bd5e696df54b5eb1ce06f893940a242e091eab59a18fca2b0d1130b82a293033

Analysis

max time kernel
144s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 08:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe
Size

192KB
MD5

f0f903ee95d1fa10a99131cefba9a6a2
SHA1

01f541c37eba35d5dce8e5ecac14ebb528c55038
SHA256

bd5e696df54b5eb1ce06f893940a242e091eab59a18fca2b0d1130b82a293033
SHA512

3710ed6195c6599c10f23eb149667593ffe476ac072b54b6e68c6c4e5a49753ecc52b0d12ab635f5d825dc3931208862443cff673bf9d511151a20dade766e13
SSDEEP

1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0o9l1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC71403B-272D-4ec8-85F4-6CDA8B9B1B0D}	{34BA1565-7C86-450c-8B42-7E2BB29A95D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}\stubpath = "C:\\Windows\\{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe"	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6715583A-22C6-43c4-8CB2-D2F2460D554A}\stubpath = "C:\\Windows\\{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe"	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95729D97-0B06-4e5d-96B7-05A150A7C2FA}\stubpath = "C:\\Windows\\{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe"	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01C497B-9FF5-4003-8E5E-1A0CC627F176}	{A3AF6A1C-FDD3-47bf-9859-8F8F9FF5F5CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}\stubpath = "C:\\Windows\\{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe"	2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95729D97-0B06-4e5d-96B7-05A150A7C2FA}	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59DB6910-F6CD-45ab-8F03-67DC2806B977}	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34BA1565-7C86-450c-8B42-7E2BB29A95D3}	{A01C497B-9FF5-4003-8E5E-1A0CC627F176}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34BA1565-7C86-450c-8B42-7E2BB29A95D3}\stubpath = "C:\\Windows\\{34BA1565-7C86-450c-8B42-7E2BB29A95D3}.exe"	{A01C497B-9FF5-4003-8E5E-1A0CC627F176}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6D55D6C-0294-499e-9209-7850F176DE4C}\stubpath = "C:\\Windows\\{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe"	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{855B0FF3-5D8D-4df9-B162-82E6E57C6972}	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59DB6910-F6CD-45ab-8F03-67DC2806B977}\stubpath = "C:\\Windows\\{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe"	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3AF6A1C-FDD3-47bf-9859-8F8F9FF5F5CA}	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3AF6A1C-FDD3-47bf-9859-8F8F9FF5F5CA}\stubpath = "C:\\Windows\\{A3AF6A1C-FDD3-47bf-9859-8F8F9FF5F5CA}.exe"	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC71403B-272D-4ec8-85F4-6CDA8B9B1B0D}\stubpath = "C:\\Windows\\{DC71403B-272D-4ec8-85F4-6CDA8B9B1B0D}.exe"	{34BA1565-7C86-450c-8B42-7E2BB29A95D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}	2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6D55D6C-0294-499e-9209-7850F176DE4C}	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6715583A-22C6-43c4-8CB2-D2F2460D554A}	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{855B0FF3-5D8D-4df9-B162-82E6E57C6972}\stubpath = "C:\\Windows\\{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe"	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A01C497B-9FF5-4003-8E5E-1A0CC627F176}\stubpath = "C:\\Windows\\{A01C497B-9FF5-4003-8E5E-1A0CC627F176}.exe"	{A3AF6A1C-FDD3-47bf-9859-8F8F9FF5F5CA}.exe

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1976	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe
2632	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe
2664	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe
2692	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe
2944	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe
2376	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe
3016	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe
2952	{A3AF6A1C-FDD3-47bf-9859-8F8F9FF5F5CA}.exe
684	{A01C497B-9FF5-4003-8E5E-1A0CC627F176}.exe
2388	{34BA1565-7C86-450c-8B42-7E2BB29A95D3}.exe
2204	{DC71403B-272D-4ec8-85F4-6CDA8B9B1B0D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A01C497B-9FF5-4003-8E5E-1A0CC627F176}.exe	{A3AF6A1C-FDD3-47bf-9859-8F8F9FF5F5CA}.exe
File created	C:\Windows\{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe
File created	C:\Windows\{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe
File created	C:\Windows\{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe
File created	C:\Windows\{A3AF6A1C-FDD3-47bf-9859-8F8F9FF5F5CA}.exe	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe
File created	C:\Windows\{34BA1565-7C86-450c-8B42-7E2BB29A95D3}.exe	{A01C497B-9FF5-4003-8E5E-1A0CC627F176}.exe
File created	C:\Windows\{DC71403B-272D-4ec8-85F4-6CDA8B9B1B0D}.exe	{34BA1565-7C86-450c-8B42-7E2BB29A95D3}.exe
File created	C:\Windows\{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe	2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe
File created	C:\Windows\{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe
File created	C:\Windows\{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe
File created	C:\Windows\{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2468	2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1976	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe
Token: SeIncBasePriorityPrivilege	2632	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe
Token: SeIncBasePriorityPrivilege	2664	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe
Token: SeIncBasePriorityPrivilege	2692	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe
Token: SeIncBasePriorityPrivilege	2944	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe
Token: SeIncBasePriorityPrivilege	2376	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe
Token: SeIncBasePriorityPrivilege	3016	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe
Token: SeIncBasePriorityPrivilege	2952	{A3AF6A1C-FDD3-47bf-9859-8F8F9FF5F5CA}.exe
Token: SeIncBasePriorityPrivilege	684	{A01C497B-9FF5-4003-8E5E-1A0CC627F176}.exe
Token: SeIncBasePriorityPrivilege	2388	{34BA1565-7C86-450c-8B42-7E2BB29A95D3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1976	2468	2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe	29
PID 2468 wrote to memory of 1976	2468	2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe	29
PID 2468 wrote to memory of 1976	2468	2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe	29
PID 2468 wrote to memory of 1976	2468	2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe	29
PID 2468 wrote to memory of 2768	2468	2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe	30
PID 2468 wrote to memory of 2768	2468	2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe	30
PID 2468 wrote to memory of 2768	2468	2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe	30
PID 2468 wrote to memory of 2768	2468	2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe	30
PID 1976 wrote to memory of 2632	1976	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe	31
PID 1976 wrote to memory of 2632	1976	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe	31
PID 1976 wrote to memory of 2632	1976	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe	31
PID 1976 wrote to memory of 2632	1976	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe	31
PID 1976 wrote to memory of 2164	1976	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe	32
PID 1976 wrote to memory of 2164	1976	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe	32
PID 1976 wrote to memory of 2164	1976	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe	32
PID 1976 wrote to memory of 2164	1976	{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe	32
PID 2632 wrote to memory of 2664	2632	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe	33
PID 2632 wrote to memory of 2664	2632	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe	33
PID 2632 wrote to memory of 2664	2632	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe	33
PID 2632 wrote to memory of 2664	2632	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe	33
PID 2632 wrote to memory of 2672	2632	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe	34
PID 2632 wrote to memory of 2672	2632	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe	34
PID 2632 wrote to memory of 2672	2632	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe	34
PID 2632 wrote to memory of 2672	2632	{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe	34
PID 2664 wrote to memory of 2692	2664	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe	35
PID 2664 wrote to memory of 2692	2664	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe	35
PID 2664 wrote to memory of 2692	2664	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe	35
PID 2664 wrote to memory of 2692	2664	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe	35
PID 2664 wrote to memory of 2324	2664	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe	36
PID 2664 wrote to memory of 2324	2664	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe	36
PID 2664 wrote to memory of 2324	2664	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe	36
PID 2664 wrote to memory of 2324	2664	{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe	36
PID 2692 wrote to memory of 2944	2692	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe	37
PID 2692 wrote to memory of 2944	2692	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe	37
PID 2692 wrote to memory of 2944	2692	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe	37
PID 2692 wrote to memory of 2944	2692	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe	37
PID 2692 wrote to memory of 2040	2692	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe	38
PID 2692 wrote to memory of 2040	2692	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe	38
PID 2692 wrote to memory of 2040	2692	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe	38
PID 2692 wrote to memory of 2040	2692	{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe	38
PID 2944 wrote to memory of 2376	2944	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe	39
PID 2944 wrote to memory of 2376	2944	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe	39
PID 2944 wrote to memory of 2376	2944	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe	39
PID 2944 wrote to memory of 2376	2944	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe	39
PID 2944 wrote to memory of 2936	2944	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe	40
PID 2944 wrote to memory of 2936	2944	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe	40
PID 2944 wrote to memory of 2936	2944	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe	40
PID 2944 wrote to memory of 2936	2944	{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe	40
PID 2376 wrote to memory of 3016	2376	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe	41
PID 2376 wrote to memory of 3016	2376	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe	41
PID 2376 wrote to memory of 3016	2376	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe	41
PID 2376 wrote to memory of 3016	2376	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe	41
PID 2376 wrote to memory of 3008	2376	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe	42
PID 2376 wrote to memory of 3008	2376	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe	42
PID 2376 wrote to memory of 3008	2376	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe	42
PID 2376 wrote to memory of 3008	2376	{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe	42
PID 3016 wrote to memory of 2952	3016	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe	43
PID 3016 wrote to memory of 2952	3016	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe	43
PID 3016 wrote to memory of 2952	3016	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe	43
PID 3016 wrote to memory of 2952	3016	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe	43
PID 3016 wrote to memory of 2992	3016	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe	44
PID 3016 wrote to memory of 2992	3016	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe	44
PID 3016 wrote to memory of 2992	3016	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe	44
PID 3016 wrote to memory of 2992	3016	{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_f0f903ee95d1fa10a99131cefba9a6a2_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe
  C:\Windows\{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe
    C:\Windows\{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe
      C:\Windows\{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe
        
        C:\Windows\{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe
        
        C:\Windows\{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe
        
        C:\Windows\{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe
        
        C:\Windows\{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\{A3AF6A1C-FDD3-47bf-9859-8F8F9FF5F5CA}.exe
        
        C:\Windows\{A3AF6A1C-FDD3-47bf-9859-8F8F9FF5F5CA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\{A01C497B-9FF5-4003-8E5E-1A0CC627F176}.exe
        
        C:\Windows\{A01C497B-9FF5-4003-8E5E-1A0CC627F176}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\{34BA1565-7C86-450c-8B42-7E2BB29A95D3}.exe
        
        C:\Windows\{34BA1565-7C86-450c-8B42-7E2BB29A95D3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\{DC71403B-272D-4ec8-85F4-6CDA8B9B1B0D}.exe
        
        C:\Windows\{DC71403B-272D-4ec8-85F4-6CDA8B9B1B0D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34BA1~1.EXE > nul
        12⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A01C4~1.EXE > nul
        11⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3AF6~1.EXE > nul
        10⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59DB6~1.EXE > nul
        9⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{855B0~1.EXE > nul
        8⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95729~1.EXE > nul
        7⤵
        
        PID:2936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67155~1.EXE > nul
        6⤵
        
        PID:2040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6D55~1.EXE > nul
        5⤵
        
        PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8B0B9~1.EXE > nul
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E6ECE~1.EXE > nul
    3⤵
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{34BA1565-7C86-450c-8B42-7E2BB29A95D3}.exe

Filesize
192KB

MD5
79b7815c581032f46072ec0509b8844e

SHA1
c64c0d004e05820fa83cb62a58902304a7575ee7

SHA256
933a052c56167eec204bc070daf78b5e57f84fccb01e1b6ec2f27935f1c5a784

SHA512
40faebbe415399e8ddff732b6db8b595238dedb789271ccd55cd6063681cf89bfcaace08613ec30c6aa9a8d797e9aa9c731d440967b50902c7843ea0694e4f0a

Download Submit
C:\Windows\{59DB6910-F6CD-45ab-8F03-67DC2806B977}.exe

Filesize
192KB

MD5
b511c4282d44c82f128c9e626c8d0f45

SHA1
9321856b99c2568af1b51546235bec168725738f

SHA256
4963a4c59f593ec3a0f92cdd4215ce2f872fdd413f6303e3e81c14cfac6cd0ee

SHA512
756e0929587ad3df452fed0afef568de363566b8dafb1e961ce6c7a8ea8bbffbbce340af53a40d92aaec89f97b7f70a2a02420cbe920b7d615ce5df04e3de3bc

Download Submit
C:\Windows\{6715583A-22C6-43c4-8CB2-D2F2460D554A}.exe

Filesize
192KB

MD5
d265871edc4ff1eb502f33ad64b4c513

SHA1
3a80eed25c9e7318054b01731620a5986890f5f6

SHA256
9f43a3eaf2a473ecc3d7f5bacd5372330bf408d7458f6df72b20dd9984d4bec8

SHA512
a2a7b3e9ea91abf79b8ac10e59b2fbb2b9dae5b7e3faf449c79219065dd195b2c0ee8a6224b11790ec459bc0d6e57e1fe12715101d9e2da0c48dcd8f45e63b53

Download Submit
C:\Windows\{855B0FF3-5D8D-4df9-B162-82E6E57C6972}.exe

Filesize
192KB

MD5
0d682f70540b38f1648484d012e7c396

SHA1
6da0706780885e4259e8746273d5c4ff71e496ed

SHA256
6d657228c167280d5222aecbce06e27559aadbe00b84dd42a34c22f873a70e75

SHA512
68ef196b4def39c4d4cb9127752066702c86428cb327b428f2bdfba5923ceb84a4d3d030255a2d8a5404d991ff3965d7996834c405693995fdfc4b8d182a7188

Download Submit
C:\Windows\{8B0B9C30-64E8-42da-90A7-6A4EF4965A85}.exe

Filesize
192KB

MD5
2ae3dea7f4b2f6ba72efc513b6d393ae

SHA1
022a78c43d5232111e8503edd40b951fa6c8b0a4

SHA256
1c55e738b46d666e0b73bbe0440614c82d2e6c16ebefdd3cc57c094dfa3215c1

SHA512
e538d9645867c6c839d84ba3585c021fd3ce796ac2b712b4cc24fc43cb9946c9e260d98760416ae2ffe89b02bab6e8fc3f7d38753f220d273ff3a0136b604a00

Download Submit
C:\Windows\{95729D97-0B06-4e5d-96B7-05A150A7C2FA}.exe

Filesize
192KB

MD5
56691428a1f7c3e33e2adf96668470e4

SHA1
a32ec0526803f93096a26c8de7a78cfeb650d7a0

SHA256
7b36ae873844e17ea1c41ad3c7227eeafab8d892eb0b2c9a4c8750d8c12137c6

SHA512
fcb2fc154f5de99ccb7ab54ed8b20b48ffe7ca9aee051e2579c0941d7c8fe0320061e5ee551a2cfad5cc444ec6bb1ac0299552ac477097eb07857c77714955c1

Download Submit
C:\Windows\{A01C497B-9FF5-4003-8E5E-1A0CC627F176}.exe

Filesize
192KB

MD5
3baccace31b1679c9cf5de75f76c0a01

SHA1
57334572ec6001ef24e43de1416ebeb0a8ea455a

SHA256
3a024fb7db6ac150bbf5ea67748d72a1ddd5412d3169ab294217e92547f54ecd

SHA512
556a4de872a41378f00761f0055fe339cf84b77ebfc10323bc7fd67c336e3e65a90d5a7e5510cbb35aa640c7b20f80170c01223e3b93326fe46ec561c7b683bc

Download Submit
C:\Windows\{A3AF6A1C-FDD3-47bf-9859-8F8F9FF5F5CA}.exe

Filesize
192KB

MD5
df18fa2fb0671bd6fbce829f0d97eedb

SHA1
ab277979c8151c8d162ca92316a3937153a7bd72

SHA256
097739a68ee31b20869b0be4cf13ff9cd0e5dd259a751c784b6d59bb715b86a9

SHA512
957f2f8efb36307f9d6754052c700627f4d95cecf548f75d5bb50ace47c26bd505455ad30461f22ba4bc05ab2b02961753d61a837e7ce18c654c457b3ac94f71

Download Submit
C:\Windows\{B6D55D6C-0294-499e-9209-7850F176DE4C}.exe

Filesize
192KB

MD5
d56a9934ad41ee556ca96926cb9cb516

SHA1
b8b0e326fed05e1e8129c454fea6cb685345bb72

SHA256
d19ffd309295c6bbc21d9f41c84d8bd433bdf9f5413279bce413965a1811f7ff

SHA512
33892004656317995168f01a132c5fc8c7c8513bc5f6e78322f08ce6a2b5dd158998dde1325d6432bc5ad405c844d444f8cb758ad1a81005d907d5feb7346499

Download Submit
C:\Windows\{DC71403B-272D-4ec8-85F4-6CDA8B9B1B0D}.exe

Filesize
192KB

MD5
6ad99b4ef6b29e25f7862a21e91d53dd

SHA1
678b95af387a6e8549df66591151cc4fce5cba2f

SHA256
fa3b371c1add554d70f12119ab9cbdbe72959689ec660297282ddcfaa28d01e8

SHA512
4f3e27c914737fed8936675394b4d6f132694ad99ca6f5643f13ae60e86c556b12a2de2fa7f78120bf0a062b74b52646ee42dc73fc361d80b4258fc9dc737845

Download Submit
C:\Windows\{E6ECEC02-3DB3-4dc3-A64D-6725A3D38C56}.exe

Filesize
192KB

MD5
5d85400522dff9880b16b8d17a6a0e22

SHA1
fac687a6c7904468b06e8579e52ea3df92d255d9

SHA256
232d737f71fdecc2a8bbfdd498e22958f2893e89b5b999dbbf4fe90add2a1bf4

SHA512
74a47a88d2c11e9ff450685c4e5c03b3d50e5b5fd5165b83ee2325825a689aab23c0921f0165baf5265c82a580f18d3ea284b286a4d87c648138fd652ffb2bc6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads