50360290803234c43c2cd6c009befa31c17d11a6ad7dfb4b26eae8880fbdb8ed

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 05:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe
Size

380KB
MD5

d79161d8be763949d02a1200640b507a
SHA1

13d49858e50a26a76ee9783fa484a720656d553a
SHA256

50360290803234c43c2cd6c009befa31c17d11a6ad7dfb4b26eae8880fbdb8ed
SHA512

b73155e49cc9a4b3f945d7a2efd9adf099252cfe5da4b220b26fe71208b2cf61b45fb2fa003c73291d452097d2840a7974ce3bda2c0c1e84aec3b3346b6c84bf
SSDEEP

3072:mEGh0oalPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}\stubpath = "C:\\Windows\\{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe"	{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F899DBA-7D16-4811-BB71-2D9248DEA30F}	{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DBECC92-1144-47f7-984E-C9F474831F06}	2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}	{5DBECC92-1144-47f7-984E-C9F474831F06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}\stubpath = "C:\\Windows\\{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe"	{5DBECC92-1144-47f7-984E-C9F474831F06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17CF5318-7D38-4d34-A211-B2328618A2C9}	{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17CF5318-7D38-4d34-A211-B2328618A2C9}\stubpath = "C:\\Windows\\{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe"	{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D802E5-1EDF-4f05-92EA-AF63807ECD4D}	{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD852F7-38C7-4fde-AC02-768F9BFE2EAE}	{24D802E5-1EDF-4f05-92EA-AF63807ECD4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD852F7-38C7-4fde-AC02-768F9BFE2EAE}\stubpath = "C:\\Windows\\{5CD852F7-38C7-4fde-AC02-768F9BFE2EAE}.exe"	{24D802E5-1EDF-4f05-92EA-AF63807ECD4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}	{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C85AD3D6-16CA-402b-9008-7CE59B17122A}	{D968FC5A-B491-436f-B204-7C0BAC795060}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C85AD3D6-16CA-402b-9008-7CE59B17122A}\stubpath = "C:\\Windows\\{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe"	{D968FC5A-B491-436f-B204-7C0BAC795060}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F33D142A-9991-4b3f-BBC0-1291103325CF}\stubpath = "C:\\Windows\\{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe"	{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D802E5-1EDF-4f05-92EA-AF63807ECD4D}\stubpath = "C:\\Windows\\{24D802E5-1EDF-4f05-92EA-AF63807ECD4D}.exe"	{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DBECC92-1144-47f7-984E-C9F474831F06}\stubpath = "C:\\Windows\\{5DBECC92-1144-47f7-984E-C9F474831F06}.exe"	2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D968FC5A-B491-436f-B204-7C0BAC795060}	{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F33D142A-9991-4b3f-BBC0-1291103325CF}	{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FDF4AAE-7019-42fd-9E74-206AC75DF236}\stubpath = "C:\\Windows\\{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe"	{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D968FC5A-B491-436f-B204-7C0BAC795060}\stubpath = "C:\\Windows\\{D968FC5A-B491-436f-B204-7C0BAC795060}.exe"	{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F899DBA-7D16-4811-BB71-2D9248DEA30F}\stubpath = "C:\\Windows\\{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe"	{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FDF4AAE-7019-42fd-9E74-206AC75DF236}	{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe

Executes dropped EXE 10 IoCs

pid	Process
4988	{5DBECC92-1144-47f7-984E-C9F474831F06}.exe
4404	{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe
4204	{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe
1484	{D968FC5A-B491-436f-B204-7C0BAC795060}.exe
4092	{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe
2888	{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe
4516	{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe
2464	{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe
700	{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe
4796	{24D802E5-1EDF-4f05-92EA-AF63807ECD4D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe	{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe
File created	C:\Windows\{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe	{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe
File created	C:\Windows\{5CD852F7-38C7-4fde-AC02-768F9BFE2EAE}.exe	{24D802E5-1EDF-4f05-92EA-AF63807ECD4D}.exe
File created	C:\Windows\{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe	{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe
File created	C:\Windows\{D968FC5A-B491-436f-B204-7C0BAC795060}.exe	{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe
File created	C:\Windows\{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe	{D968FC5A-B491-436f-B204-7C0BAC795060}.exe
File created	C:\Windows\{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe	{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe
File created	C:\Windows\{24D802E5-1EDF-4f05-92EA-AF63807ECD4D}.exe	{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe
File created	C:\Windows\{5DBECC92-1144-47f7-984E-C9F474831F06}.exe	2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe
File created	C:\Windows\{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe	{5DBECC92-1144-47f7-984E-C9F474831F06}.exe
File created	C:\Windows\{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe	{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2380	2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4988	{5DBECC92-1144-47f7-984E-C9F474831F06}.exe
Token: SeIncBasePriorityPrivilege	4404	{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe
Token: SeIncBasePriorityPrivilege	4204	{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe
Token: SeIncBasePriorityPrivilege	1484	{D968FC5A-B491-436f-B204-7C0BAC795060}.exe
Token: SeIncBasePriorityPrivilege	4092	{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe
Token: SeIncBasePriorityPrivilege	2888	{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe
Token: SeIncBasePriorityPrivilege	4516	{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe
Token: SeIncBasePriorityPrivilege	2464	{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe
Token: SeIncBasePriorityPrivilege	700	{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 4988	2380	2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe	97
PID 2380 wrote to memory of 4988	2380	2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe	97
PID 2380 wrote to memory of 4988	2380	2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe	97
PID 2380 wrote to memory of 2112	2380	2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe	98
PID 2380 wrote to memory of 2112	2380	2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe	98
PID 2380 wrote to memory of 2112	2380	2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe	98
PID 4988 wrote to memory of 4404	4988	{5DBECC92-1144-47f7-984E-C9F474831F06}.exe	102
PID 4988 wrote to memory of 4404	4988	{5DBECC92-1144-47f7-984E-C9F474831F06}.exe	102
PID 4988 wrote to memory of 4404	4988	{5DBECC92-1144-47f7-984E-C9F474831F06}.exe	102
PID 4988 wrote to memory of 396	4988	{5DBECC92-1144-47f7-984E-C9F474831F06}.exe	103
PID 4988 wrote to memory of 396	4988	{5DBECC92-1144-47f7-984E-C9F474831F06}.exe	103
PID 4988 wrote to memory of 396	4988	{5DBECC92-1144-47f7-984E-C9F474831F06}.exe	103
PID 4404 wrote to memory of 4204	4404	{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe	105
PID 4404 wrote to memory of 4204	4404	{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe	105
PID 4404 wrote to memory of 4204	4404	{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe	105
PID 4404 wrote to memory of 2348	4404	{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe	106
PID 4404 wrote to memory of 2348	4404	{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe	106
PID 4404 wrote to memory of 2348	4404	{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe	106
PID 4204 wrote to memory of 1484	4204	{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe	109
PID 4204 wrote to memory of 1484	4204	{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe	109
PID 4204 wrote to memory of 1484	4204	{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe	109
PID 4204 wrote to memory of 3412	4204	{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe	110
PID 4204 wrote to memory of 3412	4204	{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe	110
PID 4204 wrote to memory of 3412	4204	{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe	110
PID 1484 wrote to memory of 4092	1484	{D968FC5A-B491-436f-B204-7C0BAC795060}.exe	112
PID 1484 wrote to memory of 4092	1484	{D968FC5A-B491-436f-B204-7C0BAC795060}.exe	112
PID 1484 wrote to memory of 4092	1484	{D968FC5A-B491-436f-B204-7C0BAC795060}.exe	112
PID 1484 wrote to memory of 2844	1484	{D968FC5A-B491-436f-B204-7C0BAC795060}.exe	111
PID 1484 wrote to memory of 2844	1484	{D968FC5A-B491-436f-B204-7C0BAC795060}.exe	111
PID 1484 wrote to memory of 2844	1484	{D968FC5A-B491-436f-B204-7C0BAC795060}.exe	111
PID 4092 wrote to memory of 2888	4092	{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe	113
PID 4092 wrote to memory of 2888	4092	{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe	113
PID 4092 wrote to memory of 2888	4092	{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe	113
PID 4092 wrote to memory of 1256	4092	{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe	114
PID 4092 wrote to memory of 1256	4092	{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe	114
PID 4092 wrote to memory of 1256	4092	{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe	114
PID 2888 wrote to memory of 4516	2888	{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe	121
PID 2888 wrote to memory of 4516	2888	{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe	121
PID 2888 wrote to memory of 4516	2888	{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe	121
PID 2888 wrote to memory of 3552	2888	{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe	122
PID 2888 wrote to memory of 3552	2888	{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe	122
PID 2888 wrote to memory of 3552	2888	{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe	122
PID 4516 wrote to memory of 2464	4516	{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe	123
PID 4516 wrote to memory of 2464	4516	{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe	123
PID 4516 wrote to memory of 2464	4516	{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe	123
PID 4516 wrote to memory of 972	4516	{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe	124
PID 4516 wrote to memory of 972	4516	{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe	124
PID 4516 wrote to memory of 972	4516	{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe	124
PID 2464 wrote to memory of 700	2464	{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe	126
PID 2464 wrote to memory of 700	2464	{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe	126
PID 2464 wrote to memory of 700	2464	{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe	126
PID 2464 wrote to memory of 3708	2464	{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe	127
PID 2464 wrote to memory of 3708	2464	{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe	127
PID 2464 wrote to memory of 3708	2464	{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe	127
PID 700 wrote to memory of 4796	700	{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe	130
PID 700 wrote to memory of 4796	700	{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe	130
PID 700 wrote to memory of 4796	700	{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe	130
PID 700 wrote to memory of 2888	700	{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe	131
PID 700 wrote to memory of 2888	700	{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe	131
PID 700 wrote to memory of 2888	700	{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_d79161d8be763949d02a1200640b507a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\{5DBECC92-1144-47f7-984E-C9F474831F06}.exe
  C:\Windows\{5DBECC92-1144-47f7-984E-C9F474831F06}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe
    C:\Windows\{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe
      C:\Windows\{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\{D968FC5A-B491-436f-B204-7C0BAC795060}.exe
        
        C:\Windows\{D968FC5A-B491-436f-B204-7C0BAC795060}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D968F~1.EXE > nul
        6⤵
        
        PID:2844
      - C:\Windows\{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe
        
        C:\Windows\{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe
        
        C:\Windows\{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe
        
        C:\Windows\{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe
        
        C:\Windows\{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe
        
        C:\Windows\{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\{24D802E5-1EDF-4f05-92EA-AF63807ECD4D}.exe
        
        C:\Windows\{24D802E5-1EDF-4f05-92EA-AF63807ECD4D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17CF5~1.EXE > nul
        11⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FDF4~1.EXE > nul
        10⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F33D1~1.EXE > nul
        9⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F899~1.EXE > nul
        8⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C85AD~1.EXE > nul
        7⤵
        
        PID:1256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B0F0~1.EXE > nul
        5⤵
        
        PID:3412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B7A3C~1.EXE > nul
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5DBEC~1.EXE > nul
    3⤵
    PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17CF5318-7D38-4d34-A211-B2328618A2C9}.exe

Filesize
380KB

MD5
63bbaa579e60b3a1689037b39f49e458

SHA1
675db42f231ba7db0bd8a7de95dbdc4c36ce1f99

SHA256
f16e468c3b5156090429eee60b12cf0eb6965b801aa9ebbc23bded0f10bde7b1

SHA512
167787eb6fcc5f154cb67605d9dc16e39dfc10de955f0856c9cc4328e5f5dbdaf7025e8ed7e866a8f19ae663b569ef07d0412fbfafa7067c61c3c4e058d3b71c

Download Submit
C:\Windows\{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe

Filesize
139KB

MD5
551fc254e8eab4879273259bb6a3dc97

SHA1
10184590b0cb0bcf8f712a2531018441a3330df1

SHA256
4433aeb3aba087ed82b93833f34920e273156ed6637a27eb39a15e1b6b795b24

SHA512
d74fffa261f4491fb8b2894e2288ac6bef25c88a525a1395811cad958a7ff9de3ce411bd1223b48d6acf180e7d7d3a32677f95f46ffacb21ce7c5c1f752cfec3

Download Submit
C:\Windows\{1B0F0EBB-292B-46e3-B2A0-5DC9D63EE158}.exe

Filesize
380KB

MD5
da5726b783ca008ed5f0609c7a695130

SHA1
c90c103ae6e0718ac956d8285cd335fc1a74d9f3

SHA256
0412e60cb3ae52da2160032d24e4a9e08d01236bf83ee2e3f9d53f44319ce504

SHA512
bcc4c189405001ec5aefcd66cc9b4d0b46b6d0b954dbe24281eea53b3dbe73697d11cdd0f4a118308e396e575aa757b62aeda1b048377815810a6d3d02323126

Download Submit
C:\Windows\{24D802E5-1EDF-4f05-92EA-AF63807ECD4D}.exe

Filesize
380KB

MD5
3ad92e3f391bdb4c26c34181b7fefd20

SHA1
746b5623937a9e12f544e199dc9c4de3f584d75f

SHA256
8d49905eb40ba5ff114c4f3e652ec2565dd040d9f7b8817009979a39c8e1544c

SHA512
4c3dfd0e0c77364346023aad2bd3ac8656153af0c65b3e27333182b915f887ecfed547d201b81d8a6fd9a095f2a42a87f30e0f5b634b41e3fcdf3ea10a64a624

Download Submit
C:\Windows\{3FDF4AAE-7019-42fd-9E74-206AC75DF236}.exe

Filesize
380KB

MD5
f2dde6388a17f328734526776aeb529e

SHA1
46c90c9ebd0965f733954ecb3ea3ea1e209bf67a

SHA256
8bcc08638f7f2b73e5d0455ba07fe12c062ee1e4112206ae06993573e4894ce0

SHA512
9ad64e105bd490a6f25a58903ecc85a93569d30767ac3a95560fd7b056b9063091f1bdbac06c33e7e76865630078b22fbb52cbda89d85b98c59466235015cd38

Download Submit
C:\Windows\{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe

Filesize
220KB

MD5
2fb39126ff89f7146e6dcd69b9d5b36e

SHA1
8523c30469bff5a958f9111816bede43bf3461a8

SHA256
80dcae776a6f5380048a3e09cf57d0254c1e3b30d2f59741668142facd3915f4

SHA512
574423309f5f4386a50cb8332e06bb73fa6445138ed2a9a2e97ba1ffd5cd237426921d4f9573a4082ce2bf9717b2f46869468323ed24829ca976473ae35e30fe

Download Submit
C:\Windows\{4F899DBA-7D16-4811-BB71-2D9248DEA30F}.exe

Filesize
247KB

MD5
e28a3c085f99ee5ec96ae530145083e6

SHA1
96bb0a4a6bd878a44485d5771dcc9983ecfdfa39

SHA256
5a2973981a95f55f3ec0a01c08167c4200c724206575d76aedecd670ff839fec

SHA512
470d5388ecf9122e10c2ab33dc643722c58aae3974bf79c99784e7453dd702809f6ab5d61572382f77bb41b7e09184893d3015e36fcc0dff28eb521b68c95a5f

Download Submit
C:\Windows\{5DBECC92-1144-47f7-984E-C9F474831F06}.exe

Filesize
380KB

MD5
1946e2cef2a5e4cba8ee2718607531b3

SHA1
ef6f297ddaee57a1a9ae418e8e224d0610d5ad90

SHA256
79e6aa3cd0f7f6fc1f19d571ea953461da7b2f36dec4798220f2072d74b8ae7a

SHA512
9f2ff9f696c8b42797a78c6b7ea80c435d54c7de6e6d041afadf0eca288d046b5fd204abaeefdd8f41da39f130705abfa688b02b6669ffa784bbf36fc6aa7d8d

Download Submit
C:\Windows\{5DBECC92-1144-47f7-984E-C9F474831F06}.exe

Filesize
109KB

MD5
993e2a38562b232caee0d1bf00ff03e5

SHA1
c8c84e8ee67350d2c3ed3126b8d5634edbc00fc5

SHA256
28b9510b231ee1ba49531e62c42ae977dc0a4ba73c76a581d007426ad95be90b

SHA512
762c0f069e7c9ed96297daa58bd2889e0511aecf8dffa6a874095bf77d31acfac9ed0682d542b2057c9807746799350b2c9f19d6ec4cce039a20e2fa3ff6f3f4

Download Submit
C:\Windows\{B7A3CAA9-06AD-417d-AC0B-3D1E6F92EC8A}.exe

Filesize
380KB

MD5
ce94b158db22759057f0914aa2a667a1

SHA1
39d8ad0c2929361610f12e384b49345b47215621

SHA256
9479dbffecd8fab86dd0ebd891bc38f929a58b08668e51cc53aaf7198fd1e5f5

SHA512
6f5929fa8eb23cdad1094d99f7fa534ca2e99cbece727700e86e5b4d726f75a455e42cc4d41115a8744fb1109b38e256520e16b1deae05cea5bc01385271888f

Download Submit
C:\Windows\{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe

Filesize
181KB

MD5
d8b92c24125b710a2daca1ead337bd38

SHA1
6261d821507c6b8da3e7dded10bb72b318f3ae0d

SHA256
64be1ab1e59e3ed6affa9ac276c222f2c9d83e040cbe2db589199b66a1d107f7

SHA512
8c4c107abeb2d92313ab8c71762470b0b7e6e3970b5e5c7b560b86e548f5b88181893c2656c5de9059078c8dc1fde384b9f92ff789e0a9f7006ed90c9e00571f

Download Submit
C:\Windows\{C85AD3D6-16CA-402b-9008-7CE59B17122A}.exe

Filesize
79KB

MD5
39f39aadca1a7f14b58bbea8e63645a3

SHA1
cb71e71b3ceaf7222dd52491b496ecca21ffc243

SHA256
157ba7cb66f1cfa712f361e313ebd0b66700a3991cf10bcf3659a413ff3fdbf0

SHA512
426d5e2b93e87df7ec82b350eb88bf474eca2fe4495e0689dae40b5114e111baa1d0f84876bdac0ace11f7d1675032cb12f2f909ba57eb5e49f39deea0eb102f

Download Submit
C:\Windows\{D968FC5A-B491-436f-B204-7C0BAC795060}.exe

Filesize
26KB

MD5
9112ffa547f78155008d36d89a340447

SHA1
8c6b21baf64b9f8438d5f3689262343a94baf40c

SHA256
51a7bad296ee5517b9aaf1766cc26d7a9c9afba6be3db876ae4d3122c9a70710

SHA512
28027d63443826242d098bae31e6ad0732ae2c6743b29c0523c6f51a0d4bc314cfdb245d7a716e33907c6b3add91f36a460e72a0cd1440b4cc63da7e1c2be5d6

Download Submit
C:\Windows\{D968FC5A-B491-436f-B204-7C0BAC795060}.exe

Filesize
41KB

MD5
c542cda882e6467dfa32c8f17bdeda10

SHA1
a1dbb5883a1af23913bb3f2db44be9be652163c0

SHA256
b4b51d23b5a33212e8975b9783f0298deb1e2a550470bd88988de4a44cccd111

SHA512
33d5f2158af626725c774cd34a7f1a97ef0961962e1f5d21b40fbcf654edecd67fb1f86044252ca84a3a0533f7671b41e64b2b9b7eda3e4efc899f9008d0482e

Download Submit
C:\Windows\{F33D142A-9991-4b3f-BBC0-1291103325CF}.exe

Filesize
380KB

MD5
984529b2caa2d179d8ff4887a8841205

SHA1
45f6e8e690a45d3fc24bbad66cef6a4559409f18

SHA256
c2bcb743125fdc97b4d0068ffdc3d411e4dc27b61a2f7a65cb6329d90b3002f6

SHA512
7ca489e15c1e72f5e6cadd06a9bc4c3e1d608b25b5f4daf62e7c952ba3b75689850b65cddfb3d0c9355a6cf76de4d22637f5815e59b903dbfc4d7bf430252b91

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads