3e774765de691bd420ac0ad5341829de1f34cca8f60b973a9c7d1ee34a4621f9

Analysis

max time kernel
151s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe
Size

380KB
MD5

1e36b4b57c160dff6b82aad86fcc2aa8
SHA1

fc05434f3c8456cc31e444f81f6a0a0453fe5e66
SHA256

3e774765de691bd420ac0ad5341829de1f34cca8f60b973a9c7d1ee34a4621f9
SHA512

324ff0f1fec9cce4a9f41307de667990d04f669831a4815d9f127fe4dff537e903e4d25ff517860d0420ff0557776b7c3717ddf230ec9a844906c3ce7903e9c0
SSDEEP

3072:mEGh0oclPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGCl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDDCEA66-D350-450d-8B85-E91436CB2F75}\stubpath = "C:\\Windows\\{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe"	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA4EF0A-937F-4095-A06B-313050DAD7FB}	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BDC04B6-6D77-468e-9C05-F9347E42FF7B}\stubpath = "C:\\Windows\\{2BDC04B6-6D77-468e-9C05-F9347E42FF7B}.exe"	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A2BFDB2-557D-4cad-A8A5-7BB84A38EF5B}	{998FC13D-64C8-418d-9165-45C63D12C469}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D810491-8AF0-4dc8-8079-D478152DAC51}	2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4B1601B-91EF-4557-8F16-9581EB5708E0}	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4B1601B-91EF-4557-8F16-9581EB5708E0}\stubpath = "C:\\Windows\\{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe"	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F3230A3-20EA-41fb-BDD0-A8AF91587468}\stubpath = "C:\\Windows\\{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe"	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD1FE61D-6E71-4823-93B7-EB88DAAE6AA0}\stubpath = "C:\\Windows\\{DD1FE61D-6E71-4823-93B7-EB88DAAE6AA0}.exe"	{1A2BFDB2-557D-4cad-A8A5-7BB84A38EF5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FDDCEA66-D350-450d-8B85-E91436CB2F75}	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F3230A3-20EA-41fb-BDD0-A8AF91587468}	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BDC04B6-6D77-468e-9C05-F9347E42FF7B}	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E8617D1-7273-408d-8093-D5CE39D92213}	{2BDC04B6-6D77-468e-9C05-F9347E42FF7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{998FC13D-64C8-418d-9165-45C63D12C469}\stubpath = "C:\\Windows\\{998FC13D-64C8-418d-9165-45C63D12C469}.exe"	{4E8617D1-7273-408d-8093-D5CE39D92213}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{998FC13D-64C8-418d-9165-45C63D12C469}	{4E8617D1-7273-408d-8093-D5CE39D92213}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A2BFDB2-557D-4cad-A8A5-7BB84A38EF5B}\stubpath = "C:\\Windows\\{1A2BFDB2-557D-4cad-A8A5-7BB84A38EF5B}.exe"	{998FC13D-64C8-418d-9165-45C63D12C469}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD1FE61D-6E71-4823-93B7-EB88DAAE6AA0}	{1A2BFDB2-557D-4cad-A8A5-7BB84A38EF5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D810491-8AF0-4dc8-8079-D478152DAC51}\stubpath = "C:\\Windows\\{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe"	2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}\stubpath = "C:\\Windows\\{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe"	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA4EF0A-937F-4095-A06B-313050DAD7FB}\stubpath = "C:\\Windows\\{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe"	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}\stubpath = "C:\\Windows\\{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe"	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E8617D1-7273-408d-8093-D5CE39D92213}\stubpath = "C:\\Windows\\{4E8617D1-7273-408d-8093-D5CE39D92213}.exe"	{2BDC04B6-6D77-468e-9C05-F9347E42FF7B}.exe

Deletes itself 1 IoCs

pid	Process
2312	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
636	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe
2940	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe
1508	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe
2652	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe
1444	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe
2368	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe
1108	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe
948	{2BDC04B6-6D77-468e-9C05-F9347E42FF7B}.exe
1684	{4E8617D1-7273-408d-8093-D5CE39D92213}.exe
2112	{998FC13D-64C8-418d-9165-45C63D12C469}.exe
1484	{1A2BFDB2-557D-4cad-A8A5-7BB84A38EF5B}.exe
2500	{DD1FE61D-6E71-4823-93B7-EB88DAAE6AA0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe
File created	C:\Windows\{2BDC04B6-6D77-468e-9C05-F9347E42FF7B}.exe	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe
File created	C:\Windows\{4E8617D1-7273-408d-8093-D5CE39D92213}.exe	{2BDC04B6-6D77-468e-9C05-F9347E42FF7B}.exe
File created	C:\Windows\{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe	2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe
File created	C:\Windows\{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe
File created	C:\Windows\{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe
File created	C:\Windows\{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe
File created	C:\Windows\{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe
File created	C:\Windows\{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe
File created	C:\Windows\{998FC13D-64C8-418d-9165-45C63D12C469}.exe	{4E8617D1-7273-408d-8093-D5CE39D92213}.exe
File created	C:\Windows\{1A2BFDB2-557D-4cad-A8A5-7BB84A38EF5B}.exe	{998FC13D-64C8-418d-9165-45C63D12C469}.exe
File created	C:\Windows\{DD1FE61D-6E71-4823-93B7-EB88DAAE6AA0}.exe	{1A2BFDB2-557D-4cad-A8A5-7BB84A38EF5B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2988	2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	636	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe
Token: SeIncBasePriorityPrivilege	2940	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe
Token: SeIncBasePriorityPrivilege	1508	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe
Token: SeIncBasePriorityPrivilege	2652	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe
Token: SeIncBasePriorityPrivilege	1444	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe
Token: SeIncBasePriorityPrivilege	2368	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe
Token: SeIncBasePriorityPrivilege	1108	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe
Token: SeIncBasePriorityPrivilege	948	{2BDC04B6-6D77-468e-9C05-F9347E42FF7B}.exe
Token: SeIncBasePriorityPrivilege	1684	{4E8617D1-7273-408d-8093-D5CE39D92213}.exe
Token: SeIncBasePriorityPrivilege	2112	{998FC13D-64C8-418d-9165-45C63D12C469}.exe
Token: SeIncBasePriorityPrivilege	1484	{1A2BFDB2-557D-4cad-A8A5-7BB84A38EF5B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 636	2988	2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe	28
PID 2988 wrote to memory of 636	2988	2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe	28
PID 2988 wrote to memory of 636	2988	2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe	28
PID 2988 wrote to memory of 636	2988	2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe	28
PID 2988 wrote to memory of 2312	2988	2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe	29
PID 2988 wrote to memory of 2312	2988	2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe	29
PID 2988 wrote to memory of 2312	2988	2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe	29
PID 2988 wrote to memory of 2312	2988	2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe	29
PID 636 wrote to memory of 2940	636	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe	32
PID 636 wrote to memory of 2940	636	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe	32
PID 636 wrote to memory of 2940	636	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe	32
PID 636 wrote to memory of 2940	636	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe	32
PID 636 wrote to memory of 2584	636	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe	33
PID 636 wrote to memory of 2584	636	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe	33
PID 636 wrote to memory of 2584	636	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe	33
PID 636 wrote to memory of 2584	636	{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe	33
PID 2940 wrote to memory of 1508	2940	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe	34
PID 2940 wrote to memory of 1508	2940	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe	34
PID 2940 wrote to memory of 1508	2940	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe	34
PID 2940 wrote to memory of 1508	2940	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe	34
PID 2940 wrote to memory of 2740	2940	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe	35
PID 2940 wrote to memory of 2740	2940	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe	35
PID 2940 wrote to memory of 2740	2940	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe	35
PID 2940 wrote to memory of 2740	2940	{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe	35
PID 1508 wrote to memory of 2652	1508	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe	36
PID 1508 wrote to memory of 2652	1508	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe	36
PID 1508 wrote to memory of 2652	1508	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe	36
PID 1508 wrote to memory of 2652	1508	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe	36
PID 1508 wrote to memory of 3020	1508	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe	37
PID 1508 wrote to memory of 3020	1508	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe	37
PID 1508 wrote to memory of 3020	1508	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe	37
PID 1508 wrote to memory of 3020	1508	{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe	37
PID 2652 wrote to memory of 1444	2652	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe	38
PID 2652 wrote to memory of 1444	2652	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe	38
PID 2652 wrote to memory of 1444	2652	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe	38
PID 2652 wrote to memory of 1444	2652	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe	38
PID 2652 wrote to memory of 2032	2652	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe	39
PID 2652 wrote to memory of 2032	2652	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe	39
PID 2652 wrote to memory of 2032	2652	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe	39
PID 2652 wrote to memory of 2032	2652	{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe	39
PID 1444 wrote to memory of 2368	1444	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe	40
PID 1444 wrote to memory of 2368	1444	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe	40
PID 1444 wrote to memory of 2368	1444	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe	40
PID 1444 wrote to memory of 2368	1444	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe	40
PID 1444 wrote to memory of 2348	1444	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe	41
PID 1444 wrote to memory of 2348	1444	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe	41
PID 1444 wrote to memory of 2348	1444	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe	41
PID 1444 wrote to memory of 2348	1444	{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe	41
PID 2368 wrote to memory of 1108	2368	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe	42
PID 2368 wrote to memory of 1108	2368	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe	42
PID 2368 wrote to memory of 1108	2368	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe	42
PID 2368 wrote to memory of 1108	2368	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe	42
PID 2368 wrote to memory of 1968	2368	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe	43
PID 2368 wrote to memory of 1968	2368	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe	43
PID 2368 wrote to memory of 1968	2368	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe	43
PID 2368 wrote to memory of 1968	2368	{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe	43
PID 1108 wrote to memory of 948	1108	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe	44
PID 1108 wrote to memory of 948	1108	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe	44
PID 1108 wrote to memory of 948	1108	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe	44
PID 1108 wrote to memory of 948	1108	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe	44
PID 1108 wrote to memory of 2072	1108	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe	45
PID 1108 wrote to memory of 2072	1108	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe	45
PID 1108 wrote to memory of 2072	1108	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe	45
PID 1108 wrote to memory of 2072	1108	{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_1e36b4b57c160dff6b82aad86fcc2aa8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe
  C:\Windows\{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe
    C:\Windows\{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe
      C:\Windows\{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Windows\{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe
        
        C:\Windows\{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe
        
        C:\Windows\{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe
        
        C:\Windows\{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe
        
        C:\Windows\{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\{2BDC04B6-6D77-468e-9C05-F9347E42FF7B}.exe
        
        C:\Windows\{2BDC04B6-6D77-468e-9C05-F9347E42FF7B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\{4E8617D1-7273-408d-8093-D5CE39D92213}.exe
        
        C:\Windows\{4E8617D1-7273-408d-8093-D5CE39D92213}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\{998FC13D-64C8-418d-9165-45C63D12C469}.exe
        
        C:\Windows\{998FC13D-64C8-418d-9165-45C63D12C469}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{1A2BFDB2-557D-4cad-A8A5-7BB84A38EF5B}.exe
        
        C:\Windows\{1A2BFDB2-557D-4cad-A8A5-7BB84A38EF5B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\{DD1FE61D-6E71-4823-93B7-EB88DAAE6AA0}.exe
        
        C:\Windows\{DD1FE61D-6E71-4823-93B7-EB88DAAE6AA0}.exe
        13⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A2BF~1.EXE > nul
        13⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{998FC~1.EXE > nul
        12⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E861~1.EXE > nul
        11⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BDC0~1.EXE > nul
        10⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F323~1.EXE > nul
        9⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14D24~1.EXE > nul
        8⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AA4E~1.EXE > nul
        7⤵
        
        PID:2348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDDCE~1.EXE > nul
        6⤵
        
        PID:2032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4B16~1.EXE > nul
        5⤵
        
        PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F0BD8~1.EXE > nul
      4⤵
      PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5D810~1.EXE > nul
    3⤵
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14D240D2-6E20-4c31-BCA8-5A56A5D65BE9}.exe

Filesize
380KB

MD5
159d19e84af50ae8de0adffbc6b0d4a9

SHA1
28a3a91cdb691aaacb7a413c9a306802e2d3fb58

SHA256
47e28a7266637673398e7c8bda3d282e400e630148eebf6485282e26c3701aa8

SHA512
2acfd7b7710d458a71cbc51a142d2dc35f47e2a95ed5c0b6b858df0b5a732a46acca2b2afd7f0f956efebd8320581768ef14476be0f81f4bf90c008bd65b3171

Download Submit
C:\Windows\{1A2BFDB2-557D-4cad-A8A5-7BB84A38EF5B}.exe

Filesize
380KB

MD5
3a006ef5b33d35ea8eb39dc8fe94a0dd

SHA1
a5620b19189855b61521c49a5e671d2b31526fe3

SHA256
12940a70710084aa7e322753b65767b4c913c7368ab4d1f67015fa456d05cc7c

SHA512
1e360ee21f362fc7bc6865f86718dd8c38b441b0ca42993728cd57fb3f38a05ed00e64713c9d6552ded372b33a423b60eaef9f7f17b9e60540a6968e9fdd986a

Download Submit
C:\Windows\{2BDC04B6-6D77-468e-9C05-F9347E42FF7B}.exe

Filesize
380KB

MD5
bf52195738bcfc5cc74a2da9d2561188

SHA1
5d927eb29dc59be6f4d97ec24506367eeb577683

SHA256
9e233cca8d4528b4370ba6706debcdd42dfd695bff9241e4ccced36d03e27d4e

SHA512
d6760b095895c625be5903f7618fa7966b73aede37455d4d7bbcae18702301597de6b2fdbf9a53219263ac398c77dec3b7c6995b1381ade2a23dc39313d20a34

Download Submit
C:\Windows\{4E8617D1-7273-408d-8093-D5CE39D92213}.exe

Filesize
380KB

MD5
4a1f64b9a3fb02f92cfadc1c18e75059

SHA1
63623862a1deb993d025ada14305d939321d2336

SHA256
3f096a9962ff484aa476aef689329218ff81cf9296e0f1485fe3ed1eeb83509d

SHA512
59ac8fd7f6c70fb7d597c76226faeb631f498a3acbcb091843e95a753eafcd388d9a7d315a3625bd099020f0bc2ed30ef4757c7030345d4f7bcf7b8453ad6a80

Download Submit
C:\Windows\{5D810491-8AF0-4dc8-8079-D478152DAC51}.exe

Filesize
380KB

MD5
498d52b0f3da08fa45902d8f51cdd167

SHA1
062f714ed3fdcb75f1a247af7e8918c63aab097e

SHA256
825842b5b750d8103bf440e746529a81a5e43edac769fd3729713706a2cba8ba

SHA512
01b6d4de21b9d572859a1a2cceea91fb0ce4240d80dac34a99b41984219e241cb90cecb0f70fc8266151a054b75fac2fcbf1b6105408ccc37094298bdcb07d19

Download Submit
C:\Windows\{5F3230A3-20EA-41fb-BDD0-A8AF91587468}.exe

Filesize
380KB

MD5
4e5e3d20d9ba4902e15a61a96616c635

SHA1
f4160b4a065598c545a6b7d56bcb8e2bb35cee1c

SHA256
96ca3d194de7d008fff271276848b7178c73b4e74f7a46d1bbc0944e72430b29

SHA512
6de852b9573bc70f8102502f59c4958aa31052e692ed01e965bdb56e7d4286597e16c87918a6f250081d60a8289949040a5e9aea2968bd3c860515109b3cefd5

Download Submit
C:\Windows\{998FC13D-64C8-418d-9165-45C63D12C469}.exe

Filesize
380KB

MD5
80bdda90d5ec7adcd7d981eaf5c9eaa6

SHA1
977aee6d1f3d2bc20d493da14d6446c024da7776

SHA256
79e0bc36009898c9a02d4d08eea1e275f40fe34eef8c099abb3fbde1f475d27a

SHA512
f09ab3b8e85293040e465075b9281280176a3eca13df345581b84a06f633b384016b237ec4963836cef0f33ba48780af674abf280b70afc527b4a180ac947475

Download Submit
C:\Windows\{9AA4EF0A-937F-4095-A06B-313050DAD7FB}.exe

Filesize
380KB

MD5
36260da8e1e62dc331e06d62d1eef913

SHA1
89168a2f77f5b4c08fe6f0478ac7fc443bdb6e55

SHA256
3fe0b07ff14f5f1087ac76bdac8800193a1ca8fcad5fd4e2fdb592cadef8e8fd

SHA512
10de910c422568a9f880e8bc9c57f50e64f9c5bbbc7ac5d2991657811c8063a6f561b6de354c0a3dbada9b031ccda0fe00e6f5fcdff9bffbb0b295524eeca20b

Download Submit
C:\Windows\{C4B1601B-91EF-4557-8F16-9581EB5708E0}.exe

Filesize
380KB

MD5
89083dd2462244147e2fb816d3b646ed

SHA1
a07bf4df4a53b7d93df51c97d544f08c6bc36416

SHA256
8ab47c1e264f75b4b1e61993160bd4e220b9d1a64f438a725059107c2a194c5f

SHA512
817df939912a38e83b0906778199b5660f7aca461eb496d43b05c4f9e89aa6205ab6c8243c3e61756dfef8e6a5ff8116d3d50248e0a3b83348a5f340bd18c7d6

Download Submit
C:\Windows\{DD1FE61D-6E71-4823-93B7-EB88DAAE6AA0}.exe

Filesize
380KB

MD5
2fdc2de2bfa9f9bf2c269f544b9f2efa

SHA1
0029f04f41a1c21742250a89b2c93948614d2cef

SHA256
293797c0216f329ba6773c3c99a91957439fb473bc48bd5ad97059ca2dad0f22

SHA512
0668c118fe8a20623a842cedc249329dedb608497987879caa65424a5f51d2305532238c2ccc8c91c1a88dd2b24c2dc089a23f6d05c3fa45379d386bfbd19050

Download Submit
C:\Windows\{F0BD82A5-2BDA-439a-AA54-F12EC44382FB}.exe

Filesize
380KB

MD5
adb5269dc5af3c68fb3a5a6446219363

SHA1
166e2badc764c649dc1d2e020b27e71ac871c847

SHA256
7419cef5a93c3a7ad065d92c2bd568307fa217e641598cc28bed08e1699c782f

SHA512
9e3e2f5e8fd133aafeb85d95cf85835db03c4af17ca02bdfbfa33328dc798eda7a8aa4a0de18df7f8290ad4ade7954986b4f2ec4505a9f6cb2c9e42d585d067e

Download Submit
C:\Windows\{FDDCEA66-D350-450d-8B85-E91436CB2F75}.exe

Filesize
380KB

MD5
1bb6b467637ec82233ca43c92ae09364

SHA1
330ac93781ee12bb31bdfb185b78a3277d27010f

SHA256
2d6191e8c18d3045015f65186392bf27c7525a14f0fa1e32f681ee9161940292

SHA512
57014a6cceade80b2087a358564884e6b48f2980cf86f01a55494d5669c42aecda398ad0c634fa0d4c3568e071f419d80192d19c0475080fc871dcf28308ee2a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads