b10af3e4e8baa4781f123559040ffe8974694e0fb64187287d47e1ebf15d36a3

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 07:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe
Size

168KB
MD5

7eb1eb56769e01d76f17bdb09fb003a3
SHA1

cd2733d3f637ffe1f757474069a41f70aea1aad7
SHA256

b10af3e4e8baa4781f123559040ffe8974694e0fb64187287d47e1ebf15d36a3
SHA512

087bf93aab5052f0d81156e90282710f9535495f965af412a93763d243904ced9a1fc4e327d5f89e4fa029ce47843b608938665f82ef046954c91210da598fc2
SSDEEP

1536:1EGh0o8lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}\stubpath = "C:\\Windows\\{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe"	2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58D7B7D0-40CF-46c7-877F-D83BEDE61531}\stubpath = "C:\\Windows\\{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe"	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8377955E-D3A6-4188-95F1-C6F1AD0A290A}\stubpath = "C:\\Windows\\{8377955E-D3A6-4188-95F1-C6F1AD0A290A}.exe"	{95F4ADF5-0E8C-4567-AABE-3596DC3502F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2615E670-20ED-4f4a-B43F-F18230C5EDC0}\stubpath = "C:\\Windows\\{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe"	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}\stubpath = "C:\\Windows\\{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe"	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95F4ADF5-0E8C-4567-AABE-3596DC3502F1}\stubpath = "C:\\Windows\\{95F4ADF5-0E8C-4567-AABE-3596DC3502F1}.exe"	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0665D47-8F79-4e1a-AE16-189209216AE6}\stubpath = "C:\\Windows\\{B0665D47-8F79-4e1a-AE16-189209216AE6}.exe"	{2E477703-EE89-4ca8-94F4-44617D21AE89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95F4ADF5-0E8C-4567-AABE-3596DC3502F1}	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8377955E-D3A6-4188-95F1-C6F1AD0A290A}	{95F4ADF5-0E8C-4567-AABE-3596DC3502F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E477703-EE89-4ca8-94F4-44617D21AE89}\stubpath = "C:\\Windows\\{2E477703-EE89-4ca8-94F4-44617D21AE89}.exe"	{8377955E-D3A6-4188-95F1-C6F1AD0A290A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}	2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}\stubpath = "C:\\Windows\\{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe"	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2615E670-20ED-4f4a-B43F-F18230C5EDC0}	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AF642B4-4798-4f5d-8DB7-09A852F894BF}	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AF642B4-4798-4f5d-8DB7-09A852F894BF}\stubpath = "C:\\Windows\\{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe"	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E477703-EE89-4ca8-94F4-44617D21AE89}	{8377955E-D3A6-4188-95F1-C6F1AD0A290A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0665D47-8F79-4e1a-AE16-189209216AE6}	{2E477703-EE89-4ca8-94F4-44617D21AE89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD124026-9069-4b61-BB6D-8F2509633CE4}	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD124026-9069-4b61-BB6D-8F2509633CE4}\stubpath = "C:\\Windows\\{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe"	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58D7B7D0-40CF-46c7-877F-D83BEDE61531}	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2040	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe
2944	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe
2108	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe
2640	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe
1176	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe
2732	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe
2884	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe
1164	{95F4ADF5-0E8C-4567-AABE-3596DC3502F1}.exe
1904	{8377955E-D3A6-4188-95F1-C6F1AD0A290A}.exe
1480	{2E477703-EE89-4ca8-94F4-44617D21AE89}.exe
2448	{B0665D47-8F79-4e1a-AE16-189209216AE6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe
File created	C:\Windows\{95F4ADF5-0E8C-4567-AABE-3596DC3502F1}.exe	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe
File created	C:\Windows\{8377955E-D3A6-4188-95F1-C6F1AD0A290A}.exe	{95F4ADF5-0E8C-4567-AABE-3596DC3502F1}.exe
File created	C:\Windows\{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe	2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe
File created	C:\Windows\{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe
File created	C:\Windows\{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe
File created	C:\Windows\{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe
File created	C:\Windows\{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe
File created	C:\Windows\{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe
File created	C:\Windows\{2E477703-EE89-4ca8-94F4-44617D21AE89}.exe	{8377955E-D3A6-4188-95F1-C6F1AD0A290A}.exe
File created	C:\Windows\{B0665D47-8F79-4e1a-AE16-189209216AE6}.exe	{2E477703-EE89-4ca8-94F4-44617D21AE89}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1404	2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2040	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe
Token: SeIncBasePriorityPrivilege	2944	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe
Token: SeIncBasePriorityPrivilege	2108	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe
Token: SeIncBasePriorityPrivilege	2640	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe
Token: SeIncBasePriorityPrivilege	1176	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe
Token: SeIncBasePriorityPrivilege	2732	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe
Token: SeIncBasePriorityPrivilege	2884	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe
Token: SeIncBasePriorityPrivilege	1164	{95F4ADF5-0E8C-4567-AABE-3596DC3502F1}.exe
Token: SeIncBasePriorityPrivilege	1904	{8377955E-D3A6-4188-95F1-C6F1AD0A290A}.exe
Token: SeIncBasePriorityPrivilege	1480	{2E477703-EE89-4ca8-94F4-44617D21AE89}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2040	1404	2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe	30
PID 1404 wrote to memory of 2040	1404	2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe	30
PID 1404 wrote to memory of 2040	1404	2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe	30
PID 1404 wrote to memory of 2040	1404	2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe	30
PID 1404 wrote to memory of 2576	1404	2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe	31
PID 1404 wrote to memory of 2576	1404	2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe	31
PID 1404 wrote to memory of 2576	1404	2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe	31
PID 1404 wrote to memory of 2576	1404	2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe	31
PID 2040 wrote to memory of 2944	2040	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe	33
PID 2040 wrote to memory of 2944	2040	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe	33
PID 2040 wrote to memory of 2944	2040	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe	33
PID 2040 wrote to memory of 2944	2040	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe	33
PID 2040 wrote to memory of 2792	2040	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe	34
PID 2040 wrote to memory of 2792	2040	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe	34
PID 2040 wrote to memory of 2792	2040	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe	34
PID 2040 wrote to memory of 2792	2040	{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe	34
PID 2944 wrote to memory of 2108	2944	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe	35
PID 2944 wrote to memory of 2108	2944	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe	35
PID 2944 wrote to memory of 2108	2944	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe	35
PID 2944 wrote to memory of 2108	2944	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe	35
PID 2944 wrote to memory of 2860	2944	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe	36
PID 2944 wrote to memory of 2860	2944	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe	36
PID 2944 wrote to memory of 2860	2944	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe	36
PID 2944 wrote to memory of 2860	2944	{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe	36
PID 2108 wrote to memory of 2640	2108	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe	37
PID 2108 wrote to memory of 2640	2108	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe	37
PID 2108 wrote to memory of 2640	2108	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe	37
PID 2108 wrote to memory of 2640	2108	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe	37
PID 2108 wrote to memory of 2688	2108	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe	38
PID 2108 wrote to memory of 2688	2108	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe	38
PID 2108 wrote to memory of 2688	2108	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe	38
PID 2108 wrote to memory of 2688	2108	{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe	38
PID 2640 wrote to memory of 1176	2640	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe	39
PID 2640 wrote to memory of 1176	2640	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe	39
PID 2640 wrote to memory of 1176	2640	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe	39
PID 2640 wrote to memory of 1176	2640	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe	39
PID 2640 wrote to memory of 2848	2640	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe	40
PID 2640 wrote to memory of 2848	2640	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe	40
PID 2640 wrote to memory of 2848	2640	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe	40
PID 2640 wrote to memory of 2848	2640	{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe	40
PID 1176 wrote to memory of 2732	1176	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe	41
PID 1176 wrote to memory of 2732	1176	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe	41
PID 1176 wrote to memory of 2732	1176	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe	41
PID 1176 wrote to memory of 2732	1176	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe	41
PID 1176 wrote to memory of 1748	1176	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe	42
PID 1176 wrote to memory of 1748	1176	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe	42
PID 1176 wrote to memory of 1748	1176	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe	42
PID 1176 wrote to memory of 1748	1176	{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe	42
PID 2732 wrote to memory of 2884	2732	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe	43
PID 2732 wrote to memory of 2884	2732	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe	43
PID 2732 wrote to memory of 2884	2732	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe	43
PID 2732 wrote to memory of 2884	2732	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe	43
PID 2732 wrote to memory of 3016	2732	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe	44
PID 2732 wrote to memory of 3016	2732	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe	44
PID 2732 wrote to memory of 3016	2732	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe	44
PID 2732 wrote to memory of 3016	2732	{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe	44
PID 2884 wrote to memory of 1164	2884	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe	45
PID 2884 wrote to memory of 1164	2884	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe	45
PID 2884 wrote to memory of 1164	2884	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe	45
PID 2884 wrote to memory of 1164	2884	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe	45
PID 2884 wrote to memory of 536	2884	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe	46
PID 2884 wrote to memory of 536	2884	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe	46
PID 2884 wrote to memory of 536	2884	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe	46
PID 2884 wrote to memory of 536	2884	{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_7eb1eb56769e01d76f17bdb09fb003a3_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe
  C:\Windows\{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe
    C:\Windows\{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe
      C:\Windows\{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe
        
        C:\Windows\{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe
        
        C:\Windows\{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe
        
        C:\Windows\{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe
        
        C:\Windows\{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{95F4ADF5-0E8C-4567-AABE-3596DC3502F1}.exe
        
        C:\Windows\{95F4ADF5-0E8C-4567-AABE-3596DC3502F1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\{8377955E-D3A6-4188-95F1-C6F1AD0A290A}.exe
        
        C:\Windows\{8377955E-D3A6-4188-95F1-C6F1AD0A290A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\{2E477703-EE89-4ca8-94F4-44617D21AE89}.exe
        
        C:\Windows\{2E477703-EE89-4ca8-94F4-44617D21AE89}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\{B0665D47-8F79-4e1a-AE16-189209216AE6}.exe
        
        C:\Windows\{B0665D47-8F79-4e1a-AE16-189209216AE6}.exe
        12⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E477~1.EXE > nul
        12⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83779~1.EXE > nul
        11⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95F4A~1.EXE > nul
        10⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AF64~1.EXE > nul
        9⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CF83~1.EXE > nul
        8⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2615E~1.EXE > nul
        7⤵
        
        PID:1748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58D7B~1.EXE > nul
        6⤵
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD124~1.EXE > nul
        5⤵
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D9F1D~1.EXE > nul
      4⤵
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3FBD5~1.EXE > nul
    3⤵
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2615E670-20ED-4f4a-B43F-F18230C5EDC0}.exe

Filesize
168KB

MD5
d8055b79d0744435a2fff62a97848cbb

SHA1
ff872b4ed15c1f6feae0aac3e0522b73d93513c1

SHA256
e575bb1ac4d086e90495e021e9c6dd722724a6c6e9ed24267f3cf1a6de9fddec

SHA512
c4bfd83d01358684fae4be334959f0af886873d406fdd5b444bb4c13302b4bc9cba1d37765ae8f735c51acb762000b7edfd56dcfdc624276fa2b04cfd5369719

Download Submit
C:\Windows\{2AF642B4-4798-4f5d-8DB7-09A852F894BF}.exe

Filesize
168KB

MD5
14363e3d007771a00db1d2a678fd76fc

SHA1
edbaef6e4fedb4f7818a942ee7e8215e7e162f08

SHA256
ba350c8f60721b8fcb1603197275f29706785e6cc086a0a398d0016163fad9df

SHA512
6bec932fa0a4d85677fe95fe315184396cd897f653cbaaae0e55d001520624b705dc4f4e1245eeaf2217d35687ba206d415da470ec27abd69b6b208aa0b5868d

Download Submit
C:\Windows\{2E477703-EE89-4ca8-94F4-44617D21AE89}.exe

Filesize
168KB

MD5
15228a1142e664e2108ccfd07047fc31

SHA1
5b0826680dc716a79fa3222e78cf31e5b805174d

SHA256
dc3a7031d942508a84aa0dc6e8e026f955336f32eb1ecde84d3b705f69eb3210

SHA512
246587ec0603e3ac44d9d26d34bf7035a69afd87c120fcbf83b60e75a43ac1f3f373b0160c3a646e4f17f0e88dac81e7e2dcc6eb936563f93e511cd647cffa63

Download Submit
C:\Windows\{3FBD56CF-5BC3-471f-BC2C-9CD47BE795B7}.exe

Filesize
168KB

MD5
10ea3584afbe79379fc1a4d8f0ca2a7d

SHA1
ec7d1d3b07cb41a1e479a68a91ea2510a9b4d242

SHA256
d9dbad30842e1a8c58e76c9a6f2dd08dabd0fea4ffdf77dda36113a9126bdddd

SHA512
bf00f4b4d57e8bad8ff0d16d6b19a71fd207c5b8669926eeefea927e0f14027710bc2e44b329b048aff1dc75ae2d68365fb1df4fb011bbb618afe8e7f9a4b3f6

Download Submit
C:\Windows\{58D7B7D0-40CF-46c7-877F-D83BEDE61531}.exe

Filesize
168KB

MD5
f87f15d7863764094dbb7c7c5e924f8f

SHA1
caca97810f6d70a724f5e817f6531476adfee91a

SHA256
e0132aed06421593783881b342e35ccf471f980e44a293a00c5a9a4a6dc13744

SHA512
476618624493b22e7d5aa3039bc5932d26d4ca010dc683777bc46b26b8e73760966f2c93ef467182b18305f4fe852246698fa713b3c57965c2b663805ead0a8a

Download Submit
C:\Windows\{7CF83372-1E1F-40a5-BBC7-C6D66A9DD39C}.exe

Filesize
168KB

MD5
249474c66a8c9a3502c7bd5f64c6d0f7

SHA1
ea336f9cb697fdef3a771a2906d39c60cd20c4dc

SHA256
7dbb0d34fedfe9d9ec37f5e7bf91ba404917adb042ffb03770b34f55594c31a7

SHA512
4aa743dc881dd228e425b165b06c29862db824b57e575b050ebfe0d4e1748aa9bd4a63205b481d52aa34dac7b890861ed9630cbd5c51a0240a76f380a34b4cab

Download Submit
C:\Windows\{8377955E-D3A6-4188-95F1-C6F1AD0A290A}.exe

Filesize
168KB

MD5
56a4b9b300b141faa599c3c1dde299b0

SHA1
bcddf8521e991ad766d5451182400626f01b7c4b

SHA256
16e0d0929d78b157bb267414d9d42f565103e50be106e71b46b0f67aecac90f2

SHA512
8348a4c821ab819fadcbc070fac065c286a4e47dad3b5d5056d763a7b400896f437a5f829d871a2fe080b59c2e3111f528b7115514cf6789c9e11ac8045eb807

Download Submit
C:\Windows\{95F4ADF5-0E8C-4567-AABE-3596DC3502F1}.exe

Filesize
168KB

MD5
eeb217a6991f446a2c347e3d2dda9ba1

SHA1
2392c2197442b67a6c529b03075b01a07070d64a

SHA256
2b01db252ec8759aec47e63d2e9041eabdf91ebaf2fcbd0d15294a0cd7e5bd65

SHA512
b0c5b6b1ec69674b8e83c22c22f18c6fa20790e9d8c1447e1f0d43a4bb1deb9bcf10b6b0fa96b037703e444598e713356251bc819d9f247027d6b81cb3b7f09c

Download Submit
C:\Windows\{B0665D47-8F79-4e1a-AE16-189209216AE6}.exe

Filesize
168KB

MD5
9e0eddab66540060768b28b0486852dd

SHA1
2ad4019e7aa1e09446c1ab31546a3e639c18aee5

SHA256
6b0fee1d5f31626f1b75080de4f9a7941561abf6331b92dd1a8dca408c3b1939

SHA512
0ddbf263942b367b77dc797c26a1e50737ee30c0de29d0169dbcb20a85a4d9a0d4f1716b8fe32cd7d07358b6f581752a400639129ea5ada3cb0d27b2c89387e2

Download Submit
C:\Windows\{D9F1DCD4-E024-4d9b-92E9-49A5593DD7BC}.exe

Filesize
168KB

MD5
763c08fd284f2156f21c0c913e7cff9d

SHA1
6d8bfe67805887a107be80eb51eb3c03019bee8b

SHA256
2f4bb12855eba3f59e9cf44397b37301ef733ace310d0a5d2cd26bc91a180bab

SHA512
1b66285248a79566d70a93f4688e0bffcdc6436fe38513e1efe3f166202b13ae55f21024e4c8ca785a609cd800bec1c43279ca7b3b8b4124c8dadd750430e6e7

Download Submit
C:\Windows\{DD124026-9069-4b61-BB6D-8F2509633CE4}.exe

Filesize
168KB

MD5
f1fed5d165db7c66000ab583da9031ed

SHA1
bba747648712da0524efbe5ba6b80a67d359068a

SHA256
bfba2f0f594e6ef417ed234a577ab7530bd57553e5692eccb82d9416a57a5625

SHA512
a16249cf3d1239ffd17bd4aeae634bea5b5b42844f1f13c67a73f5af432d209f1535b88d975a28a0c06438be8343979602825b7b2bfff3e6ab0331826aeeae19

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads