ae283b8a56d6070cede8d14576a732c5b1d46951fbc7fe0921b26465fb26d967

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe
Size

192KB
MD5

d9851c6218dd6aab017d4ba3213c7608
SHA1

cb3526cc1b6fa43a3f8289ae88a0684113889009
SHA256

ae283b8a56d6070cede8d14576a732c5b1d46951fbc7fe0921b26465fb26d967
SHA512

42c27a111c4fe25e8dbd1b1a2e6b06eec1f438eec8bf88a306def74484f6928a039e8b5fd153dfe57b16f2f7d8c9ea23dc8b1c5668249dd7d73c4b2935d5e191
SSDEEP

1536:1EGh0opl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0opl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E19365F5-B062-4a46-A0BB-9E5365B081D3}\stubpath = "C:\\Windows\\{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe"	{910ED668-B220-46b6-8D6B-988F3D121017}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E45FCCA8-DE48-408f-AC10-548D2343496D}\stubpath = "C:\\Windows\\{E45FCCA8-DE48-408f-AC10-548D2343496D}.exe"	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CEAB284-F2D9-4252-A2C8-121A7E37DDEC}\stubpath = "C:\\Windows\\{4CEAB284-F2D9-4252-A2C8-121A7E37DDEC}.exe"	{E45FCCA8-DE48-408f-AC10-548D2343496D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{910ED668-B220-46b6-8D6B-988F3D121017}	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E19365F5-B062-4a46-A0BB-9E5365B081D3}	{910ED668-B220-46b6-8D6B-988F3D121017}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E45FCCA8-DE48-408f-AC10-548D2343496D}	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CEAB284-F2D9-4252-A2C8-121A7E37DDEC}	{E45FCCA8-DE48-408f-AC10-548D2343496D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC7134E0-67E8-4399-8147-46401F9B8B84}	{4CEAB284-F2D9-4252-A2C8-121A7E37DDEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BB8DAD4-9C17-4f1c-B8C5-C86EA10FE21A}	{AC7134E0-67E8-4399-8147-46401F9B8B84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C8A48EA-7904-4811-A210-9C6430DA49D2}\stubpath = "C:\\Windows\\{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe"	2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35B790DF-87DB-4c89-9AF5-8AED888A38E4}\stubpath = "C:\\Windows\\{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe"	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC7134E0-67E8-4399-8147-46401F9B8B84}\stubpath = "C:\\Windows\\{AC7134E0-67E8-4399-8147-46401F9B8B84}.exe"	{4CEAB284-F2D9-4252-A2C8-121A7E37DDEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}\stubpath = "C:\\Windows\\{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe"	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}\stubpath = "C:\\Windows\\{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe"	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35B790DF-87DB-4c89-9AF5-8AED888A38E4}	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64525B3A-D814-4484-82FB-3DBC7A98ADF0}	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64525B3A-D814-4484-82FB-3DBC7A98ADF0}\stubpath = "C:\\Windows\\{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe"	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{910ED668-B220-46b6-8D6B-988F3D121017}\stubpath = "C:\\Windows\\{910ED668-B220-46b6-8D6B-988F3D121017}.exe"	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BB8DAD4-9C17-4f1c-B8C5-C86EA10FE21A}\stubpath = "C:\\Windows\\{1BB8DAD4-9C17-4f1c-B8C5-C86EA10FE21A}.exe"	{AC7134E0-67E8-4399-8147-46401F9B8B84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C8A48EA-7904-4811-A210-9C6430DA49D2}	2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2328	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe
2620	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe
2560	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe
1824	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe
1668	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe
2856	{910ED668-B220-46b6-8D6B-988F3D121017}.exe
2252	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe
1816	{E45FCCA8-DE48-408f-AC10-548D2343496D}.exe
2000	{4CEAB284-F2D9-4252-A2C8-121A7E37DDEC}.exe
2364	{AC7134E0-67E8-4399-8147-46401F9B8B84}.exe
2996	{1BB8DAD4-9C17-4f1c-B8C5-C86EA10FE21A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe
File created	C:\Windows\{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe
File created	C:\Windows\{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe
File created	C:\Windows\{910ED668-B220-46b6-8D6B-988F3D121017}.exe	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe
File created	C:\Windows\{4CEAB284-F2D9-4252-A2C8-121A7E37DDEC}.exe	{E45FCCA8-DE48-408f-AC10-548D2343496D}.exe
File created	C:\Windows\{AC7134E0-67E8-4399-8147-46401F9B8B84}.exe	{4CEAB284-F2D9-4252-A2C8-121A7E37DDEC}.exe
File created	C:\Windows\{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe	2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe
File created	C:\Windows\{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe	{910ED668-B220-46b6-8D6B-988F3D121017}.exe
File created	C:\Windows\{E45FCCA8-DE48-408f-AC10-548D2343496D}.exe	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe
File created	C:\Windows\{1BB8DAD4-9C17-4f1c-B8C5-C86EA10FE21A}.exe	{AC7134E0-67E8-4399-8147-46401F9B8B84}.exe
File created	C:\Windows\{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2676	2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2328	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe
Token: SeIncBasePriorityPrivilege	2620	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe
Token: SeIncBasePriorityPrivilege	2560	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe
Token: SeIncBasePriorityPrivilege	1824	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe
Token: SeIncBasePriorityPrivilege	1668	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe
Token: SeIncBasePriorityPrivilege	2856	{910ED668-B220-46b6-8D6B-988F3D121017}.exe
Token: SeIncBasePriorityPrivilege	2252	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe
Token: SeIncBasePriorityPrivilege	1816	{E45FCCA8-DE48-408f-AC10-548D2343496D}.exe
Token: SeIncBasePriorityPrivilege	2000	{4CEAB284-F2D9-4252-A2C8-121A7E37DDEC}.exe
Token: SeIncBasePriorityPrivilege	2364	{AC7134E0-67E8-4399-8147-46401F9B8B84}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2328	2676	2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe	28
PID 2676 wrote to memory of 2328	2676	2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe	28
PID 2676 wrote to memory of 2328	2676	2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe	28
PID 2676 wrote to memory of 2328	2676	2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe	28
PID 2676 wrote to memory of 2592	2676	2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe	29
PID 2676 wrote to memory of 2592	2676	2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe	29
PID 2676 wrote to memory of 2592	2676	2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe	29
PID 2676 wrote to memory of 2592	2676	2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe	29
PID 2328 wrote to memory of 2620	2328	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe	30
PID 2328 wrote to memory of 2620	2328	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe	30
PID 2328 wrote to memory of 2620	2328	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe	30
PID 2328 wrote to memory of 2620	2328	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe	30
PID 2328 wrote to memory of 2604	2328	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe	31
PID 2328 wrote to memory of 2604	2328	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe	31
PID 2328 wrote to memory of 2604	2328	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe	31
PID 2328 wrote to memory of 2604	2328	{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe	31
PID 2620 wrote to memory of 2560	2620	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe	34
PID 2620 wrote to memory of 2560	2620	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe	34
PID 2620 wrote to memory of 2560	2620	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe	34
PID 2620 wrote to memory of 2560	2620	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe	34
PID 2620 wrote to memory of 3008	2620	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe	35
PID 2620 wrote to memory of 3008	2620	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe	35
PID 2620 wrote to memory of 3008	2620	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe	35
PID 2620 wrote to memory of 3008	2620	{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe	35
PID 2560 wrote to memory of 1824	2560	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe	36
PID 2560 wrote to memory of 1824	2560	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe	36
PID 2560 wrote to memory of 1824	2560	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe	36
PID 2560 wrote to memory of 1824	2560	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe	36
PID 2560 wrote to memory of 744	2560	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe	37
PID 2560 wrote to memory of 744	2560	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe	37
PID 2560 wrote to memory of 744	2560	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe	37
PID 2560 wrote to memory of 744	2560	{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe	37
PID 1824 wrote to memory of 1668	1824	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe	38
PID 1824 wrote to memory of 1668	1824	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe	38
PID 1824 wrote to memory of 1668	1824	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe	38
PID 1824 wrote to memory of 1668	1824	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe	38
PID 1824 wrote to memory of 2804	1824	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe	39
PID 1824 wrote to memory of 2804	1824	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe	39
PID 1824 wrote to memory of 2804	1824	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe	39
PID 1824 wrote to memory of 2804	1824	{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe	39
PID 1668 wrote to memory of 2856	1668	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe	40
PID 1668 wrote to memory of 2856	1668	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe	40
PID 1668 wrote to memory of 2856	1668	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe	40
PID 1668 wrote to memory of 2856	1668	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe	40
PID 1668 wrote to memory of 1756	1668	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe	41
PID 1668 wrote to memory of 1756	1668	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe	41
PID 1668 wrote to memory of 1756	1668	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe	41
PID 1668 wrote to memory of 1756	1668	{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe	41
PID 2856 wrote to memory of 2252	2856	{910ED668-B220-46b6-8D6B-988F3D121017}.exe	42
PID 2856 wrote to memory of 2252	2856	{910ED668-B220-46b6-8D6B-988F3D121017}.exe	42
PID 2856 wrote to memory of 2252	2856	{910ED668-B220-46b6-8D6B-988F3D121017}.exe	42
PID 2856 wrote to memory of 2252	2856	{910ED668-B220-46b6-8D6B-988F3D121017}.exe	42
PID 2856 wrote to memory of 1464	2856	{910ED668-B220-46b6-8D6B-988F3D121017}.exe	43
PID 2856 wrote to memory of 1464	2856	{910ED668-B220-46b6-8D6B-988F3D121017}.exe	43
PID 2856 wrote to memory of 1464	2856	{910ED668-B220-46b6-8D6B-988F3D121017}.exe	43
PID 2856 wrote to memory of 1464	2856	{910ED668-B220-46b6-8D6B-988F3D121017}.exe	43
PID 2252 wrote to memory of 1816	2252	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe	44
PID 2252 wrote to memory of 1816	2252	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe	44
PID 2252 wrote to memory of 1816	2252	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe	44
PID 2252 wrote to memory of 1816	2252	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe	44
PID 2252 wrote to memory of 2584	2252	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe	45
PID 2252 wrote to memory of 2584	2252	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe	45
PID 2252 wrote to memory of 2584	2252	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe	45
PID 2252 wrote to memory of 2584	2252	{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-22_d9851c6218dd6aab017d4ba3213c7608_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe
  C:\Windows\{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe
    C:\Windows\{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe
      C:\Windows\{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe
        
        C:\Windows\{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe
        
        C:\Windows\{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\{910ED668-B220-46b6-8D6B-988F3D121017}.exe
        
        C:\Windows\{910ED668-B220-46b6-8D6B-988F3D121017}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe
        
        C:\Windows\{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\{E45FCCA8-DE48-408f-AC10-548D2343496D}.exe
        
        C:\Windows\{E45FCCA8-DE48-408f-AC10-548D2343496D}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\{4CEAB284-F2D9-4252-A2C8-121A7E37DDEC}.exe
        
        C:\Windows\{4CEAB284-F2D9-4252-A2C8-121A7E37DDEC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\{AC7134E0-67E8-4399-8147-46401F9B8B84}.exe
        
        C:\Windows\{AC7134E0-67E8-4399-8147-46401F9B8B84}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\{1BB8DAD4-9C17-4f1c-B8C5-C86EA10FE21A}.exe
        
        C:\Windows\{1BB8DAD4-9C17-4f1c-B8C5-C86EA10FE21A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC713~1.EXE > nul
        12⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CEAB~1.EXE > nul
        11⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E45FC~1.EXE > nul
        10⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1936~1.EXE > nul
        9⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{910ED~1.EXE > nul
        8⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64525~1.EXE > nul
        7⤵
        
        PID:1756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35B79~1.EXE > nul
        6⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AA42~1.EXE > nul
        5⤵
        
        PID:744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B313E~1.EXE > nul
      4⤵
      PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9C8A4~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BB8DAD4-9C17-4f1c-B8C5-C86EA10FE21A}.exe

Filesize
192KB

MD5
d9f364fe34789d7bdc4e9c0ebbd281be

SHA1
077855a42b4e51b240c17b5be5ef1319c311641e

SHA256
5b9cb3f1963efa8733e584e55b7519849f2b172f446e9e4b4f8d6274a269d10d

SHA512
58eb8e303c616cb04d12695de6c2d64e8a7631c7b987ecf69118a6c1d2a11dbb6456fffdf2004c3f971cb4bac412e3f808bd068ea78684f30d0dd9541356e66a

Download Submit
C:\Windows\{35B790DF-87DB-4c89-9AF5-8AED888A38E4}.exe

Filesize
192KB

MD5
5109bfdae3dc69d5b9895da78c9ae0fe

SHA1
a6d33d7c737374908d687ad541d25810e9d52f42

SHA256
1a89ac7366f6be4c5cf77bc45d733efd667e3dce3e1ee09266ae0ec93487f443

SHA512
3e396b3fa013c12d0aa19ea29a43d4a1bf335eb6cfd01d299cf13c8fd929b7db1ce94fe7775ca41350d143cbe40920ce98b49134c60afae45fb49a2b7e0e7bf7

Download Submit
C:\Windows\{4CEAB284-F2D9-4252-A2C8-121A7E37DDEC}.exe

Filesize
192KB

MD5
093bb5a9837980431191d8e0a8f4a85c

SHA1
db01cd5cfb7f0dc5fcedc82a2a58397b210a32a7

SHA256
0cc9d02bfaf98db67e58c91e970742104efec6721516cc45bc543ad0b14d6305

SHA512
5d7bea62de5d7a8d481132b93cfcb56fbc5ed08d9398b77a2ed89a9e0318ca85dd3eee6fc0fd208d18caaf1af7e6b902aa96639bd9e10fc703921ae755b6b742

Download Submit
C:\Windows\{64525B3A-D814-4484-82FB-3DBC7A98ADF0}.exe

Filesize
192KB

MD5
850e20e878770fc23c41b4c5c63ec0cd

SHA1
bffbbe0c0a377fa277e34012e1c0d103bb6a01c5

SHA256
f7a8de999af650b67cbdd8f495dea132a8224de397c524aabe2f90feb5d1b90e

SHA512
6afaf025cb3cbc4cf5c9eed073e36f4869cfeebf2d27ad63359421d70f6c2ac8382067eff8123a73f0d69b6b6ce8bff1f5681bb75d12f1ac2ec77c5c4df4b8ff

Download Submit
C:\Windows\{7AA429AD-4BCA-41d3-836B-7732C7B5A80B}.exe

Filesize
192KB

MD5
7e76f1a30a0d02b480d311e24e5fd724

SHA1
2ce38f4d8f1f03c9c91c21572d5f3486a1745867

SHA256
e235770df4f2120f618f09c0c7d7c4412eafc2eb97fbc0f8eda35f8377a97628

SHA512
5e6b0c239f17099c9c0d2c821c15c78585d227c73fbb3d80e88b18569951d2922664f1a93faf256a299b2b231d04e162d863d2282a0cf1a86e45d020ed0148f7

Download Submit
C:\Windows\{910ED668-B220-46b6-8D6B-988F3D121017}.exe

Filesize
192KB

MD5
4ea2d8439b2dcd0aa087282f822cd4df

SHA1
732af5170fb97986e4945ab0f0aca4c432bc859e

SHA256
5409d9d4e9dffe9360a914383190e3a0057324ea8620c284cb9efd186e4bdfe9

SHA512
ef9483ee51f3079147118278878f7f0900a75a366a7ca459a97a01144aa97b1613adc3437eb0c005f7007f75a1e3f6625b08e7367b3b2e93e0a124d5a731ade5

Download Submit
C:\Windows\{9C8A48EA-7904-4811-A210-9C6430DA49D2}.exe

Filesize
192KB

MD5
4edada35bab7783e98b1d8dcfb603c48

SHA1
bea2ca3c7a75f2a9f3e93121a31a4530d28323b2

SHA256
06c2583c2668b73e661e11865443390c6f08411c894f809b2f19d78be2a8f402

SHA512
f69747e3e8c50cef9346a8490cf76d7a0e78db78a1f42f6cea8b096d717c6d4fc856068f099d0bec3a47244ee719ffccce17950f8b743883920e07eabfe9c143

Download Submit
C:\Windows\{AC7134E0-67E8-4399-8147-46401F9B8B84}.exe

Filesize
192KB

MD5
27ea1b42524433af20d32153692f27fa

SHA1
0fd5710cf6e945239c2bf98819dbec7ef9e8d8fd

SHA256
8986d3f4203afe670c25c86b542910cb682e109757d3e9e0ff36b223bded2a98

SHA512
70b717311318ab28ec270a53998e6f44818b6067f1a52bfd786c697063ba0a148e4c3f6e1a4acc484cad1c092556975fe19c0b8c0643a21ed971c4d3e27511b3

Download Submit
C:\Windows\{B313E7AC-ADCB-42e2-ACB4-3AF2CAC669F1}.exe

Filesize
192KB

MD5
7929af97cc755e75df55794eeb90419f

SHA1
de3700d796fbd4d85e94379ab8f06efd20d87f54

SHA256
6b87c79fbed9a3c639e3bf89ef9257c4a64f6bfc8447056e79951f017689b259

SHA512
a79aa0329ecf74f2e20e76c6145495feeaecc509535ad6a3e064c96c117aaaa30862d88ba87e54ed9f980369cdbb0632fec27969dcc7744f0f3700e6ced4fbee

Download Submit
C:\Windows\{E19365F5-B062-4a46-A0BB-9E5365B081D3}.exe

Filesize
192KB

MD5
4a1bfff5f8480b09e233d34277d23e39

SHA1
9e3f1b1b95ff3102f316666d3a04a95c001f7525

SHA256
1990dd650056f8dbb7f956c3d233b4ec5f97aaebfec351ffd33f88171bd8aaee

SHA512
9fabdc9fcb05c8ea8185b30e3752a3affdd8b4690a0935f6c77a438ea645d8d7c598a4b51183a31576e9c926c51607388d04b336c74a07e1319240ceba343da6

Download Submit
C:\Windows\{E45FCCA8-DE48-408f-AC10-548D2343496D}.exe

Filesize
192KB

MD5
55ffa19d655fde1cabf8ad259aed9e45

SHA1
b12be2771e8a9e2c74d04e7ee13dba007391bae8

SHA256
8996952d918b239bffc4a5c2da23741f125c7bc090150d392bbda52d1a38f590

SHA512
250908cfa3d017ca055f38b71c6fdcf95aa8333ae2bc73826862248d61f493c660446fbea9065cb5b606f62b11fd5d880a992eef866d1abc964a05e66d02ed2d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads