bee73b8ec23bea45261caabcac0114cd0622910a9b9d1fb5860ead6d8dd47129

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe
Size

216KB
MD5

8d01d9d7a7abb8a712640a1b2c2e0886
SHA1

025432c7a3d8b62f3aa36146755211de4abf4ae6
SHA256

bee73b8ec23bea45261caabcac0114cd0622910a9b9d1fb5860ead6d8dd47129
SHA512

f8f2b603836e2f70e48f6786484108826ea981c9143aae820005eb8cc67b991fdd7cc14a1aa4b7a71854af699ce21a53583ad8e0ec17931a9ee20654923c0022
SSDEEP

3072:jEGh0oSl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG8lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38E36CC0-D930-4072-889B-264C32529456}\stubpath = "C:\\Windows\\{38E36CC0-D930-4072-889B-264C32529456}.exe"	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB44013-6683-49c6-91E2-6DB5550BEC79}	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED500D0D-11AF-48d1-9AC7-D770E3FF8748}\stubpath = "C:\\Windows\\{ED500D0D-11AF-48d1-9AC7-D770E3FF8748}.exe"	{23B90A81-AC4C-48b1-893F-7024BE4093F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA0402B8-FC99-4527-A5D4-BA6EB23FDB8D}	{ED500D0D-11AF-48d1-9AC7-D770E3FF8748}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A42B707-033B-414f-AEF6-7C4B361A4F43}	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A42B707-033B-414f-AEF6-7C4B361A4F43}\stubpath = "C:\\Windows\\{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe"	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B52999A0-61CA-4beb-938E-53E3963EAD49}	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B90A81-AC4C-48b1-893F-7024BE4093F5}	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38E36CC0-D930-4072-889B-264C32529456}	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{889ED120-0D49-4b52-BE23-F60E4627486E}	{38E36CC0-D930-4072-889B-264C32529456}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{889ED120-0D49-4b52-BE23-F60E4627486E}\stubpath = "C:\\Windows\\{889ED120-0D49-4b52-BE23-F60E4627486E}.exe"	{38E36CC0-D930-4072-889B-264C32529456}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C5A919C-5268-4764-9985-B8B49073A9D7}	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C5A919C-5268-4764-9985-B8B49073A9D7}\stubpath = "C:\\Windows\\{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe"	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23B90A81-AC4C-48b1-893F-7024BE4093F5}\stubpath = "C:\\Windows\\{23B90A81-AC4C-48b1-893F-7024BE4093F5}.exe"	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED500D0D-11AF-48d1-9AC7-D770E3FF8748}	{23B90A81-AC4C-48b1-893F-7024BE4093F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA0402B8-FC99-4527-A5D4-BA6EB23FDB8D}\stubpath = "C:\\Windows\\{AA0402B8-FC99-4527-A5D4-BA6EB23FDB8D}.exe"	{ED500D0D-11AF-48d1-9AC7-D770E3FF8748}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7315FB87-A2D0-4e93-873C-AF5632D6052A}	{AA0402B8-FC99-4527-A5D4-BA6EB23FDB8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}	2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}\stubpath = "C:\\Windows\\{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe"	2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCB44013-6683-49c6-91E2-6DB5550BEC79}\stubpath = "C:\\Windows\\{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe"	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B52999A0-61CA-4beb-938E-53E3963EAD49}\stubpath = "C:\\Windows\\{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe"	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7315FB87-A2D0-4e93-873C-AF5632D6052A}\stubpath = "C:\\Windows\\{7315FB87-A2D0-4e93-873C-AF5632D6052A}.exe"	{AA0402B8-FC99-4527-A5D4-BA6EB23FDB8D}.exe

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2608	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe
2752	{38E36CC0-D930-4072-889B-264C32529456}.exe
568	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe
2684	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe
2492	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe
2256	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe
1084	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe
1624	{23B90A81-AC4C-48b1-893F-7024BE4093F5}.exe
1956	{ED500D0D-11AF-48d1-9AC7-D770E3FF8748}.exe
2084	{AA0402B8-FC99-4527-A5D4-BA6EB23FDB8D}.exe
2852	{7315FB87-A2D0-4e93-873C-AF5632D6052A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe
File created	C:\Windows\{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe
File created	C:\Windows\{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe
File created	C:\Windows\{23B90A81-AC4C-48b1-893F-7024BE4093F5}.exe	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe
File created	C:\Windows\{ED500D0D-11AF-48d1-9AC7-D770E3FF8748}.exe	{23B90A81-AC4C-48b1-893F-7024BE4093F5}.exe
File created	C:\Windows\{AA0402B8-FC99-4527-A5D4-BA6EB23FDB8D}.exe	{ED500D0D-11AF-48d1-9AC7-D770E3FF8748}.exe
File created	C:\Windows\{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe	2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe
File created	C:\Windows\{38E36CC0-D930-4072-889B-264C32529456}.exe	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe
File created	C:\Windows\{7315FB87-A2D0-4e93-873C-AF5632D6052A}.exe	{AA0402B8-FC99-4527-A5D4-BA6EB23FDB8D}.exe
File created	C:\Windows\{889ED120-0D49-4b52-BE23-F60E4627486E}.exe	{38E36CC0-D930-4072-889B-264C32529456}.exe
File created	C:\Windows\{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2324	2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2608	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe
Token: SeIncBasePriorityPrivilege	2752	{38E36CC0-D930-4072-889B-264C32529456}.exe
Token: SeIncBasePriorityPrivilege	568	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe
Token: SeIncBasePriorityPrivilege	2684	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe
Token: SeIncBasePriorityPrivilege	2492	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe
Token: SeIncBasePriorityPrivilege	2256	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe
Token: SeIncBasePriorityPrivilege	1084	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe
Token: SeIncBasePriorityPrivilege	1624	{23B90A81-AC4C-48b1-893F-7024BE4093F5}.exe
Token: SeIncBasePriorityPrivilege	1956	{ED500D0D-11AF-48d1-9AC7-D770E3FF8748}.exe
Token: SeIncBasePriorityPrivilege	2084	{AA0402B8-FC99-4527-A5D4-BA6EB23FDB8D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2608	2324	2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe	31
PID 2324 wrote to memory of 2608	2324	2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe	31
PID 2324 wrote to memory of 2608	2324	2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe	31
PID 2324 wrote to memory of 2608	2324	2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe	31
PID 2324 wrote to memory of 2656	2324	2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe	32
PID 2324 wrote to memory of 2656	2324	2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe	32
PID 2324 wrote to memory of 2656	2324	2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe	32
PID 2324 wrote to memory of 2656	2324	2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe	32
PID 2608 wrote to memory of 2752	2608	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe	33
PID 2608 wrote to memory of 2752	2608	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe	33
PID 2608 wrote to memory of 2752	2608	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe	33
PID 2608 wrote to memory of 2752	2608	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe	33
PID 2608 wrote to memory of 2888	2608	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe	34
PID 2608 wrote to memory of 2888	2608	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe	34
PID 2608 wrote to memory of 2888	2608	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe	34
PID 2608 wrote to memory of 2888	2608	{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe	34
PID 2752 wrote to memory of 568	2752	{38E36CC0-D930-4072-889B-264C32529456}.exe	35
PID 2752 wrote to memory of 568	2752	{38E36CC0-D930-4072-889B-264C32529456}.exe	35
PID 2752 wrote to memory of 568	2752	{38E36CC0-D930-4072-889B-264C32529456}.exe	35
PID 2752 wrote to memory of 568	2752	{38E36CC0-D930-4072-889B-264C32529456}.exe	35
PID 2752 wrote to memory of 2628	2752	{38E36CC0-D930-4072-889B-264C32529456}.exe	36
PID 2752 wrote to memory of 2628	2752	{38E36CC0-D930-4072-889B-264C32529456}.exe	36
PID 2752 wrote to memory of 2628	2752	{38E36CC0-D930-4072-889B-264C32529456}.exe	36
PID 2752 wrote to memory of 2628	2752	{38E36CC0-D930-4072-889B-264C32529456}.exe	36
PID 568 wrote to memory of 2684	568	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe	37
PID 568 wrote to memory of 2684	568	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe	37
PID 568 wrote to memory of 2684	568	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe	37
PID 568 wrote to memory of 2684	568	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe	37
PID 568 wrote to memory of 2804	568	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe	38
PID 568 wrote to memory of 2804	568	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe	38
PID 568 wrote to memory of 2804	568	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe	38
PID 568 wrote to memory of 2804	568	{889ED120-0D49-4b52-BE23-F60E4627486E}.exe	38
PID 2684 wrote to memory of 2492	2684	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe	39
PID 2684 wrote to memory of 2492	2684	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe	39
PID 2684 wrote to memory of 2492	2684	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe	39
PID 2684 wrote to memory of 2492	2684	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe	39
PID 2684 wrote to memory of 2028	2684	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe	40
PID 2684 wrote to memory of 2028	2684	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe	40
PID 2684 wrote to memory of 2028	2684	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe	40
PID 2684 wrote to memory of 2028	2684	{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe	40
PID 2492 wrote to memory of 2256	2492	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe	41
PID 2492 wrote to memory of 2256	2492	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe	41
PID 2492 wrote to memory of 2256	2492	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe	41
PID 2492 wrote to memory of 2256	2492	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe	41
PID 2492 wrote to memory of 592	2492	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe	42
PID 2492 wrote to memory of 592	2492	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe	42
PID 2492 wrote to memory of 592	2492	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe	42
PID 2492 wrote to memory of 592	2492	{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe	42
PID 2256 wrote to memory of 1084	2256	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe	43
PID 2256 wrote to memory of 1084	2256	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe	43
PID 2256 wrote to memory of 1084	2256	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe	43
PID 2256 wrote to memory of 1084	2256	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe	43
PID 2256 wrote to memory of 1984	2256	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe	44
PID 2256 wrote to memory of 1984	2256	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe	44
PID 2256 wrote to memory of 1984	2256	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe	44
PID 2256 wrote to memory of 1984	2256	{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe	44
PID 1084 wrote to memory of 1624	1084	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe	45
PID 1084 wrote to memory of 1624	1084	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe	45
PID 1084 wrote to memory of 1624	1084	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe	45
PID 1084 wrote to memory of 1624	1084	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe	45
PID 1084 wrote to memory of 1460	1084	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe	46
PID 1084 wrote to memory of 1460	1084	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe	46
PID 1084 wrote to memory of 1460	1084	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe	46
PID 1084 wrote to memory of 1460	1084	{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-11_8d01d9d7a7abb8a712640a1b2c2e0886_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe
  C:\Windows\{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\{38E36CC0-D930-4072-889B-264C32529456}.exe
    C:\Windows\{38E36CC0-D930-4072-889B-264C32529456}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\{889ED120-0D49-4b52-BE23-F60E4627486E}.exe
      C:\Windows\{889ED120-0D49-4b52-BE23-F60E4627486E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Windows\{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe
        
        C:\Windows\{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe
        
        C:\Windows\{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe
        
        C:\Windows\{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe
        
        C:\Windows\{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\{23B90A81-AC4C-48b1-893F-7024BE4093F5}.exe
        
        C:\Windows\{23B90A81-AC4C-48b1-893F-7024BE4093F5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\{ED500D0D-11AF-48d1-9AC7-D770E3FF8748}.exe
        
        C:\Windows\{ED500D0D-11AF-48d1-9AC7-D770E3FF8748}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\{AA0402B8-FC99-4527-A5D4-BA6EB23FDB8D}.exe
        
        C:\Windows\{AA0402B8-FC99-4527-A5D4-BA6EB23FDB8D}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{7315FB87-A2D0-4e93-873C-AF5632D6052A}.exe
        
        C:\Windows\{7315FB87-A2D0-4e93-873C-AF5632D6052A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA040~1.EXE > nul
        12⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED500~1.EXE > nul
        11⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23B90~1.EXE > nul
        10⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5299~1.EXE > nul
        9⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C5A9~1.EXE > nul
        8⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCB44~1.EXE > nul
        7⤵
        
        PID:592
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A42B~1.EXE > nul
        6⤵
        
        PID:2028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{889ED~1.EXE > nul
        5⤵
        
        PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{38E36~1.EXE > nul
      4⤵
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{87F9A~1.EXE > nul
    3⤵
    PID:2888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C5A919C-5268-4764-9985-B8B49073A9D7}.exe

Filesize
216KB

MD5
f53444d39b9c038a52952302ed9e0eba

SHA1
b51f8291ecdd40d19dee4dca235b0a2151468129

SHA256
742255da6ce57a79868f74f0c11160794e436d191aba3d97395e386be364a88b

SHA512
5c3920b7632e7698c351d3dd6477b8c0a436e7db87167de70a246fcb1fc6c8d0b791aa105b13edc3f089fe723907358ec7932f9dad9b358f2a15914b4e31406c

Download Submit
C:\Windows\{23B90A81-AC4C-48b1-893F-7024BE4093F5}.exe

Filesize
216KB

MD5
507ec2805e13480dbb53368604c85700

SHA1
312281e12c993fdca7607b6fb5b1f2e207f2214d

SHA256
8e73055950fcc35c6a7df3c41defc859e74b352e8f91ee35a7b2c1fcd9cdb08e

SHA512
4f85b5515a6bd8fc738ad23670bd8a7c11d6e00b3522a7ade49b7bb89f2635e0d6996b224b354bc0a9423b8ecd3ceba06854295ad48c75c1286f39473272b1f8

Download Submit
C:\Windows\{38E36CC0-D930-4072-889B-264C32529456}.exe

Filesize
216KB

MD5
7fcb9a0e2757b0010efe87a758b337b5

SHA1
fc8dd9936bffab9615f06f932c98d2b25ad1590d

SHA256
bfd8106a85d881a848414f26da54b8120d06839a31f197d7f0f540eb9a1690f4

SHA512
35205bb070c2aa8d94d81ff675695fe55b48a8bd180265a4e7a853438a55f5a4337fbc7dffae74bfeb551382ea0c83bc83dc0484db2351b071b42c8432c9c4fb

Download Submit
C:\Windows\{7315FB87-A2D0-4e93-873C-AF5632D6052A}.exe

Filesize
216KB

MD5
780fc9edadea4332714cabdf0b95126f

SHA1
2b3f52998b063e1b7183949dfaa5d0d43269e1ed

SHA256
d3268490313ababc6cc18d634974da86964bc3cd1c26a87d0701ca33ab886097

SHA512
e7e4b4c9774b4d38abd2b1c870758d0248a8e689f577073f495915ea353c948f9d4b02796f3bad4ece48273a89d1d4c712de8ddfdb73d2b119a460a15d84530d

Download Submit
C:\Windows\{87F9A4C6-1B7E-4586-8E4E-A97E45B005B2}.exe

Filesize
216KB

MD5
4484e4667ec27c2a6075d622a7926a56

SHA1
c73698fe454c2fd66fad47ef083c6985d0097942

SHA256
5c5e1651cd35f626a4eaf98286cb9dae586aec367984913db4761c7bd1dbb7f6

SHA512
92baab7bb77cd0d4d903a9b13de44a073299ece0a8bef2339bc1e90aaa975d1e327b8904e03c58bbf6acca0d5dff1c1880c1af380dadfb84393d7c63f9b8fe46

Download Submit
C:\Windows\{889ED120-0D49-4b52-BE23-F60E4627486E}.exe

Filesize
216KB

MD5
6bd14cb3ce5c542632dbce2ee19da182

SHA1
289f6c56b1ae823727bc44b34db58778761e5834

SHA256
beb77a7d15c2f8c00398a8d9166dc83a4a612a4a106ea32a341065bded495245

SHA512
2123ea98b8d0bfdc951d9db6f9448a18162705e3cc2b315276f3ef0b9195b394ecba7bbfac36d5066a10cd43da65df0f698ffc1e12db149808947a74f9c7fd62

Download Submit
C:\Windows\{8A42B707-033B-414f-AEF6-7C4B361A4F43}.exe

Filesize
216KB

MD5
ba979bf5a8ca15ec2eacd340d9355618

SHA1
558f23a05def0e39e0f16d3d76e85357e7c6e748

SHA256
115f5369ea6ea206c420f42dbe9ac0cafd6c37b6ed88c53ff03121726ff4659b

SHA512
3fe3466fdd849d02264c4e01e86485cc2de8a70941499940ca5b726bd2e797e53155a79ff7842fc197306b8b6f9896c0e0fbfeeb4ff44d4b64bf671291715db6

Download Submit
C:\Windows\{AA0402B8-FC99-4527-A5D4-BA6EB23FDB8D}.exe

Filesize
216KB

MD5
5f0f0018ebe89b7d8e05cb242bc0fe26

SHA1
6e9f04c7648e6f58f566f2691647c850a3400428

SHA256
a1280f02e5c4e0810f5469efb14afe14558667508f4e63af39c52ff619b78032

SHA512
5b91fdf747013d6f4063d5b650434f541fd269158a3401f58833b0b673cf91b959f79b654e96dc3d43b34d3e827e1921ef71e4775f73f68e1161b10d4825c652

Download Submit
C:\Windows\{B52999A0-61CA-4beb-938E-53E3963EAD49}.exe

Filesize
216KB

MD5
10995d786164ce3ca12ecad16928931e

SHA1
66a144168e0749f6d6bdf50cd330a3d5818abab3

SHA256
97f3b841677749cc20533b3ac93a7a953affb36193828ece1f2384f0f7cd0c5a

SHA512
d1147c5bb99aef85085a726ecaaf57d02112400d91518fe6516b17d9bd87b0684a26ab26c39a625218c51a2fcd8be1eef610789b433eb4f3a5b3524b1480d208

Download Submit
C:\Windows\{BCB44013-6683-49c6-91E2-6DB5550BEC79}.exe

Filesize
216KB

MD5
1b0a050556ab9400414c9ab1abbe2b6f

SHA1
689536ce174bb808dd25656256d29c005ee0d575

SHA256
ca38e0ecd7e8a45ea13644cedc33e788e2aed79cc1310991389d0e99eff85ad0

SHA512
480c1fae662307ba7af0399f0ffc8de15ba12956cfa40eaac46297d0f81094f479f308b404e9dcc74d67ab3ed98236684ea85126a7ec871754befdecc25302d7

Download Submit
C:\Windows\{ED500D0D-11AF-48d1-9AC7-D770E3FF8748}.exe

Filesize
216KB

MD5
be20a7611244feb6918933cec7d5a34b

SHA1
bfc03759ab5e3b2e75c2c3b0b8fdf93b12b3d36d

SHA256
a20584b0693835a083447a86b77e953293e72743a8573552bf117df233f57127

SHA512
f177bb68b58de72576e98858895d8325765f742950e0516fa0f375d84055c61de7627945a8cc729e91d55c4b1034ad160cc3e6c6614f49153c0e6c37c20b98f2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads