5fe1bd8fce9fc2feaa72e48eed713bfcff5bb1693abcce21c3252baa3c3e1f48

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe
Size

372KB
MD5

0c8dfa629cee1f786d593781e00e990f
SHA1

a76792116d3d59ad26f7eff68849468f8907cf0f
SHA256

5fe1bd8fce9fc2feaa72e48eed713bfcff5bb1693abcce21c3252baa3c3e1f48
SHA512

029c853a0385b3ddb90511167af59c30bd3078e69be332012bffc605b3f8946f6be38a078aa4f447eba3da590c10d7e70e55a49dbe3790c351e8d657214d3c0c
SSDEEP

3072:CEGh0oElMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGelkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{278C0A87-02FB-4d81-9C06-B102C19AAAE2}	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}\stubpath = "C:\\Windows\\{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe"	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37CEA218-A2A0-4fe9-A060-09B28E3482B5}	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37CEA218-A2A0-4fe9-A060-09B28E3482B5}\stubpath = "C:\\Windows\\{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe"	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C476A34-8C53-4847-A997-4664B027F622}\stubpath = "C:\\Windows\\{2C476A34-8C53-4847-A997-4664B027F622}.exe"	{C728E135-BECA-49e3-9AF6-2E659B5EF581}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FA2CE79-6335-4966-90D1-077B5ED7AF5C}	{2C476A34-8C53-4847-A997-4664B027F622}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{278C0A87-02FB-4d81-9C06-B102C19AAAE2}\stubpath = "C:\\Windows\\{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe"	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4337962C-4E9F-4749-92C5-0D99972E3944}	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DA24412-9C2A-4ccc-91D6-D534D02A8507}\stubpath = "C:\\Windows\\{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe"	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{838156F6-4E89-48ce-9D2D-94D1985E5EDF}\stubpath = "C:\\Windows\\{838156F6-4E89-48ce-9D2D-94D1985E5EDF}.exe"	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C728E135-BECA-49e3-9AF6-2E659B5EF581}\stubpath = "C:\\Windows\\{C728E135-BECA-49e3-9AF6-2E659B5EF581}.exe"	{838156F6-4E89-48ce-9D2D-94D1985E5EDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C476A34-8C53-4847-A997-4664B027F622}	{C728E135-BECA-49e3-9AF6-2E659B5EF581}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C728E135-BECA-49e3-9AF6-2E659B5EF581}	{838156F6-4E89-48ce-9D2D-94D1985E5EDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FA2CE79-6335-4966-90D1-077B5ED7AF5C}\stubpath = "C:\\Windows\\{2FA2CE79-6335-4966-90D1-077B5ED7AF5C}.exe"	{2C476A34-8C53-4847-A997-4664B027F622}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB07427E-9C2B-4594-9D47-08BE85331D86}\stubpath = "C:\\Windows\\{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe"	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1294F2C8-D3D5-48cc-A897-881EA052ECA1}	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1294F2C8-D3D5-48cc-A897-881EA052ECA1}\stubpath = "C:\\Windows\\{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe"	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4337962C-4E9F-4749-92C5-0D99972E3944}\stubpath = "C:\\Windows\\{4337962C-4E9F-4749-92C5-0D99972E3944}.exe"	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DA24412-9C2A-4ccc-91D6-D534D02A8507}	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{838156F6-4E89-48ce-9D2D-94D1985E5EDF}	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB07427E-9C2B-4594-9D47-08BE85331D86}	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe

Deletes itself 1 IoCs

pid	Process
3044	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3048	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe
2668	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe
2696	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe
2528	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe
2688	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe
1924	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe
812	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe
1636	{838156F6-4E89-48ce-9D2D-94D1985E5EDF}.exe
2268	{C728E135-BECA-49e3-9AF6-2E659B5EF581}.exe
2112	{2C476A34-8C53-4847-A997-4664B027F622}.exe
1484	{2FA2CE79-6335-4966-90D1-077B5ED7AF5C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{838156F6-4E89-48ce-9D2D-94D1985E5EDF}.exe	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe
File created	C:\Windows\{2C476A34-8C53-4847-A997-4664B027F622}.exe	{C728E135-BECA-49e3-9AF6-2E659B5EF581}.exe
File created	C:\Windows\{2FA2CE79-6335-4966-90D1-077B5ED7AF5C}.exe	{2C476A34-8C53-4847-A997-4664B027F622}.exe
File created	C:\Windows\{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe
File created	C:\Windows\{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe
File created	C:\Windows\{4337962C-4E9F-4749-92C5-0D99972E3944}.exe	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe
File created	C:\Windows\{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe
File created	C:\Windows\{C728E135-BECA-49e3-9AF6-2E659B5EF581}.exe	{838156F6-4E89-48ce-9D2D-94D1985E5EDF}.exe
File created	C:\Windows\{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe
File created	C:\Windows\{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe
File created	C:\Windows\{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2184	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3048	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe
Token: SeIncBasePriorityPrivilege	2668	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe
Token: SeIncBasePriorityPrivilege	2696	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe
Token: SeIncBasePriorityPrivilege	2528	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe
Token: SeIncBasePriorityPrivilege	2688	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe
Token: SeIncBasePriorityPrivilege	1924	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe
Token: SeIncBasePriorityPrivilege	812	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe
Token: SeIncBasePriorityPrivilege	1636	{838156F6-4E89-48ce-9D2D-94D1985E5EDF}.exe
Token: SeIncBasePriorityPrivilege	2268	{C728E135-BECA-49e3-9AF6-2E659B5EF581}.exe
Token: SeIncBasePriorityPrivilege	2112	{2C476A34-8C53-4847-A997-4664B027F622}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 3048	2184	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	28
PID 2184 wrote to memory of 3048	2184	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	28
PID 2184 wrote to memory of 3048	2184	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	28
PID 2184 wrote to memory of 3048	2184	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	28
PID 2184 wrote to memory of 3044	2184	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	29
PID 2184 wrote to memory of 3044	2184	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	29
PID 2184 wrote to memory of 3044	2184	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	29
PID 2184 wrote to memory of 3044	2184	2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe	29
PID 3048 wrote to memory of 2668	3048	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe	30
PID 3048 wrote to memory of 2668	3048	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe	30
PID 3048 wrote to memory of 2668	3048	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe	30
PID 3048 wrote to memory of 2668	3048	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe	30
PID 3048 wrote to memory of 2124	3048	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe	31
PID 3048 wrote to memory of 2124	3048	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe	31
PID 3048 wrote to memory of 2124	3048	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe	31
PID 3048 wrote to memory of 2124	3048	{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe	31
PID 2668 wrote to memory of 2696	2668	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe	32
PID 2668 wrote to memory of 2696	2668	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe	32
PID 2668 wrote to memory of 2696	2668	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe	32
PID 2668 wrote to memory of 2696	2668	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe	32
PID 2668 wrote to memory of 2648	2668	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe	33
PID 2668 wrote to memory of 2648	2668	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe	33
PID 2668 wrote to memory of 2648	2668	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe	33
PID 2668 wrote to memory of 2648	2668	{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe	33
PID 2696 wrote to memory of 2528	2696	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe	36
PID 2696 wrote to memory of 2528	2696	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe	36
PID 2696 wrote to memory of 2528	2696	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe	36
PID 2696 wrote to memory of 2528	2696	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe	36
PID 2696 wrote to memory of 2000	2696	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe	37
PID 2696 wrote to memory of 2000	2696	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe	37
PID 2696 wrote to memory of 2000	2696	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe	37
PID 2696 wrote to memory of 2000	2696	{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe	37
PID 2528 wrote to memory of 2688	2528	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe	38
PID 2528 wrote to memory of 2688	2528	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe	38
PID 2528 wrote to memory of 2688	2528	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe	38
PID 2528 wrote to memory of 2688	2528	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe	38
PID 2528 wrote to memory of 2868	2528	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe	39
PID 2528 wrote to memory of 2868	2528	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe	39
PID 2528 wrote to memory of 2868	2528	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe	39
PID 2528 wrote to memory of 2868	2528	{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe	39
PID 2688 wrote to memory of 1924	2688	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe	40
PID 2688 wrote to memory of 1924	2688	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe	40
PID 2688 wrote to memory of 1924	2688	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe	40
PID 2688 wrote to memory of 1924	2688	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe	40
PID 2688 wrote to memory of 1984	2688	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe	41
PID 2688 wrote to memory of 1984	2688	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe	41
PID 2688 wrote to memory of 1984	2688	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe	41
PID 2688 wrote to memory of 1984	2688	{4337962C-4E9F-4749-92C5-0D99972E3944}.exe	41
PID 1924 wrote to memory of 812	1924	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe	42
PID 1924 wrote to memory of 812	1924	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe	42
PID 1924 wrote to memory of 812	1924	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe	42
PID 1924 wrote to memory of 812	1924	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe	42
PID 1924 wrote to memory of 1288	1924	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe	43
PID 1924 wrote to memory of 1288	1924	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe	43
PID 1924 wrote to memory of 1288	1924	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe	43
PID 1924 wrote to memory of 1288	1924	{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe	43
PID 812 wrote to memory of 1636	812	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe	44
PID 812 wrote to memory of 1636	812	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe	44
PID 812 wrote to memory of 1636	812	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe	44
PID 812 wrote to memory of 1636	812	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe	44
PID 812 wrote to memory of 1400	812	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe	45
PID 812 wrote to memory of 1400	812	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe	45
PID 812 wrote to memory of 1400	812	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe	45
PID 812 wrote to memory of 1400	812	{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-08_0c8dfa629cee1f786d593781e00e990f_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe
  C:\Windows\{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe
    C:\Windows\{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe
      C:\Windows\{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe
        
        C:\Windows\{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\{4337962C-4E9F-4749-92C5-0D99972E3944}.exe
        
        C:\Windows\{4337962C-4E9F-4749-92C5-0D99972E3944}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe
        
        C:\Windows\{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe
        
        C:\Windows\{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\{838156F6-4E89-48ce-9D2D-94D1985E5EDF}.exe
        
        C:\Windows\{838156F6-4E89-48ce-9D2D-94D1985E5EDF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\{C728E135-BECA-49e3-9AF6-2E659B5EF581}.exe
        
        C:\Windows\{C728E135-BECA-49e3-9AF6-2E659B5EF581}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\{2C476A34-8C53-4847-A997-4664B027F622}.exe
        
        C:\Windows\{2C476A34-8C53-4847-A997-4664B027F622}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{2FA2CE79-6335-4966-90D1-077B5ED7AF5C}.exe
        
        C:\Windows\{2FA2CE79-6335-4966-90D1-077B5ED7AF5C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C476~1.EXE > nul
        12⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C728E~1.EXE > nul
        11⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83815~1.EXE > nul
        10⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37CEA~1.EXE > nul
        9⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DA24~1.EXE > nul
        8⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43379~1.EXE > nul
        7⤵
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1294F~1.EXE > nul
        6⤵
        
        PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB074~1.EXE > nul
        5⤵
        
        PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FF76C~1.EXE > nul
      4⤵
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{278C0~1.EXE > nul
    3⤵
    PID:2124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1294F2C8-D3D5-48cc-A897-881EA052ECA1}.exe

Filesize
372KB

MD5
58fff29785b3f4d84a5fe86bee8fb220

SHA1
f48df538e56817ac8f4c2e16678953da027ec5f2

SHA256
39ec4377902ef482eae26550be8afe593d4b6657fceab71590403e58629db73d

SHA512
fe7f9ca7d4586a26f4f3b4738ffe9691f88b4db19d1144d626d532a55a2efd2058a8ca305ead2f515ba0d9a4f773274ca056f504ec991332b63f4307544af4cc

Download Submit
C:\Windows\{278C0A87-02FB-4d81-9C06-B102C19AAAE2}.exe

Filesize
372KB

MD5
f1439fddebf74372b86a52cf9d601750

SHA1
2895060cf741b16e2057f6114ef398d170da6208

SHA256
b82d56f0ff550312039598b52a2fc049fd65b8e695fb3314f9fe6477715425ae

SHA512
91641bdd616c1dd8d96798b99d8f99eb1531d0773652e88adced49f5facadd71ef8338f1d448cacef979a9c24fe0fcfa4362aacee3f71fdc40ac15cd721f2315

Download Submit
C:\Windows\{2C476A34-8C53-4847-A997-4664B027F622}.exe

Filesize
372KB

MD5
6fbedc1fcdf2faf4dd2f9ba4a82777f9

SHA1
aac425993ffc882ef5a521cdae21331e3b603a2e

SHA256
5cd25e581eb964de73b6125be126dc6768aa52c13f6580c5cb651a9f9cf88117

SHA512
7943a4af74e2ec927f64decfd25fc51d2c6cbca05286ed06bad336431c4e4c94ecc3f88254c8047b90216bda6b5fcfa9665c4e3e1e4501195110e01a0d5e1bf0

Download Submit
C:\Windows\{2FA2CE79-6335-4966-90D1-077B5ED7AF5C}.exe

Filesize
372KB

MD5
99c4e4af7e81cd6a16438e19a3b736a6

SHA1
5181cc990b5817ce0e0c7ebe86df29c1acf93b4f

SHA256
5c7bba330dd41b71f59fcf65f860e43768d80baccd608a6f8136741ecab5bfdb

SHA512
2e23adde1c5b77ab9b466730eddcef46501ede671b9ba9c582d3bc636863bc301c13deada78605800d6e8a4e11240e1ee11a61f97a51c7fcb9ea4f0c13dda2ab

Download Submit
C:\Windows\{37CEA218-A2A0-4fe9-A060-09B28E3482B5}.exe

Filesize
372KB

MD5
754824a9d96f873fa03c1accad6bdf33

SHA1
fda285f3563ce2369a74f82c307c02850abcf34e

SHA256
e8efeae84c468ed9b922e5be92a0c82e30c358e64f7337f65d1bade9379f9347

SHA512
07c005d723eb4635f88139118694039102c383e59b5277ec539bc9ec805bdc9b2be144549d952de42cd0bb38502aa0bb1d87ed95c1b5853169dee730ab2c84a5

Download Submit
C:\Windows\{4337962C-4E9F-4749-92C5-0D99972E3944}.exe

Filesize
372KB

MD5
b5c9c329c13517cf266d01b5281a9552

SHA1
ffaee94c5005af43189e4d5cae6a487a8e966e4a

SHA256
2861db15e90830e55d0ce1308db30864b72a766e98ef23cf914ec4b947ea69d5

SHA512
372339797d6a20c3665f8a611f579c26360e8788d313489405a8ebc26a7f5b7cfc35426eefc23da14cce6a1cd7c8a4d53d6dd46a4ee02478b86e70832369d890

Download Submit
C:\Windows\{4DA24412-9C2A-4ccc-91D6-D534D02A8507}.exe

Filesize
372KB

MD5
4c183359aca1bc88610cbf810bd5cc5e

SHA1
517777801afb62ef7247308cfec886c2fe773ec9

SHA256
85d9b3a403902e567361d8349fe2afb42a903fd805a69c14230017f7690b8129

SHA512
caec26b9595e4469c656881d893b9c30e7d7a53e5ed6b1093e59cbf2cccfd5efea83328cf868b22185d8360bd4c4ae360bd926686adc18983102ed10af3acc1f

Download Submit
C:\Windows\{838156F6-4E89-48ce-9D2D-94D1985E5EDF}.exe

Filesize
372KB

MD5
9cf6280ba7f80b3e3be68b02dc2509f8

SHA1
6209a248b4dec1c656572244fcf9a2df26add8be

SHA256
ebfc51208b414c8657c48abda2a68c2107febf127da8ccccf19faaa17557e949

SHA512
7dae2d8c51a9b665363653f35bc78f798e15425faf6e14482b1328d5f566816fe5a2044ecccd28f63356ad0079ce4c756a7c08e19d9aeb4cd2463f3c70c68e0d

Download Submit
C:\Windows\{C728E135-BECA-49e3-9AF6-2E659B5EF581}.exe

Filesize
372KB

MD5
bdac1213cc0fc02c8c392604228a0f98

SHA1
c05d759138bb1fcb359dd8eeda88338fa8c06d63

SHA256
9cc547c1c573287bd7ec05e77ce14376a75e654f7c83c542e478e74d2b867bef

SHA512
26a3c1c5e2734175415c254a2353d2dde46fcb719e8e4e0fea1e5c5e2059042708ef4ca1b1d18671b0f9c57b95475c5f78d325157b11c81d6f7ab114c67de563

Download Submit
C:\Windows\{CB07427E-9C2B-4594-9D47-08BE85331D86}.exe

Filesize
372KB

MD5
d63ce6f5f245d9608810b8262f74dcf3

SHA1
94edffa5f0691754b77b0f0d1d0d2b441e35b539

SHA256
c82299f797ff05658872472a457c0cf4cdbc5ea02c1540478511120c6dbc2638

SHA512
dc59529903aca548e1c0c2cf14dcc3c7bb35e126919878ea5f3eacd912cee5939376dd04fe684a0b37f9fa94470c796b744c3db75ca801869dfed8ca7aa6b5a7

Download Submit
C:\Windows\{FF76C0E0-3167-4321-96D8-A3E5A158A4B5}.exe

Filesize
372KB

MD5
c00751aec7b9e5663e2ac4a104f98114

SHA1
83a1a6c428ebbad4ddba6e8f55612a9524d91c72

SHA256
b5281d167cbaea556e9a5c4211b3374f0fca626fa2cb56e0c857b5a3c383bda0

SHA512
b2167185de5aa0eebbed5577c8bb687e8191febe622a0c1da66782b0049b72c8527898653fbeb0eeaae02ff76cb8ac1c179200f83854fab2b3b1766c476f5966

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads