69eef9d6d7cc8fd03910763b4b8ff60d0c75cb4cb8b9a14d9ee8fd2f0abcdffb

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe
Size

408KB
MD5

eae1bb9eb676d1d0056da791d0bdd39d
SHA1

118639db3f6a16fdb9b82564d887e1c25f5c8d0c
SHA256

69eef9d6d7cc8fd03910763b4b8ff60d0c75cb4cb8b9a14d9ee8fd2f0abcdffb
SHA512

05e32d9b5c66ee7ee7c217a36c4f94dab237343f5455379b016b717f57efabea1e8d537f4509760ffdff5eb15ae62f481c1a142a9566fb4076fa321d74db82a1
SSDEEP

3072:CEGh0o3l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGBldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{681D513A-85EF-47d4-B9D4-80071207DCF7}\stubpath = "C:\\Windows\\{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe"	{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}	{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}\stubpath = "C:\\Windows\\{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe"	{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}\stubpath = "C:\\Windows\\{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe"	{CE514150-33C3-476f-85D9-B718409405AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A11042CE-2A5C-4af7-807A-D5AB4B683141}	{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A11042CE-2A5C-4af7-807A-D5AB4B683141}\stubpath = "C:\\Windows\\{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe"	{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FC09D5D-860B-48d7-826D-13776B50C0FE}\stubpath = "C:\\Windows\\{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe"	{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}	{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0915834B-E9AB-424f-8170-4B27EBF501F9}\stubpath = "C:\\Windows\\{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe"	2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C38298E8-418E-4e77-91DC-671FFEF5806B}	{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39DFB511-7CB4-4756-8285-89FD8F8387A5}	{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F6C357E-A497-4440-A44E-4CA186B6B43D}\stubpath = "C:\\Windows\\{7F6C357E-A497-4440-A44E-4CA186B6B43D}.exe"	{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}\stubpath = "C:\\Windows\\{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe"	{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE514150-33C3-476f-85D9-B718409405AB}\stubpath = "C:\\Windows\\{CE514150-33C3-476f-85D9-B718409405AB}.exe"	{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{681D513A-85EF-47d4-B9D4-80071207DCF7}	{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FC09D5D-860B-48d7-826D-13776B50C0FE}	{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE514150-33C3-476f-85D9-B718409405AB}	{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}	{CE514150-33C3-476f-85D9-B718409405AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F6C357E-A497-4440-A44E-4CA186B6B43D}	{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0915834B-E9AB-424f-8170-4B27EBF501F9}	2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C38298E8-418E-4e77-91DC-671FFEF5806B}\stubpath = "C:\\Windows\\{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe"	{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39DFB511-7CB4-4756-8285-89FD8F8387A5}\stubpath = "C:\\Windows\\{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe"	{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe

Executes dropped EXE 11 IoCs

pid	Process
2788	{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe
1932	{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe
3712	{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe
4380	{CE514150-33C3-476f-85D9-B718409405AB}.exe
3980	{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe
1860	{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe
388	{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe
5332	{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe
5240	{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe
5512	{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe
3708	{7F6C357E-A497-4440-A44E-4CA186B6B43D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe	{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe
File created	C:\Windows\{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe	{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe
File created	C:\Windows\{7F6C357E-A497-4440-A44E-4CA186B6B43D}.exe	{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe
File created	C:\Windows\{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe	{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe
File created	C:\Windows\{CE514150-33C3-476f-85D9-B718409405AB}.exe	{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe
File created	C:\Windows\{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe	{CE514150-33C3-476f-85D9-B718409405AB}.exe
File created	C:\Windows\{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe	{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe
File created	C:\Windows\{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe	{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe
File created	C:\Windows\{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe	{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe
File created	C:\Windows\{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe	2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe
File created	C:\Windows\{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe	{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4168	2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2788	{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe
Token: SeIncBasePriorityPrivilege	1932	{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe
Token: SeIncBasePriorityPrivilege	3712	{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe
Token: SeIncBasePriorityPrivilege	4380	{CE514150-33C3-476f-85D9-B718409405AB}.exe
Token: SeIncBasePriorityPrivilege	3980	{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe
Token: SeIncBasePriorityPrivilege	1860	{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe
Token: SeIncBasePriorityPrivilege	388	{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe
Token: SeIncBasePriorityPrivilege	5332	{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe
Token: SeIncBasePriorityPrivilege	5240	{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe
Token: SeIncBasePriorityPrivilege	5512	{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 2788	4168	2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe	100
PID 4168 wrote to memory of 2788	4168	2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe	100
PID 4168 wrote to memory of 2788	4168	2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe	100
PID 4168 wrote to memory of 6028	4168	2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe	99
PID 4168 wrote to memory of 6028	4168	2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe	99
PID 4168 wrote to memory of 6028	4168	2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe	99
PID 2788 wrote to memory of 1932	2788	{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe	102
PID 2788 wrote to memory of 1932	2788	{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe	102
PID 2788 wrote to memory of 1932	2788	{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe	102
PID 2788 wrote to memory of 5316	2788	{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe	101
PID 2788 wrote to memory of 5316	2788	{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe	101
PID 2788 wrote to memory of 5316	2788	{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe	101
PID 1932 wrote to memory of 3712	1932	{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe	106
PID 1932 wrote to memory of 3712	1932	{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe	106
PID 1932 wrote to memory of 3712	1932	{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe	106
PID 1932 wrote to memory of 548	1932	{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe	105
PID 1932 wrote to memory of 548	1932	{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe	105
PID 1932 wrote to memory of 548	1932	{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe	105
PID 3712 wrote to memory of 4380	3712	{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe	108
PID 3712 wrote to memory of 4380	3712	{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe	108
PID 3712 wrote to memory of 4380	3712	{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe	108
PID 3712 wrote to memory of 5612	3712	{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe	107
PID 3712 wrote to memory of 5612	3712	{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe	107
PID 3712 wrote to memory of 5612	3712	{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe	107
PID 4380 wrote to memory of 3980	4380	{CE514150-33C3-476f-85D9-B718409405AB}.exe	110
PID 4380 wrote to memory of 3980	4380	{CE514150-33C3-476f-85D9-B718409405AB}.exe	110
PID 4380 wrote to memory of 3980	4380	{CE514150-33C3-476f-85D9-B718409405AB}.exe	110
PID 4380 wrote to memory of 4564	4380	{CE514150-33C3-476f-85D9-B718409405AB}.exe	109
PID 4380 wrote to memory of 4564	4380	{CE514150-33C3-476f-85D9-B718409405AB}.exe	109
PID 4380 wrote to memory of 4564	4380	{CE514150-33C3-476f-85D9-B718409405AB}.exe	109
PID 3980 wrote to memory of 1860	3980	{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe	112
PID 3980 wrote to memory of 1860	3980	{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe	112
PID 3980 wrote to memory of 1860	3980	{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe	112
PID 3980 wrote to memory of 2876	3980	{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe	113
PID 3980 wrote to memory of 2876	3980	{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe	113
PID 3980 wrote to memory of 2876	3980	{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe	113
PID 1860 wrote to memory of 388	1860	{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe	115
PID 1860 wrote to memory of 388	1860	{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe	115
PID 1860 wrote to memory of 388	1860	{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe	115
PID 1860 wrote to memory of 64	1860	{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe	114
PID 1860 wrote to memory of 64	1860	{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe	114
PID 1860 wrote to memory of 64	1860	{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe	114
PID 388 wrote to memory of 5332	388	{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe	116
PID 388 wrote to memory of 5332	388	{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe	116
PID 388 wrote to memory of 5332	388	{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe	116
PID 388 wrote to memory of 3392	388	{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe	117
PID 388 wrote to memory of 3392	388	{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe	117
PID 388 wrote to memory of 3392	388	{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe	117
PID 5332 wrote to memory of 5240	5332	{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe	123
PID 5332 wrote to memory of 5240	5332	{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe	123
PID 5332 wrote to memory of 5240	5332	{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe	123
PID 5332 wrote to memory of 4752	5332	{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe	122
PID 5332 wrote to memory of 4752	5332	{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe	122
PID 5332 wrote to memory of 4752	5332	{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe	122
PID 5240 wrote to memory of 5512	5240	{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe	124
PID 5240 wrote to memory of 5512	5240	{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe	124
PID 5240 wrote to memory of 5512	5240	{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe	124
PID 5240 wrote to memory of 5172	5240	{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe	125
PID 5240 wrote to memory of 5172	5240	{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe	125
PID 5240 wrote to memory of 5172	5240	{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe	125
PID 5512 wrote to memory of 3708	5512	{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe	126
PID 5512 wrote to memory of 3708	5512	{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe	126
PID 5512 wrote to memory of 3708	5512	{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe	126
PID 5512 wrote to memory of 4724	5512	{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-06_eae1bb9eb676d1d0056da791d0bdd39d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:6028
- C:\Windows\{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe
  C:\Windows\{0915834B-E9AB-424f-8170-4B27EBF501F9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{09158~1.EXE > nul
    3⤵
    PID:5316
- - C:\Windows\{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe
    C:\Windows\{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C3829~1.EXE > nul
      4⤵
      PID:548
  - - C:\Windows\{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe
      C:\Windows\{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39DFB~1.EXE > nul
        5⤵
        
        PID:5612
    - - C:\Windows\{CE514150-33C3-476f-85D9-B718409405AB}.exe
        
        C:\Windows\{CE514150-33C3-476f-85D9-B718409405AB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE514~1.EXE > nul
        6⤵
        
        PID:4564
      - C:\Windows\{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe
        
        C:\Windows\{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe
        
        C:\Windows\{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{681D5~1.EXE > nul
        8⤵
        
        PID:64
        
        C:\Windows\{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe
        
        C:\Windows\{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe
        
        C:\Windows\{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FC09~1.EXE > nul
        10⤵
        
        PID:4752
        
        C:\Windows\{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe
        
        C:\Windows\{DD8AEF9D-C710-4d6c-97D5-2D443F1692F3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5240
        
        C:\Windows\{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe
        
        C:\Windows\{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5512
        
        C:\Windows\{7F6C357E-A497-4440-A44E-4CA186B6B43D}.exe
        
        C:\Windows\{7F6C357E-A497-4440-A44E-4CA186B6B43D}.exe
        12⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13E9C~1.EXE > nul
        12⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD8AE~1.EXE > nul
        11⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1104~1.EXE > nul
        9⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F390A~1.EXE > nul
        7⤵
        
        PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13E9C32B-60DC-45e9-BD44-6DE89BE31C8F}.exe

Filesize
408KB

MD5
d675c5a827c357b0b07638d45ae2ff47

SHA1
c67ffea9392c2bb179dd305fe16d1dcd4b907746

SHA256
c730f3a3a970688ce00b93a0f37a9cc7566b9b62b529415871b1d8d285f89b49

SHA512
44e3bbc0f320f680002f3cb9e84746a28a09e28a46257a9f18508f65fe7d8322c6d884777bc6fbfad08f51478a8a947d8c8cab8f644ce7dd72f2c8977a38b96b

Download Submit
C:\Windows\{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe

Filesize
257KB

MD5
f33d38366ff1f4be96dada61ef9c077a

SHA1
aded560a90383028a696de06e60a6b1361b16b36

SHA256
cced91e06e306d1c42e8514786e4edfbcdf6f73f717d75c0fa3446b1a8a09f74

SHA512
ee7e13c08109a8c97748ec608c8010716ee3b0dd1b18bfacc37bbca34d79b8ee1dcd8b2b397e4bc6ae9dd38187ff2d7e1ddeff9c7dee16ffd25c195f83bb771b

Download Submit
C:\Windows\{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe

Filesize
165KB

MD5
097bd651efc5b1fd2ec23c5b5126a6d9

SHA1
1937437140dfc0e781c3a16836772f1103413471

SHA256
cc2cdf3bf41a4cb0af2868bfa4905219fe1375e867390c42a5a823536407bfb3

SHA512
515045534455152c1337a8be3f68747d772e7e37b6268fb60d1a8e27ff87eeb2197e9298dc88529f18e262a4ecdda092d5573f169072d0f7425c2c21ec92e0c1

Download Submit
C:\Windows\{39DFB511-7CB4-4756-8285-89FD8F8387A5}.exe

Filesize
65KB

MD5
e0ed8ffb8ce784af34b7056ec428e57f

SHA1
a90da9a30c16bb05c47e8024aa2c791a4fc8626c

SHA256
204714257fe60cb8b9bcce76151e8397ee0aebb38ad4f2d0fb09812c552812a5

SHA512
29ec59833bb78c1aa433e7839db8091558b658a7f29556ccd56e5a72fa9c2d853800fd9ea06281fc2c5c4d8375dc57ec39b6b47413194822192fcc9b5f8a1029

Download Submit
C:\Windows\{5FC09D5D-860B-48d7-826D-13776B50C0FE}.exe

Filesize
408KB

MD5
93978cf689ebab70279892c236d36660

SHA1
28c547c2128d1bc33cabec9e6fbdf4dc9da8664a

SHA256
bda9815e37bd0b86468f6432b9a438ed365b610bcc6dbe5c50096da32ec9b40e

SHA512
5f4df103c0e5737564259a97a7356dc1519a57d76e3e54031a9fdae577aca9c436029c36469caf809d0f066250799e24c93fdb9e745d7e20739e3e451b84a58e

Download Submit
C:\Windows\{681D513A-85EF-47d4-B9D4-80071207DCF7}.exe

Filesize
408KB

MD5
68a26bedcf824d3166203f26a99bf723

SHA1
4c2508f482dee05a43465803b30c83895dcfc36a

SHA256
94ff8586b931a0aedebd7df3caa3b1dc7684b8d2395a8df6828e84f3acf44f81

SHA512
8903e636cc2c23eebf527b6312415dc0c97b424b83b2a2258aed9c003d98e0b1ba224f3b8bf5a53e4421e5349f25ce87ae53ccdcec31df9bfc4787e491bf6765

Download Submit
C:\Windows\{7F6C357E-A497-4440-A44E-4CA186B6B43D}.exe

Filesize
408KB

MD5
2376526abd1f4a450d78850f5dffe71a

SHA1
b8184aafaca0582a1cd206604f94cba4f7d25178

SHA256
84e585bd282b3bc2bddf386f59adf3b560123b1c6d439f212edd5d16840551f4

SHA512
84f370a919ecfd030b24d7b682abe046cd7631103c07a6abdd6f1de0ed5a2fbd28d7b80acb698a2b5aa0179776e491bf4ec5d1279a86519ab2f257ba6daca2fb

Download Submit
C:\Windows\{A11042CE-2A5C-4af7-807A-D5AB4B683141}.exe

Filesize
408KB

MD5
a6b2742fbfc37c4b0ceb271d966a07d7

SHA1
0c25497fd442f24fd1f3a703b93962ba14f83560

SHA256
0c5d1d0563b6ffe72b11f66a03a9e2edb72c311a67111e382b6b01a110795808

SHA512
6e7c04de963f215f0d6b8062c64e5ad350f75c9c04a6897b48bb5092b1e6df49429f988bd58048a5f878ed4fd9310ace8b1e331903b90ddcdd0de05ad0eab34e

Download Submit
C:\Windows\{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe

Filesize
408KB

MD5
2de02451128ea9230e6887fce82e7cc4

SHA1
b8ad53273d6e9d4250e7ffbf46b6fa1d6e647607

SHA256
3ed5f756c2e8d7f951eca7e51734d196e145816a2cc4b92f00f5e51ba02ec6fa

SHA512
3dd6bfb445f0f3c0566b867944c7bfaafeed45aca36a266e1e69ee8897cb3e7d2ef2b7392e9f881ccc24e0350cf36151bbc9de275a234982c722e1c03054b47f

Download Submit
C:\Windows\{C38298E8-418E-4e77-91DC-671FFEF5806B}.exe

Filesize
257KB

MD5
680bd42112dda0be2dd354821a33c3ae

SHA1
84c529d3e9fa08556425b416536809d59954e1cf

SHA256
cf9eb7ef165302656db8111984f0c59b38c87a506d48d33747af8b1bcf9533b9

SHA512
03952ce71831e94303e626409f890632177c5c8bf49d645ed5d3b38c977fac201f80179a7b7cf7daaa6eaf17e77c3f80ce7c2d982db991ca0fa84926a9cc4786

Download Submit
C:\Windows\{CE514150-33C3-476f-85D9-B718409405AB}.exe

Filesize
408KB

MD5
a98b348ae33905dd57859f5869bbb883

SHA1
5a659373cee041a6b0ed70156faec1c0398f509b

SHA256
e807717714d9b5187e0a8a48138d6757d9425a79b7170e535606053ab3339611

SHA512
433162c509c68df2d05c20a9e84b898510c21852bd7b9188d3b2826e64aa494ff427806cc1c27db867529fc960a7b9134e9a75948b513653836fda9bcc3d4e3d

Download Submit
C:\Windows\{F390A785-C2D7-422c-B5A5-E5CC97BDA1F5}.exe

Filesize
408KB

MD5
4b92638008cab3825f4088b1f6abeb57

SHA1
bc80815fdf8872f7e2fa35ad5b00843936d5ccfc

SHA256
f7b321fbe12a2ba7769e2a4023728a3272bb0b0ee149725aab1e83aa45885bce

SHA512
76194897e1e141d03176ad7049d6983ecfe8501fbc0a5f9d8c0498898bb6b86e6fd02c452187d78f020b0987bcf3e7e47c494a32475344eafa0559e10a209ce3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads