ee815f26d1fa69f8a179c778c17917b0385bbd3c51de0ada58b761d7c858ea7d

Analysis

max time kernel
125s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe
Size

168KB
MD5

9cd49b1b7bec8cb0701913d84553af82
SHA1

355a4b637da3de97678841f6ee702af95dc00d5a
SHA256

ee815f26d1fa69f8a179c778c17917b0385bbd3c51de0ada58b761d7c858ea7d
SHA512

848a933aee3d96886e6391bf70b96de8624f9c40c13aaa362d54f60715efa58dca05fa075563276e378ca88100e0a9ca101445383dbe52628e20c0dca7f0c828
SSDEEP

1536:1EGh0oZlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oZlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E47B1654-C771-4e34-8B34-9AD175F43191}	{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}	{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF759EF7-4130-4a55-B6DE-4324E8B8B712}\stubpath = "C:\\Windows\\{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe"	{D918ACD3-8557-4100-B8EB-0D449D494240}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B6C8BB0-091C-4057-8B13-1A594A9D9565}\stubpath = "C:\\Windows\\{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe"	{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4595E3C2-834B-4ef2-8830-7C41FD225569}	{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}\stubpath = "C:\\Windows\\{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe"	{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D918ACD3-8557-4100-B8EB-0D449D494240}	{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A23DDEF4-AE31-4926-95D9-A092F357099E}	{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ABB9D83-50CA-4505-A70F-4EBA06327F13}\stubpath = "C:\\Windows\\{7ABB9D83-50CA-4505-A70F-4EBA06327F13}.exe"	{E47B1654-C771-4e34-8B34-9AD175F43191}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C2E62C0-1F0A-4348-8660-4B631356C8C4}	2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D974A49B-52FA-4249-8DB5-EBEEC997C308}	{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D974A49B-52FA-4249-8DB5-EBEEC997C308}\stubpath = "C:\\Windows\\{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe"	{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ABB9D83-50CA-4505-A70F-4EBA06327F13}	{E47B1654-C771-4e34-8B34-9AD175F43191}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4595E3C2-834B-4ef2-8830-7C41FD225569}\stubpath = "C:\\Windows\\{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe"	{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D918ACD3-8557-4100-B8EB-0D449D494240}\stubpath = "C:\\Windows\\{D918ACD3-8557-4100-B8EB-0D449D494240}.exe"	{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B6C8BB0-091C-4057-8B13-1A594A9D9565}	{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E47B1654-C771-4e34-8B34-9AD175F43191}\stubpath = "C:\\Windows\\{E47B1654-C771-4e34-8B34-9AD175F43191}.exe"	{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C2E62C0-1F0A-4348-8660-4B631356C8C4}\stubpath = "C:\\Windows\\{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe"	2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF759EF7-4130-4a55-B6DE-4324E8B8B712}	{D918ACD3-8557-4100-B8EB-0D449D494240}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A23DDEF4-AE31-4926-95D9-A092F357099E}\stubpath = "C:\\Windows\\{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe"	{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe

Executes dropped EXE 10 IoCs

pid	Process
2784	{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe
1248	{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe
1960	{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe
2232	{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe
3200	{D918ACD3-8557-4100-B8EB-0D449D494240}.exe
4960	{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe
4460	{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe
4440	{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe
4372	{E47B1654-C771-4e34-8B34-9AD175F43191}.exe
3860	{7ABB9D83-50CA-4505-A70F-4EBA06327F13}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe	{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe
File created	C:\Windows\{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe	{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe
File created	C:\Windows\{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe	{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe
File created	C:\Windows\{E47B1654-C771-4e34-8B34-9AD175F43191}.exe	{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe
File created	C:\Windows\{7ABB9D83-50CA-4505-A70F-4EBA06327F13}.exe	{E47B1654-C771-4e34-8B34-9AD175F43191}.exe
File created	C:\Windows\{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe	2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe
File created	C:\Windows\{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe	{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe
File created	C:\Windows\{D918ACD3-8557-4100-B8EB-0D449D494240}.exe	{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe
File created	C:\Windows\{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe	{D918ACD3-8557-4100-B8EB-0D449D494240}.exe
File created	C:\Windows\{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe	{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4080	2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2784	{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe
Token: SeIncBasePriorityPrivilege	1248	{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe
Token: SeIncBasePriorityPrivilege	1960	{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe
Token: SeIncBasePriorityPrivilege	2232	{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe
Token: SeIncBasePriorityPrivilege	3200	{D918ACD3-8557-4100-B8EB-0D449D494240}.exe
Token: SeIncBasePriorityPrivilege	4960	{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe
Token: SeIncBasePriorityPrivilege	4460	{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe
Token: SeIncBasePriorityPrivilege	4440	{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe
Token: SeIncBasePriorityPrivilege	4372	{E47B1654-C771-4e34-8B34-9AD175F43191}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 2784	4080	2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe	98
PID 4080 wrote to memory of 2784	4080	2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe	98
PID 4080 wrote to memory of 2784	4080	2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe	98
PID 4080 wrote to memory of 4460	4080	2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe	97
PID 4080 wrote to memory of 4460	4080	2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe	97
PID 4080 wrote to memory of 4460	4080	2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe	97
PID 2784 wrote to memory of 1248	2784	{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe	101
PID 2784 wrote to memory of 1248	2784	{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe	101
PID 2784 wrote to memory of 1248	2784	{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe	101
PID 2784 wrote to memory of 2128	2784	{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe	102
PID 2784 wrote to memory of 2128	2784	{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe	102
PID 2784 wrote to memory of 2128	2784	{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe	102
PID 1248 wrote to memory of 1960	1248	{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe	105
PID 1248 wrote to memory of 1960	1248	{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe	105
PID 1248 wrote to memory of 1960	1248	{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe	105
PID 1248 wrote to memory of 5028	1248	{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe	104
PID 1248 wrote to memory of 5028	1248	{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe	104
PID 1248 wrote to memory of 5028	1248	{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe	104
PID 1960 wrote to memory of 2232	1960	{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe	112
PID 1960 wrote to memory of 2232	1960	{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe	112
PID 1960 wrote to memory of 2232	1960	{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe	112
PID 1960 wrote to memory of 3760	1960	{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe	111
PID 1960 wrote to memory of 3760	1960	{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe	111
PID 1960 wrote to memory of 3760	1960	{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe	111
PID 2232 wrote to memory of 3200	2232	{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe	114
PID 2232 wrote to memory of 3200	2232	{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe	114
PID 2232 wrote to memory of 3200	2232	{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe	114
PID 2232 wrote to memory of 488	2232	{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe	113
PID 2232 wrote to memory of 488	2232	{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe	113
PID 2232 wrote to memory of 488	2232	{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe	113
PID 3200 wrote to memory of 4960	3200	{D918ACD3-8557-4100-B8EB-0D449D494240}.exe	120
PID 3200 wrote to memory of 4960	3200	{D918ACD3-8557-4100-B8EB-0D449D494240}.exe	120
PID 3200 wrote to memory of 4960	3200	{D918ACD3-8557-4100-B8EB-0D449D494240}.exe	120
PID 3200 wrote to memory of 2060	3200	{D918ACD3-8557-4100-B8EB-0D449D494240}.exe	119
PID 3200 wrote to memory of 2060	3200	{D918ACD3-8557-4100-B8EB-0D449D494240}.exe	119
PID 3200 wrote to memory of 2060	3200	{D918ACD3-8557-4100-B8EB-0D449D494240}.exe	119
PID 4960 wrote to memory of 4460	4960	{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe	122
PID 4960 wrote to memory of 4460	4960	{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe	122
PID 4960 wrote to memory of 4460	4960	{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe	122
PID 4960 wrote to memory of 1496	4960	{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe	123
PID 4960 wrote to memory of 1496	4960	{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe	123
PID 4960 wrote to memory of 1496	4960	{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe	123
PID 4460 wrote to memory of 4440	4460	{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe	125
PID 4460 wrote to memory of 4440	4460	{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe	125
PID 4460 wrote to memory of 4440	4460	{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe	125
PID 4460 wrote to memory of 736	4460	{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe	124
PID 4460 wrote to memory of 736	4460	{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe	124
PID 4460 wrote to memory of 736	4460	{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe	124
PID 4440 wrote to memory of 4372	4440	{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe	127
PID 4440 wrote to memory of 4372	4440	{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe	127
PID 4440 wrote to memory of 4372	4440	{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe	127
PID 4440 wrote to memory of 3560	4440	{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe	126
PID 4440 wrote to memory of 3560	4440	{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe	126
PID 4440 wrote to memory of 3560	4440	{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe	126
PID 4372 wrote to memory of 3860	4372	{E47B1654-C771-4e34-8B34-9AD175F43191}.exe	128
PID 4372 wrote to memory of 3860	4372	{E47B1654-C771-4e34-8B34-9AD175F43191}.exe	128
PID 4372 wrote to memory of 3860	4372	{E47B1654-C771-4e34-8B34-9AD175F43191}.exe	128
PID 4372 wrote to memory of 2888	4372	{E47B1654-C771-4e34-8B34-9AD175F43191}.exe	129
PID 4372 wrote to memory of 2888	4372	{E47B1654-C771-4e34-8B34-9AD175F43191}.exe	129
PID 4372 wrote to memory of 2888	4372	{E47B1654-C771-4e34-8B34-9AD175F43191}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_9cd49b1b7bec8cb0701913d84553af82_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4460
- C:\Windows\{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe
  C:\Windows\{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe
    C:\Windows\{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D974A~1.EXE > nul
      4⤵
      PID:5028
  - - C:\Windows\{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe
      C:\Windows\{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4595E~1.EXE > nul
        5⤵
        
        PID:3760
    - - C:\Windows\{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe
        
        C:\Windows\{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF982~1.EXE > nul
        6⤵
        
        PID:488
      - C:\Windows\{D918ACD3-8557-4100-B8EB-0D449D494240}.exe
        
        C:\Windows\{D918ACD3-8557-4100-B8EB-0D449D494240}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D918A~1.EXE > nul
        7⤵
        
        PID:2060
        
        C:\Windows\{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe
        
        C:\Windows\{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe
        
        C:\Windows\{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B6C8~1.EXE > nul
        9⤵
        
        PID:736
        
        C:\Windows\{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe
        
        C:\Windows\{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A23DD~1.EXE > nul
        10⤵
        
        PID:3560
        
        C:\Windows\{E47B1654-C771-4e34-8B34-9AD175F43191}.exe
        
        C:\Windows\{E47B1654-C771-4e34-8B34-9AD175F43191}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{7ABB9D83-50CA-4505-A70F-4EBA06327F13}.exe
        
        C:\Windows\{7ABB9D83-50CA-4505-A70F-4EBA06327F13}.exe
        11⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ABB9~1.EXE > nul
        12⤵
        
        PID:2232
        
        C:\Windows\{68FD226F-ED89-4c63-B6C0-E48C28E302F8}.exe
        
        C:\Windows\{68FD226F-ED89-4c63-B6C0-E48C28E302F8}.exe
        12⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E47B1~1.EXE > nul
        11⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF759~1.EXE > nul
        8⤵
        
        PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2C2E6~1.EXE > nul
    3⤵
    PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2C2E62C0-1F0A-4348-8660-4B631356C8C4}.exe

Filesize
168KB

MD5
d0b89a143e913f9e2f10d803ef708ea9

SHA1
1ddbd2154d3dd89b291ccd63da2a09f5caed5f2f

SHA256
a916ad2036917dbc218546d0470430eede2a22f6e62820cd2ef98650ea7a3bad

SHA512
3a162d7df2fa2bd9d1c96e5a63ee57bf802c199706f78d7d1edac921419ca6d5907afe5bb8456d2699ab2ebe28b3c7c5aa05530c621897b3751d2424ae7c85ee

Download Submit
C:\Windows\{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe

Filesize
33KB

MD5
eff4d8966cbd61cfbc56581af8d93f7c

SHA1
a745aac26744e37d4a8b59ba352a46f52c24601d

SHA256
354232404f6f867cfb9edcc72d8af75d33d30baeb587ab055f62696a38a2477c

SHA512
e4aefd6bc01a72a9ed42d4da9ca0010500397c687362f2bf3c81dcf9d400edf3593b4882d3ecec9aa35080e58ee0c0f7a29ce4f07e9d49ad1b728220f517646c

Download Submit
C:\Windows\{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe

Filesize
162KB

MD5
e66b63a101e8412895528bbe774a9098

SHA1
3855cc4d19f2f99c8c8b2d8926e8a7ceb5a28b2f

SHA256
53e3ad289ad75277fbb2525447b7366a4b792d85e6744a101df8cb1051a42535

SHA512
6029ce12731429a71835cd7c751bcbb23a3eccec608bd709e035eec0ddc5b8cd4b5bd1da8bcb536fca339243724210bc0fef14d182d013e6f2d87108a215e299

Download Submit
C:\Windows\{4595E3C2-834B-4ef2-8830-7C41FD225569}.exe

Filesize
75KB

MD5
5262d492a96aa338af797acaf21546e5

SHA1
a6112600c66d03966da53f6d1669147aac90e002

SHA256
d22d7b844a6546039e3a6a1acd7926bf657d32a85ebd11646af0156d34e95b96

SHA512
24f9b1e9944ef42d7193a6072adf96387a4ef15d32877cd30b306e23a07c0c779ce48d67b4f6f907a53cfe6e69851f6e4ac5e0b87721f398b3275e02c6223185

Download Submit
C:\Windows\{68FD226F-ED89-4c63-B6C0-E48C28E302F8}.exe

Filesize
118KB

MD5
45a56c39112aced6465a3082a4657c73

SHA1
b22cecdefe04651cca47793071a793f7d1bc9b40

SHA256
3f33420f44d390bfee29408fc1c7995b10e4a05f0c0ebdb14968a12314b23c32

SHA512
f73f3f9839bd2668b62200927bd071f3d9b586db36cfb4efb02434bbbbc0a1c695796b8611e87bd9049dd5e9dbd73aaccda0daa67635b020917262e11b90a47e

Download Submit
C:\Windows\{68FD226F-ED89-4c63-B6C0-E48C28E302F8}.exe

Filesize
138KB

MD5
62acbf309b60512e878c4f8e627bba50

SHA1
c9d9740058d90a9fe945ac2aca6d9c82dc606cfc

SHA256
e1247c696c9e367fc6748ab7703f72bb02bebbc577e182a521f6a111c7ba1e75

SHA512
7379d74f71a9f1b296f2f2f1f71106d7f2caf7b3230e05fdfc53f10b4984fe9e8eaa25cb24758066e6976e4bfbefce906f58228e2c9d430cc0f474877c992a0f

Download Submit
C:\Windows\{7ABB9D83-50CA-4505-A70F-4EBA06327F13}.exe

Filesize
34KB

MD5
a929e72ac0ab73bdd708017e9f403498

SHA1
b941cab80320f172213c12ad9da8154ddcd72454

SHA256
828bad0cc508ec0e844733ffe119ad44b0a686dce90c891c9913f96f7bcfd824

SHA512
d9d4ae747e415f349bf56aab3e8cc6b3a50ac554fa8f5ca4057bcf151e17c393c7a44783ee05b0fdd0739c34d8233f8790f4614663be23e2eff1fb323761325e

Download Submit
C:\Windows\{7ABB9D83-50CA-4505-A70F-4EBA06327F13}.exe

Filesize
13KB

MD5
ccd0bea503f29e56e4d50e3605e747a8

SHA1
440904ce2a331a222881d74d42d8c6647b3d658b

SHA256
b1585a9d423754aa079517945b795d64cf48e301e274a879d53c6a61e3c1cb24

SHA512
b8ca6001dd45142922a22b3de651e1e363f7b0447f4078366fca07aaecf2d478bda44256447b42e36025ef52277b8dc9526361ddfac6ec8626416484ef242ae7

Download Submit
C:\Windows\{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe

Filesize
123KB

MD5
9bf761d1774be8f012506bc489226190

SHA1
a4f37c8be1b543af81e88aadcb5c8553beb308d5

SHA256
aa27f02af1f233546eaae4be586fd517d048bc72355ae609b566c0a862e43b42

SHA512
e7bfaa38a72228deab20a0194f17750e07e916aa6a948b827d37fb456978d799a891dac02d11b0d5b47526dd43fbd5d0b9d9712e114269d6d5cd17f8796f0d7e

Download Submit
C:\Windows\{8B6C8BB0-091C-4057-8B13-1A594A9D9565}.exe

Filesize
168KB

MD5
5eb39ad08689f9a0226909848cc72437

SHA1
4be5ae067eaac283672ba8dd9b9997b69cb1cdce

SHA256
a7bdec7754e59f3fd34b228d62c8ec8f891b5ab3099f530bc4ead5c2e1bfdabc

SHA512
89fd363c8427ed9324cf4bacd4298a457dcbf705ea2e0746187b7f16d1b20ec8fdc7d1051d98b03de62bc6033611f1e65a0fee41e5eee0b59dbdfe2d8e358706

Download Submit
C:\Windows\{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe

Filesize
102KB

MD5
4e72817b6fe716b50610c40184335a4b

SHA1
ab116955fc16ed624a83e8bd34da58ae3acc7375

SHA256
1058af09430306667efcbf05c30dbd105d28f0c35a8d9fcabeae447fb339d358

SHA512
42ad6cfb08d89af066f45251b7fffe171239eeac46f2948d50e4d4268b0f4921fe6c0701a5362f8fa957f626c80d54f5cd3acb5abc12a06a001de0d2fec2739e

Download Submit
C:\Windows\{A23DDEF4-AE31-4926-95D9-A092F357099E}.exe

Filesize
108KB

MD5
ed8f362bc4198d57e0381cda8ab7d3c6

SHA1
589e4b30a47805752582cd5dbb3fa9f004b670f8

SHA256
649f62477ff44bd76877e1ad9b43e34a0524f8e23d7a69bd7c091537a7fafcc8

SHA512
2293c2ecd98a55f1de2f09d92d69a4e9c9c357f76e615dbf5617081dbc20596d7e613eff2c8949ad9a5ef6b19daa06a7917f7535ea3c204824819b6e65513114

Download Submit
C:\Windows\{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe

Filesize
28KB

MD5
4b5b4c066d90b5f9ed36cc2abfd9acc1

SHA1
eb94368a1d7902d73db6a2ac96bc08d5b4919643

SHA256
7f809ef67b8ef1a43e00eb71e0aeb982427dfbf5638e127feb80d25655c507b7

SHA512
6c0122c1f1d0def1ee6dedfd852f2680a77f6bd99e138e16733df17d1060added8232a56bc29ce0b1d0518ca8af529e94cd6af7538e41fb5cd21099063b7414e

Download Submit
C:\Windows\{BF759EF7-4130-4a55-B6DE-4324E8B8B712}.exe

Filesize
45KB

MD5
83e0e40ec3ec8b8ad5683d45678b4914

SHA1
d41827bcd442ffeafb63730d967e6a04e8cc76b1

SHA256
47796cac58947a7b953b6ef1c3f6d1e9bddf3854add8f85aa7806dde8cc915c2

SHA512
62e86d118c43c2a3f6f1c2cdbae5d748d6df2adcd9f68d5f351c42013534770e0a9707382754823bc463738705582e3e9950d6d1fbd450452d825400969ea7fb

Download Submit
C:\Windows\{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe

Filesize
23KB

MD5
e57a2eb02927061ca23df1dbfd9ece6d

SHA1
c06c87651e7d560f952ed25754d6ae73eb39d682

SHA256
54088641fa6594ecbcbb157d0b808de4ffcdd5cb5bc37faa800fa612de3b8c1f

SHA512
416c1453ef6df41c9422a09098b85850c082b4c66f2ce54bf63eb0a7dcfa8e681045fc40a63f848dff511f952256cbc166dfd1c0ba1148a01e3437e61766edf8

Download Submit
C:\Windows\{BF98222F-74C1-4d2d-A550-57DCE2A3CAC3}.exe

Filesize
35KB

MD5
005a1ffc394616a93c2a57cf8282d1a3

SHA1
d962817cd75d8de274cd15b77b44be65ecfed4fc

SHA256
dfaaa62d2f76d9f33d0ebd8f13d04abbbe873dd9ca0d1e04157b19e6c6db2bfe

SHA512
5b9c0a592f22c5ac0cc830568eb74885dce9325d4d4375132c71e4248e386d1950a66c095bba242d823321dd5fb4b8891a4375997467bf45486a8ef99b221a21

Download Submit
C:\Windows\{D918ACD3-8557-4100-B8EB-0D449D494240}.exe

Filesize
24KB

MD5
612e8bc20ff9d088f0ccf3679186ae0a

SHA1
3dff8be65263850a66b7611a14c9e2479833db79

SHA256
3a80212fcfc1078de5feb1717068941081eb0b53830a3d46c98c89e14151e666

SHA512
d4162bda750aa1270c1ee5d79ec61e6eaa81a3818bafeb77877bae0ec84bb7f2891c242cdf15ccf7fedd45779dd4273c0b95b11dcd502e175bcf6f6ea8a8bf9c

Download Submit
C:\Windows\{D974A49B-52FA-4249-8DB5-EBEEC997C308}.exe

Filesize
168KB

MD5
4155969ddbad516aa8ac017241405978

SHA1
987ce270949d8a351c0a810c6d2a62815733cde7

SHA256
aaf33611a057a60f91bb432c83c3218d861955556f30575004beb0a395a8ae9f

SHA512
02748cbbb56bf385f0e8158b1c7deea27f49d48af0f53bf49a07607a4b4d03ecf4b38e2cce7c67a474bdc3cdf9efccd18d9c022de873d937ad8d753162a2d61f

Download Submit
C:\Windows\{E47B1654-C771-4e34-8B34-9AD175F43191}.exe

Filesize
115KB

MD5
f9bf9480d21a180ab327fc7ed3758501

SHA1
80eb5fa99d82c4bf14b4b261a1fd2a9ab44a773c

SHA256
ebad5570f90742c7154002defbc1cb0469d27ca0689076a0c181f2c2f3dd09c5

SHA512
89656513653e153727c01d0712c92f189f360f0bf962ee869bf6b96b60ec1f8865775a7f7f8f08b42de60ab4d594049ac073234de149f9d1e984c346df5b0fce

Download Submit
C:\Windows\{E47B1654-C771-4e34-8B34-9AD175F43191}.exe

Filesize
85KB

MD5
a06784e8911bfbc8d9328e6d7ffad4e2

SHA1
979870384993f0903ff8f148b13585aeccb12a52

SHA256
a04838ebf1867a1e3d77a47ac6ae1fc460985667fb6c8d44fd280381ad02cb8a

SHA512
2a3ed8e0db625b6b934e090aaada082e8158c3ed9766030a16249500f24eed3bcdf74a193c5b823bb8ee93d2a34784909c29883380a3cd5a9a5198761c36d4d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads