5b28384365492cebc5d210e1c554162f16d459a6f62b2894a614e95c77970d5d

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe
Size

372KB
MD5

e2a1f51489b4b04073e76aa2cb43b374
SHA1

76efee2664ce8d47285ffe1009705f5af5fc73c3
SHA256

5b28384365492cebc5d210e1c554162f16d459a6f62b2894a614e95c77970d5d
SHA512

91633056701b4cd9bbdf8919aeb7aec61d9064b7f6812d41cebcc391b42e755e366c7435f60da7fc2b674a7f81acabb6f70a1e2d6004b5e848ba374fd89f625b
SSDEEP

3072:CEGh0o9elMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGClkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{149FD407-178E-4017-8D7E-D1B6883EC8A0}	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60606C73-361F-44a9-BC4D-63EBB3119765}	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D0C25C3-EE95-4beb-B3B2-6BFD50A7B989}	{73F1BDB4-5454-488e-816B-57C8A01267AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F3998F-50C3-4f58-B98C-3113CD206532}\stubpath = "C:\\Windows\\{34F3998F-50C3-4f58-B98C-3113CD206532}.exe"	{1D0C25C3-EE95-4beb-B3B2-6BFD50A7B989}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}	2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}\stubpath = "C:\\Windows\\{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe"	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73F1BDB4-5454-488e-816B-57C8A01267AA}	{60606C73-361F-44a9-BC4D-63EBB3119765}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}\stubpath = "C:\\Windows\\{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe"	2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A15CC8FF-1240-43ec-8405-9A696F59A05C}\stubpath = "C:\\Windows\\{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe"	{16F34218-AD63-43ac-96C5-3B094F785791}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}\stubpath = "C:\\Windows\\{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe"	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73F1BDB4-5454-488e-816B-57C8A01267AA}\stubpath = "C:\\Windows\\{73F1BDB4-5454-488e-816B-57C8A01267AA}.exe"	{60606C73-361F-44a9-BC4D-63EBB3119765}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D0C25C3-EE95-4beb-B3B2-6BFD50A7B989}\stubpath = "C:\\Windows\\{1D0C25C3-EE95-4beb-B3B2-6BFD50A7B989}.exe"	{73F1BDB4-5454-488e-816B-57C8A01267AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F3998F-50C3-4f58-B98C-3113CD206532}	{1D0C25C3-EE95-4beb-B3B2-6BFD50A7B989}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9546BD23-09C8-4411-B463-31ABD88048EE}\stubpath = "C:\\Windows\\{9546BD23-09C8-4411-B463-31ABD88048EE}.exe"	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16F34218-AD63-43ac-96C5-3B094F785791}	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A15CC8FF-1240-43ec-8405-9A696F59A05C}	{16F34218-AD63-43ac-96C5-3B094F785791}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60606C73-361F-44a9-BC4D-63EBB3119765}\stubpath = "C:\\Windows\\{60606C73-361F-44a9-BC4D-63EBB3119765}.exe"	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9546BD23-09C8-4411-B463-31ABD88048EE}	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16F34218-AD63-43ac-96C5-3B094F785791}\stubpath = "C:\\Windows\\{16F34218-AD63-43ac-96C5-3B094F785791}.exe"	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{149FD407-178E-4017-8D7E-D1B6883EC8A0}\stubpath = "C:\\Windows\\{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe"	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe

Executes dropped EXE 11 IoCs

pid	Process
3004	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe
2536	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe
2476	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe
2108	{16F34218-AD63-43ac-96C5-3B094F785791}.exe
2608	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe
1924	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe
1584	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe
1908	{60606C73-361F-44a9-BC4D-63EBB3119765}.exe
1776	{73F1BDB4-5454-488e-816B-57C8A01267AA}.exe
304	{1D0C25C3-EE95-4beb-B3B2-6BFD50A7B989}.exe
828	{34F3998F-50C3-4f58-B98C-3113CD206532}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9546BD23-09C8-4411-B463-31ABD88048EE}.exe	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe
File created	C:\Windows\{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe	{16F34218-AD63-43ac-96C5-3B094F785791}.exe
File created	C:\Windows\{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe
File created	C:\Windows\{73F1BDB4-5454-488e-816B-57C8A01267AA}.exe	{60606C73-361F-44a9-BC4D-63EBB3119765}.exe
File created	C:\Windows\{1D0C25C3-EE95-4beb-B3B2-6BFD50A7B989}.exe	{73F1BDB4-5454-488e-816B-57C8A01267AA}.exe
File created	C:\Windows\{34F3998F-50C3-4f58-B98C-3113CD206532}.exe	{1D0C25C3-EE95-4beb-B3B2-6BFD50A7B989}.exe
File created	C:\Windows\{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe	2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe
File created	C:\Windows\{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe
File created	C:\Windows\{16F34218-AD63-43ac-96C5-3B094F785791}.exe	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe
File created	C:\Windows\{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe
File created	C:\Windows\{60606C73-361F-44a9-BC4D-63EBB3119765}.exe	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2188	2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3004	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe
Token: SeIncBasePriorityPrivilege	2536	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe
Token: SeIncBasePriorityPrivilege	2476	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe
Token: SeIncBasePriorityPrivilege	2108	{16F34218-AD63-43ac-96C5-3B094F785791}.exe
Token: SeIncBasePriorityPrivilege	2608	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe
Token: SeIncBasePriorityPrivilege	1924	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe
Token: SeIncBasePriorityPrivilege	1584	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe
Token: SeIncBasePriorityPrivilege	1908	{60606C73-361F-44a9-BC4D-63EBB3119765}.exe
Token: SeIncBasePriorityPrivilege	1776	{73F1BDB4-5454-488e-816B-57C8A01267AA}.exe
Token: SeIncBasePriorityPrivilege	304	{1D0C25C3-EE95-4beb-B3B2-6BFD50A7B989}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 3004	2188	2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe	30
PID 2188 wrote to memory of 3004	2188	2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe	30
PID 2188 wrote to memory of 3004	2188	2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe	30
PID 2188 wrote to memory of 3004	2188	2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe	30
PID 2188 wrote to memory of 2624	2188	2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe	31
PID 2188 wrote to memory of 2624	2188	2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe	31
PID 2188 wrote to memory of 2624	2188	2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe	31
PID 2188 wrote to memory of 2624	2188	2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe	31
PID 3004 wrote to memory of 2536	3004	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe	32
PID 3004 wrote to memory of 2536	3004	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe	32
PID 3004 wrote to memory of 2536	3004	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe	32
PID 3004 wrote to memory of 2536	3004	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe	32
PID 3004 wrote to memory of 2712	3004	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe	33
PID 3004 wrote to memory of 2712	3004	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe	33
PID 3004 wrote to memory of 2712	3004	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe	33
PID 3004 wrote to memory of 2712	3004	{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe	33
PID 2536 wrote to memory of 2476	2536	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe	34
PID 2536 wrote to memory of 2476	2536	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe	34
PID 2536 wrote to memory of 2476	2536	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe	34
PID 2536 wrote to memory of 2476	2536	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe	34
PID 2536 wrote to memory of 2440	2536	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe	35
PID 2536 wrote to memory of 2440	2536	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe	35
PID 2536 wrote to memory of 2440	2536	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe	35
PID 2536 wrote to memory of 2440	2536	{9546BD23-09C8-4411-B463-31ABD88048EE}.exe	35
PID 2476 wrote to memory of 2108	2476	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe	36
PID 2476 wrote to memory of 2108	2476	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe	36
PID 2476 wrote to memory of 2108	2476	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe	36
PID 2476 wrote to memory of 2108	2476	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe	36
PID 2476 wrote to memory of 2912	2476	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe	37
PID 2476 wrote to memory of 2912	2476	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe	37
PID 2476 wrote to memory of 2912	2476	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe	37
PID 2476 wrote to memory of 2912	2476	{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe	37
PID 2108 wrote to memory of 2608	2108	{16F34218-AD63-43ac-96C5-3B094F785791}.exe	38
PID 2108 wrote to memory of 2608	2108	{16F34218-AD63-43ac-96C5-3B094F785791}.exe	38
PID 2108 wrote to memory of 2608	2108	{16F34218-AD63-43ac-96C5-3B094F785791}.exe	38
PID 2108 wrote to memory of 2608	2108	{16F34218-AD63-43ac-96C5-3B094F785791}.exe	38
PID 2108 wrote to memory of 2748	2108	{16F34218-AD63-43ac-96C5-3B094F785791}.exe	39
PID 2108 wrote to memory of 2748	2108	{16F34218-AD63-43ac-96C5-3B094F785791}.exe	39
PID 2108 wrote to memory of 2748	2108	{16F34218-AD63-43ac-96C5-3B094F785791}.exe	39
PID 2108 wrote to memory of 2748	2108	{16F34218-AD63-43ac-96C5-3B094F785791}.exe	39
PID 2608 wrote to memory of 1924	2608	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe	40
PID 2608 wrote to memory of 1924	2608	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe	40
PID 2608 wrote to memory of 1924	2608	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe	40
PID 2608 wrote to memory of 1924	2608	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe	40
PID 2608 wrote to memory of 1276	2608	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe	41
PID 2608 wrote to memory of 1276	2608	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe	41
PID 2608 wrote to memory of 1276	2608	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe	41
PID 2608 wrote to memory of 1276	2608	{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe	41
PID 1924 wrote to memory of 1584	1924	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe	42
PID 1924 wrote to memory of 1584	1924	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe	42
PID 1924 wrote to memory of 1584	1924	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe	42
PID 1924 wrote to memory of 1584	1924	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe	42
PID 1924 wrote to memory of 484	1924	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe	43
PID 1924 wrote to memory of 484	1924	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe	43
PID 1924 wrote to memory of 484	1924	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe	43
PID 1924 wrote to memory of 484	1924	{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe	43
PID 1584 wrote to memory of 1908	1584	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe	44
PID 1584 wrote to memory of 1908	1584	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe	44
PID 1584 wrote to memory of 1908	1584	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe	44
PID 1584 wrote to memory of 1908	1584	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe	44
PID 1584 wrote to memory of 1860	1584	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe	45
PID 1584 wrote to memory of 1860	1584	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe	45
PID 1584 wrote to memory of 1860	1584	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe	45
PID 1584 wrote to memory of 1860	1584	{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_e2a1f51489b4b04073e76aa2cb43b374_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe
  C:\Windows\{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\{9546BD23-09C8-4411-B463-31ABD88048EE}.exe
    C:\Windows\{9546BD23-09C8-4411-B463-31ABD88048EE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe
      C:\Windows\{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\{16F34218-AD63-43ac-96C5-3B094F785791}.exe
        
        C:\Windows\{16F34218-AD63-43ac-96C5-3B094F785791}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe
        
        C:\Windows\{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe
        
        C:\Windows\{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe
        
        C:\Windows\{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\{60606C73-361F-44a9-BC4D-63EBB3119765}.exe
        
        C:\Windows\{60606C73-361F-44a9-BC4D-63EBB3119765}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\{73F1BDB4-5454-488e-816B-57C8A01267AA}.exe
        
        C:\Windows\{73F1BDB4-5454-488e-816B-57C8A01267AA}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\{1D0C25C3-EE95-4beb-B3B2-6BFD50A7B989}.exe
        
        C:\Windows\{1D0C25C3-EE95-4beb-B3B2-6BFD50A7B989}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Windows\{34F3998F-50C3-4f58-B98C-3113CD206532}.exe
        
        C:\Windows\{34F3998F-50C3-4f58-B98C-3113CD206532}.exe
        12⤵
        Executes dropped EXE
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D0C2~1.EXE > nul
        12⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73F1B~1.EXE > nul
        11⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60606~1.EXE > nul
        10⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD3FC~1.EXE > nul
        9⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{149FD~1.EXE > nul
        8⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A15CC~1.EXE > nul
        7⤵
        
        PID:1276
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16F34~1.EXE > nul
        6⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7A0B~1.EXE > nul
        5⤵
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9546B~1.EXE > nul
      4⤵
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BA43D~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{149FD407-178E-4017-8D7E-D1B6883EC8A0}.exe

Filesize
372KB

MD5
68253ac5d1814b04c492f9220391f80b

SHA1
a8de8260f93e16d43c812ad2c5bb70b4358c9f42

SHA256
2f6ddddcfbedb81c5620e9c21f83bae558645547d63191cbbfaac489e133073b

SHA512
cd62aebb0030c20478f91aec6d8c5195d6302019af6903ed8b54976619174213c3c94a9e51a354492991b446bb0ec45fc49df74ff72b1adc2282de62f9da9470

Download Submit
C:\Windows\{16F34218-AD63-43ac-96C5-3B094F785791}.exe

Filesize
372KB

MD5
0181b5d53542b7bae0515f1e43bb5360

SHA1
d92b2ecd5030432fe00f732a0fb3e9de90224200

SHA256
8e5daef08eede5b26d243a9bc8e4867d2014eef65bfc46bad17eecfce423d033

SHA512
520f4d8113923ff846f2d2e45b980620dc8bdd1adb4cc0fc3e3bb9ece4fa0d29a3b3a76226a4e3669573a0ee57888912e8a12c9eb5cc27288d1504fd39fffe59

Download Submit
C:\Windows\{1D0C25C3-EE95-4beb-B3B2-6BFD50A7B989}.exe

Filesize
372KB

MD5
d05dde3057b30c7a86fcbb20b5669e95

SHA1
c1f12c93e9c894e6285236914b774f8142940da1

SHA256
cd778d779acf091bcee1c417bb8dee4b410b41593dbd57c3d9ac3b4105ae9671

SHA512
db06619ee29eccf52d86d1c311db818fd61e82ae1cc6d8e81c4023ad9a1a3e942145720f514b1edac2a6671948e19f4462571a6de9c6f6435b2230cc252c0fda

Download Submit
C:\Windows\{34F3998F-50C3-4f58-B98C-3113CD206532}.exe

Filesize
372KB

MD5
d720592c866fa523ad3390067fc470e4

SHA1
73e8b68d8b35380b0379c44cea3bd185e08df118

SHA256
0b97fdb7505d9a6fdc9282024480b53772b0e0e7de2b8bbdfb15d56b8de4c5fc

SHA512
ee20e63078745fe1d529cf01b3f06e6289f6176d12c53a9e9036a97eba7cf53f82ca7c19fcfb9f63b628fe6607c2a9a14d7da762727680407de34c88c623bf9e

Download Submit
C:\Windows\{60606C73-361F-44a9-BC4D-63EBB3119765}.exe

Filesize
372KB

MD5
0663270a10fb40c4867fdfcc2942ff4f

SHA1
c35df1e2bc7e294153ed41171b8d48ca1d5a9d1f

SHA256
31fa01bfcc52bc6850b0fd56ead1222a0946b7a7aebba8ce58d57e53f56cc56d

SHA512
21540efc55e06824f5fdde7e5ba14815cdbd5f4cac50fe760bc70bb872d84fb93f5a1b5041e4aa8558a890bbfa69dc345e5492d2bb8894624b9b7070b9fd625e

Download Submit
C:\Windows\{73F1BDB4-5454-488e-816B-57C8A01267AA}.exe

Filesize
372KB

MD5
7330f641fdb2e0f2920730a314c75ddb

SHA1
bf392125874d7a4dcffdd00d899ba015daa0869d

SHA256
9fc143076cdc42051e334bfc8a0a166bbe84b202ec7912b691f4bad0eb713b7b

SHA512
f65eec1ceb0ed9b70e75a90990d4dce6474974018ecee96d73a452c38882df63aa53def81c2859767082eea9dac0dabfee8ece8c28694d943bc56acfdebe736e

Download Submit
C:\Windows\{9546BD23-09C8-4411-B463-31ABD88048EE}.exe

Filesize
372KB

MD5
d1b404c25d289527634a0ad0d502549e

SHA1
12e832258e0ccd120b7a331663312864ff9bb51f

SHA256
eed1a69ee7948ae326d936e33591337f863199cd987a3de50ebcd5d1f55c6be7

SHA512
20c3c9a0444db52f374a9fe74abcefec6714b90143875ca6e4039bf5ccc69b08e70eb8938a444001c859e66823b35cb44b71a1e2c0a5a8d47d395f28af2b78fa

Download Submit
C:\Windows\{A15CC8FF-1240-43ec-8405-9A696F59A05C}.exe

Filesize
372KB

MD5
7f80639587cdc347cc8c301e76525fdb

SHA1
020af135a3ddd004e48e7f2815770121c614cce5

SHA256
cab1b5e0b28950628c4313567cb0bcbd0105f233f7b965bdc6f03d8fa184cf28

SHA512
6e20db4ff7f4d1c278e817ffc58ffd8d522dd10c749a2764ded20803380e98b21244156620cd23ae7b94dbd9b0f7bf7bb6ac2333d67d60041ae70892b3e22d72

Download Submit
C:\Windows\{BA43D2AA-2DC8-4777-BCB9-7C73D91F840A}.exe

Filesize
372KB

MD5
7c5e371cd5ab072cc9c71138155e79f3

SHA1
9de9139b74f65b3eec0f04178ff15c457a2e2e3d

SHA256
d21f8768cceddae808099a43eed94672d6e72e77d7cece96542f43671e635e6f

SHA512
71c7a0f2443f6f0a8dd10adb661d9d7077527f5e151186b766ff096ae0c60dcaea934ea6145f54b22456a5d2e523aecf486b5dc1b399d00e267d6f3d4a523692

Download Submit
C:\Windows\{DD3FCEF4-0C50-4309-A0A7-15EDAF03555C}.exe

Filesize
372KB

MD5
68d85719adb2683bce36a37138e3c645

SHA1
a99c8e10d119d2eb11ef13d8bddca135a98722f4

SHA256
74e4651c97e774c855010bde1c80ccfa25ce8e55a94a7a34d832ef66ce4e3c6b

SHA512
f8911bea9c475d3c16459c807d2519f7ea8842d2eb43b7690b70342fffcd45c1cb647820e22a7f4d685004e5c8e41417442eb7d112c21dd4d7d2aba34b058e59

Download Submit
C:\Windows\{E7A0B905-E27B-4e78-9908-AF5152EA8CA9}.exe

Filesize
372KB

MD5
b50f2aea03f7e7dbf3f7b2e500ca744e

SHA1
40cfbfc44afa870bd37618b8afb47a0164fa5def

SHA256
4f3cfe0a667fabbf13ae9f3035083c76bb1a690915d58f4cfce24d7db609d815

SHA512
7d13a6ec2ce916e4de368ba19436dd32aaff38e89a46262f0a5d77f5f046d00ea56440a4c8fb784d6c01f24e418eee48df44fb6c94f10d37eca92a9bb558da1d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads