bd5874e6e3ecd2e489ba632aff59af53f2aaa539fa458ab0db539519a4f3a225

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe
Size

408KB
MD5

505da9d6e8a4223951fd5b2165d98895
SHA1

574aded91c55c99ab8aadd7af30db5793c593201
SHA256

bd5874e6e3ecd2e489ba632aff59af53f2aaa539fa458ab0db539519a4f3a225
SHA512

0280b0998b446c5e7344aaceefa86bf7b61c70aa8a00fd75dca2c502a269d3bff392ae224e1f1b3dac6513020f104678047fecb82d849df2695388540442349d
SSDEEP

3072:CEGh0oYl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGOldOe2MUVg3vTeKcAEciTBqr3jy9

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{562E0EF5-499D-480c-A866-ED357E7E2E22}\stubpath = "C:\\Windows\\{562E0EF5-499D-480c-A866-ED357E7E2E22}.exe"	{38D1E4D8-A516-446a-AB6A-C1B12EEDB0FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D501926-C975-47e4-9A1E-3064E1B04F1D}\stubpath = "C:\\Windows\\{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe"	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF9F778E-981E-411d-BFB3-B439B1FA7D58}	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC7CD6F2-8BB1-4554-B109-0CEDEB7D04CE}\stubpath = "C:\\Windows\\{BC7CD6F2-8BB1-4554-B109-0CEDEB7D04CE}.exe"	{01A7BE69-45DE-4a5d-A0C3-422FDE10E9C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38D1E4D8-A516-446a-AB6A-C1B12EEDB0FC}\stubpath = "C:\\Windows\\{38D1E4D8-A516-446a-AB6A-C1B12EEDB0FC}.exe"	{BC7CD6F2-8BB1-4554-B109-0CEDEB7D04CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}\stubpath = "C:\\Windows\\{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe"	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C16C10B9-F139-44f4-BB87-A811B676BF6B}\stubpath = "C:\\Windows\\{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe"	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD69EA20-66D8-425d-A097-9E0F953F4695}	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD69EA20-66D8-425d-A097-9E0F953F4695}\stubpath = "C:\\Windows\\{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe"	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41E68320-9DFA-429a-8859-65ADE6D0730A}	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01A7BE69-45DE-4a5d-A0C3-422FDE10E9C4}	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D501926-C975-47e4-9A1E-3064E1B04F1D}	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}\stubpath = "C:\\Windows\\{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe"	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01A7BE69-45DE-4a5d-A0C3-422FDE10E9C4}\stubpath = "C:\\Windows\\{01A7BE69-45DE-4a5d-A0C3-422FDE10E9C4}.exe"	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC7CD6F2-8BB1-4554-B109-0CEDEB7D04CE}	{01A7BE69-45DE-4a5d-A0C3-422FDE10E9C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38D1E4D8-A516-446a-AB6A-C1B12EEDB0FC}	{BC7CD6F2-8BB1-4554-B109-0CEDEB7D04CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{562E0EF5-499D-480c-A866-ED357E7E2E22}	{38D1E4D8-A516-446a-AB6A-C1B12EEDB0FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C16C10B9-F139-44f4-BB87-A811B676BF6B}	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF9F778E-981E-411d-BFB3-B439B1FA7D58}\stubpath = "C:\\Windows\\{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe"	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41E68320-9DFA-429a-8859-65ADE6D0730A}\stubpath = "C:\\Windows\\{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe"	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2808	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe
2720	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe
2600	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe
1456	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe
2960	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe
1308	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe
2344	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe
2124	{01A7BE69-45DE-4a5d-A0C3-422FDE10E9C4}.exe
2348	{BC7CD6F2-8BB1-4554-B109-0CEDEB7D04CE}.exe
2412	{38D1E4D8-A516-446a-AB6A-C1B12EEDB0FC}.exe
756	{562E0EF5-499D-480c-A866-ED357E7E2E22}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe
File created	C:\Windows\{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe
File created	C:\Windows\{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe
File created	C:\Windows\{01A7BE69-45DE-4a5d-A0C3-422FDE10E9C4}.exe	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe
File created	C:\Windows\{38D1E4D8-A516-446a-AB6A-C1B12EEDB0FC}.exe	{BC7CD6F2-8BB1-4554-B109-0CEDEB7D04CE}.exe
File created	C:\Windows\{562E0EF5-499D-480c-A866-ED357E7E2E22}.exe	{38D1E4D8-A516-446a-AB6A-C1B12EEDB0FC}.exe
File created	C:\Windows\{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe
File created	C:\Windows\{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe
File created	C:\Windows\{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe
File created	C:\Windows\{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe
File created	C:\Windows\{BC7CD6F2-8BB1-4554-B109-0CEDEB7D04CE}.exe	{01A7BE69-45DE-4a5d-A0C3-422FDE10E9C4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2240	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2808	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe
Token: SeIncBasePriorityPrivilege	2720	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe
Token: SeIncBasePriorityPrivilege	2600	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe
Token: SeIncBasePriorityPrivilege	1456	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe
Token: SeIncBasePriorityPrivilege	2960	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe
Token: SeIncBasePriorityPrivilege	1308	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe
Token: SeIncBasePriorityPrivilege	2344	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe
Token: SeIncBasePriorityPrivilege	2124	{01A7BE69-45DE-4a5d-A0C3-422FDE10E9C4}.exe
Token: SeIncBasePriorityPrivilege	2348	{BC7CD6F2-8BB1-4554-B109-0CEDEB7D04CE}.exe
Token: SeIncBasePriorityPrivilege	2412	{38D1E4D8-A516-446a-AB6A-C1B12EEDB0FC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2808	2240	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	30
PID 2240 wrote to memory of 2808	2240	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	30
PID 2240 wrote to memory of 2808	2240	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	30
PID 2240 wrote to memory of 2808	2240	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	30
PID 2240 wrote to memory of 2708	2240	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	31
PID 2240 wrote to memory of 2708	2240	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	31
PID 2240 wrote to memory of 2708	2240	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	31
PID 2240 wrote to memory of 2708	2240	2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe	31
PID 2808 wrote to memory of 2720	2808	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe	33
PID 2808 wrote to memory of 2720	2808	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe	33
PID 2808 wrote to memory of 2720	2808	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe	33
PID 2808 wrote to memory of 2720	2808	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe	33
PID 2808 wrote to memory of 2556	2808	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe	34
PID 2808 wrote to memory of 2556	2808	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe	34
PID 2808 wrote to memory of 2556	2808	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe	34
PID 2808 wrote to memory of 2556	2808	{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe	34
PID 2720 wrote to memory of 2600	2720	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe	35
PID 2720 wrote to memory of 2600	2720	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe	35
PID 2720 wrote to memory of 2600	2720	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe	35
PID 2720 wrote to memory of 2600	2720	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe	35
PID 2720 wrote to memory of 2112	2720	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe	36
PID 2720 wrote to memory of 2112	2720	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe	36
PID 2720 wrote to memory of 2112	2720	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe	36
PID 2720 wrote to memory of 2112	2720	{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe	36
PID 2600 wrote to memory of 1456	2600	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe	37
PID 2600 wrote to memory of 1456	2600	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe	37
PID 2600 wrote to memory of 1456	2600	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe	37
PID 2600 wrote to memory of 1456	2600	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe	37
PID 2600 wrote to memory of 1272	2600	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe	38
PID 2600 wrote to memory of 1272	2600	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe	38
PID 2600 wrote to memory of 1272	2600	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe	38
PID 2600 wrote to memory of 1272	2600	{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe	38
PID 1456 wrote to memory of 2960	1456	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe	39
PID 1456 wrote to memory of 2960	1456	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe	39
PID 1456 wrote to memory of 2960	1456	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe	39
PID 1456 wrote to memory of 2960	1456	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe	39
PID 1456 wrote to memory of 2284	1456	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe	40
PID 1456 wrote to memory of 2284	1456	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe	40
PID 1456 wrote to memory of 2284	1456	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe	40
PID 1456 wrote to memory of 2284	1456	{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe	40
PID 2960 wrote to memory of 1308	2960	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe	41
PID 2960 wrote to memory of 1308	2960	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe	41
PID 2960 wrote to memory of 1308	2960	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe	41
PID 2960 wrote to memory of 1308	2960	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe	41
PID 2960 wrote to memory of 1656	2960	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe	42
PID 2960 wrote to memory of 1656	2960	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe	42
PID 2960 wrote to memory of 1656	2960	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe	42
PID 2960 wrote to memory of 1656	2960	{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe	42
PID 1308 wrote to memory of 2344	1308	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe	43
PID 1308 wrote to memory of 2344	1308	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe	43
PID 1308 wrote to memory of 2344	1308	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe	43
PID 1308 wrote to memory of 2344	1308	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe	43
PID 1308 wrote to memory of 1920	1308	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe	44
PID 1308 wrote to memory of 1920	1308	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe	44
PID 1308 wrote to memory of 1920	1308	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe	44
PID 1308 wrote to memory of 1920	1308	{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe	44
PID 2344 wrote to memory of 2124	2344	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe	45
PID 2344 wrote to memory of 2124	2344	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe	45
PID 2344 wrote to memory of 2124	2344	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe	45
PID 2344 wrote to memory of 2124	2344	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe	45
PID 2344 wrote to memory of 1484	2344	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe	46
PID 2344 wrote to memory of 1484	2344	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe	46
PID 2344 wrote to memory of 1484	2344	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe	46
PID 2344 wrote to memory of 1484	2344	{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_505da9d6e8a4223951fd5b2165d98895_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe
  C:\Windows\{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe
    C:\Windows\{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe
      C:\Windows\{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe
        
        C:\Windows\{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe
        
        C:\Windows\{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe
        
        C:\Windows\{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe
        
        C:\Windows\{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{01A7BE69-45DE-4a5d-A0C3-422FDE10E9C4}.exe
        
        C:\Windows\{01A7BE69-45DE-4a5d-A0C3-422FDE10E9C4}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\{BC7CD6F2-8BB1-4554-B109-0CEDEB7D04CE}.exe
        
        C:\Windows\{BC7CD6F2-8BB1-4554-B109-0CEDEB7D04CE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\{38D1E4D8-A516-446a-AB6A-C1B12EEDB0FC}.exe
        
        C:\Windows\{38D1E4D8-A516-446a-AB6A-C1B12EEDB0FC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\{562E0EF5-499D-480c-A866-ED357E7E2E22}.exe
        
        C:\Windows\{562E0EF5-499D-480c-A866-ED357E7E2E22}.exe
        12⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38D1E~1.EXE > nul
        12⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7CD~1.EXE > nul
        11⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01A7B~1.EXE > nul
        10⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41E68~1.EXE > nul
        9⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF9F7~1.EXE > nul
        8⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD69E~1.EXE > nul
        7⤵
        
        PID:1656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44534~1.EXE > nul
        6⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C16C1~1.EXE > nul
        5⤵
        
        PID:1272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{51787~1.EXE > nul
      4⤵
      PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9D501~1.EXE > nul
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01A7BE69-45DE-4a5d-A0C3-422FDE10E9C4}.exe

Filesize
408KB

MD5
408456a0881bd123d13d96d5352bbe61

SHA1
0799faeb84dfb2289da1d2853f3e91400ba6f578

SHA256
becad66479f477711803cce6c26a37c482c2d53e73c61d5cc9b9ad3b288b9194

SHA512
eb23a34893f5fdea58c8deb74dac8bd9882bd2f8adf8c93f14ffce5deace2ed4b3afe76717d62e71e373cad718a23108fb32289a50717e393137fb620a87d4f6

Download Submit
C:\Windows\{38D1E4D8-A516-446a-AB6A-C1B12EEDB0FC}.exe

Filesize
408KB

MD5
c82a539cf396a87ba2e5b72f785e11e5

SHA1
e44377bee5b424ff51e13a14e1fcdf2b24c4d898

SHA256
ce80da3a806535b60b079e89e4d5e6d6f3a2b319ea9b4674b494949b00b98ff7

SHA512
31b807c1a81f07f5498899aecaa2047993ba0a646d2d7ef14f283bbdf4ae42f349413a40be819944a977da60058128b781c114f77b49c7ca797da732bda13acd

Download Submit
C:\Windows\{41E68320-9DFA-429a-8859-65ADE6D0730A}.exe

Filesize
408KB

MD5
5b2c9cdf18c775b929a402160171c385

SHA1
979059337b0555b3a1a66e1c0745d3b5211f30c2

SHA256
349d34044c1a22aba6d82d1db869852a9a1259e4f45505d5f57547eff631bc72

SHA512
3b9c231886939842a5841a356983a0c73aa6938fc08577034280df9dd932e3325e0368cb02675850947420d1bc5436af47880de95d81234b8ba12ed77ee2be31

Download Submit
C:\Windows\{44534F6D-BEF9-49e0-9DAE-DBC593F43AEE}.exe

Filesize
408KB

MD5
f33244846fa73b309c5470759c3f4ed3

SHA1
d083ffe26db6224383975231f3d4fcc2e7e7d42c

SHA256
cd828c0bc8ade7bad37484a8b8ff4cc38477bcc10f77b8db48695e8b6b657bb3

SHA512
fce8479ac74ce06b74f4d33cd2007222396013063656adea0f5d8e9894734e03f065e4ffca2c11042f295c5dea8470066e5971b014430e202cb3f5e3bd7c5ca5

Download Submit
C:\Windows\{517879C0-D9BA-4b85-B1D9-2AB31BCB0759}.exe

Filesize
408KB

MD5
db6ac3d8c852a7406a34ef5d9bea87a6

SHA1
0e673f192da34b5f8d598375a1a498e8c7ce1459

SHA256
2f6c4f7ca228fec50fc173c9631c9425b45998ec15995fefa093619ab369b471

SHA512
fe6e10c0f334a624f0bd8fd62d33f76a71a78b744c903a891c8770d6234bbc0b4f198d1e309e7c12a2ab57b2f441927471b042ddaac1dd1bbf6ed1028eae71ed

Download Submit
C:\Windows\{562E0EF5-499D-480c-A866-ED357E7E2E22}.exe

Filesize
408KB

MD5
c4d2bbd6a6826282b2f9ea3a976d6eaf

SHA1
55ec20b835d1a519fb268d4b3a94fd8fa92a2d1c

SHA256
6a0b276fe8d20c93fb5a53b33235828a5902472677fb14aab0395799f8129068

SHA512
ea3e80d99d58b428874a2c12848b4f61ef341b4871d4aba40c63541083ffa8cd81b17369b27f4f9968b83875d5f861b2000c57683195b5324c55737f66c5eb9a

Download Submit
C:\Windows\{9D501926-C975-47e4-9A1E-3064E1B04F1D}.exe

Filesize
408KB

MD5
1625d80c93dee027761b94e5d7b94fb6

SHA1
a87e292499a10a94f5e1064fceb3be33308fc193

SHA256
32ad44512897bb2b0218109a30c96cf0771bcd8ed655c923e06d002c49ab8d16

SHA512
bf821c351c22b104461bd93603b1ff6d641453a57bcb334abd8a480cb946212c91702b0276426c83de0ded55e4ee02e0b6d861e1b435b27671f5b9b43931dcb7

Download Submit
C:\Windows\{AD69EA20-66D8-425d-A097-9E0F953F4695}.exe

Filesize
408KB

MD5
7789a821a456277da4ce6eb614a140c4

SHA1
145a046598fd4ffc148c52ba5103285dd2c10f52

SHA256
1f3313f09206857e07d7abc298bbe34000bc88bf594f334408aeadfe412ac59d

SHA512
8c2b9afd49f6f251666dbb1784b493af3cb3f5449fd4949a223a5b75184e59d4fbe7e843b2bbe728c2dc234174852abf40a5f6d718bb7728564c84b6069f5961

Download Submit
C:\Windows\{AF9F778E-981E-411d-BFB3-B439B1FA7D58}.exe

Filesize
408KB

MD5
5267d159f87f77f7d8800cebf6c164e5

SHA1
9fec39c9987efcac0079b514ddaa06a400b503f3

SHA256
c1068d8851a75abe7026dacb25819f9cf506dee5ee391ec268d518293d0bf94d

SHA512
f523bb01d2c851c75a9ca990e493fef29658cda28b818fd9127fce0d84a21f5520e996e1d949ee2ab3090ff845623e45551d07859fae7515fdb032cf2a917258

Download Submit
C:\Windows\{BC7CD6F2-8BB1-4554-B109-0CEDEB7D04CE}.exe

Filesize
408KB

MD5
73d02e32ca5f5eccbdce2fb21c1db385

SHA1
d76934464644c56fe6e3c2efabef1d0e0cb0e1cf

SHA256
17d2f67ca2202f4972fab22ed617f087e1fc520b10279c03f7e3607a7a29cdb2

SHA512
8f07b24aaee4393ae20f25ba3fd20b81335c71b98f87d804639d598a18e81a1061c2a719e83a4c5376d37ffad16dbb6daacad330d999687ba4d1515eca5ece41

Download Submit
C:\Windows\{C16C10B9-F139-44f4-BB87-A811B676BF6B}.exe

Filesize
408KB

MD5
dc6ca4443a329f7e05bd539d1aed7b3f

SHA1
8153633bf82659fd3b4215f49d32718f3427b091

SHA256
6e48f3b092ac169b3ca260531c1e2c2aad30c93cd9ee0bfc70fcad18f7710472

SHA512
fdd2af23b3d9b2c595e9992e845d15cdc94f8261f0fa8df57321126bfee4b9ae713935415f640de2638a40d54ef61e281dbf4ca8c9baaf96447282e817808784

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads