05f2dc9dee89dfb567407d5bf2981dddf38bc6edfa97f07083a009596bf73e7b

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe
Size

180KB
MD5

3c673abff1148d61f14b2c06f50c598a
SHA1

f76438cb13c2140271d4dcf17a7f0706a87419a9
SHA256

05f2dc9dee89dfb567407d5bf2981dddf38bc6edfa97f07083a009596bf73e7b
SHA512

4eef387db98f2d347f4e0591b57f6036bf4c4dcffb2464e8a0b71e17d7287594c7d3455a0cc810b939f92f2c9a2bbc4b30880f2e587b445955b7ef697285715d
SSDEEP

3072:jEGh0oUlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGSl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED13D51-CA66-4580-A775-896A3E712DA4}	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}\stubpath = "C:\\Windows\\{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe"	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C03ED5-2D13-4a51-A802-F2228AABD483}	{6162785B-9CC5-48cb-9216-3FE6980A092F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B31A4082-39CF-4c36-A94D-B4BFDAB9900B}\stubpath = "C:\\Windows\\{B31A4082-39CF-4c36-A94D-B4BFDAB9900B}.exe"	{0472BE80-BE25-411b-AC49-C5933CC2BF0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C468057-C0AE-47d9-996D-4C46C413CF09}\stubpath = "C:\\Windows\\{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe"	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}\stubpath = "C:\\Windows\\{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe"	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED13D51-CA66-4580-A775-896A3E712DA4}\stubpath = "C:\\Windows\\{EED13D51-CA66-4580-A775-896A3E712DA4}.exe"	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8DF0006-EFB2-4833-976B-4B49005193E1}	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8DF0006-EFB2-4833-976B-4B49005193E1}\stubpath = "C:\\Windows\\{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe"	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C468057-C0AE-47d9-996D-4C46C413CF09}	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}\stubpath = "C:\\Windows\\{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe"	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C03ED5-2D13-4a51-A802-F2228AABD483}\stubpath = "C:\\Windows\\{49C03ED5-2D13-4a51-A802-F2228AABD483}.exe"	{6162785B-9CC5-48cb-9216-3FE6980A092F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0472BE80-BE25-411b-AC49-C5933CC2BF0B}\stubpath = "C:\\Windows\\{0472BE80-BE25-411b-AC49-C5933CC2BF0B}.exe"	{49C03ED5-2D13-4a51-A802-F2228AABD483}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B31A4082-39CF-4c36-A94D-B4BFDAB9900B}	{0472BE80-BE25-411b-AC49-C5933CC2BF0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A3BADB4-949E-4b7e-8F3A-6922527265CB}	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A3BADB4-949E-4b7e-8F3A-6922527265CB}\stubpath = "C:\\Windows\\{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe"	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6162785B-9CC5-48cb-9216-3FE6980A092F}	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6162785B-9CC5-48cb-9216-3FE6980A092F}\stubpath = "C:\\Windows\\{6162785B-9CC5-48cb-9216-3FE6980A092F}.exe"	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0472BE80-BE25-411b-AC49-C5933CC2BF0B}	{49C03ED5-2D13-4a51-A802-F2228AABD483}.exe

Deletes itself 1 IoCs

pid	Process
2280	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2772	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe
2744	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe
3044	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe
2092	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe
2668	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe
3024	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe
3064	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe
1456	{6162785B-9CC5-48cb-9216-3FE6980A092F}.exe
2440	{49C03ED5-2D13-4a51-A802-F2228AABD483}.exe
2268	{0472BE80-BE25-411b-AC49-C5933CC2BF0B}.exe
916	{B31A4082-39CF-4c36-A94D-B4BFDAB9900B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe
File created	C:\Windows\{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe
File created	C:\Windows\{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe
File created	C:\Windows\{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe
File created	C:\Windows\{49C03ED5-2D13-4a51-A802-F2228AABD483}.exe	{6162785B-9CC5-48cb-9216-3FE6980A092F}.exe
File created	C:\Windows\{0472BE80-BE25-411b-AC49-C5933CC2BF0B}.exe	{49C03ED5-2D13-4a51-A802-F2228AABD483}.exe
File created	C:\Windows\{B31A4082-39CF-4c36-A94D-B4BFDAB9900B}.exe	{0472BE80-BE25-411b-AC49-C5933CC2BF0B}.exe
File created	C:\Windows\{EED13D51-CA66-4580-A775-896A3E712DA4}.exe	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe
File created	C:\Windows\{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe
File created	C:\Windows\{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe
File created	C:\Windows\{6162785B-9CC5-48cb-9216-3FE6980A092F}.exe	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2312	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2772	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe
Token: SeIncBasePriorityPrivilege	2744	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe
Token: SeIncBasePriorityPrivilege	3044	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe
Token: SeIncBasePriorityPrivilege	2092	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe
Token: SeIncBasePriorityPrivilege	2668	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe
Token: SeIncBasePriorityPrivilege	3024	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe
Token: SeIncBasePriorityPrivilege	3064	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe
Token: SeIncBasePriorityPrivilege	1456	{6162785B-9CC5-48cb-9216-3FE6980A092F}.exe
Token: SeIncBasePriorityPrivilege	2440	{49C03ED5-2D13-4a51-A802-F2228AABD483}.exe
Token: SeIncBasePriorityPrivilege	2268	{0472BE80-BE25-411b-AC49-C5933CC2BF0B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2772	2312	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	30
PID 2312 wrote to memory of 2772	2312	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	30
PID 2312 wrote to memory of 2772	2312	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	30
PID 2312 wrote to memory of 2772	2312	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	30
PID 2312 wrote to memory of 2280	2312	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	31
PID 2312 wrote to memory of 2280	2312	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	31
PID 2312 wrote to memory of 2280	2312	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	31
PID 2312 wrote to memory of 2280	2312	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	31
PID 2772 wrote to memory of 2744	2772	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe	33
PID 2772 wrote to memory of 2744	2772	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe	33
PID 2772 wrote to memory of 2744	2772	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe	33
PID 2772 wrote to memory of 2744	2772	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe	33
PID 2772 wrote to memory of 2576	2772	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe	34
PID 2772 wrote to memory of 2576	2772	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe	34
PID 2772 wrote to memory of 2576	2772	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe	34
PID 2772 wrote to memory of 2576	2772	{EED13D51-CA66-4580-A775-896A3E712DA4}.exe	34
PID 2744 wrote to memory of 3044	2744	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe	35
PID 2744 wrote to memory of 3044	2744	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe	35
PID 2744 wrote to memory of 3044	2744	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe	35
PID 2744 wrote to memory of 3044	2744	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe	35
PID 2744 wrote to memory of 3056	2744	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe	36
PID 2744 wrote to memory of 3056	2744	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe	36
PID 2744 wrote to memory of 3056	2744	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe	36
PID 2744 wrote to memory of 3056	2744	{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe	36
PID 3044 wrote to memory of 2092	3044	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe	37
PID 3044 wrote to memory of 2092	3044	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe	37
PID 3044 wrote to memory of 2092	3044	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe	37
PID 3044 wrote to memory of 2092	3044	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe	37
PID 3044 wrote to memory of 2108	3044	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe	38
PID 3044 wrote to memory of 2108	3044	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe	38
PID 3044 wrote to memory of 2108	3044	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe	38
PID 3044 wrote to memory of 2108	3044	{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe	38
PID 2092 wrote to memory of 2668	2092	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe	39
PID 2092 wrote to memory of 2668	2092	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe	39
PID 2092 wrote to memory of 2668	2092	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe	39
PID 2092 wrote to memory of 2668	2092	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe	39
PID 2092 wrote to memory of 2564	2092	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe	40
PID 2092 wrote to memory of 2564	2092	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe	40
PID 2092 wrote to memory of 2564	2092	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe	40
PID 2092 wrote to memory of 2564	2092	{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe	40
PID 2668 wrote to memory of 3024	2668	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe	41
PID 2668 wrote to memory of 3024	2668	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe	41
PID 2668 wrote to memory of 3024	2668	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe	41
PID 2668 wrote to memory of 3024	2668	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe	41
PID 2668 wrote to memory of 2864	2668	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe	42
PID 2668 wrote to memory of 2864	2668	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe	42
PID 2668 wrote to memory of 2864	2668	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe	42
PID 2668 wrote to memory of 2864	2668	{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe	42
PID 3024 wrote to memory of 3064	3024	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe	43
PID 3024 wrote to memory of 3064	3024	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe	43
PID 3024 wrote to memory of 3064	3024	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe	43
PID 3024 wrote to memory of 3064	3024	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe	43
PID 3024 wrote to memory of 1056	3024	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe	44
PID 3024 wrote to memory of 1056	3024	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe	44
PID 3024 wrote to memory of 1056	3024	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe	44
PID 3024 wrote to memory of 1056	3024	{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe	44
PID 3064 wrote to memory of 1456	3064	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe	45
PID 3064 wrote to memory of 1456	3064	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe	45
PID 3064 wrote to memory of 1456	3064	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe	45
PID 3064 wrote to memory of 1456	3064	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe	45
PID 3064 wrote to memory of 1100	3064	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe	46
PID 3064 wrote to memory of 1100	3064	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe	46
PID 3064 wrote to memory of 1100	3064	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe	46
PID 3064 wrote to memory of 1100	3064	{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\{EED13D51-CA66-4580-A775-896A3E712DA4}.exe
  C:\Windows\{EED13D51-CA66-4580-A775-896A3E712DA4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe
    C:\Windows\{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe
      C:\Windows\{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe
        
        C:\Windows\{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Windows\{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe
        
        C:\Windows\{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe
        
        C:\Windows\{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe
        
        C:\Windows\{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\{6162785B-9CC5-48cb-9216-3FE6980A092F}.exe
        
        C:\Windows\{6162785B-9CC5-48cb-9216-3FE6980A092F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\{49C03ED5-2D13-4a51-A802-F2228AABD483}.exe
        
        C:\Windows\{49C03ED5-2D13-4a51-A802-F2228AABD483}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\{0472BE80-BE25-411b-AC49-C5933CC2BF0B}.exe
        
        C:\Windows\{0472BE80-BE25-411b-AC49-C5933CC2BF0B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\{B31A4082-39CF-4c36-A94D-B4BFDAB9900B}.exe
        
        C:\Windows\{B31A4082-39CF-4c36-A94D-B4BFDAB9900B}.exe
        12⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0472B~1.EXE > nul
        12⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49C03~1.EXE > nul
        11⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61627~1.EXE > nul
        10⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DF9C~1.EXE > nul
        9⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56FA7~1.EXE > nul
        8⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C468~1.EXE > nul
        7⤵
        
        PID:2864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8DF0~1.EXE > nul
        6⤵
        
        PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A829~1.EXE > nul
        5⤵
        
        PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A3BA~1.EXE > nul
      4⤵
      PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EED13~1.EXE > nul
    3⤵
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0472BE80-BE25-411b-AC49-C5933CC2BF0B}.exe

Filesize
180KB

MD5
b4e8d5f39c77ec869d902402b2b0f3e6

SHA1
a41a98c5c4662aa00e4943204243f31171170c6a

SHA256
107aaebb38b35d43f04ea79267af01608a33a50b821756b81df60bfcb9f5653a

SHA512
e00c5c7e4befd37e2f8df6bf7f4e9fe144263218cb7726d23496d5b58a755416ba921727b551be518adb69511be6e44ea28c6c5f9856e44b99b3b6bd3187fb0c

Download Submit
C:\Windows\{0DF9CF5F-E7A4-4065-86D5-C0265FAA3FED}.exe

Filesize
180KB

MD5
613396bb6045e3683030665d4d2c1483

SHA1
ba61d1822a742c2cc19c75bf88dfc8b7c4df64a2

SHA256
d148bed343605de745f52e05af2a0926cba0048937d921bfa6432219205c64c6

SHA512
ac7123153bc39eb492707a883bcf8845b9705d872ad76770ea52b61e02a1df2f2e97229fcfc360845448e8d4fc90eda9b0118cba13e322bb21bb49f1a56f62ec

Download Submit
C:\Windows\{49C03ED5-2D13-4a51-A802-F2228AABD483}.exe

Filesize
180KB

MD5
28cd77bd29c364616409f54f44dc5f1b

SHA1
c6d5786fc2b525cff043d07cd22fb0dffe375e4e

SHA256
1faf345d0003829d5970fb62f36bb936a2ec5329f594d86362962051285c6f23

SHA512
253aa997c88f4f6850b81c4bbc9f2905ec8ee1124be053bcf8d69a78092f0b227e43bd7675343428f4777b7d7c84d1b347c5d3f6e9ae5e934e9781f58c8de44a

Download Submit
C:\Windows\{4A8293C1-5FD2-430f-94B9-FA27C737C1C0}.exe

Filesize
180KB

MD5
2b38ff08f51bcb79784b51ea671ca4e9

SHA1
afd4ee36fc7fbe7e5588bc0ece03834b345301c3

SHA256
bfecfd183235749cd55c932f67a32913f6b3cada1e2f0fe15e5b16e004f6852f

SHA512
f2d7b3e65bc721ed0110bfb06bf56e27c1b6d49537a7283b1275c5cbafbbeda6bd8eece5b587b5599b10c22fb0d898c0c6a2dab7b4d877c48d760609b596c2cd

Download Submit
C:\Windows\{56FA73AA-3166-48ad-A019-EBEE9D64B1B3}.exe

Filesize
180KB

MD5
dd5dad2212f32ae5eb24f4a1011d0abf

SHA1
d197139eef2057426c7aff9eed46c94f209a2071

SHA256
d7ac4a7c7754ef95bda58742db6a4f32881f2e2e862287f24814e98b13dab013

SHA512
e79db186c7becad3843463fab8f559a40d2fa29a95c9ac6f94eb6eac34491db7f682b62c57fbf5111fa66480d24e2b591df9b3b01db5319f1c73599dd8aa1c56

Download Submit
C:\Windows\{6162785B-9CC5-48cb-9216-3FE6980A092F}.exe

Filesize
180KB

MD5
472378be436c3074c922d1f42b303c71

SHA1
5191495a7a65ca3820bf15923f991ad2034dabbe

SHA256
0271ddd3cce2c677b8545f867afdd6cc548872e1c36bd291dd3a5cf5c01a1a10

SHA512
1e24a123e3c173eed8cd1adc59393a9f8ffa2d41be32e9ad71a51c5844297bd3719600b1427979c7baa1b38bd3b09200a8a441f255eda910e0040a53df81dbff

Download Submit
C:\Windows\{8A3BADB4-949E-4b7e-8F3A-6922527265CB}.exe

Filesize
180KB

MD5
e8c57cfc26fec8640b1c155d944c360b

SHA1
d88002a37312b184571d97f34797405f51b1f3de

SHA256
39067775d2c2fe07747eac7a14efe6d186585a111353bc85f3f73f0ce7a98933

SHA512
79534626a7a4adfdb1aeed7f54ebede00723d1e768803d21514e7461b4fad7967019164e9489dbe3abe74a577f879d183e13130ccc57cb6e1f351ba47685d79f

Download Submit
C:\Windows\{9C468057-C0AE-47d9-996D-4C46C413CF09}.exe

Filesize
180KB

MD5
369e33a2f9e8f75162695b432a7a270e

SHA1
168ec32bfa8c61b02ffca55d69759143c06234bd

SHA256
1ff0625345b11faf1c9167237063d20cca2d3bf69724b72aacaa0a3b3d3c0d1c

SHA512
ae384e078f16ae78787eb5e755ec8c704be33a2d9d06cf4199aee4f85677e1a64656639768a826a917e3444d162ae374556fc5f1e44a3ed57102f1b0a73b0b6c

Download Submit
C:\Windows\{B31A4082-39CF-4c36-A94D-B4BFDAB9900B}.exe

Filesize
180KB

MD5
82115a04ce919749e5d8d53b90df494c

SHA1
422947f4479f6525f0a400d5ceb9a3bf1c77007c

SHA256
08b498bafbaaf4ec6fea3aa0346fa11d62f590aa51cff7c81459b18062e0f79d

SHA512
a9ae5854ffa9e01b1182b65750554711b05db0554404d12d3ca827a626d79385901ad56af16f11ce2576628f4b84b3f53b26587263bcfa3009259305ec356cac

Download Submit
C:\Windows\{D8DF0006-EFB2-4833-976B-4B49005193E1}.exe

Filesize
180KB

MD5
173f91f6516041d06ecd7f7809946ec2

SHA1
ff19026942a621ebfeec426dfd9d35daa545581e

SHA256
d2dbe027159d75f8dd3fc4dd292a63b4adf1ba827ca7cdfa585c7da223699d71

SHA512
494031843f23d02752a5f854977ed6e9d0f259a6f61055d1526c1fbd36def3283ed1df35de488b1b199ea6e99424eb746239e62a1573eabeafda59dabea8c25f

Download Submit
C:\Windows\{EED13D51-CA66-4580-A775-896A3E712DA4}.exe

Filesize
180KB

MD5
407334589ac406950eb5580d4122a198

SHA1
56c5208fce2335d8061f5a6232d5d4748c22b024

SHA256
28ecd87f74648d9b3d5e82c38ac4efad843112abe0cc3d1df608cfdbcedf37b7

SHA512
8aeefa76ce40c2eb4eebefc49516a210ca57a4d7e6dc23168bc588f5bd0b486ff14c135b0e13fe3dcb93cb24f43d3ceb50507f3deb1d45c6ae72235ebf821b55

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads