38c8fb05f8ce388a8ddd02e39dcc1928037e3a325c5e919ea0bb8b9753441393

Analysis

max time kernel
189s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 05:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe
Size

180KB
MD5

09b052b259a1146cfec5f332089c2d8e
SHA1

fb0718b51db55f120347de226cb3fa343f7950d8
SHA256

38c8fb05f8ce388a8ddd02e39dcc1928037e3a325c5e919ea0bb8b9753441393
SHA512

3a9d928f29e135e38c7e6b49c88c447de507c1ff5837503f7b224083f75bc3fe55efb2c2403c04a15aeb6407faeb8c27c057216dd00457b1e368af21881221bc
SSDEEP

3072:jEGh0oMlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGyl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4247AB66-C148-4d27-A210-98AE41E4A2AA}\stubpath = "C:\\Windows\\{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe"	{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D71DA80-2CEE-413e-8476-0ECD216A51F1}\stubpath = "C:\\Windows\\{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe"	{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}	{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E10B49D9-DC29-4231-B75A-F4121D33CEF2}	{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F17A167-BA58-4ecb-896E-3E2FB8FE5547}\stubpath = "C:\\Windows\\{7F17A167-BA58-4ecb-896E-3E2FB8FE5547}.exe"	{C09AC486-CD75-45b1-9E25-392F116A0319}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B273EDB8-B6AF-4259-95C7-F2886A214598}	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B273EDB8-B6AF-4259-95C7-F2886A214598}\stubpath = "C:\\Windows\\{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe"	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4247AB66-C148-4d27-A210-98AE41E4A2AA}	{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F17A167-BA58-4ecb-896E-3E2FB8FE5547}	{C09AC486-CD75-45b1-9E25-392F116A0319}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}\stubpath = "C:\\Windows\\{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe"	{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E10B49D9-DC29-4231-B75A-F4121D33CEF2}\stubpath = "C:\\Windows\\{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe"	{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5572A2B3-A588-4279-AF06-1E44D07E18D8}	{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{387E017D-802E-4faa-B5F2-4A7064F0F286}\stubpath = "C:\\Windows\\{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe"	{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C09AC486-CD75-45b1-9E25-392F116A0319}	{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C09AC486-CD75-45b1-9E25-392F116A0319}\stubpath = "C:\\Windows\\{C09AC486-CD75-45b1-9E25-392F116A0319}.exe"	{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5572A2B3-A588-4279-AF06-1E44D07E18D8}\stubpath = "C:\\Windows\\{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe"	{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{952779BE-4430-461b-B5FB-A1E8EAA64B68}	{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{952779BE-4430-461b-B5FB-A1E8EAA64B68}\stubpath = "C:\\Windows\\{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe"	{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D71DA80-2CEE-413e-8476-0ECD216A51F1}	{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{387E017D-802E-4faa-B5F2-4A7064F0F286}	{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe

Executes dropped EXE 10 IoCs

pid	Process
4060	{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe
3712	{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe
3408	{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe
2536	{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe
1188	{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe
1312	{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe
4292	{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe
4604	{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe
4176	{C09AC486-CD75-45b1-9E25-392F116A0319}.exe
2408	{7F17A167-BA58-4ecb-896E-3E2FB8FE5547}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe	{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe
File created	C:\Windows\{7F17A167-BA58-4ecb-896E-3E2FB8FE5547}.exe	{C09AC486-CD75-45b1-9E25-392F116A0319}.exe
File created	C:\Windows\{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe	{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe
File created	C:\Windows\{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe	{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe
File created	C:\Windows\{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe	{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe
File created	C:\Windows\{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe	{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe
File created	C:\Windows\{C09AC486-CD75-45b1-9E25-392F116A0319}.exe	{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe
File created	C:\Windows\{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe
File created	C:\Windows\{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe	{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe
File created	C:\Windows\{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe	{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3476	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4060	{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe
Token: SeIncBasePriorityPrivilege	3712	{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe
Token: SeIncBasePriorityPrivilege	3408	{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe
Token: SeIncBasePriorityPrivilege	2536	{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe
Token: SeIncBasePriorityPrivilege	1188	{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe
Token: SeIncBasePriorityPrivilege	1312	{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe
Token: SeIncBasePriorityPrivilege	4292	{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe
Token: SeIncBasePriorityPrivilege	4604	{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe
Token: SeIncBasePriorityPrivilege	4176	{C09AC486-CD75-45b1-9E25-392F116A0319}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 4060	3476	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	93
PID 3476 wrote to memory of 4060	3476	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	93
PID 3476 wrote to memory of 4060	3476	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	93
PID 3476 wrote to memory of 896	3476	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	94
PID 3476 wrote to memory of 896	3476	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	94
PID 3476 wrote to memory of 896	3476	2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe	94
PID 4060 wrote to memory of 3712	4060	{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe	97
PID 4060 wrote to memory of 3712	4060	{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe	97
PID 4060 wrote to memory of 3712	4060	{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe	97
PID 4060 wrote to memory of 4984	4060	{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe	96
PID 4060 wrote to memory of 4984	4060	{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe	96
PID 4060 wrote to memory of 4984	4060	{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe	96
PID 3712 wrote to memory of 3408	3712	{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe	105
PID 3712 wrote to memory of 3408	3712	{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe	105
PID 3712 wrote to memory of 3408	3712	{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe	105
PID 3712 wrote to memory of 4980	3712	{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe	104
PID 3712 wrote to memory of 4980	3712	{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe	104
PID 3712 wrote to memory of 4980	3712	{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe	104
PID 3408 wrote to memory of 2536	3408	{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe	107
PID 3408 wrote to memory of 2536	3408	{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe	107
PID 3408 wrote to memory of 2536	3408	{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe	107
PID 3408 wrote to memory of 4920	3408	{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe	108
PID 3408 wrote to memory of 4920	3408	{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe	108
PID 3408 wrote to memory of 4920	3408	{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe	108
PID 2536 wrote to memory of 1188	2536	{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe	109
PID 2536 wrote to memory of 1188	2536	{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe	109
PID 2536 wrote to memory of 1188	2536	{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe	109
PID 2536 wrote to memory of 4932	2536	{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe	110
PID 2536 wrote to memory of 4932	2536	{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe	110
PID 2536 wrote to memory of 4932	2536	{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe	110
PID 1188 wrote to memory of 1312	1188	{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe	111
PID 1188 wrote to memory of 1312	1188	{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe	111
PID 1188 wrote to memory of 1312	1188	{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe	111
PID 1188 wrote to memory of 2372	1188	{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe	112
PID 1188 wrote to memory of 2372	1188	{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe	112
PID 1188 wrote to memory of 2372	1188	{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe	112
PID 1312 wrote to memory of 4292	1312	{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe	115
PID 1312 wrote to memory of 4292	1312	{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe	115
PID 1312 wrote to memory of 4292	1312	{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe	115
PID 1312 wrote to memory of 4640	1312	{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe	116
PID 1312 wrote to memory of 4640	1312	{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe	116
PID 1312 wrote to memory of 4640	1312	{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe	116
PID 4292 wrote to memory of 4604	4292	{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe	119
PID 4292 wrote to memory of 4604	4292	{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe	119
PID 4292 wrote to memory of 4604	4292	{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe	119
PID 4292 wrote to memory of 416	4292	{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe	120
PID 4292 wrote to memory of 416	4292	{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe	120
PID 4292 wrote to memory of 416	4292	{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe	120
PID 4604 wrote to memory of 4176	4604	{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe	121
PID 4604 wrote to memory of 4176	4604	{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe	121
PID 4604 wrote to memory of 4176	4604	{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe	121
PID 4604 wrote to memory of 3972	4604	{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe	122
PID 4604 wrote to memory of 3972	4604	{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe	122
PID 4604 wrote to memory of 3972	4604	{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe	122
PID 4176 wrote to memory of 2408	4176	{C09AC486-CD75-45b1-9E25-392F116A0319}.exe	123
PID 4176 wrote to memory of 2408	4176	{C09AC486-CD75-45b1-9E25-392F116A0319}.exe	123
PID 4176 wrote to memory of 2408	4176	{C09AC486-CD75-45b1-9E25-392F116A0319}.exe	123
PID 4176 wrote to memory of 4656	4176	{C09AC486-CD75-45b1-9E25-392F116A0319}.exe	124
PID 4176 wrote to memory of 4656	4176	{C09AC486-CD75-45b1-9E25-392F116A0319}.exe	124
PID 4176 wrote to memory of 4656	4176	{C09AC486-CD75-45b1-9E25-392F116A0319}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_09b052b259a1146cfec5f332089c2d8e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe
  C:\Windows\{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B273E~1.EXE > nul
    3⤵
    PID:4984
- - C:\Windows\{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe
    C:\Windows\{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4247A~1.EXE > nul
      4⤵
      PID:4980
  - - C:\Windows\{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe
      C:\Windows\{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3408
    - - C:\Windows\{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe
        
        C:\Windows\{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe
        
        C:\Windows\{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe
        
        C:\Windows\{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe
        
        C:\Windows\{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe
        
        C:\Windows\{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\{C09AC486-CD75-45b1-9E25-392F116A0319}.exe
        
        C:\Windows\{C09AC486-CD75-45b1-9E25-392F116A0319}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\{7F17A167-BA58-4ecb-896E-3E2FB8FE5547}.exe
        
        C:\Windows\{7F17A167-BA58-4ecb-896E-3E2FB8FE5547}.exe
        11⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C09AC~1.EXE > nul
        11⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{387E0~1.EXE > nul
        10⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95277~1.EXE > nul
        9⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5572A~1.EXE > nul
        8⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E10B4~1.EXE > nul
        7⤵
        
        PID:2372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74060~1.EXE > nul
        6⤵
        
        PID:4932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D71D~1.EXE > nul
        5⤵
        
        PID:4920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe

Filesize
5KB

MD5
00867a7d504be5fb031101c2050f9bb9

SHA1
1e2cdeba51e41d81713eba021b269fc0c7f4530b

SHA256
229c08cf8ea1198e9827ec146a8ef445e2d0a1eccb1358ea8953e82bd7536a60

SHA512
aa2ca57eccf9c8f2113051ee0371e20c3f03f4927c822a05ea87da16b23be0ad2c4d0872ef00c610f9b8909f7d539f4ce0c9a64c4edac0a6c9d90fef89417f5f

Download Submit
C:\Windows\{2D71DA80-2CEE-413e-8476-0ECD216A51F1}.exe

Filesize
57KB

MD5
c6e1266407cf358af066d566450e8a10

SHA1
e4737c49eef376cfc14ab325a706884d37bc6ae0

SHA256
368aa4159ef4eae4218ed2abe89334712e434fc997fbf2c601342ce42bdd7e9c

SHA512
6212dc20a24c387b212822f3e4ebddf3c2c82779d4012f780e7a33940664f284e75dc2afc6f71565fc784db2968733cae3df4665b4a42b70635b147fd4e486b7

Download Submit
C:\Windows\{387E017D-802E-4faa-B5F2-4A7064F0F286}.exe

Filesize
180KB

MD5
6dd1b75e9c74bcc47d0ef6e0fcf245ea

SHA1
ff069b668932ce1fdcf5a1fbab710cf4c2ae5196

SHA256
c9904630056dda04d9faa151889780944e2e2ccca5049fbf9a55a14ebdbdfc70

SHA512
64fef8ea0ce7f3b2452fbdf35160d294d957be347a9448eb5c5f39f6514b313caf86ebdf6f41903459dbe704a424b3680dc36e6fa0af8ae3ab8dc1e9d36f4af2

Download Submit
C:\Windows\{4247AB66-C148-4d27-A210-98AE41E4A2AA}.exe

Filesize
32KB

MD5
6054c4657ff135b6ec1d76762f66c475

SHA1
72a5c93011759e35d36200da7cf99e9180b25f4c

SHA256
6ea10e5d4f8eeaf5775d5f4fc815cf60c826cfa9abd11e565a86487625be2e46

SHA512
53dab11e274782568e506e814ec86fef197b817bb749012e78a3637215c16293802837f7c6037aec71b736417f16aece2c76309c07673f6c26cdb692ca46097c

Download Submit
C:\Windows\{5572A2B3-A588-4279-AF06-1E44D07E18D8}.exe

Filesize
180KB

MD5
6b642430a4d70e1f72f623fd25001fa2

SHA1
9c12c5227ca0d7952dc3928f7c85bab250d3ceee

SHA256
8dd000843466928178677885d3c1a071077a3381b3ed2c62109eeb5776cb2c9b

SHA512
193a0575f3d93f76e5f67c976b35b95256705e71ed134b95d4dae869bc4e4945b459acd1f7d7cd4b5db21353d55ebbb5314eecfcfe8c223c59866dbe1ddb511f

Download Submit
C:\Windows\{74060B4B-D59F-41fd-A1A0-C59B6701BBFD}.exe

Filesize
31KB

MD5
04e6bf7331f72db670c52da5cc794317

SHA1
0a7c1093fb60a25281e16e9ffed72361093d5947

SHA256
7c3f08b8f4dcbf4f64d2cd9ba9c69e12297ed86062e0108c1285b7fc1c15cb7a

SHA512
b550cdf2f6ee69f1eb98aeec10a7940ceb82a5c6599c1ea8fb3a511b01c5c06fdb5f478aaa319dcd53bf09a08c0ac39e655838980688bb6de312da0cfe519c34

Download Submit
C:\Windows\{7F17A167-BA58-4ecb-896E-3E2FB8FE5547}.exe

Filesize
180KB

MD5
3e10a5a7d1dc05d2760de67b7430d057

SHA1
fec1a3095e6a97f9a7f113cb6d9c91c0d3840271

SHA256
91ffc2ad1f1b0f1476a8679688bc793657fa194aa8f03098c6ef342082ade1c6

SHA512
da5d2ac5853c64964fc8b1eff7659b6d2b11b5f0638bc2bdc77679813d3ac5f6b66b114079f1a576a1afcc094515e3b616e499cd808703e0169c4c58256fc74c

Download Submit
C:\Windows\{952779BE-4430-461b-B5FB-A1E8EAA64B68}.exe

Filesize
180KB

MD5
727ee28aecc59e2b12d35ea589d8d8f0

SHA1
ac8703f459d2e9394b1000d1098ca904e119a1b5

SHA256
f2500a92d47d371072bec3f0e0dad0a34aebec43c73140677be5aa7e8986f6d1

SHA512
2d0c5876b591afa7da2ffa4bbf71c82cbbf7d700611693b66a10f09323ce8bed479d1f71b17dbcc0d43cd82acc7db09209e41653a7e96cf51e48a84c3bb7a6e4

Download Submit
C:\Windows\{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe

Filesize
37KB

MD5
2fe1ae40e3e7b3c4f2f3331df7e50d97

SHA1
fafa685da8369c634db6e40081df6e431cee2562

SHA256
74beb01583e52261bfebb47fa050ed36db419546376f8cab0dac0c0982a7b3ae

SHA512
5f748f2f8db25acc720c837c8e188e0a2ffdc85164b308e097d0b89e0dbb444189b1405d3fd45ef516d9afc33e23d905321484a5210f7d2e0862e3a38562e207

Download Submit
C:\Windows\{B273EDB8-B6AF-4259-95C7-F2886A214598}.exe

Filesize
1KB

MD5
4bc0c8a9188ba80b6b1d123f1538b01c

SHA1
f970f1d1eb981593f5dce6c92a843c45a5c93db2

SHA256
8d808b2a37d78acca7fb3cf18ce2a6c378433f6f09a1700955074eec9d0673ec

SHA512
c9ee2ff3915c0df23c16a774bcd2e4a8584e4d938b10e998e95e7095975d88c825c7d1d681916823e64f9076d739769afadff629f6aa608e4e14a41b9d5b5bd4

Download Submit
C:\Windows\{C09AC486-CD75-45b1-9E25-392F116A0319}.exe

Filesize
180KB

MD5
32aeccac5c2fd94911ec6424dbe0d747

SHA1
af4d6bd9710478dfa1270719320a68ce27bba125

SHA256
012dede6555f9033670fdebbccc50e825f9aee0acc05390a68b3d7ec0f0fac08

SHA512
f851ea02b9ca56c9e568518ca37247492fb5d1b29051c1ec172c92baac05ca236760d0d8eac34685fce34b8152c3d7c7718bef00a40dbed55a0208b562c95392

Download Submit
C:\Windows\{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe

Filesize
180KB

MD5
7826ed50e88b1cb583ced6f5bb205650

SHA1
b5e0fb461570b1b3350448f6b21757a3da3c1d7d

SHA256
954194ef54e282107cd04bdfede4cdfce8decd4c87096c4dd4ec90e64860b476

SHA512
88e206cd955e6a58dd5c4ed7b5663b4fa293964686dc6acb51bcc333915b99a33c078b25b7bb6ac31b414ce130e6572864231d22af95cfe4423d78fa2f4a8a76

Download Submit
C:\Windows\{E10B49D9-DC29-4231-B75A-F4121D33CEF2}.exe

Filesize
149KB

MD5
4134b2d230d2def6b8f4c7be11cffa1f

SHA1
e852bdc4cbbdd008a372ad73c486b356fdad0683

SHA256
370f110dec53f71326df5a8c46bb669742daa5e13ffbf44243f7a2cefbb4f9e8

SHA512
5452870e0aeaa61c0b8432e44eec453ca27ed1c0c7b7f8bd9ecd6678dfc9bdc0b4b4e789e6e07571c8e478664f899061b50ed263c32fa205ffc00205bf283175

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads