bacb0dd6f226de00206c33c68f974a5f2c47845daaefe3fda6202413a9388135

Analysis

max time kernel
158s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe
Size

204KB
MD5

85a92a69c015e932e9f8c273d45ccbf9
SHA1

cdf6fd2ccbffc91abcb47f85a5fe49b6114dc694
SHA256

bacb0dd6f226de00206c33c68f974a5f2c47845daaefe3fda6202413a9388135
SHA512

3a1601198ab8c4d9eb2708ee6e19604bfffe76e1cbeb6f3e239d9f3d6dde27b485fdd560880834bbdbb4072a8a1ff02f8b95e2c045fbf180040c62b2251ce777
SSDEEP

1536:1EGh0ojl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ojl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AA87E4E-5D52-4531-A5CD-8F14440D5375}	{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}\stubpath = "C:\\Windows\\{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe"	{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}	{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}\stubpath = "C:\\Windows\\{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe"	{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4807E609-7841-4e43-8113-C39878061069}	{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}	{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}\stubpath = "C:\\Windows\\{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe"	{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}	2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}	{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}	{4807E609-7841-4e43-8113-C39878061069}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}\stubpath = "C:\\Windows\\{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe"	{4807E609-7841-4e43-8113-C39878061069}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}\stubpath = "C:\\Windows\\{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe"	{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6616B4C7-9C51-487d-9D94-D19344400CAF}\stubpath = "C:\\Windows\\{6616B4C7-9C51-487d-9D94-D19344400CAF}.exe"	{A05BE4D2-44E7-446d-8B0B-EF02BDDA443C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}\stubpath = "C:\\Windows\\{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe"	{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}	{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}	{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B67AA095-DE04-435f-8B83-2BEE0349B08A}	{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B67AA095-DE04-435f-8B83-2BEE0349B08A}\stubpath = "C:\\Windows\\{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe"	{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6616B4C7-9C51-487d-9D94-D19344400CAF}	{A05BE4D2-44E7-446d-8B0B-EF02BDDA443C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}\stubpath = "C:\\Windows\\{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe"	2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4807E609-7841-4e43-8113-C39878061069}\stubpath = "C:\\Windows\\{4807E609-7841-4e43-8113-C39878061069}.exe"	{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AA87E4E-5D52-4531-A5CD-8F14440D5375}\stubpath = "C:\\Windows\\{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe"	{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A05BE4D2-44E7-446d-8B0B-EF02BDDA443C}	{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A05BE4D2-44E7-446d-8B0B-EF02BDDA443C}\stubpath = "C:\\Windows\\{A05BE4D2-44E7-446d-8B0B-EF02BDDA443C}.exe"	{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe

Executes dropped EXE 12 IoCs

pid	Process
3600	{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe
1168	{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe
792	{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe
4952	{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe
1160	{4807E609-7841-4e43-8113-C39878061069}.exe
1076	{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe
3716	{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe
3700	{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe
2528	{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe
3884	{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe
3308	{A05BE4D2-44E7-446d-8B0B-EF02BDDA443C}.exe
4496	{6616B4C7-9C51-487d-9D94-D19344400CAF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe	{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe
File created	C:\Windows\{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe	{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe
File created	C:\Windows\{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe	{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe
File created	C:\Windows\{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe	{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe
File created	C:\Windows\{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe	{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe
File created	C:\Windows\{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe	2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe
File created	C:\Windows\{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe	{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe
File created	C:\Windows\{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe	{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe
File created	C:\Windows\{A05BE4D2-44E7-446d-8B0B-EF02BDDA443C}.exe	{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe
File created	C:\Windows\{6616B4C7-9C51-487d-9D94-D19344400CAF}.exe	{A05BE4D2-44E7-446d-8B0B-EF02BDDA443C}.exe
File created	C:\Windows\{4807E609-7841-4e43-8113-C39878061069}.exe	{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe
File created	C:\Windows\{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe	{4807E609-7841-4e43-8113-C39878061069}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4516	2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3600	{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe
Token: SeIncBasePriorityPrivilege	1168	{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe
Token: SeIncBasePriorityPrivilege	792	{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe
Token: SeIncBasePriorityPrivilege	4952	{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe
Token: SeIncBasePriorityPrivilege	1160	{4807E609-7841-4e43-8113-C39878061069}.exe
Token: SeIncBasePriorityPrivilege	1076	{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe
Token: SeIncBasePriorityPrivilege	3716	{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe
Token: SeIncBasePriorityPrivilege	3700	{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe
Token: SeIncBasePriorityPrivilege	2528	{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe
Token: SeIncBasePriorityPrivilege	3884	{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe
Token: SeIncBasePriorityPrivilege	3308	{A05BE4D2-44E7-446d-8B0B-EF02BDDA443C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 3600	4516	2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe	98
PID 4516 wrote to memory of 3600	4516	2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe	98
PID 4516 wrote to memory of 3600	4516	2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe	98
PID 4516 wrote to memory of 2700	4516	2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe	97
PID 4516 wrote to memory of 2700	4516	2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe	97
PID 4516 wrote to memory of 2700	4516	2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe	97
PID 3600 wrote to memory of 1168	3600	{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe	101
PID 3600 wrote to memory of 1168	3600	{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe	101
PID 3600 wrote to memory of 1168	3600	{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe	101
PID 3600 wrote to memory of 4364	3600	{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe	102
PID 3600 wrote to memory of 4364	3600	{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe	102
PID 3600 wrote to memory of 4364	3600	{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe	102
PID 1168 wrote to memory of 792	1168	{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe	104
PID 1168 wrote to memory of 792	1168	{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe	104
PID 1168 wrote to memory of 792	1168	{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe	104
PID 1168 wrote to memory of 1624	1168	{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe	103
PID 1168 wrote to memory of 1624	1168	{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe	103
PID 1168 wrote to memory of 1624	1168	{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe	103
PID 792 wrote to memory of 4952	792	{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe	106
PID 792 wrote to memory of 4952	792	{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe	106
PID 792 wrote to memory of 4952	792	{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe	106
PID 792 wrote to memory of 852	792	{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe	107
PID 792 wrote to memory of 852	792	{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe	107
PID 792 wrote to memory of 852	792	{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe	107
PID 4952 wrote to memory of 1160	4952	{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe	110
PID 4952 wrote to memory of 1160	4952	{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe	110
PID 4952 wrote to memory of 1160	4952	{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe	110
PID 4952 wrote to memory of 3556	4952	{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe	111
PID 4952 wrote to memory of 3556	4952	{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe	111
PID 4952 wrote to memory of 3556	4952	{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe	111
PID 1160 wrote to memory of 1076	1160	{4807E609-7841-4e43-8113-C39878061069}.exe	115
PID 1160 wrote to memory of 1076	1160	{4807E609-7841-4e43-8113-C39878061069}.exe	115
PID 1160 wrote to memory of 1076	1160	{4807E609-7841-4e43-8113-C39878061069}.exe	115
PID 1160 wrote to memory of 852	1160	{4807E609-7841-4e43-8113-C39878061069}.exe	116
PID 1160 wrote to memory of 852	1160	{4807E609-7841-4e43-8113-C39878061069}.exe	116
PID 1160 wrote to memory of 852	1160	{4807E609-7841-4e43-8113-C39878061069}.exe	116
PID 1076 wrote to memory of 3716	1076	{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe	118
PID 1076 wrote to memory of 3716	1076	{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe	118
PID 1076 wrote to memory of 3716	1076	{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe	118
PID 1076 wrote to memory of 2708	1076	{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe	119
PID 1076 wrote to memory of 2708	1076	{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe	119
PID 1076 wrote to memory of 2708	1076	{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe	119
PID 3716 wrote to memory of 3700	3716	{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe	121
PID 3716 wrote to memory of 3700	3716	{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe	121
PID 3716 wrote to memory of 3700	3716	{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe	121
PID 3716 wrote to memory of 5016	3716	{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe	122
PID 3716 wrote to memory of 5016	3716	{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe	122
PID 3716 wrote to memory of 5016	3716	{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe	122
PID 3700 wrote to memory of 2528	3700	{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe	125
PID 3700 wrote to memory of 2528	3700	{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe	125
PID 3700 wrote to memory of 2528	3700	{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe	125
PID 3700 wrote to memory of 2924	3700	{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe	126
PID 3700 wrote to memory of 2924	3700	{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe	126
PID 3700 wrote to memory of 2924	3700	{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe	126
PID 2528 wrote to memory of 3884	2528	{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe	127
PID 2528 wrote to memory of 3884	2528	{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe	127
PID 2528 wrote to memory of 3884	2528	{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe	127
PID 2528 wrote to memory of 2324	2528	{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe	128
PID 2528 wrote to memory of 2324	2528	{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe	128
PID 2528 wrote to memory of 2324	2528	{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe	128
PID 3884 wrote to memory of 3308	3884	{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe	129
PID 3884 wrote to memory of 3308	3884	{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe	129
PID 3884 wrote to memory of 3308	3884	{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe	129
PID 3884 wrote to memory of 4812	3884	{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_85a92a69c015e932e9f8c273d45ccbf9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2700
- C:\Windows\{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe
  C:\Windows\{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe
    C:\Windows\{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1CBA~1.EXE > nul
      4⤵
      PID:1624
  - - C:\Windows\{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe
      C:\Windows\{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Windows\{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe
        
        C:\Windows\{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Windows\{4807E609-7841-4e43-8113-C39878061069}.exe
        
        C:\Windows\{4807E609-7841-4e43-8113-C39878061069}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe
        
        C:\Windows\{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe
        
        C:\Windows\{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe
        
        C:\Windows\{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe
        
        C:\Windows\{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe
        
        C:\Windows\{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\{A05BE4D2-44E7-446d-8B0B-EF02BDDA443C}.exe
        
        C:\Windows\{A05BE4D2-44E7-446d-8B0B-EF02BDDA443C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
        
        C:\Windows\{6616B4C7-9C51-487d-9D94-D19344400CAF}.exe
        
        C:\Windows\{6616B4C7-9C51-487d-9D94-D19344400CAF}.exe
        13⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A05BE~1.EXE > nul
        13⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AA87~1.EXE > nul
        12⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B67AA~1.EXE > nul
        11⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FF94~1.EXE > nul
        10⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A72C~1.EXE > nul
        9⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64429~1.EXE > nul
        8⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4807E~1.EXE > nul
        7⤵
        
        PID:852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6900A~1.EXE > nul
        6⤵
        
        PID:3556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{634E5~1.EXE > nul
        5⤵
        
        PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{81FCA~1.EXE > nul
    3⤵
    PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3FF94191-BE7B-4941-B5CE-DF93C2BCF2F2}.exe

Filesize
204KB

MD5
3c826e0924317c67a88c60955e75071e

SHA1
8d8e2efba7e0cebed3cf66e2c9fdbfc336157d3c

SHA256
885352663250cfb82764850329226d4459a6c6047a4c1c085025727436e26bbd

SHA512
ea03de40cdae4c0b357d462b83e7a44f86516fe02668098777c43c814d7723ee3115ec96acfc82cf06729791a8798fe4c68d0099898b458f3002fccb5fa2b74f

Download Submit
C:\Windows\{4807E609-7841-4e43-8113-C39878061069}.exe

Filesize
204KB

MD5
d4bac15937336d2990ce31ca4d9ab344

SHA1
621010bb6076520ccdf4f69d6a056f317e69fd41

SHA256
dd3410b6bcd5844af76c171e8c583c60531410398ea4496201ef60fd6d341e13

SHA512
e7aa144ebe36c05d9b6712c5361d30fe7b762e34fc9751cebc8b197487320e6f0d9a482c4ec9f8742fe21e818f67031dd721cad0db863fd124d403d4ba10ebdb

Download Submit
C:\Windows\{634E5745-7618-470f-9C7A-DB8D9B7DA1AE}.exe

Filesize
204KB

MD5
d6ebb44cd7d8792ea3c41d75d4dfdfd6

SHA1
0227203ac5fec0406791e89736066538534bff10

SHA256
8ca7e4fa91eb68e6d224948f4825cf3698e000f183e3c1f4733b5992127254d4

SHA512
b4d9eeda460290110e14f55050a884b8a7dfafbbb0bcaa8753b85af28cea3d35b8ee3c37699cda21d1782b87462c680986601cfdd93be7a9b22db3f0fcf809d3

Download Submit
C:\Windows\{64429696-AF91-4f13-A59B-EAEBE6BAD0FC}.exe

Filesize
204KB

MD5
091ff58da91bb13bd9bc63333461cb16

SHA1
433abbbcbd21d1f3fcff508ba468c6eb8e59e23c

SHA256
012c7ebe6cf3b69833f95e00aa938e1bc9c1655a5e6c0270e888e5fb08a45e99

SHA512
e0f65347e180405ae73e72351b6f1cdffeb3528d6a30ede7be7fc4b652c15164cb732d1283e375ca1808a35637e071352036fca62ac1c2d077d38c19b9ad3aba

Download Submit
C:\Windows\{6616B4C7-9C51-487d-9D94-D19344400CAF}.exe

Filesize
204KB

MD5
53f007f1c3d1ee7807e774f0e7021f76

SHA1
e5fca1b9ac859c0693ede20945161fff85342976

SHA256
68c6fc94f00eff8ddc1eb7ddf7a50408970fd63bbacf7e521411f8d11ddbbf60

SHA512
2a13b02660f551d343af11b26a9b734aa4cba3f3d415e96ea80c1c5201c89db8aa01fe448f7bf7a0a1c82996a0d7dc6b885f568c743daffe71cf8d49071f2301

Download Submit
C:\Windows\{6900A6D2-4EF2-4e79-8D72-0C0F977E02C8}.exe

Filesize
204KB

MD5
7d2adb8ce871e6467cf2c8b1c0b9d4f3

SHA1
9746abb68070b9322a76ac32a5d766fefe513d02

SHA256
e0180fcd5c3e1aa60b6849127a2088bfdfd583d148c8110c7596d45fe883a1ce

SHA512
8602b722640c46452a904b8c3f28f8c489fa868e23503b4fda6b1184b566aeab3c2877bee6702f80496e0331802c3d31d244d81e8b9d85a3592130691d260604

Download Submit
C:\Windows\{81FCA63A-B9DD-4a0a-9152-9ECDA32D59B5}.exe

Filesize
204KB

MD5
e2a0271be0409028c6ddf5aa509ba896

SHA1
c2e7f4a44d3eb4a34e3058a631ae4d9a1d9488ec

SHA256
a49f5e35707b376b05d6263727d6d12c905fe679768ce9f7737d3f614e595baf

SHA512
2cfc7852edabcb6bb1c700874e5d8f82eec190fbcdeceb757b82539d74b99bfe78b1a7cbcd28103946b490569148af3f597e796c5ccb6fbb0071fc12d6bc98cb

Download Submit
C:\Windows\{8A72CFBA-405C-4afd-9F7A-8B5DBB0301E8}.exe

Filesize
204KB

MD5
4d6d88e5fb7e9a4037222f1faefb9bb3

SHA1
e8f4e2996cf02cf7f1c85aa2b79214d9490dbe11

SHA256
08cc512a39265d6325eb89bac84b2880934d5936cb2219e1f7315a5cc70ec602

SHA512
dab81d36a880df43b6b9fb0ada74c2a8fd9d501c6732176d365cc3ae6450963fb34ca012f3b0b6a807c6f867cdcf4c9517df63845dff54ff4647a76820e47890

Download Submit
C:\Windows\{9AA87E4E-5D52-4531-A5CD-8F14440D5375}.exe

Filesize
204KB

MD5
d3a0dd21e06d72c84cd248742a51ebc3

SHA1
d7348fe1e8ef4e8bd35b36e5f3d78fda4c709211

SHA256
36efca3d4f7c041aa0121c800028c4dfb71921bf0e9c3e329ded3be4fcf74c1f

SHA512
ef3f694a9818689cab9ee422eb1a3bc0cb205fede81c0df42ab30ef80732cc03f7a0399a1de5d95995dc102cb66c96806f3d3ae7b8929ab89a3507cbccb38f81

Download Submit
C:\Windows\{A05BE4D2-44E7-446d-8B0B-EF02BDDA443C}.exe

Filesize
204KB

MD5
7fd43d1b7c9f51478b1bf10f32dfef0d

SHA1
f5908483c6a9927232e2d4b9b029f239677dfc11

SHA256
294b4dab957bd803c88950c3083c85728fea23eadfb0a7861655216f072079a1

SHA512
a3af5d116dfbe40814e2ef6ae3ab953b5e8eeaee943af0cda3dfa3babed134e448472149793a3b0898473d508a1d9c7c6b7ab999afdb368bc880bd8fddd2192f

Download Submit
C:\Windows\{A1CBAA58-95F8-495c-B61F-F7CF1EAE6569}.exe

Filesize
204KB

MD5
b788db5cdbc9f52b485c7cbc7ae81ffc

SHA1
227140a2658d1567b900d15507a94111bb878d2f

SHA256
44c9e0d49bbf8aaf31b2d5054b8653504affe7a7fbe24ec9d77bd722ed6f674d

SHA512
ff711653911a99bd88991edf40e87a074a0336bdb92ee70fab28a8e9495453b68073f3ed3476750e5c5b97d0f124d8656eb986c9ac7ce98f91283ecc279dea9b

Download Submit
C:\Windows\{B67AA095-DE04-435f-8B83-2BEE0349B08A}.exe

Filesize
204KB

MD5
eba2ae3150eb372a14a73070e8da334d

SHA1
9ccd21741f40b7e80b65e9469e7e8edc3ecd2c08

SHA256
03789de2dc9a4567ff528b7d664c51f72458e8d82ad5addd1ff131464963ece1

SHA512
79fca4ebe4d20f38dd8ac06c5dd77bc6f243a21c272fa97d758f1c3370f0434a2606af70d9ab5ad2f1afc3c25c02e83c5ff84e998a3bc3682402d81e99d32237

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads