01b51bc50ab3fac97bba039bcf778aa4965626db8475765721fe259cbef146cf

Analysis

max time kernel
188s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe
Size

408KB
MD5

0e24a835f1878de60bf1d300e4ae1d1f
SHA1

8255348bcd8349f850825089fe3b4d728d6a56a1
SHA256

01b51bc50ab3fac97bba039bcf778aa4965626db8475765721fe259cbef146cf
SHA512

06633ee2fa3067a8810894b229453ce36d5cc2cc1687f50678f1c99ea9ab727a310a59a8d5c2db9c3dba67fea4b2eb9055a1968303d3d28ea221dc3761ed6485
SSDEEP

3072:CEGh0oRl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGfldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}\stubpath = "C:\\Windows\\{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe"	{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C32C3D4-4F20-4198-9B14-8D4092EDC212}	{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}\stubpath = "C:\\Windows\\{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe"	{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{997C22E0-988E-47ac-B917-1E6A088CF594}\stubpath = "C:\\Windows\\{997C22E0-988E-47ac-B917-1E6A088CF594}.exe"	{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B464CC62-0702-44a5-A1DF-32393B32F65E}\stubpath = "C:\\Windows\\{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe"	{997C22E0-988E-47ac-B917-1E6A088CF594}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73CE15FC-C00B-43b8-8487-8111A070A50F}	{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}	{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{393E7223-4ECF-4d30-916D-2DC6E8A75F29}	{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{393E7223-4ECF-4d30-916D-2DC6E8A75F29}\stubpath = "C:\\Windows\\{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe"	{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{902D043B-8D26-4318-BB7A-0EBED2059A7E}	{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{902D043B-8D26-4318-BB7A-0EBED2059A7E}\stubpath = "C:\\Windows\\{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe"	{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDF15478-1A09-4969-8F17-F7EA3500E20E}\stubpath = "C:\\Windows\\{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe"	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73CE15FC-C00B-43b8-8487-8111A070A50F}\stubpath = "C:\\Windows\\{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe"	{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C32C3D4-4F20-4198-9B14-8D4092EDC212}\stubpath = "C:\\Windows\\{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe"	{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}	{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A35811B1-BB52-4f79-9023-7FF8D5DA5737}	{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDF15478-1A09-4969-8F17-F7EA3500E20E}	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{997C22E0-988E-47ac-B917-1E6A088CF594}	{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B464CC62-0702-44a5-A1DF-32393B32F65E}	{997C22E0-988E-47ac-B917-1E6A088CF594}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A35811B1-BB52-4f79-9023-7FF8D5DA5737}\stubpath = "C:\\Windows\\{A35811B1-BB52-4f79-9023-7FF8D5DA5737}.exe"	{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe

Executes dropped EXE 10 IoCs

pid	Process
5108	{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe
2368	{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe
1752	{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe
3576	{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe
1264	{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe
1712	{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe
4944	{997C22E0-988E-47ac-B917-1E6A088CF594}.exe
404	{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe
4672	{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe
2528	{A35811B1-BB52-4f79-9023-7FF8D5DA5737}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe	{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe
File created	C:\Windows\{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe	{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe
File created	C:\Windows\{997C22E0-988E-47ac-B917-1E6A088CF594}.exe	{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe
File created	C:\Windows\{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe	{997C22E0-988E-47ac-B917-1E6A088CF594}.exe
File created	C:\Windows\{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe	{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe
File created	C:\Windows\{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe	{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe
File created	C:\Windows\{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe	{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe
File created	C:\Windows\{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe
File created	C:\Windows\{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe	{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe
File created	C:\Windows\{A35811B1-BB52-4f79-9023-7FF8D5DA5737}.exe	{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2660	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5108	{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe
Token: SeIncBasePriorityPrivilege	2368	{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe
Token: SeIncBasePriorityPrivilege	1752	{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe
Token: SeIncBasePriorityPrivilege	3576	{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe
Token: SeIncBasePriorityPrivilege	1264	{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe
Token: SeIncBasePriorityPrivilege	1712	{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe
Token: SeIncBasePriorityPrivilege	4944	{997C22E0-988E-47ac-B917-1E6A088CF594}.exe
Token: SeIncBasePriorityPrivilege	404	{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe
Token: SeIncBasePriorityPrivilege	4672	{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 5108	2660	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	91
PID 2660 wrote to memory of 5108	2660	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	91
PID 2660 wrote to memory of 5108	2660	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	91
PID 2660 wrote to memory of 2596	2660	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	92
PID 2660 wrote to memory of 2596	2660	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	92
PID 2660 wrote to memory of 2596	2660	2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe	92
PID 5108 wrote to memory of 2368	5108	{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe	94
PID 5108 wrote to memory of 2368	5108	{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe	94
PID 5108 wrote to memory of 2368	5108	{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe	94
PID 5108 wrote to memory of 4620	5108	{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe	95
PID 5108 wrote to memory of 4620	5108	{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe	95
PID 5108 wrote to memory of 4620	5108	{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe	95
PID 2368 wrote to memory of 1752	2368	{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe	96
PID 2368 wrote to memory of 1752	2368	{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe	96
PID 2368 wrote to memory of 1752	2368	{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe	96
PID 2368 wrote to memory of 2212	2368	{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe	97
PID 2368 wrote to memory of 2212	2368	{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe	97
PID 2368 wrote to memory of 2212	2368	{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe	97
PID 1752 wrote to memory of 3576	1752	{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe	104
PID 1752 wrote to memory of 3576	1752	{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe	104
PID 1752 wrote to memory of 3576	1752	{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe	104
PID 1752 wrote to memory of 2144	1752	{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe	105
PID 1752 wrote to memory of 2144	1752	{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe	105
PID 1752 wrote to memory of 2144	1752	{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe	105
PID 3576 wrote to memory of 1264	3576	{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe	110
PID 3576 wrote to memory of 1264	3576	{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe	110
PID 3576 wrote to memory of 1264	3576	{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe	110
PID 3576 wrote to memory of 4636	3576	{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe	111
PID 3576 wrote to memory of 4636	3576	{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe	111
PID 3576 wrote to memory of 4636	3576	{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe	111
PID 1264 wrote to memory of 1712	1264	{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe	112
PID 1264 wrote to memory of 1712	1264	{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe	112
PID 1264 wrote to memory of 1712	1264	{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe	112
PID 1264 wrote to memory of 3624	1264	{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe	113
PID 1264 wrote to memory of 3624	1264	{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe	113
PID 1264 wrote to memory of 3624	1264	{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe	113
PID 1712 wrote to memory of 4944	1712	{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe	114
PID 1712 wrote to memory of 4944	1712	{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe	114
PID 1712 wrote to memory of 4944	1712	{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe	114
PID 1712 wrote to memory of 2380	1712	{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe	115
PID 1712 wrote to memory of 2380	1712	{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe	115
PID 1712 wrote to memory of 2380	1712	{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe	115
PID 4944 wrote to memory of 404	4944	{997C22E0-988E-47ac-B917-1E6A088CF594}.exe	116
PID 4944 wrote to memory of 404	4944	{997C22E0-988E-47ac-B917-1E6A088CF594}.exe	116
PID 4944 wrote to memory of 404	4944	{997C22E0-988E-47ac-B917-1E6A088CF594}.exe	116
PID 4944 wrote to memory of 804	4944	{997C22E0-988E-47ac-B917-1E6A088CF594}.exe	117
PID 4944 wrote to memory of 804	4944	{997C22E0-988E-47ac-B917-1E6A088CF594}.exe	117
PID 4944 wrote to memory of 804	4944	{997C22E0-988E-47ac-B917-1E6A088CF594}.exe	117
PID 404 wrote to memory of 4672	404	{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe	119
PID 404 wrote to memory of 4672	404	{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe	119
PID 404 wrote to memory of 4672	404	{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe	119
PID 404 wrote to memory of 2192	404	{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe	120
PID 404 wrote to memory of 2192	404	{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe	120
PID 404 wrote to memory of 2192	404	{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe	120
PID 4672 wrote to memory of 2528	4672	{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe	121
PID 4672 wrote to memory of 2528	4672	{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe	121
PID 4672 wrote to memory of 2528	4672	{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe	121
PID 4672 wrote to memory of 2780	4672	{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe	122
PID 4672 wrote to memory of 2780	4672	{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe	122
PID 4672 wrote to memory of 2780	4672	{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe	122

C:\Users\Admin\AppData\Local\Temp\2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_0e24a835f1878de60bf1d300e4ae1d1f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe
  C:\Windows\{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe
    C:\Windows\{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe
      C:\Windows\{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe
        
        C:\Windows\{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3576
      - C:\Windows\{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe
        
        C:\Windows\{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe
        
        C:\Windows\{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{997C22E0-988E-47ac-B917-1E6A088CF594}.exe
        
        C:\Windows\{997C22E0-988E-47ac-B917-1E6A088CF594}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe
        
        C:\Windows\{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe
        
        C:\Windows\{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\{A35811B1-BB52-4f79-9023-7FF8D5DA5737}.exe
        
        C:\Windows\{A35811B1-BB52-4f79-9023-7FF8D5DA5737}.exe
        11⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{902D0~1.EXE > nul
        11⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B464C~1.EXE > nul
        10⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{997C2~1.EXE > nul
        9⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC734~1.EXE > nul
        8⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C32C~1.EXE > nul
        7⤵
        
        PID:3624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{393E7~1.EXE > nul
        6⤵
        
        PID:4636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C47C~1.EXE > nul
        5⤵
        
        PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{73CE1~1.EXE > nul
      4⤵
      PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BDF15~1.EXE > nul
    3⤵
    PID:4620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe

Filesize
408KB

MD5
4c97ccdfcc6e88e95bc059cbb89338a7

SHA1
076ac469b5e2c7246eb228e9e114669ebcd678cc

SHA256
f07d167d7944d1554df9ca2a56cc5c871722d2dd76082b910c72f000da353ca1

SHA512
5aee6fd706193983bc804490d2d0c5052c0e9e974e8f581542e6cb2c4b9cd86af0d9fd5f399ac9d37225dc9621e89fbada5c674cda97e85cfd6289b676b4dd44

Download Submit
C:\Windows\{2C47C6C5-43A8-49ea-8E78-08790E17B2A7}.exe

Filesize
384KB

MD5
c97f063e1d6cdfd8271886473f39e99b

SHA1
524c42141c6f2d9f9f05d82a16f73c4fc58069ac

SHA256
0670bc693ab62f9c6d7621a41c7cb2d83a2c3fc55015ca61453fe3b0170c7df8

SHA512
03b55ee027537933ea631a627d2b7a8c691978a7ebd9eb69a687b8a31c4a9f5e9896433ac987e9f28c5d3bc8d775500b51a042b8d454f73edac94f1392512eb5

Download Submit
C:\Windows\{393E7223-4ECF-4d30-916D-2DC6E8A75F29}.exe

Filesize
408KB

MD5
a6f6b46c0923fc931b1d2648bdb86047

SHA1
4c1385c8caf5bf4e304218c092acfddb4a801dab

SHA256
57160e7a3fd7361eb52b973b073a7be99ed0b775a3601c8b6f9a21049897dd8c

SHA512
1425b8bbc0d32b2d15d4ce72b0753c945bd1c542202c427c447b4bee5cc307e0fa80a14d1aa811434dd7053768cb1c87559532612977e447048b159683a1a16d

Download Submit
C:\Windows\{73CE15FC-C00B-43b8-8487-8111A070A50F}.exe

Filesize
408KB

MD5
c5075921383cb06677a5f7d23cfd5121

SHA1
5254edd2b231968c31d96ef23577b267c16d7f60

SHA256
14e44efd183e1d89e5b3fc584b4298a785466f9184a1c2941f496c15cabed5b3

SHA512
7c41804463ca37263a2a481129ad9ec498d460fbf3335ed4fdda29167b868f85d104c9e231fa9fb63af38a96583edef09e1151794ac5d207c0875f71218c2260

Download Submit
C:\Windows\{8C32C3D4-4F20-4198-9B14-8D4092EDC212}.exe

Filesize
408KB

MD5
1a58a3aa9fccc0e91e830eb2ab076a5c

SHA1
0a11b4a8660ebef37410a3a78c08466e338925c0

SHA256
53e99a0ff84346182be60c6b902a6dcd9f961d573f87c5fd528ec82a9d3cb4c7

SHA512
8f16a573264d649df74ab4b653623f42832233e955e6e2dc31068003536c55eb7abd399f4916156d3e14c30c65a0ec793338634b36b8de366e83e85ab05b0b05

Download Submit
C:\Windows\{902D043B-8D26-4318-BB7A-0EBED2059A7E}.exe

Filesize
408KB

MD5
586d288b97f84206895c8d70de7dcb43

SHA1
984bea77582c1b15ffedde502d1b1dbce1bdfe6c

SHA256
c2ecde06972f70da18ea8a7f52a2195fa29a1180edfbe2ecbe2a9310070497d7

SHA512
9b032bc1ec5b464f981c3ff16b947da7573432f4ccb4afa43f339fb67d7a7ec3a000da3b44bb9b155792902d1881db592f09a446c7e631afa85c3b3266ce7720

Download Submit
C:\Windows\{997C22E0-988E-47ac-B917-1E6A088CF594}.exe

Filesize
408KB

MD5
e2908ffed6be021d8b0d182a9cef3aba

SHA1
8d4a115e6244073df64d776f56d91d6e36fecdc2

SHA256
0130d70b5b0e49dc4eb65f742038388aa08d20e67c49b44bdcbc8e2bf7b07b9f

SHA512
cab6f0da92fa142670141722e764a27e80a34d30369a24f722bf9eb13d84ce5aa3d761c8a345b0e54a14efe716e67bab0897bc3811607ffece100de712a91949

Download Submit
C:\Windows\{A35811B1-BB52-4f79-9023-7FF8D5DA5737}.exe

Filesize
408KB

MD5
87f7843f5f245df565a095c7c3620bfb

SHA1
f924541cfb58f379fbea15a065c22aaa3e7162bf

SHA256
0f05d895eb988371dc962beb8fd9c7d2dc87af08f7e10523a626d88a2efc2160

SHA512
05d27a0633b2ac96a4b6429138ef142a9559cb40b03b3698bc6c0c1788827f2f2b7fc656e68599895418117dab7221601504d21169aed7f5015eeaefc99c22c2

Download Submit
C:\Windows\{B464CC62-0702-44a5-A1DF-32393B32F65E}.exe

Filesize
408KB

MD5
2a6ab53d60c502f26e93fd9e015bb94d

SHA1
a466df5f0a9c62af7ce0127188ef2188c49a6b30

SHA256
16fa3353f59e4b3f4b4fd4d22682be53c5a1971f2e3dcc2082caa7a79a2ef5a4

SHA512
8d9a6918b65f05ce0c8ca7dc040b9a45f99b217598fbdbba933962bada14d67495c45a9d53bcb04c3785bc61d13113c73d6fd6448f17bcef83f9b4c5fa82c586

Download Submit
C:\Windows\{BC734D1E-1056-43fe-B8DE-B40ADDBE6171}.exe

Filesize
408KB

MD5
61273ff3882a9ce31f30364cd68fd0ed

SHA1
3da6fa2b3ff0f0e20b93d68131ae69eb0dda02dd

SHA256
b8b5b72453ecbe5cc56bc4e1199a0e9b6abab3ce1718c466177295d17544e82c

SHA512
c505923f7edb2b1249d5a36c96bab4d2b1489dd749e790e6baaaacb2e57f8b3b6556e2d6adf273c2f8a7dcdd277a4ea1c39453219e434f4ebba80451890e8b12

Download Submit
C:\Windows\{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe

Filesize
175KB

MD5
5b8dc61ece8b48e5ff81c7562e5095f1

SHA1
620de30503dfefd3de62bf54d9dc01498bebea5e

SHA256
b7c9f14c34563c30fb662c1bacaa192da514a1341111fe7fb3b7efe396f01e90

SHA512
9747cad8923f541ffc3727d7a48ca2c353ab91978aa194959d094f68a2c2010750588ff22715c6a59394abf14d78bd60beecc40da9541104f7766af2e72a09c1

Download Submit
C:\Windows\{BDF15478-1A09-4969-8F17-F7EA3500E20E}.exe

Filesize
408KB

MD5
b23084c9d3c8d58de8e2d0c887633f38

SHA1
b228c3a8b1961f3a8cf29b3e604f9db0c59df1ff

SHA256
adec8fc0078b77b6a902745b16593d957848532a51fd6487392f002b716cd021

SHA512
25f5c9c6f80dfb911efad35edfb537a3919c78e3027fab3ec1f51bfee05e5d844483ce1a9c72753bd6133cb8eb1dd44d0451ad23f5228c6e717ef6b6022db4e3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads