6973f1fe8f83b2053e3a8ed244f19f7d0e66ed2822db4ba4f92b287264167ade

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe
Size

192KB
MD5

7a7b1c5b219538dcc2561feee8b58d96
SHA1

43317d85521fe9fa1c30fe175090e101d99b3b60
SHA256

6973f1fe8f83b2053e3a8ed244f19f7d0e66ed2822db4ba4f92b287264167ade
SHA512

ef2869187af30bf64a7d3c51a07bf48bc2e2382947109b9581cb5744dd29a78723c6869f50b806d2b38b639d72c6b440c7648f24597717dfdbf26d8b7ecd064b
SSDEEP

1536:1EGh0oEl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oEl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AFDBC70-F5D8-41a1-B06F-C13B51AAA5FE}	{1FEC61FD-4486-4d81-940F-6E08A833547F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F25B3779-2823-4fc4-9420-845F5C39F670}	{9AFDBC70-F5D8-41a1-B06F-C13B51AAA5FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}\stubpath = "C:\\Windows\\{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe"	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E181AD3F-1F2C-4edc-A91D-EA8B22374143}	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}\stubpath = "C:\\Windows\\{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe"	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05DC4189-6465-4142-B28F-EF72DB365CE7}	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}\stubpath = "C:\\Windows\\{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe"	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FEC61FD-4486-4d81-940F-6E08A833547F}\stubpath = "C:\\Windows\\{1FEC61FD-4486-4d81-940F-6E08A833547F}.exe"	{E181AD3F-1F2C-4edc-A91D-EA8B22374143}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05DC4189-6465-4142-B28F-EF72DB365CE7}\stubpath = "C:\\Windows\\{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe"	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B360B1-7E81-4978-A42F-C591208642CE}	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2B360B1-7E81-4978-A42F-C591208642CE}\stubpath = "C:\\Windows\\{C2B360B1-7E81-4978-A42F-C591208642CE}.exe"	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}\stubpath = "C:\\Windows\\{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe"	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E181AD3F-1F2C-4edc-A91D-EA8B22374143}\stubpath = "C:\\Windows\\{E181AD3F-1F2C-4edc-A91D-EA8B22374143}.exe"	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FEC61FD-4486-4d81-940F-6E08A833547F}	{E181AD3F-1F2C-4edc-A91D-EA8B22374143}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AFDBC70-F5D8-41a1-B06F-C13B51AAA5FE}\stubpath = "C:\\Windows\\{9AFDBC70-F5D8-41a1-B06F-C13B51AAA5FE}.exe"	{1FEC61FD-4486-4d81-940F-6E08A833547F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F25B3779-2823-4fc4-9420-845F5C39F670}\stubpath = "C:\\Windows\\{F25B3779-2823-4fc4-9420-845F5C39F670}.exe"	{9AFDBC70-F5D8-41a1-B06F-C13B51AAA5FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}\stubpath = "C:\\Windows\\{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe"	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2856	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe
1324	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe
1892	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe
1784	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe
2368	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe
2820	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe
2336	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe
2512	{E181AD3F-1F2C-4edc-A91D-EA8B22374143}.exe
776	{1FEC61FD-4486-4d81-940F-6E08A833547F}.exe
2188	{9AFDBC70-F5D8-41a1-B06F-C13B51AAA5FE}.exe
912	{F25B3779-2823-4fc4-9420-845F5C39F670}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe
File created	C:\Windows\{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe
File created	C:\Windows\{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe
File created	C:\Windows\{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe
File created	C:\Windows\{1FEC61FD-4486-4d81-940F-6E08A833547F}.exe	{E181AD3F-1F2C-4edc-A91D-EA8B22374143}.exe
File created	C:\Windows\{9AFDBC70-F5D8-41a1-B06F-C13B51AAA5FE}.exe	{1FEC61FD-4486-4d81-940F-6E08A833547F}.exe
File created	C:\Windows\{F25B3779-2823-4fc4-9420-845F5C39F670}.exe	{9AFDBC70-F5D8-41a1-B06F-C13B51AAA5FE}.exe
File created	C:\Windows\{C2B360B1-7E81-4978-A42F-C591208642CE}.exe	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe
File created	C:\Windows\{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe
File created	C:\Windows\{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe
File created	C:\Windows\{E181AD3F-1F2C-4edc-A91D-EA8B22374143}.exe	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2176	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2856	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe
Token: SeIncBasePriorityPrivilege	1324	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe
Token: SeIncBasePriorityPrivilege	1892	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe
Token: SeIncBasePriorityPrivilege	1784	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe
Token: SeIncBasePriorityPrivilege	2368	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe
Token: SeIncBasePriorityPrivilege	2820	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe
Token: SeIncBasePriorityPrivilege	2336	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe
Token: SeIncBasePriorityPrivilege	2512	{E181AD3F-1F2C-4edc-A91D-EA8B22374143}.exe
Token: SeIncBasePriorityPrivilege	776	{1FEC61FD-4486-4d81-940F-6E08A833547F}.exe
Token: SeIncBasePriorityPrivilege	2188	{9AFDBC70-F5D8-41a1-B06F-C13B51AAA5FE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2856	2176	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	30
PID 2176 wrote to memory of 2856	2176	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	30
PID 2176 wrote to memory of 2856	2176	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	30
PID 2176 wrote to memory of 2856	2176	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	30
PID 2176 wrote to memory of 3068	2176	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	31
PID 2176 wrote to memory of 3068	2176	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	31
PID 2176 wrote to memory of 3068	2176	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	31
PID 2176 wrote to memory of 3068	2176	2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe	31
PID 2856 wrote to memory of 1324	2856	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe	33
PID 2856 wrote to memory of 1324	2856	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe	33
PID 2856 wrote to memory of 1324	2856	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe	33
PID 2856 wrote to memory of 1324	2856	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe	33
PID 2856 wrote to memory of 2620	2856	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe	34
PID 2856 wrote to memory of 2620	2856	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe	34
PID 2856 wrote to memory of 2620	2856	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe	34
PID 2856 wrote to memory of 2620	2856	{C2B360B1-7E81-4978-A42F-C591208642CE}.exe	34
PID 1324 wrote to memory of 1892	1324	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe	35
PID 1324 wrote to memory of 1892	1324	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe	35
PID 1324 wrote to memory of 1892	1324	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe	35
PID 1324 wrote to memory of 1892	1324	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe	35
PID 1324 wrote to memory of 988	1324	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe	36
PID 1324 wrote to memory of 988	1324	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe	36
PID 1324 wrote to memory of 988	1324	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe	36
PID 1324 wrote to memory of 988	1324	{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe	36
PID 1892 wrote to memory of 1784	1892	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe	37
PID 1892 wrote to memory of 1784	1892	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe	37
PID 1892 wrote to memory of 1784	1892	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe	37
PID 1892 wrote to memory of 1784	1892	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe	37
PID 1892 wrote to memory of 2276	1892	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe	38
PID 1892 wrote to memory of 2276	1892	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe	38
PID 1892 wrote to memory of 2276	1892	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe	38
PID 1892 wrote to memory of 2276	1892	{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe	38
PID 1784 wrote to memory of 2368	1784	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe	39
PID 1784 wrote to memory of 2368	1784	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe	39
PID 1784 wrote to memory of 2368	1784	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe	39
PID 1784 wrote to memory of 2368	1784	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe	39
PID 1784 wrote to memory of 2824	1784	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe	40
PID 1784 wrote to memory of 2824	1784	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe	40
PID 1784 wrote to memory of 2824	1784	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe	40
PID 1784 wrote to memory of 2824	1784	{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe	40
PID 2368 wrote to memory of 2820	2368	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe	41
PID 2368 wrote to memory of 2820	2368	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe	41
PID 2368 wrote to memory of 2820	2368	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe	41
PID 2368 wrote to memory of 2820	2368	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe	41
PID 2368 wrote to memory of 2808	2368	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe	42
PID 2368 wrote to memory of 2808	2368	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe	42
PID 2368 wrote to memory of 2808	2368	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe	42
PID 2368 wrote to memory of 2808	2368	{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe	42
PID 2820 wrote to memory of 2336	2820	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe	43
PID 2820 wrote to memory of 2336	2820	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe	43
PID 2820 wrote to memory of 2336	2820	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe	43
PID 2820 wrote to memory of 2336	2820	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe	43
PID 2820 wrote to memory of 1288	2820	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe	44
PID 2820 wrote to memory of 1288	2820	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe	44
PID 2820 wrote to memory of 1288	2820	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe	44
PID 2820 wrote to memory of 1288	2820	{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe	44
PID 2336 wrote to memory of 2512	2336	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe	45
PID 2336 wrote to memory of 2512	2336	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe	45
PID 2336 wrote to memory of 2512	2336	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe	45
PID 2336 wrote to memory of 2512	2336	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe	45
PID 2336 wrote to memory of 760	2336	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe	46
PID 2336 wrote to memory of 760	2336	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe	46
PID 2336 wrote to memory of 760	2336	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe	46
PID 2336 wrote to memory of 760	2336	{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_7a7b1c5b219538dcc2561feee8b58d96_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\{C2B360B1-7E81-4978-A42F-C591208642CE}.exe
  C:\Windows\{C2B360B1-7E81-4978-A42F-C591208642CE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe
    C:\Windows\{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe
      C:\Windows\{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe
        
        C:\Windows\{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Windows\{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe
        
        C:\Windows\{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe
        
        C:\Windows\{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe
        
        C:\Windows\{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\{E181AD3F-1F2C-4edc-A91D-EA8B22374143}.exe
        
        C:\Windows\{E181AD3F-1F2C-4edc-A91D-EA8B22374143}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\{1FEC61FD-4486-4d81-940F-6E08A833547F}.exe
        
        C:\Windows\{1FEC61FD-4486-4d81-940F-6E08A833547F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\{9AFDBC70-F5D8-41a1-B06F-C13B51AAA5FE}.exe
        
        C:\Windows\{9AFDBC70-F5D8-41a1-B06F-C13B51AAA5FE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\{F25B3779-2823-4fc4-9420-845F5C39F670}.exe
        
        C:\Windows\{F25B3779-2823-4fc4-9420-845F5C39F670}.exe
        12⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AFDB~1.EXE > nul
        12⤵
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FEC6~1.EXE > nul
        11⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E181A~1.EXE > nul
        10⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8024F~1.EXE > nul
        9⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05DC4~1.EXE > nul
        8⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAF32~1.EXE > nul
        7⤵
        
        PID:2808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A27D3~1.EXE > nul
        6⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B779~1.EXE > nul
        5⤵
        
        PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C2A7D~1.EXE > nul
      4⤵
      PID:988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C2B36~1.EXE > nul
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05DC4189-6465-4142-B28F-EF72DB365CE7}.exe

Filesize
192KB

MD5
4f4aabb36e0019a7816ed1deaae88110

SHA1
758da78a41514479a8ad5d027ac8285ef2f3079b

SHA256
9b6d46f939cf853d33749932feae2e57665a1df3ec6e966183a5944e021928c2

SHA512
5e94aeed3a8af48831161301de94470040850e16f3872615274b1460e861a1efa6e696d7c5d00de4618a0833826fb9bbd079bbb612bcb33ca81d6febbc1116e4

Download Submit
C:\Windows\{1FEC61FD-4486-4d81-940F-6E08A833547F}.exe

Filesize
192KB

MD5
73815c2baf649cbb02f59418c80fe7e3

SHA1
2b4bdc686d88f7f736e4de753c1c2ecb19e68ec7

SHA256
b643e6abe6799bb51f8f2aa6defcd96a192fcbf53e38c8f09d61080b72f16ee1

SHA512
688ee830f527c2c82f80829806b5177787539ea5ae433be2fc2c6a5f86eb1abee89d8eff7598f4b8f7c595de9e9ddae0dc95a8ca963f6dbdf7a15452d9b8abe2

Download Submit
C:\Windows\{5B779519-0945-49b1-AE3D-52FCCFDB7CF8}.exe

Filesize
192KB

MD5
633277b79bbb1c762d90945a3b7576f4

SHA1
5a1453437d29ad3685b76917beb5c0cbda2fe0ad

SHA256
291fb7747c916b94c8babf95c68a1cbd638c8e82f1954c7ed0a276a393f7ca04

SHA512
94527f6e9880f29c6242d9bdafc247e3abf193aa196e61c4d0a6fe83bbf795b408b5e4728ccde10ca85dbdba3960d03e61dcfc5f092b1b3c30c92f9f7fb0d753

Download Submit
C:\Windows\{8024F973-7AD3-4df6-BBAB-19CC5DD5E191}.exe

Filesize
192KB

MD5
ce10e378df53f17ee94b2c3a77b10b9b

SHA1
1171b4e6a4789655acb5cc0335a2c0b001f597b4

SHA256
6c0ce3ce54e358f73f19042973b25435d8669601e8602d1bbff0e6dc32144d7f

SHA512
4a02e140bde8b53dc2106da99cb15a83ae24c4c582be0f48e4dc3e3140ed21ba0fa26be6122cd0556d850d3ecff087fc80c7c36eefe7bd75d294aade462fff2d

Download Submit
C:\Windows\{9AFDBC70-F5D8-41a1-B06F-C13B51AAA5FE}.exe

Filesize
192KB

MD5
cd96b9684eba94403945cb5732d5a891

SHA1
4c1dd30b984bebb5c21f59d012293a34065ccfac

SHA256
3201f37d53906f01126b724db9312bb12a7d1e63d2c0d9ec8c18eadd24add714

SHA512
602d65a2674cca2b2980b105b9b176e7ea55ebdfc2e134e4019524f13904683510010a9e5a3b68159ae73fa415ba219c4beabf701197644c3273b1672b986e6a

Download Submit
C:\Windows\{A27D3B4D-8C90-4433-8CED-E2E33F85FCC0}.exe

Filesize
192KB

MD5
5147ac1c0e3431600e6d9f308047e780

SHA1
c56bf31308ed7260b6065be996c20197790aaa60

SHA256
42a12b392c4eaaceb23b1180e9742ff43904febafb7ecf27d3fbc71915926d4b

SHA512
53ebaf8780206e8c0134eb2df304b1dbba012ea8c75f8ba3599cc90e1c90f1eadfb54504e6a8d2f9688137552e20336ab90b14aa9c733f62c80e37363a762e7d

Download Submit
C:\Windows\{AAF320E3-84B3-4138-8E0C-CBF49C486E1A}.exe

Filesize
192KB

MD5
1a11f06e277aa9db0c352e669bda4091

SHA1
a1e97c292f49183180b0a53ef966470f2d3e17da

SHA256
e1870cf87fe098922429f41bdb28ac57a12653dad30ff9540b03a0b2734fbf2d

SHA512
1750d1ff2061d020fc3fe99ba301bf15328cbb1a2e12280ac46fe47824507b2dd833818eda8abb2c6b1716c392d98844fa938e48ffba5b66a6346ceca2a0890d

Download Submit
C:\Windows\{C2A7DE4A-DE12-4228-9BF6-B84AF8963F06}.exe

Filesize
192KB

MD5
a1bfbd1dc60ba4446ad81979a50c2936

SHA1
b89cf868882d96018c1f0581a31341404ec9b04d

SHA256
0a9a5ac03fda626550a0f45d2d0e90029498442e3dfe963bceee9437e8f32da2

SHA512
cbc693e4d77e9f09134e0d522df3ea841ee27573da523b6125573458f25fd0071571449250738e8951e93b2f169563fecc2b1476159421f46de1e6edc1f507b9

Download Submit
C:\Windows\{C2B360B1-7E81-4978-A42F-C591208642CE}.exe

Filesize
192KB

MD5
9a421f2eb01b037fe5c2a759cce87ee1

SHA1
6ef030013eef20c2bb5829a4d0f3e7cb8a8a37e7

SHA256
e8512061147d443e9a71d7bc1b2c7d70b8ee214f4733cdf90b8d9cae2bd395ca

SHA512
37a6ae59578eea735a5a74eda101b05440423541c6c810f4f38385b44931a42f5254647e19bebe46d865a667c17bcc35a708d28eee8ae12fdeb6640f60fe55ad

Download Submit
C:\Windows\{E181AD3F-1F2C-4edc-A91D-EA8B22374143}.exe

Filesize
192KB

MD5
eab2a2c3afa6203c173f53c3a90f064a

SHA1
fb9f84739c1f8476902604807ea3db7dba2ec49f

SHA256
d08e3577467e157d7483fdc531d7a914f4adfbbbfe715afcf0d04b2fc2c77dee

SHA512
6e0590c152c7de87b8291e85c14e0297b5047a2508b3698e15a525148e53b1ea5ca1ef4360d07c09170b484b8fd2e2c3f08ee42a9b48ec4ead02de5cec0003ae

Download Submit
C:\Windows\{F25B3779-2823-4fc4-9420-845F5C39F670}.exe

Filesize
192KB

MD5
563176542f72ebd170c678825565c820

SHA1
689f5fd36da71c8e79e69c7dc810b8ce634d0b07

SHA256
c89c71e30f957c9068906ecb2aba2a11ae556445fcd5b3402a19656b70cb8ba4

SHA512
edd01bcf8737fe642164be37e5975c1b1833dee99d20bfd61f1ed18a32182f60a63893a29e0174bc3f2ba6d3ed0fd183c39b178e75bf7f6414ba38dbec5998bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads