c874df1b2f36ac03e4a69201a9f169e9977509b8b535ea84ccec8751c5fdc4ff

Analysis

max time kernel
150s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 06:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe
Size

380KB
MD5

d3e431ce5f868f3509c4f6865089e9b2
SHA1

894478346d6a5bd34fd673f85b0552f47e81e44d
SHA256

c874df1b2f36ac03e4a69201a9f169e9977509b8b535ea84ccec8751c5fdc4ff
SHA512

1184c46d8a1add4147d00f2763bd5dbe9382400d2af965fb88d9ce24a38cb897e3d4e0342a4c36c586f9898d57772462d4c347d23a06d51f4914253eb4f2508f
SSDEEP

3072:mEGh0oelPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGkl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F60186-5855-4e14-91D0-D4957096FD03}	{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21946304-6B2B-4868-A2A2-C79B59CD644B}	{88F60186-5855-4e14-91D0-D4957096FD03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}\stubpath = "C:\\Windows\\{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe"	{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}\stubpath = "C:\\Windows\\{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe"	{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E219B395-6699-49f5-A8D5-6667FEC440EF}\stubpath = "C:\\Windows\\{E219B395-6699-49f5-A8D5-6667FEC440EF}.exe"	{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46784124-26FE-4806-AFEB-45B1B2AF23EA}	2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46784124-26FE-4806-AFEB-45B1B2AF23EA}\stubpath = "C:\\Windows\\{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe"	2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21946304-6B2B-4868-A2A2-C79B59CD644B}\stubpath = "C:\\Windows\\{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe"	{88F60186-5855-4e14-91D0-D4957096FD03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D4E4C87-B918-4239-87AC-9D477601583A}\stubpath = "C:\\Windows\\{9D4E4C87-B918-4239-87AC-9D477601583A}.exe"	{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA72EE68-1EFC-4756-BE99-36065FAD9087}	{9D4E4C87-B918-4239-87AC-9D477601583A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBF709C0-084E-4a41-A088-0291962E9A5D}	{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F60186-5855-4e14-91D0-D4957096FD03}\stubpath = "C:\\Windows\\{88F60186-5855-4e14-91D0-D4957096FD03}.exe"	{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBF709C0-084E-4a41-A088-0291962E9A5D}\stubpath = "C:\\Windows\\{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe"	{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}	{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}	{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}\stubpath = "C:\\Windows\\{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe"	{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E219B395-6699-49f5-A8D5-6667FEC440EF}	{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}	{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}\stubpath = "C:\\Windows\\{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe"	{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D4E4C87-B918-4239-87AC-9D477601583A}	{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA72EE68-1EFC-4756-BE99-36065FAD9087}\stubpath = "C:\\Windows\\{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe"	{9D4E4C87-B918-4239-87AC-9D477601583A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}	{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe

Executes dropped EXE 11 IoCs

pid	Process
3312	{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe
2472	{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe
4844	{88F60186-5855-4e14-91D0-D4957096FD03}.exe
1256	{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe
220	{9D4E4C87-B918-4239-87AC-9D477601583A}.exe
3484	{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe
4024	{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe
3440	{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe
4780	{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe
4216	{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe
3896	{E219B395-6699-49f5-A8D5-6667FEC440EF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9D4E4C87-B918-4239-87AC-9D477601583A}.exe	{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe
File created	C:\Windows\{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe	2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe
File created	C:\Windows\{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe	{88F60186-5855-4e14-91D0-D4957096FD03}.exe
File created	C:\Windows\{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe	{9D4E4C87-B918-4239-87AC-9D477601583A}.exe
File created	C:\Windows\{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe	{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe
File created	C:\Windows\{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe	{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe
File created	C:\Windows\{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe	{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe
File created	C:\Windows\{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe	{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe
File created	C:\Windows\{E219B395-6699-49f5-A8D5-6667FEC440EF}.exe	{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe
File created	C:\Windows\{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe	{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe
File created	C:\Windows\{88F60186-5855-4e14-91D0-D4957096FD03}.exe	{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1800	2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3312	{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe
Token: SeIncBasePriorityPrivilege	2472	{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe
Token: SeIncBasePriorityPrivilege	4844	{88F60186-5855-4e14-91D0-D4957096FD03}.exe
Token: SeIncBasePriorityPrivilege	1256	{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe
Token: SeIncBasePriorityPrivilege	220	{9D4E4C87-B918-4239-87AC-9D477601583A}.exe
Token: SeIncBasePriorityPrivilege	3484	{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe
Token: SeIncBasePriorityPrivilege	4024	{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe
Token: SeIncBasePriorityPrivilege	3440	{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe
Token: SeIncBasePriorityPrivilege	4780	{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe
Token: SeIncBasePriorityPrivilege	4216	{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 3312	1800	2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe	94
PID 1800 wrote to memory of 3312	1800	2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe	94
PID 1800 wrote to memory of 3312	1800	2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe	94
PID 1800 wrote to memory of 4284	1800	2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe	95
PID 1800 wrote to memory of 4284	1800	2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe	95
PID 1800 wrote to memory of 4284	1800	2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe	95
PID 3312 wrote to memory of 2472	3312	{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe	98
PID 3312 wrote to memory of 2472	3312	{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe	98
PID 3312 wrote to memory of 2472	3312	{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe	98
PID 3312 wrote to memory of 4408	3312	{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe	99
PID 3312 wrote to memory of 4408	3312	{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe	99
PID 3312 wrote to memory of 4408	3312	{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe	99
PID 2472 wrote to memory of 4844	2472	{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe	102
PID 2472 wrote to memory of 4844	2472	{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe	102
PID 2472 wrote to memory of 4844	2472	{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe	102
PID 2472 wrote to memory of 3580	2472	{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe	101
PID 2472 wrote to memory of 3580	2472	{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe	101
PID 2472 wrote to memory of 3580	2472	{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe	101
PID 4844 wrote to memory of 1256	4844	{88F60186-5855-4e14-91D0-D4957096FD03}.exe	107
PID 4844 wrote to memory of 1256	4844	{88F60186-5855-4e14-91D0-D4957096FD03}.exe	107
PID 4844 wrote to memory of 1256	4844	{88F60186-5855-4e14-91D0-D4957096FD03}.exe	107
PID 4844 wrote to memory of 4668	4844	{88F60186-5855-4e14-91D0-D4957096FD03}.exe	108
PID 4844 wrote to memory of 4668	4844	{88F60186-5855-4e14-91D0-D4957096FD03}.exe	108
PID 4844 wrote to memory of 4668	4844	{88F60186-5855-4e14-91D0-D4957096FD03}.exe	108
PID 1256 wrote to memory of 220	1256	{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe	111
PID 1256 wrote to memory of 220	1256	{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe	111
PID 1256 wrote to memory of 220	1256	{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe	111
PID 1256 wrote to memory of 2112	1256	{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe	112
PID 1256 wrote to memory of 2112	1256	{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe	112
PID 1256 wrote to memory of 2112	1256	{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe	112
PID 220 wrote to memory of 3484	220	{9D4E4C87-B918-4239-87AC-9D477601583A}.exe	114
PID 220 wrote to memory of 3484	220	{9D4E4C87-B918-4239-87AC-9D477601583A}.exe	114
PID 220 wrote to memory of 3484	220	{9D4E4C87-B918-4239-87AC-9D477601583A}.exe	114
PID 220 wrote to memory of 4032	220	{9D4E4C87-B918-4239-87AC-9D477601583A}.exe	115
PID 220 wrote to memory of 4032	220	{9D4E4C87-B918-4239-87AC-9D477601583A}.exe	115
PID 220 wrote to memory of 4032	220	{9D4E4C87-B918-4239-87AC-9D477601583A}.exe	115
PID 3484 wrote to memory of 4024	3484	{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe	116
PID 3484 wrote to memory of 4024	3484	{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe	116
PID 3484 wrote to memory of 4024	3484	{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe	116
PID 3484 wrote to memory of 5032	3484	{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe	117
PID 3484 wrote to memory of 5032	3484	{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe	117
PID 3484 wrote to memory of 5032	3484	{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe	117
PID 4024 wrote to memory of 3440	4024	{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe	118
PID 4024 wrote to memory of 3440	4024	{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe	118
PID 4024 wrote to memory of 3440	4024	{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe	118
PID 4024 wrote to memory of 4672	4024	{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe	119
PID 4024 wrote to memory of 4672	4024	{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe	119
PID 4024 wrote to memory of 4672	4024	{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe	119
PID 3440 wrote to memory of 4780	3440	{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe	123
PID 3440 wrote to memory of 4780	3440	{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe	123
PID 3440 wrote to memory of 4780	3440	{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe	123
PID 3440 wrote to memory of 3368	3440	{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe	124
PID 3440 wrote to memory of 3368	3440	{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe	124
PID 3440 wrote to memory of 3368	3440	{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe	124
PID 4780 wrote to memory of 4216	4780	{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe	125
PID 4780 wrote to memory of 4216	4780	{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe	125
PID 4780 wrote to memory of 4216	4780	{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe	125
PID 4780 wrote to memory of 3248	4780	{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe	126
PID 4780 wrote to memory of 3248	4780	{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe	126
PID 4780 wrote to memory of 3248	4780	{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe	126
PID 4216 wrote to memory of 3896	4216	{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe	127
PID 4216 wrote to memory of 3896	4216	{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe	127
PID 4216 wrote to memory of 3896	4216	{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe	127
PID 4216 wrote to memory of 964	4216	{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_d3e431ce5f868f3509c4f6865089e9b2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe
  C:\Windows\{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe
    C:\Windows\{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{539EC~1.EXE > nul
      4⤵
      PID:3580
  - - C:\Windows\{88F60186-5855-4e14-91D0-D4957096FD03}.exe
      C:\Windows\{88F60186-5855-4e14-91D0-D4957096FD03}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe
        
        C:\Windows\{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Windows\{9D4E4C87-B918-4239-87AC-9D477601583A}.exe
        
        C:\Windows\{9D4E4C87-B918-4239-87AC-9D477601583A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe
        
        C:\Windows\{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe
        
        C:\Windows\{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe
        
        C:\Windows\{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe
        
        C:\Windows\{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe
        
        C:\Windows\{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{E219B395-6699-49f5-A8D5-6667FEC440EF}.exe
        
        C:\Windows\{E219B395-6699-49f5-A8D5-6667FEC440EF}.exe
        12⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C4CE~1.EXE > nul
        12⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8541~1.EXE > nul
        11⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2DCF~1.EXE > nul
        10⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBF70~1.EXE > nul
        9⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA72E~1.EXE > nul
        8⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D4E4~1.EXE > nul
        7⤵
        
        PID:4032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21946~1.EXE > nul
        6⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88F60~1.EXE > nul
        5⤵
        
        PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{46784~1.EXE > nul
    3⤵
    PID:4408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21946304-6B2B-4868-A2A2-C79B59CD644B}.exe

Filesize
380KB

MD5
129be8f2daefa979d155660d99f5b89c

SHA1
263749d00649f42205256e91be0786e2c55717fb

SHA256
2c8068b12945a50480822f601de5dff69d3e445ea1498f67b07490e35a931bf6

SHA512
06e1dc68f64e96caa1ee1dd223a2ceb47d2c253dc4d0ac7d4c01fda9bcd3187f64b0dcb41fa5114535eaf712a45ae8ad1fba123915a45d90c6d6a2768c353c2e

Download Submit
C:\Windows\{46784124-26FE-4806-AFEB-45B1B2AF23EA}.exe

Filesize
380KB

MD5
7aa8e35ef2d1d986985f78697077b477

SHA1
73a85316a7ccf3a65aa0ade56a89d407c6e31481

SHA256
725d187fdd6a2682b1122c8eec3a60f53b1e23b7bec0e4bc1f2b9e8d3d5a4dff

SHA512
92e485c633928a649dc932e19da9b8c44346b265c75f29f4ec39add1170f9c7bfd6170bdc3f82a2d42346c2b949bcc55e95e557dc593ac11be6a872dac815a24

Download Submit
C:\Windows\{4C4CEDF5-65CF-4de7-ACDD-C43AC2E15273}.exe

Filesize
380KB

MD5
12e2699c065ace306a1633abf1b7d89b

SHA1
1a19a8bf5204c9f4cc44bc3a04bb629f8f7d31ac

SHA256
e3939cb6413cc052d985bb67ffbe6d99fd758fb187b2b5d9e73067ce629d3e16

SHA512
222c7b5a083dee138a46c8ebad012c168d58e0382b7f53089a8e3336282bb7d337014904af5ed81cc58103795eaef09a442922402ddacbc664fb3465672bdd07

Download Submit
C:\Windows\{539EC6FA-DE1B-42d1-805D-0FD77B3CFE48}.exe

Filesize
380KB

MD5
df2b19c3b532e444bc1a3b7c74e7bdaa

SHA1
65b6e60c3589cc4d80bec19a899787d60d0a0c2d

SHA256
e32426ce9c2734403601de590885e33866d9224d553c0f47565a24561f74670c

SHA512
97ec8691f1825d7b3452dee6fe02b7b22e1bb1d3313f6cbc76c0ebab75dd5255d470d060e983ff2e29797a686adf128d5d22105e799ad29bb8a239237d48a33c

Download Submit
C:\Windows\{88F60186-5855-4e14-91D0-D4957096FD03}.exe

Filesize
380KB

MD5
46a95807e42fe88b799ab5d04b077504

SHA1
d6811a066635c5d082ced1a3606726855eefb34b

SHA256
aaa785db2b58d0aaae1d901ec78786aa5a6475ad03bdc19ca56036eb786d3e3f

SHA512
61eee85da63c077660b3928ce85d7198a78a2d73cf67d572e6f04ba0f7434cd54699acfd4bef4b1cf357b2939c0fb6afa8cabaa7b9109d3d9e34093bb87014ca

Download Submit
C:\Windows\{9D4E4C87-B918-4239-87AC-9D477601583A}.exe

Filesize
380KB

MD5
5af405b4c65271bc6fc0e43f1702da79

SHA1
e576cb169790824cf57c29d2664d633d0cb3e2b7

SHA256
2f11ae92c0222d0108f26beb965f9edfb931dd2a63230d93a4bd71648c5be2dd

SHA512
0274f489cd71e84bb071ad1097fbdda43c47faa82981261bd108fdb33a7270a58b20f640da36e66a2c667f08c14f966e65af31a951ae47b3c41362d5f24da0ff

Download Submit
C:\Windows\{A2DCF154-1E5A-4fc9-A6D5-CA66736377FA}.exe

Filesize
380KB

MD5
73e3df1d59d0a078fb87034135879f22

SHA1
6a984cbeb687b62bf5c5d8ac21c78e52e80b4281

SHA256
3441a8af254461815a604f017171e8af7edf5605a0101e8756cb5dc88684f31f

SHA512
0225d701c12c1536dd1dbd510fdedf620eeb3a4bd738edf51c7ace82371a329808bb29534974741301da219fc47d4442d58053f78dd4897fb88ccd99eaa12101

Download Submit
C:\Windows\{CBF709C0-084E-4a41-A088-0291962E9A5D}.exe

Filesize
380KB

MD5
85db69eff9def80ba77ccf743647d14f

SHA1
7c4ff6aafc744b003d99406d60c64d21b701a634

SHA256
3f62ef5d278e85aeb3e2b107e77a0225aefa3723c05ef08f5e18c917e0ca59b1

SHA512
e070cbce6d71f88b28b82c5fe5c1b85fd4eafe8150bad7211a9ba58708ae538f3eda5335956dbb0eb31d3e79f5af795eb5fd90bca01417a38701be0a77d5cf86

Download Submit
C:\Windows\{D8541A59-0837-4752-9F53-4DB3DCBC0D6E}.exe

Filesize
380KB

MD5
cfecfe8e429f5f54af838cbcefb1dd61

SHA1
bf182bcc33e9f46d498238364d47fc6ab2550381

SHA256
cb2b9acf4a2931e8c521a5e8f72b8cf0a14f0ddb314f2a1eb8cff24d3558ba14

SHA512
bffb1410af218e412675130c26f6872b41db36e56292d248b699849a401d3b2eea4ee6600a51af03a325b3fb495e2d1b7009e5754d2e70c3c5d02f7c5c27d75e

Download Submit
C:\Windows\{DA72EE68-1EFC-4756-BE99-36065FAD9087}.exe

Filesize
380KB

MD5
15233ed176258d7edd882f11745d8b85

SHA1
1d0c81584d4a0900ca682761b88f29959f42c385

SHA256
3204288fe1331f4ea381bf75f5003ee732fb5d98b01359c0efe1d17c1dbb143e

SHA512
9b253ac3ae5c34d1f0b44ab6dda4cd4173fa5a2d48bf3f2a552d90439dc54d2fa2724248278b1dd7295af4d6125f23b8fcb41a6bfd1af8a1f962257c3dbf4755

Download Submit
C:\Windows\{E219B395-6699-49f5-A8D5-6667FEC440EF}.exe

Filesize
380KB

MD5
a1f524929d8c7954b5d47c196779acd8

SHA1
9b21c40403b6d58d61c401a4334c815e57fdc8bc

SHA256
4badd76f6b38fa634da2151cd8d0fee5a69ce74bfbfff4540c350ec6ccb51fa6

SHA512
901b7e75bf97985ef74b17b2aa4dc8163c4152faf3ceaef8a19555e8a166a152bc67b085d9b45dc3bc79bfa046043e0bd49a6b8a2098c1ad81126174a918beeb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads