b118ff36da43e8c3d04df058ea2b931d96e7a187698adf38aed8bbadc0e60663

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe
Size

408KB
MD5

ecd4b53631e983c33da2f6bb31061098
SHA1

27daaa7195c7bde30b46092da8e4335b0a04789c
SHA256

b118ff36da43e8c3d04df058ea2b931d96e7a187698adf38aed8bbadc0e60663
SHA512

17c78ba3fb73d854155cc93f9ac99860e6f485d8a90e3aa290e9f2932ebca70f159657e651f36b49519ee9a4dd00b6a4d1999de45c2c9d8b05d8fe0c8747509a
SSDEEP

3072:CEGh0o6l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGAldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}\stubpath = "C:\\Windows\\{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe"	{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E1EB456-3BFE-455b-B60C-089539E8CC71}	{4C2E607B-2110-4dfd-B949-1A1D1857DE2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E1EB456-3BFE-455b-B60C-089539E8CC71}\stubpath = "C:\\Windows\\{7E1EB456-3BFE-455b-B60C-089539E8CC71}.exe"	{4C2E607B-2110-4dfd-B949-1A1D1857DE2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}\stubpath = "C:\\Windows\\{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe"	{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}\stubpath = "C:\\Windows\\{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe"	{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64FDAAC8-857A-43c4-BA03-7703F76D5E37}	{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32C27900-070D-4501-A877-E8B2E0950547}\stubpath = "C:\\Windows\\{32C27900-070D-4501-A877-E8B2E0950547}.exe"	{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C2E607B-2110-4dfd-B949-1A1D1857DE2E}	{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}	2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}	{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF25F31F-7D9A-4b8f-9853-00F869BF8100}\stubpath = "C:\\Windows\\{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe"	{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE4752CB-7A6C-4a52-A81B-17337D28E391}	{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}	{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}\stubpath = "C:\\Windows\\{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe"	2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF25F31F-7D9A-4b8f-9853-00F869BF8100}	{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C74D5C29-9A71-45d5-9ED4-D621006A647B}	{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C74D5C29-9A71-45d5-9ED4-D621006A647B}\stubpath = "C:\\Windows\\{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe"	{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE4752CB-7A6C-4a52-A81B-17337D28E391}\stubpath = "C:\\Windows\\{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe"	{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32C27900-070D-4501-A877-E8B2E0950547}	{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BE0748F-7CB2-4eca-A9CE-5F874C399126}	{32C27900-070D-4501-A877-E8B2E0950547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BE0748F-7CB2-4eca-A9CE-5F874C399126}\stubpath = "C:\\Windows\\{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe"	{32C27900-070D-4501-A877-E8B2E0950547}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64FDAAC8-857A-43c4-BA03-7703F76D5E37}\stubpath = "C:\\Windows\\{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe"	{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}	{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C2E607B-2110-4dfd-B949-1A1D1857DE2E}\stubpath = "C:\\Windows\\{4C2E607B-2110-4dfd-B949-1A1D1857DE2E}.exe"	{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe

Executes dropped EXE 12 IoCs

pid	Process
4836	{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe
3104	{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe
4208	{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe
1332	{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe
3740	{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe
3588	{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe
2068	{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe
940	{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe
1752	{32C27900-070D-4501-A877-E8B2E0950547}.exe
832	{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe
860	{4C2E607B-2110-4dfd-B949-1A1D1857DE2E}.exe
3748	{7E1EB456-3BFE-455b-B60C-089539E8CC71}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe	{32C27900-070D-4501-A877-E8B2E0950547}.exe
File created	C:\Windows\{4C2E607B-2110-4dfd-B949-1A1D1857DE2E}.exe	{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe
File created	C:\Windows\{7E1EB456-3BFE-455b-B60C-089539E8CC71}.exe	{4C2E607B-2110-4dfd-B949-1A1D1857DE2E}.exe
File created	C:\Windows\{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe	2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe
File created	C:\Windows\{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe	{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe
File created	C:\Windows\{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe	{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe
File created	C:\Windows\{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe	{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe
File created	C:\Windows\{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe	{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe
File created	C:\Windows\{32C27900-070D-4501-A877-E8B2E0950547}.exe	{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe
File created	C:\Windows\{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe	{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe
File created	C:\Windows\{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe	{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe
File created	C:\Windows\{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe	{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2804	2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4836	{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe
Token: SeIncBasePriorityPrivilege	3104	{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe
Token: SeIncBasePriorityPrivilege	4208	{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe
Token: SeIncBasePriorityPrivilege	1332	{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe
Token: SeIncBasePriorityPrivilege	3740	{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe
Token: SeIncBasePriorityPrivilege	3588	{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe
Token: SeIncBasePriorityPrivilege	2068	{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe
Token: SeIncBasePriorityPrivilege	940	{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe
Token: SeIncBasePriorityPrivilege	1752	{32C27900-070D-4501-A877-E8B2E0950547}.exe
Token: SeIncBasePriorityPrivilege	832	{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe
Token: SeIncBasePriorityPrivilege	860	{4C2E607B-2110-4dfd-B949-1A1D1857DE2E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 4836	2804	2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe	99
PID 2804 wrote to memory of 4836	2804	2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe	99
PID 2804 wrote to memory of 4836	2804	2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe	99
PID 2804 wrote to memory of 3320	2804	2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe	98
PID 2804 wrote to memory of 3320	2804	2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe	98
PID 2804 wrote to memory of 3320	2804	2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe	98
PID 4836 wrote to memory of 3104	4836	{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe	100
PID 4836 wrote to memory of 3104	4836	{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe	100
PID 4836 wrote to memory of 3104	4836	{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe	100
PID 4836 wrote to memory of 4908	4836	{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe	101
PID 4836 wrote to memory of 4908	4836	{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe	101
PID 4836 wrote to memory of 4908	4836	{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe	101
PID 3104 wrote to memory of 4208	3104	{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe	105
PID 3104 wrote to memory of 4208	3104	{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe	105
PID 3104 wrote to memory of 4208	3104	{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe	105
PID 3104 wrote to memory of 4144	3104	{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe	104
PID 3104 wrote to memory of 4144	3104	{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe	104
PID 3104 wrote to memory of 4144	3104	{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe	104
PID 4208 wrote to memory of 1332	4208	{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe	109
PID 4208 wrote to memory of 1332	4208	{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe	109
PID 4208 wrote to memory of 1332	4208	{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe	109
PID 4208 wrote to memory of 3904	4208	{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe	108
PID 4208 wrote to memory of 3904	4208	{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe	108
PID 4208 wrote to memory of 3904	4208	{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe	108
PID 1332 wrote to memory of 3740	1332	{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe	111
PID 1332 wrote to memory of 3740	1332	{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe	111
PID 1332 wrote to memory of 3740	1332	{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe	111
PID 1332 wrote to memory of 3716	1332	{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe	110
PID 1332 wrote to memory of 3716	1332	{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe	110
PID 1332 wrote to memory of 3716	1332	{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe	110
PID 3740 wrote to memory of 3588	3740	{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe	115
PID 3740 wrote to memory of 3588	3740	{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe	115
PID 3740 wrote to memory of 3588	3740	{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe	115
PID 3740 wrote to memory of 4224	3740	{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe	114
PID 3740 wrote to memory of 4224	3740	{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe	114
PID 3740 wrote to memory of 4224	3740	{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe	114
PID 3588 wrote to memory of 2068	3588	{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe	118
PID 3588 wrote to memory of 2068	3588	{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe	118
PID 3588 wrote to memory of 2068	3588	{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe	118
PID 3588 wrote to memory of 4604	3588	{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe	117
PID 3588 wrote to memory of 4604	3588	{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe	117
PID 3588 wrote to memory of 4604	3588	{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe	117
PID 2068 wrote to memory of 940	2068	{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe	119
PID 2068 wrote to memory of 940	2068	{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe	119
PID 2068 wrote to memory of 940	2068	{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe	119
PID 2068 wrote to memory of 5032	2068	{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe	120
PID 2068 wrote to memory of 5032	2068	{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe	120
PID 2068 wrote to memory of 5032	2068	{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe	120
PID 940 wrote to memory of 1752	940	{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe	121
PID 940 wrote to memory of 1752	940	{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe	121
PID 940 wrote to memory of 1752	940	{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe	121
PID 940 wrote to memory of 4484	940	{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe	122
PID 940 wrote to memory of 4484	940	{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe	122
PID 940 wrote to memory of 4484	940	{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe	122
PID 1752 wrote to memory of 832	1752	{32C27900-070D-4501-A877-E8B2E0950547}.exe	123
PID 1752 wrote to memory of 832	1752	{32C27900-070D-4501-A877-E8B2E0950547}.exe	123
PID 1752 wrote to memory of 832	1752	{32C27900-070D-4501-A877-E8B2E0950547}.exe	123
PID 1752 wrote to memory of 4312	1752	{32C27900-070D-4501-A877-E8B2E0950547}.exe	124
PID 1752 wrote to memory of 4312	1752	{32C27900-070D-4501-A877-E8B2E0950547}.exe	124
PID 1752 wrote to memory of 4312	1752	{32C27900-070D-4501-A877-E8B2E0950547}.exe	124
PID 832 wrote to memory of 860	832	{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe	125
PID 832 wrote to memory of 860	832	{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe	125
PID 832 wrote to memory of 860	832	{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe	125
PID 832 wrote to memory of 2712	832	{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-08_ecd4b53631e983c33da2f6bb31061098_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3320
- C:\Windows\{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe
  C:\Windows\{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe
    C:\Windows\{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75F63~1.EXE > nul
      4⤵
      PID:4144
  - - C:\Windows\{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe
      C:\Windows\{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64FDA~1.EXE > nul
        5⤵
        
        PID:3904
    - - C:\Windows\{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe
        
        C:\Windows\{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DFE8~1.EXE > nul
        6⤵
        
        PID:3716
      - C:\Windows\{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe
        
        C:\Windows\{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF25F~1.EXE > nul
        7⤵
        
        PID:4224
        
        C:\Windows\{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe
        
        C:\Windows\{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C74D5~1.EXE > nul
        8⤵
        
        PID:4604
        
        C:\Windows\{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe
        
        C:\Windows\{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe
        
        C:\Windows\{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\{32C27900-070D-4501-A877-E8B2E0950547}.exe
        
        C:\Windows\{32C27900-070D-4501-A877-E8B2E0950547}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe
        
        C:\Windows\{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\{4C2E607B-2110-4dfd-B949-1A1D1857DE2E}.exe
        
        C:\Windows\{4C2E607B-2110-4dfd-B949-1A1D1857DE2E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\{7E1EB456-3BFE-455b-B60C-089539E8CC71}.exe
        
        C:\Windows\{7E1EB456-3BFE-455b-B60C-089539E8CC71}.exe
        13⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C2E6~1.EXE > nul
        13⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BE07~1.EXE > nul
        12⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32C27~1.EXE > nul
        11⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F22B4~1.EXE > nul
        10⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE475~1.EXE > nul
        9⤵
        
        PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6D30~1.EXE > nul
    3⤵
    PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{32C27900-070D-4501-A877-E8B2E0950547}.exe

Filesize
408KB

MD5
c1101812442aa116c65e35d6ebb84ea6

SHA1
0f432702e3cda2ed4a1a31b18eb89344659f904b

SHA256
655ee8f77f2aeb8f1becabdf5e551f5b69a7a8b8ad09748c88121a89afbeb6a2

SHA512
8150c4275400f2f25824cf617e591186cb503ef55eaf7a07daa3e78e096d249e930083b3345da03376772442ed03a5b21c8b07b3ff746dd68b3434ffaabee91d

Download Submit
C:\Windows\{3BE0748F-7CB2-4eca-A9CE-5F874C399126}.exe

Filesize
408KB

MD5
52bba6c81e2a8a39879839b9bc07f5d8

SHA1
a8f9ce7f6e808a368595dd712b4d7864a323f2e7

SHA256
b97c0f9edf8fcda54b98cc127b866c9c7c38263bfe34a11a65ed76bf8586a0cd

SHA512
7c7ceb4a0af7954e024057186068a14d54f818be3de2fb39e96bcce3b912f788044c05b8655df5f53ed71b440b3ec8b74bd0c162c7ae211810569d03aaed0800

Download Submit
C:\Windows\{4C2E607B-2110-4dfd-B949-1A1D1857DE2E}.exe

Filesize
408KB

MD5
4a17ad082163a4bcfedfe03ee5ad6ae8

SHA1
96127618b91cafd6b010782d701be15f63a6adf9

SHA256
d8208dcfdc3b566503bdd4791277cbd91f75669bdb8ed4341305577265181019

SHA512
cca1be27b3a43e9ca33a5f7415d35fd18cf0ab7a4c785ceb4c158741b23337ee1e74cb43090c3b0917a0c05bf459bdb91bcebf4db9ff1e4eeac1f77714be0157

Download Submit
C:\Windows\{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe

Filesize
64KB

MD5
2cfed3d5066317657f46d371f095601f

SHA1
4eacf8fe96a7b4dd925e366be5a52b132f69a4e6

SHA256
4ecfb19d7e21f6cb31b922d893b20879ff2b5b3dece8d7709b4fa81e2ca41de7

SHA512
1721f204d35a49ba207e180aaa282445451d93d3f0121df59963adf85572f3959b867ec066ebd62028c55ddbcbc2f5b3ec645497c9a6c96da4ea21a90edae10b

Download Submit
C:\Windows\{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe

Filesize
12KB

MD5
ebdf2ddafeb8b0a738967061bc6b13ab

SHA1
358f877a511ed09667ec48830c1a27e15cfc14c4

SHA256
460d17685810f7618d779fb2f5b04f1aafe7b85f28c41d00949e856ee38ea581

SHA512
7a565f06d00f9ad23e7698dd65401aa67577d979c499fff0acd95e09d169b682511f0d0eafa37c7b698e5cae3308379821ba9adf8723fe29a2b1e16404c135ec

Download Submit
C:\Windows\{64FDAAC8-857A-43c4-BA03-7703F76D5E37}.exe

Filesize
10KB

MD5
8fa45ff0be371346c6010a8fa99cd6d1

SHA1
313926454b271999d884d2ac6f8aa6607bcbd3c9

SHA256
a173732f62590b73303ba7ffc42dba7cd1bedc826bd7435ce7175d8decb45b30

SHA512
8045734da2f2fe0838c2b81e68dd3d2ca4e12c2b6b96d192d70a7b4ec60518ac6e3c3b5bac8c8e018fd9f58e3a84bfd19114b5a5a6f4915c5169bd6e709cf4f2

Download Submit
C:\Windows\{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe

Filesize
8KB

MD5
4e1ce1b95717019eed629ccefdd4a296

SHA1
8895a10862647ea171ca51c8896ce7c7925f8f86

SHA256
eb03f0894d772313e416d56a94fb6e4a87efb7aad80b670c471d243247cb2afb

SHA512
b5303346520f368dc4fe0885624e3572f6291c0234fae36c94a1d6ed7f0b2f1b70934ceba26aea4d284c466d76f1a8e4feaa64f68ab669f22de57da91ea15510

Download Submit
C:\Windows\{75F63BCF-9F8C-4afb-A6C0-C6CACE263368}.exe

Filesize
32KB

MD5
eff0cdd8b1ac5429084648f45a0a2c59

SHA1
320591b6911ebb6d8cf4a1e6da53821298bd315e

SHA256
83c16abc567f70b221ce9a26cfc0e046f1ccf529fe09666921f3584aa4208fa0

SHA512
4b92097596b265040586b7a5712aa1719297dabf2e731e8b7ccdb9db9d23535ca6afcdd277caa350da1be32a25119dd8f56a70a4c6a010c8da0e99ed15509d17

Download Submit
C:\Windows\{7E1EB456-3BFE-455b-B60C-089539E8CC71}.exe

Filesize
408KB

MD5
972f553b0291b82881e6136b04479ddf

SHA1
5ed808001bfc25c0e029bc6205c34fd309c58160

SHA256
d65f9fd7fc44661782a0516cc4ad4a0102fef6f63ff07a95a4f151489a69fcfe

SHA512
ac654d021170c4a75e372f2b0013641919ea0e0088dd242af8a1806a0b59129fd34c13d828ede06dbebe9d853e28858572432e5ccb05ceda1fe68d18670af22e

Download Submit
C:\Windows\{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe

Filesize
5KB

MD5
1249370d0f8c19718bc0ea808cfb087e

SHA1
4471b3b16da6b41fd4f74a1265faaa78df63437b

SHA256
4bdac780053496d36746b1f0bc3d35f9e5cf63576614ce27082f137bd1cb7af8

SHA512
93ca5406aabef5bb900db8c9acd5791058c84dad93317c04f9de355324c042b1ee1affaec9b826172811307148a98806a130c31ecf139ceba49c6e0744bd0f95

Download Submit
C:\Windows\{8DFE8F20-E377-4d08-BC6F-0FB9D1671797}.exe

Filesize
81KB

MD5
7f52baa591dd264a462af12cd84ab259

SHA1
626e8b4526810b1a60ac3071d8a6aa064f9e20ab

SHA256
70e27fcd030b4474f52af62c0a61a5e6594f24b45873126b57f0565cfb7dbd98

SHA512
908f9864314f71362a9eab7558c0dd5bad1f6bc51173ab2ab144d84b54152ddf04defcce47ed097fcee7cefbff73ef0c2a251a2a081352df83f8f7fca18c9bf1

Download Submit
C:\Windows\{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe

Filesize
21KB

MD5
8d2bf4fa1fc647d5af0656e3c4309940

SHA1
6803a886db8be6c9a9bd8ac9809f9fcbbb81edde

SHA256
eac51514fee63ed0c793e4c555575176684757d1a27264dd9160b7ec086b6f28

SHA512
4002bba89f10cdd66ff43106674fa0069473877df5ab581c2ba1522c0d8e05cedeec8182f665d4278ebbdeb56bccb51102510a5c7fe1c4d46f45f9467bd84691

Download Submit
C:\Windows\{A6D302DB-AFC1-43b8-955D-0BBAA0808DFD}.exe

Filesize
9KB

MD5
110b08dd75ccb256544641798e31e3a3

SHA1
a6e2dcc3824a5ce355673e31f4c92bc2c6e23eda

SHA256
2f6bd5f1b5c25edb5974dc3bf2ee4c33690384617754263b5c70dfd8b92b7d3d

SHA512
7a8be06f8875522b124a8e46c734a5591875415670afc90b9ac62618cffe407cd9dd1b26576673077ddde9bf20e5e3b85551e9a16610c5716d47e4caff4ef27f

Download Submit
C:\Windows\{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe

Filesize
16KB

MD5
3375c6fb345096a0eb3a8f07db0018ae

SHA1
18a8548f854c76964f2cd3c2e0fda9b808044a7f

SHA256
2ca9ef1798e9401d241ce4fd0c4327159e0d97fcc5a5b54e18d30f4032b668ed

SHA512
0ee787b51d1e59f8eb64ce85046e8771ec6304f69c77d7727d37f9a2699142b925d12dfd208c0646684903e95146e37860f5716139073a7d4424d3f3beb62743

Download Submit
C:\Windows\{C74D5C29-9A71-45d5-9ED4-D621006A647B}.exe

Filesize
87KB

MD5
e5414981e741786aa0fcff0c5936e6e8

SHA1
605ea6a8959ac1c42c8ccf25d7a1af8e15393fe0

SHA256
b53391e9019584f111484dab29fd55ed0c4de0262740d2411ca696a3c638700f

SHA512
3e96abe8b199465e7af03ed5a096432e5166142cfa734ebc34bdbee9db3d38e67dd9a9f4d9162b281a1ff31ac0bf7681f9fe271bb6cb602bff0bd5701ed9f756

Download Submit
C:\Windows\{DE4752CB-7A6C-4a52-A81B-17337D28E391}.exe

Filesize
408KB

MD5
fdab8c4bc2ab0ecd326165556ab90a2f

SHA1
83722e1a8f75cb430f51a772e2fbb709c8514f48

SHA256
4286624ac5635c03b8978731d9966923c745499232e5aa6b35bace30f5acdb99

SHA512
b0ad13e9ddeb4de8ba734663e29eeb96156f9e5c89e19b5b67e7832b822e4c658a93528cd6c922c01b28b088403b41b4a07f7a6cc85396ff8e30be7e4ed6dd1a

Download Submit
C:\Windows\{F22B4F8F-D60F-4b40-BB1E-1E8B8E67176B}.exe

Filesize
408KB

MD5
ee4d457f5f728535265d0098efa662eb

SHA1
d944e380fc0e3463847605a481a6a2023c6c3ed9

SHA256
769ce04e1f760c2d260974272836476b6393a2703efd2f646806d9842da828d9

SHA512
7dfbf9f57beeb7547ae21669a69daed252dbf898d61621c3b55085ad34c6b7472cf2be2555ed158dfd12012a0f81116aa375e3c0a66b10b49f980fd90c7f780b

Download Submit
C:\Windows\{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe

Filesize
1KB

MD5
e390d5e1c9a5f95b99521de37c76e69b

SHA1
37cde85109a08b3b0d68aef382e00b09f3768e2d

SHA256
80ca884b931bb88ac3c9c819bf370704a34239361066e032d31c01fe2e1ee4c6

SHA512
fad1ef08769adc38455e2b5a614e36854b41144719f164202398888d97d387dac4c98de29088b222fb2756fe416ef6deb4fdf88649aa55ea91de4927542f8e69

Download Submit
C:\Windows\{FF25F31F-7D9A-4b8f-9853-00F869BF8100}.exe

Filesize
408KB

MD5
0dae83ed5797cc94a6e224f608c1ade2

SHA1
4543fca6a78e855438eece776df90ccb0bfe8e9f

SHA256
8896599767367fd590df84d20558c83b08041cd9b209d0d585f1b247a287d9d1

SHA512
ed905f2301fc5c102a5d730f37acce3d00c28f52f315bbb5d7514b143c8e5144ecf27af499363e734aa74e4354d15df8769bc5c16e2a4c507ecbc82f5ecfb2d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads