ba7ecfbc64aab3587f713f9fb16712fa7a55c954d198438140d0ba9a28940d82

Analysis

max time kernel
162s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe
Size

408KB
MD5

5554270cbd6f37a1e271e3c409f2a433
SHA1

f0af2b66f5a8a5ae2590476aeb5e5e23aca548f7
SHA256

ba7ecfbc64aab3587f713f9fb16712fa7a55c954d198438140d0ba9a28940d82
SHA512

49523c5eed7fb53160a3ba7003caa20f4846e3fc38da611a121fe51dc4c1e76e822275f20a884a955d1a4125600d214796abf3e5b94c649471e202429eda9404
SSDEEP

3072:CEGh0oGl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGYldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD8CA5B8-08A9-4494-84BA-B46B9417D901}\stubpath = "C:\\Windows\\{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe"	{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}	{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{624A5B37-6440-425c-BA47-ECF80C30327E}	{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}\stubpath = "C:\\Windows\\{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe"	{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF670A7-612A-483b-9C26-3002FDF8DB5F}	{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF670A7-612A-483b-9C26-3002FDF8DB5F}\stubpath = "C:\\Windows\\{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe"	{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC7E9136-08A1-4941-872B-C965543C98E9}	{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D195E61-129B-4cc5-9640-782A5771693B}\stubpath = "C:\\Windows\\{1D195E61-129B-4cc5-9640-782A5771693B}.exe"	{AC7E9136-08A1-4941-872B-C965543C98E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{624A5B37-6440-425c-BA47-ECF80C30327E}\stubpath = "C:\\Windows\\{624A5B37-6440-425c-BA47-ECF80C30327E}.exe"	{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10CFB110-6BEA-49df-9280-D80546F71DC1}\stubpath = "C:\\Windows\\{10CFB110-6BEA-49df-9280-D80546F71DC1}.exe"	{657C52BE-5F98-4b32-9C63-6D15BA210C3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}	{1D195E61-129B-4cc5-9640-782A5771693B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}\stubpath = "C:\\Windows\\{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe"	{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{633E2133-B15D-4ff4-8BE1-718DA1465A99}\stubpath = "C:\\Windows\\{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe"	{624A5B37-6440-425c-BA47-ECF80C30327E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{657C52BE-5F98-4b32-9C63-6D15BA210C3D}	{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{657C52BE-5F98-4b32-9C63-6D15BA210C3D}\stubpath = "C:\\Windows\\{657C52BE-5F98-4b32-9C63-6D15BA210C3D}.exe"	{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38B09F51-B524-4ae1-92C2-F49A6C87A56A}\stubpath = "C:\\Windows\\{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe"	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10CFB110-6BEA-49df-9280-D80546F71DC1}	{657C52BE-5F98-4b32-9C63-6D15BA210C3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD8CA5B8-08A9-4494-84BA-B46B9417D901}	{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{633E2133-B15D-4ff4-8BE1-718DA1465A99}	{624A5B37-6440-425c-BA47-ECF80C30327E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38B09F51-B524-4ae1-92C2-F49A6C87A56A}	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}	{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC7E9136-08A1-4941-872B-C965543C98E9}\stubpath = "C:\\Windows\\{AC7E9136-08A1-4941-872B-C965543C98E9}.exe"	{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D195E61-129B-4cc5-9640-782A5771693B}	{AC7E9136-08A1-4941-872B-C965543C98E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}\stubpath = "C:\\Windows\\{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe"	{1D195E61-129B-4cc5-9640-782A5771693B}.exe

Executes dropped EXE 12 IoCs

pid	Process
3980	{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe
4852	{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe
4904	{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe
4752	{AC7E9136-08A1-4941-872B-C965543C98E9}.exe
3480	{1D195E61-129B-4cc5-9640-782A5771693B}.exe
2060	{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe
3548	{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe
3208	{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe
4016	{624A5B37-6440-425c-BA47-ECF80C30327E}.exe
3728	{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe
4248	{657C52BE-5F98-4b32-9C63-6D15BA210C3D}.exe
4160	{10CFB110-6BEA-49df-9280-D80546F71DC1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe
File created	C:\Windows\{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe	{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe
File created	C:\Windows\{1D195E61-129B-4cc5-9640-782A5771693B}.exe	{AC7E9136-08A1-4941-872B-C965543C98E9}.exe
File created	C:\Windows\{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe	{1D195E61-129B-4cc5-9640-782A5771693B}.exe
File created	C:\Windows\{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe	{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe
File created	C:\Windows\{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe	{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe
File created	C:\Windows\{624A5B37-6440-425c-BA47-ECF80C30327E}.exe	{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe
File created	C:\Windows\{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe	{624A5B37-6440-425c-BA47-ECF80C30327E}.exe
File created	C:\Windows\{10CFB110-6BEA-49df-9280-D80546F71DC1}.exe	{657C52BE-5F98-4b32-9C63-6D15BA210C3D}.exe
File created	C:\Windows\{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe	{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe
File created	C:\Windows\{AC7E9136-08A1-4941-872B-C965543C98E9}.exe	{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe
File created	C:\Windows\{657C52BE-5F98-4b32-9C63-6D15BA210C3D}.exe	{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4156	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3980	{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe
Token: SeIncBasePriorityPrivilege	4852	{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe
Token: SeIncBasePriorityPrivilege	4904	{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe
Token: SeIncBasePriorityPrivilege	4752	{AC7E9136-08A1-4941-872B-C965543C98E9}.exe
Token: SeIncBasePriorityPrivilege	3480	{1D195E61-129B-4cc5-9640-782A5771693B}.exe
Token: SeIncBasePriorityPrivilege	2060	{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe
Token: SeIncBasePriorityPrivilege	3548	{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe
Token: SeIncBasePriorityPrivilege	3208	{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe
Token: SeIncBasePriorityPrivilege	4016	{624A5B37-6440-425c-BA47-ECF80C30327E}.exe
Token: SeIncBasePriorityPrivilege	3728	{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe
Token: SeIncBasePriorityPrivilege	4248	{657C52BE-5F98-4b32-9C63-6D15BA210C3D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 3980	4156	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	90
PID 4156 wrote to memory of 3980	4156	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	90
PID 4156 wrote to memory of 3980	4156	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	90
PID 4156 wrote to memory of 1020	4156	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	91
PID 4156 wrote to memory of 1020	4156	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	91
PID 4156 wrote to memory of 1020	4156	2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe	91
PID 3980 wrote to memory of 4852	3980	{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe	97
PID 3980 wrote to memory of 4852	3980	{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe	97
PID 3980 wrote to memory of 4852	3980	{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe	97
PID 3980 wrote to memory of 4104	3980	{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe	96
PID 3980 wrote to memory of 4104	3980	{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe	96
PID 3980 wrote to memory of 4104	3980	{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe	96
PID 4852 wrote to memory of 4904	4852	{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe	102
PID 4852 wrote to memory of 4904	4852	{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe	102
PID 4852 wrote to memory of 4904	4852	{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe	102
PID 4852 wrote to memory of 920	4852	{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe	103
PID 4852 wrote to memory of 920	4852	{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe	103
PID 4852 wrote to memory of 920	4852	{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe	103
PID 4904 wrote to memory of 4752	4904	{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe	106
PID 4904 wrote to memory of 4752	4904	{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe	106
PID 4904 wrote to memory of 4752	4904	{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe	106
PID 4904 wrote to memory of 4748	4904	{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe	107
PID 4904 wrote to memory of 4748	4904	{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe	107
PID 4904 wrote to memory of 4748	4904	{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe	107
PID 4752 wrote to memory of 3480	4752	{AC7E9136-08A1-4941-872B-C965543C98E9}.exe	110
PID 4752 wrote to memory of 3480	4752	{AC7E9136-08A1-4941-872B-C965543C98E9}.exe	110
PID 4752 wrote to memory of 3480	4752	{AC7E9136-08A1-4941-872B-C965543C98E9}.exe	110
PID 4752 wrote to memory of 2640	4752	{AC7E9136-08A1-4941-872B-C965543C98E9}.exe	111
PID 4752 wrote to memory of 2640	4752	{AC7E9136-08A1-4941-872B-C965543C98E9}.exe	111
PID 4752 wrote to memory of 2640	4752	{AC7E9136-08A1-4941-872B-C965543C98E9}.exe	111
PID 3480 wrote to memory of 2060	3480	{1D195E61-129B-4cc5-9640-782A5771693B}.exe	112
PID 3480 wrote to memory of 2060	3480	{1D195E61-129B-4cc5-9640-782A5771693B}.exe	112
PID 3480 wrote to memory of 2060	3480	{1D195E61-129B-4cc5-9640-782A5771693B}.exe	112
PID 3480 wrote to memory of 4996	3480	{1D195E61-129B-4cc5-9640-782A5771693B}.exe	113
PID 3480 wrote to memory of 4996	3480	{1D195E61-129B-4cc5-9640-782A5771693B}.exe	113
PID 3480 wrote to memory of 4996	3480	{1D195E61-129B-4cc5-9640-782A5771693B}.exe	113
PID 2060 wrote to memory of 3548	2060	{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe	116
PID 2060 wrote to memory of 3548	2060	{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe	116
PID 2060 wrote to memory of 3548	2060	{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe	116
PID 2060 wrote to memory of 4804	2060	{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe	117
PID 2060 wrote to memory of 4804	2060	{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe	117
PID 2060 wrote to memory of 4804	2060	{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe	117
PID 3548 wrote to memory of 3208	3548	{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe	118
PID 3548 wrote to memory of 3208	3548	{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe	118
PID 3548 wrote to memory of 3208	3548	{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe	118
PID 3548 wrote to memory of 4968	3548	{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe	119
PID 3548 wrote to memory of 4968	3548	{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe	119
PID 3548 wrote to memory of 4968	3548	{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe	119
PID 3208 wrote to memory of 4016	3208	{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe	120
PID 3208 wrote to memory of 4016	3208	{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe	120
PID 3208 wrote to memory of 4016	3208	{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe	120
PID 3208 wrote to memory of 1576	3208	{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe	121
PID 3208 wrote to memory of 1576	3208	{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe	121
PID 3208 wrote to memory of 1576	3208	{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe	121
PID 4016 wrote to memory of 3728	4016	{624A5B37-6440-425c-BA47-ECF80C30327E}.exe	123
PID 4016 wrote to memory of 3728	4016	{624A5B37-6440-425c-BA47-ECF80C30327E}.exe	123
PID 4016 wrote to memory of 3728	4016	{624A5B37-6440-425c-BA47-ECF80C30327E}.exe	123
PID 4016 wrote to memory of 4756	4016	{624A5B37-6440-425c-BA47-ECF80C30327E}.exe	124
PID 4016 wrote to memory of 4756	4016	{624A5B37-6440-425c-BA47-ECF80C30327E}.exe	124
PID 4016 wrote to memory of 4756	4016	{624A5B37-6440-425c-BA47-ECF80C30327E}.exe	124
PID 3728 wrote to memory of 4248	3728	{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe	125
PID 3728 wrote to memory of 4248	3728	{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe	125
PID 3728 wrote to memory of 4248	3728	{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe	125
PID 3728 wrote to memory of 4880	3728	{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_5554270cbd6f37a1e271e3c409f2a433_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe
  C:\Windows\{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{38B09~1.EXE > nul
    3⤵
    PID:4104
- - C:\Windows\{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe
    C:\Windows\{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe
      C:\Windows\{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\{AC7E9136-08A1-4941-872B-C965543C98E9}.exe
        
        C:\Windows\{AC7E9136-08A1-4941-872B-C965543C98E9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\{1D195E61-129B-4cc5-9640-782A5771693B}.exe
        
        C:\Windows\{1D195E61-129B-4cc5-9640-782A5771693B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe
        
        C:\Windows\{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe
        
        C:\Windows\{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe
        
        C:\Windows\{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{624A5B37-6440-425c-BA47-ECF80C30327E}.exe
        
        C:\Windows\{624A5B37-6440-425c-BA47-ECF80C30327E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe
        
        C:\Windows\{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\{657C52BE-5F98-4b32-9C63-6D15BA210C3D}.exe
        
        C:\Windows\{657C52BE-5F98-4b32-9C63-6D15BA210C3D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{657C5~1.EXE > nul
        13⤵
        
        PID:1600
        
        C:\Windows\{10CFB110-6BEA-49df-9280-D80546F71DC1}.exe
        
        C:\Windows\{10CFB110-6BEA-49df-9280-D80546F71DC1}.exe
        13⤵
        Executes dropped EXE
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{633E2~1.EXE > nul
        12⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{624A5~1.EXE > nul
        11⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D975~1.EXE > nul
        10⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD8CA~1.EXE > nul
        9⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2589~1.EXE > nul
        8⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D195~1.EXE > nul
        7⤵
        
        PID:4996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC7E9~1.EXE > nul
        6⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FF67~1.EXE > nul
        5⤵
        
        PID:4748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{85CCC~1.EXE > nul
      4⤵
      PID:920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10CFB110-6BEA-49df-9280-D80546F71DC1}.exe

Filesize
32KB

MD5
ed04fa538dd5b59becbb41f19edb117e

SHA1
3f3eee4c86d8e0387009794221bc02e472938a13

SHA256
4acab661e0ea4759d0ca6e8a0b82597cfc15eb14a4ce3d0a89df7e63b3c0eefb

SHA512
034a2688b9068f33d8a4a7489dae3ad918ca88ad8948db08b5f84bb3e76248e8761e6e16b9685d4f94d410615c05d12ee41a3fab56b27696f0d9311451c2cd00

Download Submit
C:\Windows\{10CFB110-6BEA-49df-9280-D80546F71DC1}.exe

Filesize
72KB

MD5
aea60a3c5c9546e5d92838885557ffa9

SHA1
8c48498992539b6de714752f3812f16e2304c49f

SHA256
6cafae41f926d8ec272aec6fdf3613ac7355ebbdf7b6c48dcd49ed95b0b9011e

SHA512
00272a56643ae94c02a814043ebdf44d05d0e96a7296d61e6b6184c0e86dd0cad56c8f37b12caa0940b0bc0a76229f60979d1c355421513f3623b4545f7bf047

Download Submit
C:\Windows\{1D195E61-129B-4cc5-9640-782A5771693B}.exe

Filesize
408KB

MD5
f00257f1cae9941adb501b68166ee716

SHA1
6723cb31e8d0387db0b11230eca2d8a2c5f4186a

SHA256
6f2bc1b698dfcd96675cd165f80751f53aebb1272dd9eaffa462d0c1afdb254a

SHA512
9b876309aab2573a2d0bdf30ed5db870b20e8f61fce92924a3de22cd44d7d4e4b3a33eabaacb974392ca29b8bcbfdedc4eb5245c1a943f22df5ce09f10e3c076

Download Submit
C:\Windows\{38B09F51-B524-4ae1-92C2-F49A6C87A56A}.exe

Filesize
408KB

MD5
c8d173d0e097169830908fa670c54902

SHA1
b6d3bcdad0d09f952311b7302ad0ecbdf748b6a9

SHA256
d32995a9dd96fb047b29c64df367f95572209e64702330c7e358bb501c8e5020

SHA512
f6583568b1b8be033a755244340879ec7783321e29cfebb485bfe90b772f3f12568ca6efc84f4d9a570b37c28a52171ebc5f02c5bf7eeec10d400c8b2e673d29

Download Submit
C:\Windows\{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe

Filesize
163KB

MD5
44ab79a25a3af09672ed806547ffbaa1

SHA1
57e67d3691129ea36fe3c78e2d44acc6fa5aff99

SHA256
c47db8e3b0e99d00a455595ac3349e9184d7c50a76fc8d052f4cdf1d68116a30

SHA512
6bc58b3e2a3770ebecf154265b00f5f2a02828ccd9bd47c2b2c61d28bd07a5fdbba8c1a6a4dd639a7c9a10b1ece87b2af54fa3eb3340ff994eddf44f3225df4e

Download Submit
C:\Windows\{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe

Filesize
176KB

MD5
a76c69c4c1936b4ebed06afce512a394

SHA1
28f7c47f33d2c498e6615165cc816d4a3c86bea3

SHA256
adf20a7d1bcf5218058b026c682a5c45efb9bb0daacb2945541e7b15290c00b1

SHA512
2c354f7c575702c968e429c609eb1d67dacab60a146b371b3ed1b591cdc2c9a27ddd5784dfa2e8ee718e86ccca5cc0f2cc85726325a98de178a407b0ab7373bf

Download Submit
C:\Windows\{3FF670A7-612A-483b-9C26-3002FDF8DB5F}.exe

Filesize
333KB

MD5
0ecec52b9572e611baae934c6e721f28

SHA1
c98598eaf1e8e195185feb187c2f8913ce7417d8

SHA256
b5877fa15d379178a83b2f79ad5418868afe68a4c9ec049643ec9409da34cece

SHA512
81fcd0dc9823e05cb9bf071103f02d9b94d8ebaec43e2ff084a0277abcd899a416b0a2722212fd9e76c3a6c4f93f496166c80afa865f0e36358c2d7cfa91a379

Download Submit
C:\Windows\{624A5B37-6440-425c-BA47-ECF80C30327E}.exe

Filesize
140KB

MD5
54bff34dd06bf6a9a47207914e77218d

SHA1
dc186f3a446a7b6d95f04b48b44cccda9f005071

SHA256
be18d1fd13ca92a3801e49209728f171bf46b43057306af582371184be73690d

SHA512
858e019b31d2c33485ed2566aa488d057f225810ab926f6f45f294ec2ecdd2969f1e6cbf58ae560761d7123424b1f5f69129391e7d547773ee0c366d16df8b9a

Download Submit
C:\Windows\{624A5B37-6440-425c-BA47-ECF80C30327E}.exe

Filesize
408KB

MD5
f2150e035e913d97add5fdd3330cad10

SHA1
991b32f9244b55ceafc711d1b0d70239003c4818

SHA256
6d4a155a38bdb37ca2d328524d584b8f82ebfb76816a0dc6514280947248ac8c

SHA512
d11a18e65e5ad8dac011d14b9273740bbfe75141a42aa695e181044970cad0aacc4678134d3b698e468d06902dc4dd2020bd47538adbe79baea5c053b2380b75

Download Submit
C:\Windows\{633E2133-B15D-4ff4-8BE1-718DA1465A99}.exe

Filesize
408KB

MD5
aece4f1a57379e649b5c667290a75f13

SHA1
349ccc410478c968b0c7b97b624436c5e8c34a15

SHA256
fe2b64404ab4374f0d0de8133a10234cdd59be4cd62b2dfd14b230f7aaf5b8a9

SHA512
2930dd5bc19ecc5dc6f9d516fef3ccb955e3c157863977d3ee6c8b98418add66ae8cb2e9e5dd1944fa740fa13f423d66af50cbb412705396dda31ba54a087417

Download Submit
C:\Windows\{657C52BE-5F98-4b32-9C63-6D15BA210C3D}.exe

Filesize
203KB

MD5
f8dded9ddf3f00852df699da5f9d2ae9

SHA1
ada5ec8eae190c5469c75540b0f0bf3ad34a2107

SHA256
55cf25d9b75a71c8d4b1981884c8288d763a4ee87d363f466e5c6b26cc65b727

SHA512
b38d9c0e0c3be4bfa246959e1316f2f9f81ad6a4178d7c214c81958cacb7cae78c227d2f155c988dfef6ead8b6bb06e3ae0b7792484d52fda5f72432d2e43137

Download Submit
C:\Windows\{657C52BE-5F98-4b32-9C63-6D15BA210C3D}.exe

Filesize
138KB

MD5
b3b72f5611a95a8d8c555adb10a311b6

SHA1
90bce3e680f92525ef14076c28a207651cdb25ae

SHA256
0af803689d58d617040f43801396489c265ec9a51e3e43bea02fed913a96e562

SHA512
b09f420be5de4a88ccf1dcb9e2dabde9356c62911875c3cecc6378a1d1ecb0a48ee62d790c681a4be64d92f12a7e44d63ccd2636ec5be676e2c1b34729b89936

Download Submit
C:\Windows\{7D975B51-E5CB-4e99-A536-B2AFF515AAE0}.exe

Filesize
408KB

MD5
c22eaf3a7ccefb04202ac35eaa08243d

SHA1
1e4db6933735543c6b27288bdab856a9a2c25d3e

SHA256
e99b2ae4ea05337f537e73a6acda64372a81cd2cd07f2d8bd04c5fa05447dc57

SHA512
3cf2e1ff1f0d7fca03b790bb0005a1d41aaf8666ce0bda7b76bc0f31cbba4c23c6f411a1c41a3f22c0fb8a45f666c165c0d5256cc8f8f9cd991ea107d4f675f8

Download Submit
C:\Windows\{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe

Filesize
57KB

MD5
bee4b614481378a5ede78fe470718941

SHA1
90ab196aa9a03796de0eae903feb1d9309f13ffd

SHA256
46548ab6a2ca9dfaab42e46a3f0b480dfd3043626cdb51e24dc684296c180c89

SHA512
173f8fc242adf57c786c6720307b51be63c07bd9f90e8759eb3d436eb26be96db7f1f14d7e984bfded3c21fa3b5099feb6c85b4a35de0582bcc5ac7a0df13444

Download Submit
C:\Windows\{85CCC2AE-3B71-4bb7-9ACE-51A51498842D}.exe

Filesize
69KB

MD5
0dec5b935eea2e9c216b6ed11ba8ed6d

SHA1
147ad89414ef1416f4dcc62715577143c21d8e59

SHA256
a0bd71165bba1236eebd399fd754c1bbece3f33f4ef02c53deb46857eabd2ea7

SHA512
f803237027165d4fbb3ba5aca0eaccbd4fc823322045727181969d1d38c2fbae50484d907cb1c61235dcf341712f38d3f2af7294604da9359bab277f5b0f4ac8

Download Submit
C:\Windows\{AC7E9136-08A1-4941-872B-C965543C98E9}.exe

Filesize
408KB

MD5
9a00da48cdab3cc640cf67dde8eb8305

SHA1
0fded8da8693aa59edfae872355b435ad1e75a8b

SHA256
eb1fb6e169ebac5ab64cf6a0c4aab4094a8700c2e7004d8791bfd71bda38cb97

SHA512
1d3f34f350ca2091bf8695f1aa271c3c692bb78cb4d7747ce08492ff0d820ec934ad07c4f29db9490ed9bf1a228d7217b7be79896417b233e5570b5842b1e23c

Download Submit
C:\Windows\{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe

Filesize
49KB

MD5
8a24fb33850500f9a679043079a2561a

SHA1
82001c383ed2052eded8a9d36d6dc330d6b1563e

SHA256
2aed760afac17ee1191cb97b0e45d676f7f951429b856402e6c725c7720cb96c

SHA512
e1e8ee8d82c4cc3a7679a699567ae682ab43f3b90260f8b63fcb180de1d9d6fe0484e7515c986cf3328a1e9259873d665605539508e8083ab52f390cfce54c73

Download Submit
C:\Windows\{B258931F-ADB1-473d-8361-8CB3CDCFB5A7}.exe

Filesize
52KB

MD5
00b8b06891a00b2067ec2ee19812d16a

SHA1
a55acd5433da0330fab77cfe25285e88cd32a382

SHA256
766a04ea659045a249f389abba7c810440bb22c730f9c7c28f8a777b6985133e

SHA512
4f0ed198278f1fea24011248682124d94bb5ece537c100aae67a5cabbcc0841fe0ab00194fdac6d7da0fc9fcfb6f6aee25a2b0113bfefd65a5f32c622cc5c383

Download Submit
C:\Windows\{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe

Filesize
405KB

MD5
c3cd08be7fa8f37530598ff398ac002c

SHA1
5d4a2afe0218041acf9d92a05a0f890dd3e40fcb

SHA256
af7a87076ae878e4ac35e3dd1080adf21a51564ba499b0db6dc08049e022a2ba

SHA512
a92c76f0f929f5b20f64d512c8c842a2d61c1b62d013bfe7b8439494e3614d321b37bf3d49821788fd98f018fc50cad73894f4047e9ba7d3edffcecd0e7e70cd

Download Submit
C:\Windows\{DD8CA5B8-08A9-4494-84BA-B46B9417D901}.exe

Filesize
408KB

MD5
0015da9b91d2916dcf052a8888437819

SHA1
6e98d9e02aa9d349a32553d1abf62fa6defadc2b

SHA256
8dd64fb272ecbfb6e37bc1a35d424660131375909b0e9c3d3da114005324698f

SHA512
9f439c2a1f7154ccf3a1c38b0f1c95cf09806ed25b34369dfd7285937c401b4e7086e5a849d265b62418160b0b37221a96832e9ef070d83cac7364d7b8de9826

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads