aeb532a6244392e31cf40dea4aaae945f86c50b3b47ef33b93b7b43acb277202

Analysis

max time kernel
149s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe
Size

408KB
MD5

d1e7f8f4936c32dc3bcf7b0a7467907d
SHA1

b9ffda553e52a9e5a1a516487af36641e08239c5
SHA256

aeb532a6244392e31cf40dea4aaae945f86c50b3b47ef33b93b7b43acb277202
SHA512

e52580d8e4afaa3ba6c06a7e8f50163f24937d26e8f2552ced5f3e195ca0f4d4789ede517b3dc60dd3295c48274d20dbec3b28427b6c885e434d3f8b2148426a
SSDEEP

3072:CEGh0oDl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGVldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B8B47BA-89B6-401e-9C88-8C1280874AD6}	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B8B47BA-89B6-401e-9C88-8C1280874AD6}\stubpath = "C:\\Windows\\{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe"	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5E94C05-6D30-4f00-B30A-970028F58C66}\stubpath = "C:\\Windows\\{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe"	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A90DD89F-BA20-4081-86AC-B44A7632E5BE}	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A90DD89F-BA20-4081-86AC-B44A7632E5BE}\stubpath = "C:\\Windows\\{A90DD89F-BA20-4081-86AC-B44A7632E5BE}.exe"	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3429421D-BF8F-406f-B305-505071FC31C4}	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}\stubpath = "C:\\Windows\\{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe"	{3429421D-BF8F-406f-B305-505071FC31C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{079B3F0F-CCBB-4b74-B174-DA1C35F7F424}\stubpath = "C:\\Windows\\{079B3F0F-CCBB-4b74-B174-DA1C35F7F424}.exe"	{C2EB107E-E6D5-4b66-A435-9CC7FA3BD425}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93CBB89B-625E-4cd5-97C0-78B9BF33228A}\stubpath = "C:\\Windows\\{93CBB89B-625E-4cd5-97C0-78B9BF33228A}.exe"	{A90DD89F-BA20-4081-86AC-B44A7632E5BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B06137FA-945D-4fcb-B8EC-2C839C2B6655}	{93CBB89B-625E-4cd5-97C0-78B9BF33228A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2EB107E-E6D5-4b66-A435-9CC7FA3BD425}\stubpath = "C:\\Windows\\{C2EB107E-E6D5-4b66-A435-9CC7FA3BD425}.exe"	{B06137FA-945D-4fcb-B8EC-2C839C2B6655}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{079B3F0F-CCBB-4b74-B174-DA1C35F7F424}	{C2EB107E-E6D5-4b66-A435-9CC7FA3BD425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}	{3429421D-BF8F-406f-B305-505071FC31C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}\stubpath = "C:\\Windows\\{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe"	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B06137FA-945D-4fcb-B8EC-2C839C2B6655}\stubpath = "C:\\Windows\\{B06137FA-945D-4fcb-B8EC-2C839C2B6655}.exe"	{93CBB89B-625E-4cd5-97C0-78B9BF33228A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}\stubpath = "C:\\Windows\\{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe"	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5E94C05-6D30-4f00-B30A-970028F58C66}	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2EB107E-E6D5-4b66-A435-9CC7FA3BD425}	{B06137FA-945D-4fcb-B8EC-2C839C2B6655}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3429421D-BF8F-406f-B305-505071FC31C4}\stubpath = "C:\\Windows\\{3429421D-BF8F-406f-B305-505071FC31C4}.exe"	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}\stubpath = "C:\\Windows\\{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe"	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93CBB89B-625E-4cd5-97C0-78B9BF33228A}	{A90DD89F-BA20-4081-86AC-B44A7632E5BE}.exe

Deletes itself 1 IoCs

pid	Process
2792	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2740	{3429421D-BF8F-406f-B305-505071FC31C4}.exe
2772	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe
3036	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe
2548	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe
2976	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe
2932	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe
2924	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe
2396	{A90DD89F-BA20-4081-86AC-B44A7632E5BE}.exe
1352	{93CBB89B-625E-4cd5-97C0-78B9BF33228A}.exe
2236	{B06137FA-945D-4fcb-B8EC-2C839C2B6655}.exe
2104	{C2EB107E-E6D5-4b66-A435-9CC7FA3BD425}.exe
1792	{079B3F0F-CCBB-4b74-B174-DA1C35F7F424}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe
File created	C:\Windows\{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe
File created	C:\Windows\{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe
File created	C:\Windows\{C2EB107E-E6D5-4b66-A435-9CC7FA3BD425}.exe	{B06137FA-945D-4fcb-B8EC-2C839C2B6655}.exe
File created	C:\Windows\{079B3F0F-CCBB-4b74-B174-DA1C35F7F424}.exe	{C2EB107E-E6D5-4b66-A435-9CC7FA3BD425}.exe
File created	C:\Windows\{3429421D-BF8F-406f-B305-505071FC31C4}.exe	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe
File created	C:\Windows\{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe
File created	C:\Windows\{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe
File created	C:\Windows\{A90DD89F-BA20-4081-86AC-B44A7632E5BE}.exe	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe
File created	C:\Windows\{93CBB89B-625E-4cd5-97C0-78B9BF33228A}.exe	{A90DD89F-BA20-4081-86AC-B44A7632E5BE}.exe
File created	C:\Windows\{B06137FA-945D-4fcb-B8EC-2C839C2B6655}.exe	{93CBB89B-625E-4cd5-97C0-78B9BF33228A}.exe
File created	C:\Windows\{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe	{3429421D-BF8F-406f-B305-505071FC31C4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2724	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2740	{3429421D-BF8F-406f-B305-505071FC31C4}.exe
Token: SeIncBasePriorityPrivilege	2772	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe
Token: SeIncBasePriorityPrivilege	3036	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe
Token: SeIncBasePriorityPrivilege	2548	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe
Token: SeIncBasePriorityPrivilege	2976	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe
Token: SeIncBasePriorityPrivilege	2932	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe
Token: SeIncBasePriorityPrivilege	2924	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe
Token: SeIncBasePriorityPrivilege	2396	{A90DD89F-BA20-4081-86AC-B44A7632E5BE}.exe
Token: SeIncBasePriorityPrivilege	1352	{93CBB89B-625E-4cd5-97C0-78B9BF33228A}.exe
Token: SeIncBasePriorityPrivilege	2236	{B06137FA-945D-4fcb-B8EC-2C839C2B6655}.exe
Token: SeIncBasePriorityPrivilege	2104	{C2EB107E-E6D5-4b66-A435-9CC7FA3BD425}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2740	2724	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	30
PID 2724 wrote to memory of 2740	2724	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	30
PID 2724 wrote to memory of 2740	2724	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	30
PID 2724 wrote to memory of 2740	2724	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	30
PID 2724 wrote to memory of 2792	2724	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	31
PID 2724 wrote to memory of 2792	2724	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	31
PID 2724 wrote to memory of 2792	2724	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	31
PID 2724 wrote to memory of 2792	2724	2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe	31
PID 2740 wrote to memory of 2772	2740	{3429421D-BF8F-406f-B305-505071FC31C4}.exe	32
PID 2740 wrote to memory of 2772	2740	{3429421D-BF8F-406f-B305-505071FC31C4}.exe	32
PID 2740 wrote to memory of 2772	2740	{3429421D-BF8F-406f-B305-505071FC31C4}.exe	32
PID 2740 wrote to memory of 2772	2740	{3429421D-BF8F-406f-B305-505071FC31C4}.exe	32
PID 2740 wrote to memory of 2696	2740	{3429421D-BF8F-406f-B305-505071FC31C4}.exe	33
PID 2740 wrote to memory of 2696	2740	{3429421D-BF8F-406f-B305-505071FC31C4}.exe	33
PID 2740 wrote to memory of 2696	2740	{3429421D-BF8F-406f-B305-505071FC31C4}.exe	33
PID 2740 wrote to memory of 2696	2740	{3429421D-BF8F-406f-B305-505071FC31C4}.exe	33
PID 2772 wrote to memory of 3036	2772	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe	34
PID 2772 wrote to memory of 3036	2772	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe	34
PID 2772 wrote to memory of 3036	2772	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe	34
PID 2772 wrote to memory of 3036	2772	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe	34
PID 2772 wrote to memory of 2304	2772	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe	35
PID 2772 wrote to memory of 2304	2772	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe	35
PID 2772 wrote to memory of 2304	2772	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe	35
PID 2772 wrote to memory of 2304	2772	{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe	35
PID 3036 wrote to memory of 2548	3036	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe	36
PID 3036 wrote to memory of 2548	3036	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe	36
PID 3036 wrote to memory of 2548	3036	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe	36
PID 3036 wrote to memory of 2548	3036	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe	36
PID 3036 wrote to memory of 1720	3036	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe	37
PID 3036 wrote to memory of 1720	3036	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe	37
PID 3036 wrote to memory of 1720	3036	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe	37
PID 3036 wrote to memory of 1720	3036	{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe	37
PID 2548 wrote to memory of 2976	2548	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe	38
PID 2548 wrote to memory of 2976	2548	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe	38
PID 2548 wrote to memory of 2976	2548	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe	38
PID 2548 wrote to memory of 2976	2548	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe	38
PID 2548 wrote to memory of 2368	2548	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe	39
PID 2548 wrote to memory of 2368	2548	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe	39
PID 2548 wrote to memory of 2368	2548	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe	39
PID 2548 wrote to memory of 2368	2548	{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe	39
PID 2976 wrote to memory of 2932	2976	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe	40
PID 2976 wrote to memory of 2932	2976	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe	40
PID 2976 wrote to memory of 2932	2976	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe	40
PID 2976 wrote to memory of 2932	2976	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe	40
PID 2976 wrote to memory of 2388	2976	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe	41
PID 2976 wrote to memory of 2388	2976	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe	41
PID 2976 wrote to memory of 2388	2976	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe	41
PID 2976 wrote to memory of 2388	2976	{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe	41
PID 2932 wrote to memory of 2924	2932	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe	42
PID 2932 wrote to memory of 2924	2932	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe	42
PID 2932 wrote to memory of 2924	2932	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe	42
PID 2932 wrote to memory of 2924	2932	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe	42
PID 2932 wrote to memory of 2472	2932	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe	43
PID 2932 wrote to memory of 2472	2932	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe	43
PID 2932 wrote to memory of 2472	2932	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe	43
PID 2932 wrote to memory of 2472	2932	{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe	43
PID 2924 wrote to memory of 2396	2924	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe	44
PID 2924 wrote to memory of 2396	2924	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe	44
PID 2924 wrote to memory of 2396	2924	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe	44
PID 2924 wrote to memory of 2396	2924	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe	44
PID 2924 wrote to memory of 2336	2924	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe	45
PID 2924 wrote to memory of 2336	2924	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe	45
PID 2924 wrote to memory of 2336	2924	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe	45
PID 2924 wrote to memory of 2336	2924	{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-07_d1e7f8f4936c32dc3bcf7b0a7467907d_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\{3429421D-BF8F-406f-B305-505071FC31C4}.exe
  C:\Windows\{3429421D-BF8F-406f-B305-505071FC31C4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe
    C:\Windows\{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe
      C:\Windows\{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe
        
        C:\Windows\{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe
        
        C:\Windows\{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe
        
        C:\Windows\{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe
        
        C:\Windows\{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{A90DD89F-BA20-4081-86AC-B44A7632E5BE}.exe
        
        C:\Windows\{A90DD89F-BA20-4081-86AC-B44A7632E5BE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\{93CBB89B-625E-4cd5-97C0-78B9BF33228A}.exe
        
        C:\Windows\{93CBB89B-625E-4cd5-97C0-78B9BF33228A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\{B06137FA-945D-4fcb-B8EC-2C839C2B6655}.exe
        
        C:\Windows\{B06137FA-945D-4fcb-B8EC-2C839C2B6655}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\{C2EB107E-E6D5-4b66-A435-9CC7FA3BD425}.exe
        
        C:\Windows\{C2EB107E-E6D5-4b66-A435-9CC7FA3BD425}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\{079B3F0F-CCBB-4b74-B174-DA1C35F7F424}.exe
        
        C:\Windows\{079B3F0F-CCBB-4b74-B174-DA1C35F7F424}.exe
        13⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2EB1~1.EXE > nul
        13⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0613~1.EXE > nul
        12⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93CBB~1.EXE > nul
        11⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A90DD~1.EXE > nul
        10⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{790A3~1.EXE > nul
        9⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5E94~1.EXE > nul
        8⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B8B4~1.EXE > nul
        7⤵
        
        PID:2388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51B60~1.EXE > nul
        6⤵
        
        PID:2368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6E95~1.EXE > nul
        5⤵
        
        PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{23CCC~1.EXE > nul
      4⤵
      PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{34294~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{079B3F0F-CCBB-4b74-B174-DA1C35F7F424}.exe

Filesize
408KB

MD5
cc1fee7d02d3912461f945f8664dc670

SHA1
59721586ffeee71a8e96677bc9ed9738842b60ce

SHA256
e92f6c98c29ea95539ffb63dddf563d65aaf82e279fbe90762c943330f4e7df0

SHA512
871d214f5e9a38b54dc3d0afe6992840cc555728e72a303eb2fb506875fdedfdc0762cacfd885d1f49db6710fde32aa784a323f2a7049c71a6aff5eaf804bc57

Download Submit
C:\Windows\{23CCCFA1-9744-4d96-90DF-F22C5ED9FDA1}.exe

Filesize
408KB

MD5
099e792d3cdfb0a004c4100bc47a759d

SHA1
21343a2c7c05720c1ba44f3c0241c6176d853c6a

SHA256
21c2cec7e806c325fd178f8e2bc308ad8216b68f63b5df722ad19470c6b5e3c2

SHA512
726f169965e928e83531ebc67ec8590316be97c6f3a7fa581f61118a4e9e2e39a7e7c9e2f0d81b728e1d68665a3f0718cd29d6d2a1649b6ba0c255b5dfe6c779

Download Submit
C:\Windows\{3429421D-BF8F-406f-B305-505071FC31C4}.exe

Filesize
408KB

MD5
184cc419ee4789d63189c5aea7bfdad5

SHA1
7d1e1ed5b7729b3d7287d0ad269a95c124036ad0

SHA256
222e63cd5891a85f40bf1162ead59e41ec86b499ae3c144879b765999c87cfa2

SHA512
822561edf459f26114b85a53352e8c9dae2b9745f0fb2ed0b50959978f9c4f03c0c4bc3039060bb454613e7a19ceb875b4d0fd1b6c7bc53f5118881c2fdaae0e

Download Submit
C:\Windows\{4B8B47BA-89B6-401e-9C88-8C1280874AD6}.exe

Filesize
408KB

MD5
f83dca78c1d8e9d0b1bd26b6cf0f6df0

SHA1
07e794c7776aed4633a933bc651e72c98ebb8f46

SHA256
292f3b6ef2cb7652a86a8ae4356519f364b9504e008040fdafd768ed41c0a2d8

SHA512
62d382c3bf789822b62e8efa70c9294a91883e233905d5145eafb1b89bb85733e9e0358430c3a5a098eb3358650c8860cad7e89b5748031b5112179585640597

Download Submit
C:\Windows\{51B609B1-B1B1-449d-A323-D9A87B4E9CC1}.exe

Filesize
408KB

MD5
81d9a0217d8692349720232afe84e292

SHA1
9ece04ee2067584ef3b00a53184b9c00e3cc5c52

SHA256
c5745db1ca357f67424ebcd17abf7ca0986acf5f2bddd102d85173312385c765

SHA512
d520de3ffdbc9e5f29da186580c37fa220b7aca2ab59b635c9df60b458afed0495bc8405cecb7a6053499cbee9fabe164e5423ea84b25e31f5d59b0bf039b223

Download Submit
C:\Windows\{790A32B4-C0DD-4ae3-A113-FDF9324AFA79}.exe

Filesize
408KB

MD5
becffb19c282508cd824752a5b92be9b

SHA1
8a7864e126a0735a71545dc9df336c348a7f31b9

SHA256
85c58e1bc66d6f5fa040711da5ee0102e0139c95a4c8869f0573c5d83f49cc2f

SHA512
14c47162e604ec349ea0882a4e66b641f0a621e5578031fb35c7f1ad829dff9e895df303d37a21f8ffc5bb97ccebf1a420a0b4dfcf7e7d2fb2be8c5262732e9b

Download Submit
C:\Windows\{93CBB89B-625E-4cd5-97C0-78B9BF33228A}.exe

Filesize
408KB

MD5
88ae35b389145456758bae6df07b5087

SHA1
a17bd9bacad0f984148ea4e99c3c2bfd19dc26fd

SHA256
569a30020196dc49d8e22e25e45d9315c7bb388c3db1dcfdc74f184b6be5afdb

SHA512
932032e17c06705a7140e14b740c118541299c73e6ac1de06daa614babaf49a3cb128640636ed3dec40aafee2f9bbd41dcaf145dbd208a8f7a3527e7e53fe87b

Download Submit
C:\Windows\{A5E94C05-6D30-4f00-B30A-970028F58C66}.exe

Filesize
408KB

MD5
727ae47d6e8d430d970cb844e3d70c7b

SHA1
b10326381dcfcc8ed8dae2117ad668cf50b757d3

SHA256
a49c00b7ca9783e4548127ccae96132abe80e21575eca47d8688bc0a274835a9

SHA512
2cb8814c164b8046be80a1db5faac8778430b3ad4dc730edbcea3648d484081b50cbccc3614c5f139b8b67a77c0d52b9efcb1967db395877176d9445306729c0

Download Submit
C:\Windows\{A6E9530A-D5B5-4bac-9BA7-0D1C2D73EC6E}.exe

Filesize
408KB

MD5
243aeeede372e35e00e61057045c44a2

SHA1
1990f0faa6d8a435266bb81defc58bd9c82f04f8

SHA256
38ee7e038f8e59a30f112ef9760197d9c0946bf09bc5bcb6fb37faba67e1e4b3

SHA512
aa4900d9359bc7935147a667fa0090770724c73f87ab97f2fbcbaf79989f3940a5a38041ee4e0f07be7d92ab6e1156c1609f6479f4235d21b302bfa676e3cd46

Download Submit
C:\Windows\{A90DD89F-BA20-4081-86AC-B44A7632E5BE}.exe

Filesize
408KB

MD5
1e704197b44ce3ae7c9471bf30ecd5c4

SHA1
276e51012991b0e5cd0d8b78d503b2bbb9bebb74

SHA256
c54f5ac2fcaae8bdd473680bf7cc3ab14cb98cf8206269e2e75361826de0c60f

SHA512
cf3a711002906c441969e0008a724e7f9300610b453a5cad1cd6352cf8d429a03ba61c5ca8a60ddcb6eb8a2ba664e6f8e0b2d7272677918ee05b0f13cd868d6e

Download Submit
C:\Windows\{B06137FA-945D-4fcb-B8EC-2C839C2B6655}.exe

Filesize
408KB

MD5
5eedfd74305c406f9116a8e14c6e8ae2

SHA1
bb87be928083f2b34d929ef24436a821a03e27f9

SHA256
90a6911fbaa6f1cd30c1894ca4ec717fbb2b49096ddb4e6ee1b47467d31b9fba

SHA512
dccb1054782a7d09aeca25942c1a7d8d4d5b268a5a5b37f4340e31d010d37d3004490fc219398433de56da68f656203988e751e8bc9b1444fd72c77a7caf9a8f

Download Submit
C:\Windows\{C2EB107E-E6D5-4b66-A435-9CC7FA3BD425}.exe

Filesize
408KB

MD5
73007729d836808d7cab571a73a17c3e

SHA1
e379beb319af34b06f17e547531334545485ecad

SHA256
03ff1a19b71756563b4dced690cacb8679fb242dcf5411666f62fca02a254f20

SHA512
3835233e42b8d3abe4515a616a150e1f0e26204f4f7585240313ceb2ac8f7abe70af0ef599bd4401ad845a275a988213d7562aefbf673d2b3d59c22eb42511f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads