3c5bf4b183f15a15f4427f53b80d86997526b890016f17998a0d847110d153ed

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 05:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe
Size

408KB
MD5

c7e31b280bba93796653e6fd68af67c8
SHA1

d658060d213109c43d6cb5d440b80d3ef20e13ed
SHA256

3c5bf4b183f15a15f4427f53b80d86997526b890016f17998a0d847110d153ed
SHA512

a995b6c7c8b1d2fa57596f90fc5aab52eabb6ffb0fcf1b36c1c2efc9854ca17760c88b28c79fe00ff1f6e15a14e15384d5bfd6fe996c437e5b627c6a5cf436b7
SSDEEP

3072:CEGh0o4l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGKldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF773E3B-ED17-40fa-989E-0861087C95CA}	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF773E3B-ED17-40fa-989E-0861087C95CA}\stubpath = "C:\\Windows\\{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe"	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B33818-10CF-46f8-A25A-2AEE37C25923}\stubpath = "C:\\Windows\\{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe"	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9165AD38-B9EE-418a-A177-E5943A5A8451}\stubpath = "C:\\Windows\\{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe"	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}\stubpath = "C:\\Windows\\{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe"	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18FDEFB9-8416-4ba3-B264-077E32883A74}\stubpath = "C:\\Windows\\{18FDEFB9-8416-4ba3-B264-077E32883A74}.exe"	{B7DDFC5B-4348-4ed6-B552-9611E93BD21A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F163318-AA7D-4c88-8129-22EAEE2BEC74}	2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F163318-AA7D-4c88-8129-22EAEE2BEC74}\stubpath = "C:\\Windows\\{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe"	2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}\stubpath = "C:\\Windows\\{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe"	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B33818-10CF-46f8-A25A-2AEE37C25923}	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7F0B5FA-B5FE-4e22-9D73-33A2F906E542}\stubpath = "C:\\Windows\\{F7F0B5FA-B5FE-4e22-9D73-33A2F906E542}.exe"	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}\stubpath = "C:\\Windows\\{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe"	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9165AD38-B9EE-418a-A177-E5943A5A8451}	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7F0B5FA-B5FE-4e22-9D73-33A2F906E542}	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7DDFC5B-4348-4ed6-B552-9611E93BD21A}	{F7F0B5FA-B5FE-4e22-9D73-33A2F906E542}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7DDFC5B-4348-4ed6-B552-9611E93BD21A}\stubpath = "C:\\Windows\\{B7DDFC5B-4348-4ed6-B552-9611E93BD21A}.exe"	{F7F0B5FA-B5FE-4e22-9D73-33A2F906E542}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18FDEFB9-8416-4ba3-B264-077E32883A74}	{B7DDFC5B-4348-4ed6-B552-9611E93BD21A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DCCAFBB-3146-41e1-BC52-45943383E656}	{18FDEFB9-8416-4ba3-B264-077E32883A74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DCCAFBB-3146-41e1-BC52-45943383E656}\stubpath = "C:\\Windows\\{9DCCAFBB-3146-41e1-BC52-45943383E656}.exe"	{18FDEFB9-8416-4ba3-B264-077E32883A74}.exe

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2736	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe
2832	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe
2540	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe
3048	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe
2516	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe
1000	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe
2884	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe
1924	{F7F0B5FA-B5FE-4e22-9D73-33A2F906E542}.exe
1956	{B7DDFC5B-4348-4ed6-B552-9611E93BD21A}.exe
2072	{18FDEFB9-8416-4ba3-B264-077E32883A74}.exe
2484	{9DCCAFBB-3146-41e1-BC52-45943383E656}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe
File created	C:\Windows\{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe
File created	C:\Windows\{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe
File created	C:\Windows\{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe
File created	C:\Windows\{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe
File created	C:\Windows\{F7F0B5FA-B5FE-4e22-9D73-33A2F906E542}.exe	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe
File created	C:\Windows\{B7DDFC5B-4348-4ed6-B552-9611E93BD21A}.exe	{F7F0B5FA-B5FE-4e22-9D73-33A2F906E542}.exe
File created	C:\Windows\{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe	2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe
File created	C:\Windows\{9DCCAFBB-3146-41e1-BC52-45943383E656}.exe	{18FDEFB9-8416-4ba3-B264-077E32883A74}.exe
File created	C:\Windows\{18FDEFB9-8416-4ba3-B264-077E32883A74}.exe	{B7DDFC5B-4348-4ed6-B552-9611E93BD21A}.exe
File created	C:\Windows\{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2152	2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2736	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe
Token: SeIncBasePriorityPrivilege	2832	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe
Token: SeIncBasePriorityPrivilege	2540	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe
Token: SeIncBasePriorityPrivilege	3048	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe
Token: SeIncBasePriorityPrivilege	2516	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe
Token: SeIncBasePriorityPrivilege	1000	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe
Token: SeIncBasePriorityPrivilege	2884	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe
Token: SeIncBasePriorityPrivilege	1924	{F7F0B5FA-B5FE-4e22-9D73-33A2F906E542}.exe
Token: SeIncBasePriorityPrivilege	1956	{B7DDFC5B-4348-4ed6-B552-9611E93BD21A}.exe
Token: SeIncBasePriorityPrivilege	2072	{18FDEFB9-8416-4ba3-B264-077E32883A74}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2736	2152	2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe	30
PID 2152 wrote to memory of 2736	2152	2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe	30
PID 2152 wrote to memory of 2736	2152	2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe	30
PID 2152 wrote to memory of 2736	2152	2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe	30
PID 2152 wrote to memory of 2780	2152	2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe	31
PID 2152 wrote to memory of 2780	2152	2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe	31
PID 2152 wrote to memory of 2780	2152	2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe	31
PID 2152 wrote to memory of 2780	2152	2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe	31
PID 2736 wrote to memory of 2832	2736	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe	32
PID 2736 wrote to memory of 2832	2736	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe	32
PID 2736 wrote to memory of 2832	2736	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe	32
PID 2736 wrote to memory of 2832	2736	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe	32
PID 2736 wrote to memory of 2784	2736	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe	33
PID 2736 wrote to memory of 2784	2736	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe	33
PID 2736 wrote to memory of 2784	2736	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe	33
PID 2736 wrote to memory of 2784	2736	{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe	33
PID 2832 wrote to memory of 2540	2832	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe	34
PID 2832 wrote to memory of 2540	2832	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe	34
PID 2832 wrote to memory of 2540	2832	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe	34
PID 2832 wrote to memory of 2540	2832	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe	34
PID 2832 wrote to memory of 2568	2832	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe	35
PID 2832 wrote to memory of 2568	2832	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe	35
PID 2832 wrote to memory of 2568	2832	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe	35
PID 2832 wrote to memory of 2568	2832	{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe	35
PID 2540 wrote to memory of 3048	2540	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe	36
PID 2540 wrote to memory of 3048	2540	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe	36
PID 2540 wrote to memory of 3048	2540	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe	36
PID 2540 wrote to memory of 3048	2540	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe	36
PID 2540 wrote to memory of 272	2540	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe	37
PID 2540 wrote to memory of 272	2540	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe	37
PID 2540 wrote to memory of 272	2540	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe	37
PID 2540 wrote to memory of 272	2540	{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe	37
PID 3048 wrote to memory of 2516	3048	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe	38
PID 3048 wrote to memory of 2516	3048	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe	38
PID 3048 wrote to memory of 2516	3048	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe	38
PID 3048 wrote to memory of 2516	3048	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe	38
PID 3048 wrote to memory of 2724	3048	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe	39
PID 3048 wrote to memory of 2724	3048	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe	39
PID 3048 wrote to memory of 2724	3048	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe	39
PID 3048 wrote to memory of 2724	3048	{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe	39
PID 2516 wrote to memory of 1000	2516	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe	40
PID 2516 wrote to memory of 1000	2516	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe	40
PID 2516 wrote to memory of 1000	2516	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe	40
PID 2516 wrote to memory of 1000	2516	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe	40
PID 2516 wrote to memory of 2608	2516	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe	41
PID 2516 wrote to memory of 2608	2516	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe	41
PID 2516 wrote to memory of 2608	2516	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe	41
PID 2516 wrote to memory of 2608	2516	{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe	41
PID 1000 wrote to memory of 2884	1000	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe	42
PID 1000 wrote to memory of 2884	1000	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe	42
PID 1000 wrote to memory of 2884	1000	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe	42
PID 1000 wrote to memory of 2884	1000	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe	42
PID 1000 wrote to memory of 2924	1000	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe	43
PID 1000 wrote to memory of 2924	1000	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe	43
PID 1000 wrote to memory of 2924	1000	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe	43
PID 1000 wrote to memory of 2924	1000	{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe	43
PID 2884 wrote to memory of 1924	2884	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe	44
PID 2884 wrote to memory of 1924	2884	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe	44
PID 2884 wrote to memory of 1924	2884	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe	44
PID 2884 wrote to memory of 1924	2884	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe	44
PID 2884 wrote to memory of 2104	2884	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe	45
PID 2884 wrote to memory of 2104	2884	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe	45
PID 2884 wrote to memory of 2104	2884	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe	45
PID 2884 wrote to memory of 2104	2884	{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-11_c7e31b280bba93796653e6fd68af67c8_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe
  C:\Windows\{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe
    C:\Windows\{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe
      C:\Windows\{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe
        
        C:\Windows\{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe
        
        C:\Windows\{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe
        
        C:\Windows\{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe
        
        C:\Windows\{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{F7F0B5FA-B5FE-4e22-9D73-33A2F906E542}.exe
        
        C:\Windows\{F7F0B5FA-B5FE-4e22-9D73-33A2F906E542}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{B7DDFC5B-4348-4ed6-B552-9611E93BD21A}.exe
        
        C:\Windows\{B7DDFC5B-4348-4ed6-B552-9611E93BD21A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\{18FDEFB9-8416-4ba3-B264-077E32883A74}.exe
        
        C:\Windows\{18FDEFB9-8416-4ba3-B264-077E32883A74}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\{9DCCAFBB-3146-41e1-BC52-45943383E656}.exe
        
        C:\Windows\{9DCCAFBB-3146-41e1-BC52-45943383E656}.exe
        12⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18FDE~1.EXE > nul
        12⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7DDF~1.EXE > nul
        11⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7F0B~1.EXE > nul
        10⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BC7E~1.EXE > nul
        9⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9165A~1.EXE > nul
        8⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF03C~1.EXE > nul
        7⤵
        
        PID:2608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92B33~1.EXE > nul
        6⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9D6B~1.EXE > nul
        5⤵
        
        PID:272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BF773~1.EXE > nul
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7F163~1.EXE > nul
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18FDEFB9-8416-4ba3-B264-077E32883A74}.exe

Filesize
408KB

MD5
70cb5e0ace7cec0f93c721dfb00234ef

SHA1
a4a0e01702ec26f1595f6bccf16d674b3b488062

SHA256
0a361459e3aeb837ba4235cc8fa3b677d5a438cba4a878ff9d5d6331dcd23bd0

SHA512
60bb203c5da4935dfc748b02a851971ce3b19457e28ad22b78622b061253b27570c0ad8e2a18efe83b8d7580956943ef185cd4d2279cf932a86c132daa3ea92a

Download Submit
C:\Windows\{3BC7EFD4-1ABB-42ed-9965-6A0CE0F1D28D}.exe

Filesize
408KB

MD5
d9537a0d8038432ad28c491cb3750394

SHA1
d1b74457c51076eaf9b672573e8d28bcda288828

SHA256
43ac0fa32846563683d3def626a4617bf4ae363e310a48448746dfe0195994ea

SHA512
36cb6847f77930b63975493351517a6c017bc26a3fc574f44e6fb4098b8939e1d3ba76e064ea7d7ba2557be4997b87650318b296f7a4ebcb364b4e2eb4e4059f

Download Submit
C:\Windows\{7F163318-AA7D-4c88-8129-22EAEE2BEC74}.exe

Filesize
408KB

MD5
7c25eff80cefba1c77519a58e9eb6ab4

SHA1
eb9add3635446aa8fc103470d8294a162e80405d

SHA256
153a3e93163cf5737b431b0899d3020552f5439be5c1ff8717220e13e4e855ef

SHA512
7a4ce44c1951108d66de63be23fba8c61631093ac042354975b7b53e3ed5021360007504176c81cfbc460886bd691f0c89c3794b7d156f28a6b1a91be9aa98c3

Download Submit
C:\Windows\{9165AD38-B9EE-418a-A177-E5943A5A8451}.exe

Filesize
408KB

MD5
2423f289d35164ef906b05ac86697436

SHA1
3a461929b93013657bee09be4a6227ff44d0a7b4

SHA256
aa18e5964c711a8aa275b74ebfd8e88c82095ec7eb2411226484312c0eed37a8

SHA512
aed8ec4022d4cd2b540ad3ff38dd37039e70f6f786b55f6a48603c6b6b5b62f16a8eafac7621bc6635f090af1d3d78fe857d031cbb7e58fa0307ad92bdf4c297

Download Submit
C:\Windows\{92B33818-10CF-46f8-A25A-2AEE37C25923}.exe

Filesize
408KB

MD5
870146b1e2269f51e9a15d55c22932c9

SHA1
edde0c2fc7453989d30a4ed066ad1aa069476960

SHA256
702c7047daff7e32c510e8dcef75fb1ea2db3d5c230116835f26208f184c22ac

SHA512
6967ce3ed593057c4cc22de511dbdeb0e0eea8f144c52bab1350d548e6ea549244d65e5638f26b4c8993a9b5825eb2f6de12f459f2e7d669fbbb7d7f858b0213

Download Submit
C:\Windows\{9DCCAFBB-3146-41e1-BC52-45943383E656}.exe

Filesize
408KB

MD5
048e07942c134abf3c69af2c025620b1

SHA1
39b52a267bff517f504ae0d70b295504f90ada7e

SHA256
2f5c586122488a1566ab1b52bb380bee6f5273a3b34460438de088655dece52a

SHA512
162cf45ab6b4089b1f46accdb3b920191e6bac4bf94ce20b992b2f28a63cdb6b403de90373f4a3602b7cb004f5c9491e65d2b99091e90c192e43dce2a1227ada

Download Submit
C:\Windows\{B7DDFC5B-4348-4ed6-B552-9611E93BD21A}.exe

Filesize
408KB

MD5
df608857bce19f2629dc7394c2885175

SHA1
e906f59bb92dfebe29e36d91d3619895d51aa6b5

SHA256
c267912a24a3c916248916b6a1fadc9977940dbf92450ff15b4363b1976556f4

SHA512
26e53f504d0465d870b15db5c23453f1f78f6fb0085cc88836ae8f17ec736444105b5ef464d3e1df47f34fbc79f2880e310e256abcc15bc581e3645c056830ff

Download Submit
C:\Windows\{BF03C97B-15E9-41fb-A0FC-C4FD8A68B84F}.exe

Filesize
408KB

MD5
ff8e0c139d386f70d3b17f82f08cd0c9

SHA1
d26f61199612a2e2b44c5d8c719742c40d055af0

SHA256
75f53a679a2dc0e55ca8107709654966e2076c92dd146e0ad0000e0e7a03ff49

SHA512
e2c2d1c83fafe421eb9285cfaf3771435090e31a6cf56c3817ac71cdf4d436eb2e5d25fcdc97374ef3188265df53aa5cf92cffef936364a8fa0d99a6c8ec0e24

Download Submit
C:\Windows\{BF773E3B-ED17-40fa-989E-0861087C95CA}.exe

Filesize
408KB

MD5
b78f54811d40b474f161711011c35300

SHA1
e0a44492445c4b44d0ab4035fb7224cc78ca0f42

SHA256
0ce5e2fd745835120b2cd4facc92dc61e898e4c1c657de5e427d59585ad1a304

SHA512
248cf526412ecce82d58e53c151253b76cb0932b31cbe2b7a771aadc18861084a628057b5edb929277701a9b45359f63134a8bd28422dd2858277b9c8284e9b4

Download Submit
C:\Windows\{E9D6B376-32F1-4f6f-B0EC-A8FCE694241C}.exe

Filesize
408KB

MD5
085541153f8f1878bb80faa8285487c1

SHA1
74c6177102a1c5a5dda433d0ad182fc99b638e6c

SHA256
e735cbf1fb3b15f108dd54658d983b89e1df07e2f2925e1508a89657cb35c7f6

SHA512
49ac802da8bd525856daf5c4833e720e8f4429a1fe55cea6df5c7a4f2359b73c471a6b9cf3c637630fa57f937b7452069a31432c8742e745b25005166842a741

Download Submit
C:\Windows\{F7F0B5FA-B5FE-4e22-9D73-33A2F906E542}.exe

Filesize
408KB

MD5
ec3a313440f20e188ef57de04a2cc843

SHA1
a8761c6ddbde70e43d17f714a9c108357c6dd262

SHA256
8d60de596930af9116ff17c70728e3f98e7260c9c9c5ebc39c18b9e570efb20b

SHA512
228deced4f32cb7dea9143cc2cf2e1b20902abc8bcfb47351782e853632b135a285e32536cdfe1264db43ffcc9536aad77e29dfa45cd4b42ff8e5cf00caa8521

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads