e4718fc491374ef0b6fd35d52d4d1cb2c33733456151ba30cbd508fe689a4b71

SHA512
fef0042317f4ca6aae0aafedaeb304d21b16064c143e7ad2f12560e34a7df491ed8d0b9b17a6dbf9d3657b45b19ff994d05dceb4d6035ba4fcda436703bf14ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads