d969cc64c54fd2b286fb44486976617a5305a237bc078aa9ddc479f2ca76576d

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe
Size

180KB
MD5

272939a92c90623b302fc8a4afb34caf
SHA1

96410af9c90f0847da247cf71462d1534a26a015
SHA256

d969cc64c54fd2b286fb44486976617a5305a237bc078aa9ddc479f2ca76576d
SHA512

e8ca417e1fb1fe395fbfa97b7a884741c2754a0d39476db505d360c543f49ddf4e74b323daaa33438b896632121de4a8f7e5b87c78b335c34d079479eab7c5f0
SSDEEP

3072:jEGh0oZlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGnl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89DC7297-0B16-48a2-89A4-2EBEE15F740B}\stubpath = "C:\\Windows\\{89DC7297-0B16-48a2-89A4-2EBEE15F740B}.exe"	{6C06FFC4-4594-4053-8983-A92AD9B074E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41393CF2-CA25-4b01-AE60-325136A2E832}\stubpath = "C:\\Windows\\{41393CF2-CA25-4b01-AE60-325136A2E832}.exe"	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B94CE066-BB0E-4370-BC9B-86B26DCE477B}	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C06FFC4-4594-4053-8983-A92AD9B074E3}	{B94CE066-BB0E-4370-BC9B-86B26DCE477B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C06FFC4-4594-4053-8983-A92AD9B074E3}\stubpath = "C:\\Windows\\{6C06FFC4-4594-4053-8983-A92AD9B074E3}.exe"	{B94CE066-BB0E-4370-BC9B-86B26DCE477B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}\stubpath = "C:\\Windows\\{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe"	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2659AC7-31BC-4224-AE60-128D51FB5ACB}\stubpath = "C:\\Windows\\{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe"	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43F23D3F-0252-45dd-8582-3A3B0644A2CA}	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B94CE066-BB0E-4370-BC9B-86B26DCE477B}\stubpath = "C:\\Windows\\{B94CE066-BB0E-4370-BC9B-86B26DCE477B}.exe"	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}	2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}\stubpath = "C:\\Windows\\{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe"	2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{267339B3-478E-4d1a-8472-0BC4132D08FA}	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2659AC7-31BC-4224-AE60-128D51FB5ACB}	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43F23D3F-0252-45dd-8582-3A3B0644A2CA}\stubpath = "C:\\Windows\\{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe"	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89DC7297-0B16-48a2-89A4-2EBEE15F740B}	{6C06FFC4-4594-4053-8983-A92AD9B074E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C791A0C3-5795-494b-B0B6-EF1BBFC35970}	{89DC7297-0B16-48a2-89A4-2EBEE15F740B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41393CF2-CA25-4b01-AE60-325136A2E832}	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{267339B3-478E-4d1a-8472-0BC4132D08FA}\stubpath = "C:\\Windows\\{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe"	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}\stubpath = "C:\\Windows\\{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe"	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C791A0C3-5795-494b-B0B6-EF1BBFC35970}\stubpath = "C:\\Windows\\{C791A0C3-5795-494b-B0B6-EF1BBFC35970}.exe"	{89DC7297-0B16-48a2-89A4-2EBEE15F740B}.exe

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2792	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe
2576	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe
2600	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe
1660	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe
2944	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe
2288	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe
1868	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe
1972	{B94CE066-BB0E-4370-BC9B-86B26DCE477B}.exe
1312	{6C06FFC4-4594-4053-8983-A92AD9B074E3}.exe
2508	{89DC7297-0B16-48a2-89A4-2EBEE15F740B}.exe
2236	{C791A0C3-5795-494b-B0B6-EF1BBFC35970}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe
File created	C:\Windows\{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe
File created	C:\Windows\{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe
File created	C:\Windows\{6C06FFC4-4594-4053-8983-A92AD9B074E3}.exe	{B94CE066-BB0E-4370-BC9B-86B26DCE477B}.exe
File created	C:\Windows\{C791A0C3-5795-494b-B0B6-EF1BBFC35970}.exe	{89DC7297-0B16-48a2-89A4-2EBEE15F740B}.exe
File created	C:\Windows\{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe	2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe
File created	C:\Windows\{41393CF2-CA25-4b01-AE60-325136A2E832}.exe	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe
File created	C:\Windows\{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe
File created	C:\Windows\{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe
File created	C:\Windows\{B94CE066-BB0E-4370-BC9B-86B26DCE477B}.exe	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe
File created	C:\Windows\{89DC7297-0B16-48a2-89A4-2EBEE15F740B}.exe	{6C06FFC4-4594-4053-8983-A92AD9B074E3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1544	2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2792	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe
Token: SeIncBasePriorityPrivilege	2576	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe
Token: SeIncBasePriorityPrivilege	2600	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe
Token: SeIncBasePriorityPrivilege	1660	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe
Token: SeIncBasePriorityPrivilege	2944	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe
Token: SeIncBasePriorityPrivilege	2288	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe
Token: SeIncBasePriorityPrivilege	1868	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe
Token: SeIncBasePriorityPrivilege	1972	{B94CE066-BB0E-4370-BC9B-86B26DCE477B}.exe
Token: SeIncBasePriorityPrivilege	1312	{6C06FFC4-4594-4053-8983-A92AD9B074E3}.exe
Token: SeIncBasePriorityPrivilege	2508	{89DC7297-0B16-48a2-89A4-2EBEE15F740B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2792	1544	2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe	31
PID 1544 wrote to memory of 2792	1544	2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe	31
PID 1544 wrote to memory of 2792	1544	2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe	31
PID 1544 wrote to memory of 2792	1544	2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe	31
PID 1544 wrote to memory of 2692	1544	2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe	32
PID 1544 wrote to memory of 2692	1544	2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe	32
PID 1544 wrote to memory of 2692	1544	2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe	32
PID 1544 wrote to memory of 2692	1544	2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe	32
PID 2792 wrote to memory of 2576	2792	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe	33
PID 2792 wrote to memory of 2576	2792	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe	33
PID 2792 wrote to memory of 2576	2792	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe	33
PID 2792 wrote to memory of 2576	2792	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe	33
PID 2792 wrote to memory of 2688	2792	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe	34
PID 2792 wrote to memory of 2688	2792	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe	34
PID 2792 wrote to memory of 2688	2792	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe	34
PID 2792 wrote to memory of 2688	2792	{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe	34
PID 2576 wrote to memory of 2600	2576	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe	35
PID 2576 wrote to memory of 2600	2576	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe	35
PID 2576 wrote to memory of 2600	2576	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe	35
PID 2576 wrote to memory of 2600	2576	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe	35
PID 2576 wrote to memory of 3040	2576	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe	36
PID 2576 wrote to memory of 3040	2576	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe	36
PID 2576 wrote to memory of 3040	2576	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe	36
PID 2576 wrote to memory of 3040	2576	{41393CF2-CA25-4b01-AE60-325136A2E832}.exe	36
PID 2600 wrote to memory of 1660	2600	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe	37
PID 2600 wrote to memory of 1660	2600	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe	37
PID 2600 wrote to memory of 1660	2600	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe	37
PID 2600 wrote to memory of 1660	2600	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe	37
PID 2600 wrote to memory of 1776	2600	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe	38
PID 2600 wrote to memory of 1776	2600	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe	38
PID 2600 wrote to memory of 1776	2600	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe	38
PID 2600 wrote to memory of 1776	2600	{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe	38
PID 1660 wrote to memory of 2944	1660	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe	39
PID 1660 wrote to memory of 2944	1660	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe	39
PID 1660 wrote to memory of 2944	1660	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe	39
PID 1660 wrote to memory of 2944	1660	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe	39
PID 1660 wrote to memory of 2196	1660	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe	40
PID 1660 wrote to memory of 2196	1660	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe	40
PID 1660 wrote to memory of 2196	1660	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe	40
PID 1660 wrote to memory of 2196	1660	{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe	40
PID 2944 wrote to memory of 2288	2944	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe	41
PID 2944 wrote to memory of 2288	2944	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe	41
PID 2944 wrote to memory of 2288	2944	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe	41
PID 2944 wrote to memory of 2288	2944	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe	41
PID 2944 wrote to memory of 2280	2944	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe	42
PID 2944 wrote to memory of 2280	2944	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe	42
PID 2944 wrote to memory of 2280	2944	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe	42
PID 2944 wrote to memory of 2280	2944	{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe	42
PID 2288 wrote to memory of 1868	2288	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe	43
PID 2288 wrote to memory of 1868	2288	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe	43
PID 2288 wrote to memory of 1868	2288	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe	43
PID 2288 wrote to memory of 1868	2288	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe	43
PID 2288 wrote to memory of 2952	2288	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe	44
PID 2288 wrote to memory of 2952	2288	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe	44
PID 2288 wrote to memory of 2952	2288	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe	44
PID 2288 wrote to memory of 2952	2288	{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe	44
PID 1868 wrote to memory of 1972	1868	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe	45
PID 1868 wrote to memory of 1972	1868	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe	45
PID 1868 wrote to memory of 1972	1868	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe	45
PID 1868 wrote to memory of 1972	1868	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe	45
PID 1868 wrote to memory of 532	1868	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe	46
PID 1868 wrote to memory of 532	1868	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe	46
PID 1868 wrote to memory of 532	1868	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe	46
PID 1868 wrote to memory of 532	1868	{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_272939a92c90623b302fc8a4afb34caf_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe
  C:\Windows\{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\{41393CF2-CA25-4b01-AE60-325136A2E832}.exe
    C:\Windows\{41393CF2-CA25-4b01-AE60-325136A2E832}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe
      C:\Windows\{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe
        
        C:\Windows\{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe
        
        C:\Windows\{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe
        
        C:\Windows\{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe
        
        C:\Windows\{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{B94CE066-BB0E-4370-BC9B-86B26DCE477B}.exe
        
        C:\Windows\{B94CE066-BB0E-4370-BC9B-86B26DCE477B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\{6C06FFC4-4594-4053-8983-A92AD9B074E3}.exe
        
        C:\Windows\{6C06FFC4-4594-4053-8983-A92AD9B074E3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\{89DC7297-0B16-48a2-89A4-2EBEE15F740B}.exe
        
        C:\Windows\{89DC7297-0B16-48a2-89A4-2EBEE15F740B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{C791A0C3-5795-494b-B0B6-EF1BBFC35970}.exe
        
        C:\Windows\{C791A0C3-5795-494b-B0B6-EF1BBFC35970}.exe
        12⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89DC7~1.EXE > nul
        12⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C06F~1.EXE > nul
        11⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B94CE~1.EXE > nul
        10⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43F23~1.EXE > nul
        9⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2659~1.EXE > nul
        8⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83F7C~1.EXE > nul
        7⤵
        
        PID:2280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26733~1.EXE > nul
        6⤵
        
        PID:2196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E25E2~1.EXE > nul
        5⤵
        
        PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{41393~1.EXE > nul
      4⤵
      PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B4D5E~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{267339B3-478E-4d1a-8472-0BC4132D08FA}.exe

Filesize
180KB

MD5
805cb92c09413b700b5651ba1244eccf

SHA1
487013e565df914d097668f902d317050b04ef9e

SHA256
900e6a1a0378160d9a3826e9cb749f7db6b1e48dcc66c8c95ab1640197caf726

SHA512
0ed967123d329c9f724871e9cccfb8d5b583892e2a27031dd6d9f73dccf34729030d257af91567c83593fb67bf9eb302a3e3d071bc4255d2acd35fbd7dcc1c73

Download Submit
C:\Windows\{41393CF2-CA25-4b01-AE60-325136A2E832}.exe

Filesize
180KB

MD5
2f7bff1ae0db22b1b15e3d69ecbb139a

SHA1
f26a27b51a245216b73b344ee56f178da3a4d74c

SHA256
94f23201c6c96a84d4d5691c57755e2a46834bf787a7f6eebb0d786967f41255

SHA512
c41b3bd8eae85c869dd96e5b9acc1db91d495f185d1cd79887b2b27cbb14bf332a054dfc3f9488bc07dc7847baed852921d79de64dd871477e938d3c77b6e7df

Download Submit
C:\Windows\{43F23D3F-0252-45dd-8582-3A3B0644A2CA}.exe

Filesize
180KB

MD5
fb4b3845a8ecca1e2768158cdd076b7a

SHA1
258ebe24be96c5d79a1c70005cd5df6cad135730

SHA256
2416482b4d1334886bb32e0355b6ec2daf5d2bff238ae673c54c10343632e1e4

SHA512
073794d70f97ca298ae497619276a6db406c4966ec5163b9c04db059a60cdddc2321b54c4cee338b57c5b95e68447008b817f69cf7b0ad920d339884e9bdf8bf

Download Submit
C:\Windows\{6C06FFC4-4594-4053-8983-A92AD9B074E3}.exe

Filesize
180KB

MD5
50fe2fbad8723ffff423a9bbf7d2de6e

SHA1
557bd46005fadbc9fa28ce0f7037a9f7d01297c7

SHA256
e03a8080f857aa3a3444735a9c05c63bd386ededb24a8656b94d733cc476465e

SHA512
ee4f2b0621dd6b7fdb5c6fb44afe3b6afcf85488181880880f197b0d3c8cdc6037431385f39c9bef545731fee5427f62eff665329648c2d194ddc846e8e97200

Download Submit
C:\Windows\{83F7CFE7-E6B1-409f-BF5A-B5D2767B9E8C}.exe

Filesize
180KB

MD5
4ec6b14f30a81841c58695574c4490db

SHA1
8a09aa08172a2a5dbd561fced9957c6888eaf5b2

SHA256
9923dbd739cb3831677aa9c4e23a042856d19b5a467204c79b6b656255f78928

SHA512
30d8a673b6f746588b5ecbd9cd570370a6af6b3997ae50f387d961f3c636fb6bd65db062bd578702ec442208999d1a3e80945da2aa8062ee56fdbde9907736b3

Download Submit
C:\Windows\{89DC7297-0B16-48a2-89A4-2EBEE15F740B}.exe

Filesize
180KB

MD5
b796b0da06cdabd251c43688439698dd

SHA1
251cad6aa82ecea0d40dd92ce890b8274e4c930f

SHA256
eacccc41fbeab53d6c364abb950d6928b087f0411d6605abc233b5640f8a55c0

SHA512
cee3ee52c9b5cf523655c1592f239da351c62d186c599944bd31771c04a26903c00bb9608ab0cbaa0591afa753ffdf8f4a0c75cb229ed8e52caf2759dc42f3fa

Download Submit
C:\Windows\{B4D5EB32-0225-4ddb-9384-C0DD0090BDB8}.exe

Filesize
180KB

MD5
32c67d29229ffb1457cf5113f89a172c

SHA1
c8c679a2edae3148325216ccf95ffbcb64777780

SHA256
a661fd65c0c8e2e16ab011f62e36d27aec5ddf7296cfadd0ba2791eab9197d66

SHA512
ae959c04ce8bd3de3d1fae265a28788fee9974a579c6e1bb1bb201e72924f17b02385b28f5a35ea481a9d26db2f336a9af7b0ebe18442f1638bfc1b75a84fa86

Download Submit
C:\Windows\{B94CE066-BB0E-4370-BC9B-86B26DCE477B}.exe

Filesize
180KB

MD5
645f082cd834d09ef7ea4d126abcb93d

SHA1
ff9e086bd0069418c633a732a98f520ee9ec4bb4

SHA256
c857a61b7bba05f5d5dac88e161367110e6ad0ec90f242ca85ed644d6bdf324e

SHA512
bc49709a771f62a6972eec67fb0b51bf77cfaeb964410ac829862acf335cf7ad65e01d9c0b455d7d169ff18eb553605f0450c2efee916287cf81d87a4b60c747

Download Submit
C:\Windows\{C2659AC7-31BC-4224-AE60-128D51FB5ACB}.exe

Filesize
180KB

MD5
ed8dfd57706eeff73a4c9c76dc61b9ca

SHA1
7629570b4868e11f294ff0a3c3ef35679d4dec2c

SHA256
dd68a04f592a2c11819d5f984af6ff5acfbb96f51a7a93cce9820fcab54fa6bb

SHA512
1a14fa6652d0f650c996a11c358d28b8db812a639f92363443b8670f782d2ed5de46c819015ba83c7abff6a875309a347b8aa8d5ec85cabdf248e3a78dc5ff34

Download Submit
C:\Windows\{C791A0C3-5795-494b-B0B6-EF1BBFC35970}.exe

Filesize
180KB

MD5
a56e239026bd34b9163f5a41f5624d4d

SHA1
0ecd332969a8f2056432a19865d38992437906f9

SHA256
db451c07dcf4fc06d9b3fb73299c2a256696289cff754b656d1d8f7bb97ea982

SHA512
d0504e3e175a3b7ba420927c349a8868988ced93893c9765ebcff908ed8dfbe2fc07df6ab252024f2001fa09a9b6a720ff806642e846dace4e9eaaed81b8f5c6

Download Submit
C:\Windows\{E25E27A8-D103-4f51-B90C-8E8A2B4A563E}.exe

Filesize
180KB

MD5
00cfe5bcb7bd698a022973cbec6683c1

SHA1
f581bdfd82e64f17ab8ddd8aa867b21b52664e65

SHA256
e09cc4ff93ed0288b9cbd83166e78e19331e527521b47ec265ac7b7d95d7c189

SHA512
f3bc5b9d8f8092f23d8bcbb60a78a6e83ec3b22c5e1690a272806fbb768efdfa032373abcd6d5c68a0fd8a22cf551efcc50438657ba22b66c99be8c3cb99cefc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads