a596a07b4267546df1ba44838821d2dd9c7cf5021903e909e3ef67c5ec9e71f5

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe
Size

372KB
MD5

66d841cb558a577f644125b0730ae334
SHA1

e514eeeab9312646e93c2b5b49689cb4cf950c96
SHA256

a596a07b4267546df1ba44838821d2dd9c7cf5021903e909e3ef67c5ec9e71f5
SHA512

6640ba9e169aa63a433812f2bead08db9a23eaa29cdfc924f5e9f3262db1c18c8923e5b6786114d0e1578efc40fcbd3c09c8f68ce2b76088909d16f2d57b086f
SSDEEP

3072:CEGh0o5mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGyl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C30D7D56-7390-414e-A730-33C73A28CE88}	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5012D5A-20B0-4904-B9C2-7325BEC9DFEE}\stubpath = "C:\\Windows\\{F5012D5A-20B0-4904-B9C2-7325BEC9DFEE}.exe"	{6C3C0003-774B-45ec-86A0-1A5C562CC03D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}\stubpath = "C:\\Windows\\{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe"	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B624210E-D0B1-48fb-B6F8-D88A83541FE1}\stubpath = "C:\\Windows\\{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe"	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CB43B25-A342-4510-B099-054EDC75AA2E}	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CB43B25-A342-4510-B099-054EDC75AA2E}\stubpath = "C:\\Windows\\{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe"	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7FC96E3-DB66-4a0d-8849-128B916F3672}	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF2F9087-1E72-4c75-A720-BBA60AA1613F}\stubpath = "C:\\Windows\\{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe"	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CA2A687-75EC-48bd-8A34-4C423E54AD1C}\stubpath = "C:\\Windows\\{0CA2A687-75EC-48bd-8A34-4C423E54AD1C}.exe"	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C3C0003-774B-45ec-86A0-1A5C562CC03D}	{E2CFCE9B-0778-4da3-97BC-7A3F55CAC65B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8EC0D63-A3A9-4178-A455-F43221B7F159}\stubpath = "C:\\Windows\\{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe"	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C3C0003-774B-45ec-86A0-1A5C562CC03D}\stubpath = "C:\\Windows\\{6C3C0003-774B-45ec-86A0-1A5C562CC03D}.exe"	{E2CFCE9B-0778-4da3-97BC-7A3F55CAC65B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CA2A687-75EC-48bd-8A34-4C423E54AD1C}	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2CFCE9B-0778-4da3-97BC-7A3F55CAC65B}	{0CA2A687-75EC-48bd-8A34-4C423E54AD1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2CFCE9B-0778-4da3-97BC-7A3F55CAC65B}\stubpath = "C:\\Windows\\{E2CFCE9B-0778-4da3-97BC-7A3F55CAC65B}.exe"	{0CA2A687-75EC-48bd-8A34-4C423E54AD1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B624210E-D0B1-48fb-B6F8-D88A83541FE1}	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7FC96E3-DB66-4a0d-8849-128B916F3672}\stubpath = "C:\\Windows\\{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe"	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C30D7D56-7390-414e-A730-33C73A28CE88}\stubpath = "C:\\Windows\\{C30D7D56-7390-414e-A730-33C73A28CE88}.exe"	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF2F9087-1E72-4c75-A720-BBA60AA1613F}	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5012D5A-20B0-4904-B9C2-7325BEC9DFEE}	{6C3C0003-774B-45ec-86A0-1A5C562CC03D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8EC0D63-A3A9-4178-A455-F43221B7F159}	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2844	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe
3040	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe
2548	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe
2244	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe
2980	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe
2028	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe
2932	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe
2432	{0CA2A687-75EC-48bd-8A34-4C423E54AD1C}.exe
2332	{E2CFCE9B-0778-4da3-97BC-7A3F55CAC65B}.exe
2128	{6C3C0003-774B-45ec-86A0-1A5C562CC03D}.exe
2164	{F5012D5A-20B0-4904-B9C2-7325BEC9DFEE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe
File created	C:\Windows\{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe
File created	C:\Windows\{0CA2A687-75EC-48bd-8A34-4C423E54AD1C}.exe	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe
File created	C:\Windows\{E2CFCE9B-0778-4da3-97BC-7A3F55CAC65B}.exe	{0CA2A687-75EC-48bd-8A34-4C423E54AD1C}.exe
File created	C:\Windows\{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe
File created	C:\Windows\{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe
File created	C:\Windows\{C30D7D56-7390-414e-A730-33C73A28CE88}.exe	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe
File created	C:\Windows\{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe
File created	C:\Windows\{6C3C0003-774B-45ec-86A0-1A5C562CC03D}.exe	{E2CFCE9B-0778-4da3-97BC-7A3F55CAC65B}.exe
File created	C:\Windows\{F5012D5A-20B0-4904-B9C2-7325BEC9DFEE}.exe	{6C3C0003-774B-45ec-86A0-1A5C562CC03D}.exe
File created	C:\Windows\{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2640	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2844	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe
Token: SeIncBasePriorityPrivilege	3040	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe
Token: SeIncBasePriorityPrivilege	2548	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe
Token: SeIncBasePriorityPrivilege	2244	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe
Token: SeIncBasePriorityPrivilege	2980	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe
Token: SeIncBasePriorityPrivilege	2028	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe
Token: SeIncBasePriorityPrivilege	2932	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe
Token: SeIncBasePriorityPrivilege	2432	{0CA2A687-75EC-48bd-8A34-4C423E54AD1C}.exe
Token: SeIncBasePriorityPrivilege	2332	{E2CFCE9B-0778-4da3-97BC-7A3F55CAC65B}.exe
Token: SeIncBasePriorityPrivilege	2128	{6C3C0003-774B-45ec-86A0-1A5C562CC03D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2844	2640	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	30
PID 2640 wrote to memory of 2844	2640	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	30
PID 2640 wrote to memory of 2844	2640	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	30
PID 2640 wrote to memory of 2844	2640	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	30
PID 2640 wrote to memory of 2700	2640	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	31
PID 2640 wrote to memory of 2700	2640	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	31
PID 2640 wrote to memory of 2700	2640	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	31
PID 2640 wrote to memory of 2700	2640	2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe	31
PID 2844 wrote to memory of 3040	2844	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe	32
PID 2844 wrote to memory of 3040	2844	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe	32
PID 2844 wrote to memory of 3040	2844	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe	32
PID 2844 wrote to memory of 3040	2844	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe	32
PID 2844 wrote to memory of 2060	2844	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe	33
PID 2844 wrote to memory of 2060	2844	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe	33
PID 2844 wrote to memory of 2060	2844	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe	33
PID 2844 wrote to memory of 2060	2844	{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe	33
PID 3040 wrote to memory of 2548	3040	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe	34
PID 3040 wrote to memory of 2548	3040	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe	34
PID 3040 wrote to memory of 2548	3040	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe	34
PID 3040 wrote to memory of 2548	3040	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe	34
PID 3040 wrote to memory of 2612	3040	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe	35
PID 3040 wrote to memory of 2612	3040	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe	35
PID 3040 wrote to memory of 2612	3040	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe	35
PID 3040 wrote to memory of 2612	3040	{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe	35
PID 2548 wrote to memory of 2244	2548	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe	36
PID 2548 wrote to memory of 2244	2548	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe	36
PID 2548 wrote to memory of 2244	2548	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe	36
PID 2548 wrote to memory of 2244	2548	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe	36
PID 2548 wrote to memory of 2732	2548	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe	37
PID 2548 wrote to memory of 2732	2548	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe	37
PID 2548 wrote to memory of 2732	2548	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe	37
PID 2548 wrote to memory of 2732	2548	{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe	37
PID 2244 wrote to memory of 2980	2244	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe	38
PID 2244 wrote to memory of 2980	2244	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe	38
PID 2244 wrote to memory of 2980	2244	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe	38
PID 2244 wrote to memory of 2980	2244	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe	38
PID 2244 wrote to memory of 2004	2244	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe	39
PID 2244 wrote to memory of 2004	2244	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe	39
PID 2244 wrote to memory of 2004	2244	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe	39
PID 2244 wrote to memory of 2004	2244	{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe	39
PID 2980 wrote to memory of 2028	2980	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe	40
PID 2980 wrote to memory of 2028	2980	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe	40
PID 2980 wrote to memory of 2028	2980	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe	40
PID 2980 wrote to memory of 2028	2980	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe	40
PID 2980 wrote to memory of 2636	2980	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe	41
PID 2980 wrote to memory of 2636	2980	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe	41
PID 2980 wrote to memory of 2636	2980	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe	41
PID 2980 wrote to memory of 2636	2980	{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe	41
PID 2028 wrote to memory of 2932	2028	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe	42
PID 2028 wrote to memory of 2932	2028	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe	42
PID 2028 wrote to memory of 2932	2028	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe	42
PID 2028 wrote to memory of 2932	2028	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe	42
PID 2028 wrote to memory of 580	2028	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe	43
PID 2028 wrote to memory of 580	2028	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe	43
PID 2028 wrote to memory of 580	2028	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe	43
PID 2028 wrote to memory of 580	2028	{C30D7D56-7390-414e-A730-33C73A28CE88}.exe	43
PID 2932 wrote to memory of 2432	2932	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe	44
PID 2932 wrote to memory of 2432	2932	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe	44
PID 2932 wrote to memory of 2432	2932	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe	44
PID 2932 wrote to memory of 2432	2932	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe	44
PID 2932 wrote to memory of 2340	2932	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe	45
PID 2932 wrote to memory of 2340	2932	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe	45
PID 2932 wrote to memory of 2340	2932	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe	45
PID 2932 wrote to memory of 2340	2932	{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-11_66d841cb558a577f644125b0730ae334_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe
  C:\Windows\{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe
    C:\Windows\{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe
      C:\Windows\{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe
        
        C:\Windows\{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe
        
        C:\Windows\{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{C30D7D56-7390-414e-A730-33C73A28CE88}.exe
        
        C:\Windows\{C30D7D56-7390-414e-A730-33C73A28CE88}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe
        
        C:\Windows\{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{0CA2A687-75EC-48bd-8A34-4C423E54AD1C}.exe
        
        C:\Windows\{0CA2A687-75EC-48bd-8A34-4C423E54AD1C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\{E2CFCE9B-0778-4da3-97BC-7A3F55CAC65B}.exe
        
        C:\Windows\{E2CFCE9B-0778-4da3-97BC-7A3F55CAC65B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\{6C3C0003-774B-45ec-86A0-1A5C562CC03D}.exe
        
        C:\Windows\{6C3C0003-774B-45ec-86A0-1A5C562CC03D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\{F5012D5A-20B0-4904-B9C2-7325BEC9DFEE}.exe
        
        C:\Windows\{F5012D5A-20B0-4904-B9C2-7325BEC9DFEE}.exe
        12⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C3C0~1.EXE > nul
        12⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2CFC~1.EXE > nul
        11⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CA2A~1.EXE > nul
        10⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF2F9~1.EXE > nul
        9⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C30D7~1.EXE > nul
        8⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7FC9~1.EXE > nul
        7⤵
        
        PID:2636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CB43~1.EXE > nul
        6⤵
        
        PID:2004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25E42~1.EXE > nul
        5⤵
        
        PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B6242~1.EXE > nul
      4⤵
      PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B8EC0~1.EXE > nul
    3⤵
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CA2A687-75EC-48bd-8A34-4C423E54AD1C}.exe

Filesize
372KB

MD5
d642393efed434d44b1f305a8e235d25

SHA1
a993c772e5984785a22d23d2ea36889329b475a2

SHA256
1ccc63e8c7d05b121da21f171399419e4f76480145f9027c735ad60383119ab9

SHA512
c48b0d0d314839b83c358525d6c4d5112105960c9eaebf4908f0b45ae9a19027ad146f82826bbd97320b12dbb4b4e9b13ee08d780d8a3d6ed15f97c78cb09495

Download Submit
C:\Windows\{1CB43B25-A342-4510-B099-054EDC75AA2E}.exe

Filesize
372KB

MD5
91cd5a57b219c1ecf747bf9aef2d99e5

SHA1
ced8cbee83268ca2cba110579d6a6260a0226a61

SHA256
2c06cce359fdc4a7a596d56e3f26562933b8f91164b901a28c53c0a59fa60ef3

SHA512
5486fb59c5a08969a2af321bd09def3e6ab19b28fbdae29697d501809e7225537a60e742794f909eb32f7251cfe0808ef034f67aff98807c7f2275ac66ec8e5b

Download Submit
C:\Windows\{25E42BD1-A5DA-4251-BA9B-45C8DBE24F5D}.exe

Filesize
372KB

MD5
c7b8535054435e90616bca944a8dfd97

SHA1
e5bd61c98130e75319afc6d543f07d61fbca1b83

SHA256
40c7069c1051013493d16d6e5f6fe5e77e663d2c617bc02770f401e6db14a176

SHA512
2e70c958c00c82118066b0231c9125419358dac8666390b3c17c41d53d32f7d37817eca496e446593e2a1f7cc259d743fefeb30b4eee9822068d21a0e3b25736

Download Submit
C:\Windows\{6C3C0003-774B-45ec-86A0-1A5C562CC03D}.exe

Filesize
372KB

MD5
9e91aae7f14ae145bd5df3bf146521a1

SHA1
a86fdbab73faf0ca2c041315001012e7416dd0fc

SHA256
f2b6d68811d867b9375bf760ca9f6f0aab397f6aa07e927a64b1220dd2fad676

SHA512
57a92ce9ca754677c87e7118c9ff475d847b3457180284df71c735ae7bfc0726e3961feefa5755bee27e9c7cc90ec5ba257dd2fd591b217a17ec35fc1c10eb78

Download Submit
C:\Windows\{B624210E-D0B1-48fb-B6F8-D88A83541FE1}.exe

Filesize
372KB

MD5
66e28d02f77f5f142751678139c9616c

SHA1
8ae90c0b3dd91eafbe5a85d19b7af8ca62e66d1f

SHA256
152c0e3040a89533073f6f2024bfa72569d694aa84f2ebf7886eb943ca8b097a

SHA512
6a38c7e35bbd3cb2655b3c17c6a62bdf53520bdf9ca230f082238762cd051aa00f09c2abecd57b77ff84454000132ed934ef80f832a127195b0c5af83491a669

Download Submit
C:\Windows\{B7FC96E3-DB66-4a0d-8849-128B916F3672}.exe

Filesize
372KB

MD5
b6e3507c3be2da602204b85a5806591f

SHA1
75a95b265844047584934fd0bdfb16c26121421e

SHA256
e77682a7474d11174c385a1bcd47afcc344685457fc8096cff2c57e8e76c0d59

SHA512
0514e7179f7379ccfcf04a1db3d1fad394ff67a698dfb2b520615d4bbe8f92e884797ccc00c4e076767e64eafcd386d6e2a3fac81683a9447a895d2997dd2e88

Download Submit
C:\Windows\{B8EC0D63-A3A9-4178-A455-F43221B7F159}.exe

Filesize
372KB

MD5
d94017c1d8c84a024c546fe8fd3d3a54

SHA1
e0021bee2d1d2c4609c66a6163547d8e097ab4b5

SHA256
635dd491c987a5e04d7f1b6047c017c1937eb3f35c9a73c9644f0783b82bba2a

SHA512
47e5a8aafd0467720d1340d99017651795cedbf546f88ab11c82aaf93f22253c9175d40c78792f481191a4184812d34b72b9b8d55a8a1be40e48d5ec0a89a025

Download Submit
C:\Windows\{C30D7D56-7390-414e-A730-33C73A28CE88}.exe

Filesize
372KB

MD5
a8ae664196f0431a8259e7a246c7354e

SHA1
f5581bb7668345a0310ad01b586378fa154226a3

SHA256
d595617d818e217586766cb6cd15d9ca6433f03682977d6b045c01b424227883

SHA512
ddab72feaa27d301392aaac3adca87eac2cf86b353e761c5ff76a4f6e11fbf9c4c83d902de2f0d3d8c59e782b810bfb7f54578d6080b0afcf3eb9c33a3f751ec

Download Submit
C:\Windows\{E2CFCE9B-0778-4da3-97BC-7A3F55CAC65B}.exe

Filesize
372KB

MD5
38696a320b7848a7569ebd34acd192af

SHA1
d97ebc09125352428765acd1c67c927d9290e7c1

SHA256
bc541ba68cd5092311a95014edbd38cae450e7643eff513b66a87041f076a0d1

SHA512
0189e5b5bc28675b3d964db274348c251f5488f5d6d3910304644d18f49c56f2f660ce87586549ac0984cdcf3d1bf8a5a6a22718b82903c585c9aafb99a50341

Download Submit
C:\Windows\{F5012D5A-20B0-4904-B9C2-7325BEC9DFEE}.exe

Filesize
372KB

MD5
93e1f0d6d63d61b2f0e15085e5d6647e

SHA1
cac6a277b4bad1514903d076dc01979a2299911f

SHA256
4e9c726649c1c0f833cf1f21d1cacb3658f59d1f64866abe60f4eb94af5f27ea

SHA512
f109b84aa61af885bf8246df323351d811cbecc6ab8612434df13cd9f5562a51d1dc60f928846a78c1d3dc0fef7fb234379a74a3bb4c00c269a26a8c95859440

Download Submit
C:\Windows\{FF2F9087-1E72-4c75-A720-BBA60AA1613F}.exe

Filesize
372KB

MD5
71f7e22cff533cbce89710e157a8e320

SHA1
1128e85f178ff9273015d9b0e3f18d47a675fab3

SHA256
c4e107770e39fd24c4c5f969f8497ed590eedc1e4893ade11c5ff629cdead478

SHA512
e79f479bf36db888e0451b9a63a0a1068f04087597ca338536603c2b4f0d6226dcd7063872993e9231891813d26210c4f202b5e308d625164c915900be154798

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads