de3f78fbc8965be3a6c1b5de310d76b6ef8bc622c2f124a91531d8816a7093b8

Analysis

max time kernel
144s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe
Size

344KB
MD5

5a4391a560fdb980b144143891e788c8
SHA1

d4ae6706a59d6a77fdcf7a7d111c15d4bf474880
SHA256

de3f78fbc8965be3a6c1b5de310d76b6ef8bc622c2f124a91531d8816a7093b8
SHA512

7a72a4a7de7d8ef6e6731f261f408f1168354fd3929eeb6dcb76f686cd4727043b9a86cd7382cedfb1a2fe6e24c59b4658e07b762f38d3f50874ec930b91e2ac
SSDEEP

3072:mEGh0oflEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGNlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{951B5404-A19A-495f-8001-12393F26129A}\stubpath = "C:\\Windows\\{951B5404-A19A-495f-8001-12393F26129A}.exe"	{64603ED2-5EED-4907-8FA8-0616DFB8D198}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3B03257-4304-4f74-9B84-9B737DBEAD2C}	{951B5404-A19A-495f-8001-12393F26129A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D298448-B731-4ab6-99FA-AC3A372CBE47}	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{614C7615-156E-47f3-90FC-13783E6162A9}	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF42C257-0755-4c8f-8E47-7F6FCB242443}\stubpath = "C:\\Windows\\{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe"	{614C7615-156E-47f3-90FC-13783E6162A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17EB9E92-DFF7-45d3-B3D1-D7222F466780}	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64603ED2-5EED-4907-8FA8-0616DFB8D198}\stubpath = "C:\\Windows\\{64603ED2-5EED-4907-8FA8-0616DFB8D198}.exe"	{57C9E2B9-2066-4449-93D7-1C6FEAE4FD5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C9E2B9-2066-4449-93D7-1C6FEAE4FD5F}\stubpath = "C:\\Windows\\{57C9E2B9-2066-4449-93D7-1C6FEAE4FD5F}.exe"	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3B03257-4304-4f74-9B84-9B737DBEAD2C}\stubpath = "C:\\Windows\\{E3B03257-4304-4f74-9B84-9B737DBEAD2C}.exe"	{951B5404-A19A-495f-8001-12393F26129A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6F73B11-367D-4260-AC67-8553CAA8CF2D}\stubpath = "C:\\Windows\\{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe"	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BBA846A-373E-449b-AA0D-80305F002FDA}\stubpath = "C:\\Windows\\{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe"	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{614C7615-156E-47f3-90FC-13783E6162A9}\stubpath = "C:\\Windows\\{614C7615-156E-47f3-90FC-13783E6162A9}.exe"	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF42C257-0755-4c8f-8E47-7F6FCB242443}	{614C7615-156E-47f3-90FC-13783E6162A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17EB9E92-DFF7-45d3-B3D1-D7222F466780}\stubpath = "C:\\Windows\\{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe"	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6F73B11-367D-4260-AC67-8553CAA8CF2D}	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D298448-B731-4ab6-99FA-AC3A372CBE47}\stubpath = "C:\\Windows\\{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe"	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F188A17-2AAB-4b80-8340-A55CCC856F92}	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{951B5404-A19A-495f-8001-12393F26129A}	{64603ED2-5EED-4907-8FA8-0616DFB8D198}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BBA846A-373E-449b-AA0D-80305F002FDA}	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F188A17-2AAB-4b80-8340-A55CCC856F92}\stubpath = "C:\\Windows\\{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe"	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C9E2B9-2066-4449-93D7-1C6FEAE4FD5F}	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64603ED2-5EED-4907-8FA8-0616DFB8D198}	{57C9E2B9-2066-4449-93D7-1C6FEAE4FD5F}.exe

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2356	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe
2860	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe
2060	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe
2804	{614C7615-156E-47f3-90FC-13783E6162A9}.exe
3060	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe
1912	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe
2528	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe
1100	{57C9E2B9-2066-4449-93D7-1C6FEAE4FD5F}.exe
2964	{64603ED2-5EED-4907-8FA8-0616DFB8D198}.exe
2348	{951B5404-A19A-495f-8001-12393F26129A}.exe
572	{E3B03257-4304-4f74-9B84-9B737DBEAD2C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe
File created	C:\Windows\{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe
File created	C:\Windows\{64603ED2-5EED-4907-8FA8-0616DFB8D198}.exe	{57C9E2B9-2066-4449-93D7-1C6FEAE4FD5F}.exe
File created	C:\Windows\{E3B03257-4304-4f74-9B84-9B737DBEAD2C}.exe	{951B5404-A19A-495f-8001-12393F26129A}.exe
File created	C:\Windows\{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe
File created	C:\Windows\{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe
File created	C:\Windows\{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe	{614C7615-156E-47f3-90FC-13783E6162A9}.exe
File created	C:\Windows\{57C9E2B9-2066-4449-93D7-1C6FEAE4FD5F}.exe	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe
File created	C:\Windows\{951B5404-A19A-495f-8001-12393F26129A}.exe	{64603ED2-5EED-4907-8FA8-0616DFB8D198}.exe
File created	C:\Windows\{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe
File created	C:\Windows\{614C7615-156E-47f3-90FC-13783E6162A9}.exe	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2256	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2356	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe
Token: SeIncBasePriorityPrivilege	2860	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe
Token: SeIncBasePriorityPrivilege	2060	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe
Token: SeIncBasePriorityPrivilege	2804	{614C7615-156E-47f3-90FC-13783E6162A9}.exe
Token: SeIncBasePriorityPrivilege	3060	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe
Token: SeIncBasePriorityPrivilege	1912	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe
Token: SeIncBasePriorityPrivilege	2528	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe
Token: SeIncBasePriorityPrivilege	1100	{57C9E2B9-2066-4449-93D7-1C6FEAE4FD5F}.exe
Token: SeIncBasePriorityPrivilege	2964	{64603ED2-5EED-4907-8FA8-0616DFB8D198}.exe
Token: SeIncBasePriorityPrivilege	2348	{951B5404-A19A-495f-8001-12393F26129A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2356	2256	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	29
PID 2256 wrote to memory of 2356	2256	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	29
PID 2256 wrote to memory of 2356	2256	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	29
PID 2256 wrote to memory of 2356	2256	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	29
PID 2256 wrote to memory of 2580	2256	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	30
PID 2256 wrote to memory of 2580	2256	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	30
PID 2256 wrote to memory of 2580	2256	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	30
PID 2256 wrote to memory of 2580	2256	2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe	30
PID 2356 wrote to memory of 2860	2356	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe	31
PID 2356 wrote to memory of 2860	2356	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe	31
PID 2356 wrote to memory of 2860	2356	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe	31
PID 2356 wrote to memory of 2860	2356	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe	31
PID 2356 wrote to memory of 2896	2356	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe	32
PID 2356 wrote to memory of 2896	2356	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe	32
PID 2356 wrote to memory of 2896	2356	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe	32
PID 2356 wrote to memory of 2896	2356	{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe	32
PID 2860 wrote to memory of 2060	2860	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe	33
PID 2860 wrote to memory of 2060	2860	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe	33
PID 2860 wrote to memory of 2060	2860	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe	33
PID 2860 wrote to memory of 2060	2860	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe	33
PID 2860 wrote to memory of 2900	2860	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe	34
PID 2860 wrote to memory of 2900	2860	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe	34
PID 2860 wrote to memory of 2900	2860	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe	34
PID 2860 wrote to memory of 2900	2860	{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe	34
PID 2060 wrote to memory of 2804	2060	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe	35
PID 2060 wrote to memory of 2804	2060	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe	35
PID 2060 wrote to memory of 2804	2060	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe	35
PID 2060 wrote to memory of 2804	2060	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe	35
PID 2060 wrote to memory of 2744	2060	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe	36
PID 2060 wrote to memory of 2744	2060	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe	36
PID 2060 wrote to memory of 2744	2060	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe	36
PID 2060 wrote to memory of 2744	2060	{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe	36
PID 2804 wrote to memory of 3060	2804	{614C7615-156E-47f3-90FC-13783E6162A9}.exe	37
PID 2804 wrote to memory of 3060	2804	{614C7615-156E-47f3-90FC-13783E6162A9}.exe	37
PID 2804 wrote to memory of 3060	2804	{614C7615-156E-47f3-90FC-13783E6162A9}.exe	37
PID 2804 wrote to memory of 3060	2804	{614C7615-156E-47f3-90FC-13783E6162A9}.exe	37
PID 2804 wrote to memory of 2288	2804	{614C7615-156E-47f3-90FC-13783E6162A9}.exe	38
PID 2804 wrote to memory of 2288	2804	{614C7615-156E-47f3-90FC-13783E6162A9}.exe	38
PID 2804 wrote to memory of 2288	2804	{614C7615-156E-47f3-90FC-13783E6162A9}.exe	38
PID 2804 wrote to memory of 2288	2804	{614C7615-156E-47f3-90FC-13783E6162A9}.exe	38
PID 3060 wrote to memory of 1912	3060	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe	39
PID 3060 wrote to memory of 1912	3060	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe	39
PID 3060 wrote to memory of 1912	3060	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe	39
PID 3060 wrote to memory of 1912	3060	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe	39
PID 3060 wrote to memory of 832	3060	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe	40
PID 3060 wrote to memory of 832	3060	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe	40
PID 3060 wrote to memory of 832	3060	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe	40
PID 3060 wrote to memory of 832	3060	{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe	40
PID 1912 wrote to memory of 2528	1912	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe	41
PID 1912 wrote to memory of 2528	1912	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe	41
PID 1912 wrote to memory of 2528	1912	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe	41
PID 1912 wrote to memory of 2528	1912	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe	41
PID 1912 wrote to memory of 1148	1912	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe	42
PID 1912 wrote to memory of 1148	1912	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe	42
PID 1912 wrote to memory of 1148	1912	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe	42
PID 1912 wrote to memory of 1148	1912	{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe	42
PID 2528 wrote to memory of 1100	2528	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe	43
PID 2528 wrote to memory of 1100	2528	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe	43
PID 2528 wrote to memory of 1100	2528	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe	43
PID 2528 wrote to memory of 1100	2528	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe	43
PID 2528 wrote to memory of 2928	2528	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe	44
PID 2528 wrote to memory of 2928	2528	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe	44
PID 2528 wrote to memory of 2928	2528	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe	44
PID 2528 wrote to memory of 2928	2528	{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_5a4391a560fdb980b144143891e788c8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe
  C:\Windows\{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe
    C:\Windows\{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe
      C:\Windows\{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\{614C7615-156E-47f3-90FC-13783E6162A9}.exe
        
        C:\Windows\{614C7615-156E-47f3-90FC-13783E6162A9}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe
        
        C:\Windows\{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe
        
        C:\Windows\{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe
        
        C:\Windows\{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{57C9E2B9-2066-4449-93D7-1C6FEAE4FD5F}.exe
        
        C:\Windows\{57C9E2B9-2066-4449-93D7-1C6FEAE4FD5F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\{64603ED2-5EED-4907-8FA8-0616DFB8D198}.exe
        
        C:\Windows\{64603ED2-5EED-4907-8FA8-0616DFB8D198}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\{951B5404-A19A-495f-8001-12393F26129A}.exe
        
        C:\Windows\{951B5404-A19A-495f-8001-12393F26129A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\{E3B03257-4304-4f74-9B84-9B737DBEAD2C}.exe
        
        C:\Windows\{E3B03257-4304-4f74-9B84-9B737DBEAD2C}.exe
        12⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{951B5~1.EXE > nul
        12⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64603~1.EXE > nul
        11⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57C9E~1.EXE > nul
        10⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F188~1.EXE > nul
        9⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17EB9~1.EXE > nul
        8⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF42C~1.EXE > nul
        7⤵
        
        PID:832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{614C7~1.EXE > nul
        6⤵
        
        PID:2288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D298~1.EXE > nul
        5⤵
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9BBA8~1.EXE > nul
      4⤵
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B6F73~1.EXE > nul
    3⤵
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17EB9E92-DFF7-45d3-B3D1-D7222F466780}.exe

Filesize
344KB

MD5
10ea420917b4f955f27a866eb7d3e8e0

SHA1
b94ae5242c737e5905074b881ba075c29d55eef2

SHA256
1d84b4cee70a8c8f7d47214981039f055f26e43e2847310e2a8921d0ec873990

SHA512
cb75dd73374194a752fca58cd4aa3bf1ced7620e6bddb8091e613bd9655b1243b14c98f47336e057b679711f70d2b9ae05e9d24433e97c1a9f5a543a79b7994b

Download Submit
C:\Windows\{3F188A17-2AAB-4b80-8340-A55CCC856F92}.exe

Filesize
344KB

MD5
c2fa1f200fa0f3812440f2ed25fe61b9

SHA1
06bbf6ceeed490aa105fac8d8c3a176351af75ac

SHA256
d1a5ddc1357057c95224d356bd6b7108dc3eb6417eb786ecb569f439e99e26d5

SHA512
12b9ec39901e08e4966df555aab733009dd63c1e1408b238b2fcf8d59199c7f3ecaad9f89aa99b5ea19a247059c328443137ef9bb7538d25664b4dbe46af48cf

Download Submit
C:\Windows\{57C9E2B9-2066-4449-93D7-1C6FEAE4FD5F}.exe

Filesize
344KB

MD5
0d0e2986968c2a256c5224471a6bb161

SHA1
e4dea47ea326611fec101ceebdca908147a6b140

SHA256
d786bf0d7e8a49ac394bdfde70f9c3ea6cb5b60e1eb8b1ac92eceeff38913620

SHA512
9c1b6139d03a9c0f8b921f91e795d7d6a19f287c78f578c96c18a7a26a6a4b1dbac3851d199d639137ef3e1559083602e2be61ee9277454e6dbc2b1122df1fb1

Download Submit
C:\Windows\{614C7615-156E-47f3-90FC-13783E6162A9}.exe

Filesize
344KB

MD5
04ea1a537f4f0f38a8bfc4e07438c162

SHA1
132bd3dd78310572ef8f3817f47e4bca8f2bb07d

SHA256
15241020fb26ae675a11d7c15737f4d8cb0fcb2805d23b826c2630698bd1b763

SHA512
364096a2199ea2d2ee5d2ac465f8d41e0dd2a624b053fc07eb9c94fd9e18165daae7f9640958c8f574e066324f963f4310b6a715b6f4cb48d543c48e21b124de

Download Submit
C:\Windows\{64603ED2-5EED-4907-8FA8-0616DFB8D198}.exe

Filesize
344KB

MD5
0ca0320005ae77015317c6f5b73b22d4

SHA1
cb2e6120400af74fca06250470c01167d6283bbb

SHA256
47205aec250b836166ebf185825600a609cff1c89c6bcd445d699b4e076a6c70

SHA512
90968e08aab8f0a7ddd0016b7c66dc3179c99037747f3eeeb01baf2cc13f3faff8a2d3edd1e9cfc66482b655b22a23911848e6017c965def33c874fe7274cf5a

Download Submit
C:\Windows\{951B5404-A19A-495f-8001-12393F26129A}.exe

Filesize
344KB

MD5
f61da50b2fa25a5409ee9b51789038f3

SHA1
2da86fbd65afa2e88a617179bdbd101bff83b9eb

SHA256
ba2728f33f4b77fc188074eafec7183ab66076419f36644bc3d2a93030128346

SHA512
64516840b85d807500f8714ae15b7a4cc36302d7cd0535da8ac6bb47bb8e7970b862584d9e55bda8831e07a7787e4b0ea2bbb6e506c0d0b2224b85b04a3389b9

Download Submit
C:\Windows\{9BBA846A-373E-449b-AA0D-80305F002FDA}.exe

Filesize
344KB

MD5
51311ebed0f7c83bd0938b5ff4117897

SHA1
da3ee536bb53bb13376d8245cffb10769571c22e

SHA256
fca5ebe174239314120c187af2761c727b83dad23d6bf10e6306436b648a5111

SHA512
5dac1afb6350b08f0f397913ac6493cb63a751d313e2ed9b3df959b4ea80d4b3f54ea504a1a883807eb5fd242befedcf8401e4474a88b00dc91922293f8075ed

Download Submit
C:\Windows\{9D298448-B731-4ab6-99FA-AC3A372CBE47}.exe

Filesize
344KB

MD5
c551ce1a0b92679f9f40a24011728ea6

SHA1
5b2c8b2d1c2ffae00d68dacc616f7619d77b417c

SHA256
1e8ebc72bf148604c7ab3ba88e90aa5202faf8a71b1cc14ddc5f73ba02ea79a0

SHA512
898c5a47ac8c4fa631fb65625011c825487d54db895f8eb1ee9e91d3c59e776a3647efe1908899ef11b380713aa4ebb3eb754c2f30b7a6a4b79794e5c100d3ed

Download Submit
C:\Windows\{B6F73B11-367D-4260-AC67-8553CAA8CF2D}.exe

Filesize
344KB

MD5
d5f31f887ea06fc35ebacc0760fb9390

SHA1
0fd61fc3131951fcacf8dfe653c3f78fb51f6be7

SHA256
f9d5ba8ea25711b4ea6c9325d18096f180d57b65f94506ba31192984b9edbc9b

SHA512
28423f5ba79d35fe2591cfe0d43491862989816135a90c85a7c82a372209c9a9a4d26c5cdb3f3646342279df3e36a23524ee527994b06467303ce88f371bc777

Download Submit
C:\Windows\{CF42C257-0755-4c8f-8E47-7F6FCB242443}.exe

Filesize
344KB

MD5
6865b3e46c979531c0f4b7777f1bdf5f

SHA1
a94518decf2c8eb40b41c07c772037a13ad94e40

SHA256
8b1e5c08fe032c3fc5b1926aeb53a51431c20d2bf26787d9acd36e61fcb8fc21

SHA512
d98c4a2e7df6e671feaf9968bbe385446c21b4b5972dc580ff58b36f14f9696ca6b85db933a52e84b44a8b567f26b93b90c091b1e2a79bbeb09ef91873b24fff

Download Submit
C:\Windows\{E3B03257-4304-4f74-9B84-9B737DBEAD2C}.exe

Filesize
344KB

MD5
43f450ad8b1725aad2813025f09da448

SHA1
a5c8053b1940e878b4f48c9dafd7edefc91774ad

SHA256
15f05c197ae837597c979d1665d1bf8efd6fa085c270ef73fcf32e2740d26abc

SHA512
6df7b311cddb86cf78927886fad1e6479e9f4200a6366f344b0cf9814e0b5da5d9d9772e507fc667826194f9369ce71ed5c3eb35a9c06f3ee9493e3edf2983be

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads