0daf9fad0b1cd00cd699c7e98083a9fb574b3013a7bed80668864522a28b0852

Analysis

max time kernel
156s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe
Size

168KB
MD5

0c12ca2e409da390bc1b6764252c7153
SHA1

0b21435a7fef4bb88a71da2f0f397ad6213baccf
SHA256

0daf9fad0b1cd00cd699c7e98083a9fb574b3013a7bed80668864522a28b0852
SHA512

882f94dd7857ac77c2b3357b83e8b4de9ff80d2f9556694f5a9669f2e6972dd9a36d8865a5c4052328697c46ae6d6a8951bddaa06a2d1048abe40de901286d72
SSDEEP

1536:1EGh0oUlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oUlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}	{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}\stubpath = "C:\\Windows\\{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe"	{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE6E9D74-1B99-47e9-8352-B98EF55B208B}\stubpath = "C:\\Windows\\{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe"	{64937078-C45C-45d3-B31F-37B800345509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3241F3DD-9267-4ed3-8075-558D1C3A94BF}	{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3241F3DD-9267-4ed3-8075-558D1C3A94BF}\stubpath = "C:\\Windows\\{3241F3DD-9267-4ed3-8075-558D1C3A94BF}.exe"	{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D048BBB-D603-49cd-914E-DD87F2CA87E7}\stubpath = "C:\\Windows\\{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe"	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64937078-C45C-45d3-B31F-37B800345509}\stubpath = "C:\\Windows\\{64937078-C45C-45d3-B31F-37B800345509}.exe"	{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE6E9D74-1B99-47e9-8352-B98EF55B208B}	{64937078-C45C-45d3-B31F-37B800345509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C948160-2D35-4e61-B85F-D584134738CB}	{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C948160-2D35-4e61-B85F-D584134738CB}\stubpath = "C:\\Windows\\{4C948160-2D35-4e61-B85F-D584134738CB}.exe"	{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}\stubpath = "C:\\Windows\\{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe"	{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}	{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}\stubpath = "C:\\Windows\\{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe"	{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64937078-C45C-45d3-B31F-37B800345509}	{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}	{4C948160-2D35-4e61-B85F-D584134738CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D048BBB-D603-49cd-914E-DD87F2CA87E7}	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}	{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}\stubpath = "C:\\Windows\\{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe"	{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}	{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}\stubpath = "C:\\Windows\\{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe"	{4C948160-2D35-4e61-B85F-D584134738CB}.exe

Executes dropped EXE 10 IoCs

pid	Process
1620	{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe
1308	{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe
2976	{64937078-C45C-45d3-B31F-37B800345509}.exe
4636	{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe
1268	{4C948160-2D35-4e61-B85F-D584134738CB}.exe
3320	{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe
4440	{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe
4288	{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe
4856	{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe
2060	{3241F3DD-9267-4ed3-8075-558D1C3A94BF}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{64937078-C45C-45d3-B31F-37B800345509}.exe	{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe
File created	C:\Windows\{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe	{64937078-C45C-45d3-B31F-37B800345509}.exe
File created	C:\Windows\{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe	{4C948160-2D35-4e61-B85F-D584134738CB}.exe
File created	C:\Windows\{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe	{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe
File created	C:\Windows\{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe	{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe
File created	C:\Windows\{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe
File created	C:\Windows\{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe	{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe
File created	C:\Windows\{4C948160-2D35-4e61-B85F-D584134738CB}.exe	{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe
File created	C:\Windows\{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe	{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe
File created	C:\Windows\{3241F3DD-9267-4ed3-8075-558D1C3A94BF}.exe	{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1428	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1620	{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe
Token: SeIncBasePriorityPrivilege	1308	{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe
Token: SeIncBasePriorityPrivilege	2976	{64937078-C45C-45d3-B31F-37B800345509}.exe
Token: SeIncBasePriorityPrivilege	4636	{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe
Token: SeIncBasePriorityPrivilege	1268	{4C948160-2D35-4e61-B85F-D584134738CB}.exe
Token: SeIncBasePriorityPrivilege	3320	{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe
Token: SeIncBasePriorityPrivilege	4440	{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe
Token: SeIncBasePriorityPrivilege	4288	{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe
Token: SeIncBasePriorityPrivilege	4856	{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1620	1428	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	94
PID 1428 wrote to memory of 1620	1428	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	94
PID 1428 wrote to memory of 1620	1428	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	94
PID 1428 wrote to memory of 4272	1428	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	95
PID 1428 wrote to memory of 4272	1428	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	95
PID 1428 wrote to memory of 4272	1428	2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe	95
PID 1620 wrote to memory of 1308	1620	{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe	98
PID 1620 wrote to memory of 1308	1620	{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe	98
PID 1620 wrote to memory of 1308	1620	{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe	98
PID 1620 wrote to memory of 3560	1620	{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe	97
PID 1620 wrote to memory of 3560	1620	{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe	97
PID 1620 wrote to memory of 3560	1620	{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe	97
PID 1308 wrote to memory of 2976	1308	{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe	99
PID 1308 wrote to memory of 2976	1308	{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe	99
PID 1308 wrote to memory of 2976	1308	{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe	99
PID 1308 wrote to memory of 3364	1308	{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe	100
PID 1308 wrote to memory of 3364	1308	{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe	100
PID 1308 wrote to memory of 3364	1308	{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe	100
PID 2976 wrote to memory of 4636	2976	{64937078-C45C-45d3-B31F-37B800345509}.exe	101
PID 2976 wrote to memory of 4636	2976	{64937078-C45C-45d3-B31F-37B800345509}.exe	101
PID 2976 wrote to memory of 4636	2976	{64937078-C45C-45d3-B31F-37B800345509}.exe	101
PID 2976 wrote to memory of 396	2976	{64937078-C45C-45d3-B31F-37B800345509}.exe	102
PID 2976 wrote to memory of 396	2976	{64937078-C45C-45d3-B31F-37B800345509}.exe	102
PID 2976 wrote to memory of 396	2976	{64937078-C45C-45d3-B31F-37B800345509}.exe	102
PID 4636 wrote to memory of 1268	4636	{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe	108
PID 4636 wrote to memory of 1268	4636	{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe	108
PID 4636 wrote to memory of 1268	4636	{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe	108
PID 4636 wrote to memory of 4432	4636	{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe	109
PID 4636 wrote to memory of 4432	4636	{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe	109
PID 4636 wrote to memory of 4432	4636	{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe	109
PID 1268 wrote to memory of 3320	1268	{4C948160-2D35-4e61-B85F-D584134738CB}.exe	112
PID 1268 wrote to memory of 3320	1268	{4C948160-2D35-4e61-B85F-D584134738CB}.exe	112
PID 1268 wrote to memory of 3320	1268	{4C948160-2D35-4e61-B85F-D584134738CB}.exe	112
PID 1268 wrote to memory of 3216	1268	{4C948160-2D35-4e61-B85F-D584134738CB}.exe	113
PID 1268 wrote to memory of 3216	1268	{4C948160-2D35-4e61-B85F-D584134738CB}.exe	113
PID 1268 wrote to memory of 3216	1268	{4C948160-2D35-4e61-B85F-D584134738CB}.exe	113
PID 3320 wrote to memory of 4440	3320	{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe	114
PID 3320 wrote to memory of 4440	3320	{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe	114
PID 3320 wrote to memory of 4440	3320	{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe	114
PID 3320 wrote to memory of 1604	3320	{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe	115
PID 3320 wrote to memory of 1604	3320	{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe	115
PID 3320 wrote to memory of 1604	3320	{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe	115
PID 4440 wrote to memory of 4288	4440	{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe	119
PID 4440 wrote to memory of 4288	4440	{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe	119
PID 4440 wrote to memory of 4288	4440	{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe	119
PID 4440 wrote to memory of 1284	4440	{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe	120
PID 4440 wrote to memory of 1284	4440	{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe	120
PID 4440 wrote to memory of 1284	4440	{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe	120
PID 4288 wrote to memory of 4856	4288	{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe	123
PID 4288 wrote to memory of 4856	4288	{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe	123
PID 4288 wrote to memory of 4856	4288	{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe	123
PID 4288 wrote to memory of 2168	4288	{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe	124
PID 4288 wrote to memory of 2168	4288	{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe	124
PID 4288 wrote to memory of 2168	4288	{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe	124
PID 4856 wrote to memory of 2060	4856	{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe	125
PID 4856 wrote to memory of 2060	4856	{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe	125
PID 4856 wrote to memory of 2060	4856	{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe	125
PID 4856 wrote to memory of 4180	4856	{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe	126
PID 4856 wrote to memory of 4180	4856	{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe	126
PID 4856 wrote to memory of 4180	4856	{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_0c12ca2e409da390bc1b6764252c7153_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe
  C:\Windows\{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5D048~1.EXE > nul
    3⤵
    PID:3560
- - C:\Windows\{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe
    C:\Windows\{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\{64937078-C45C-45d3-B31F-37B800345509}.exe
      C:\Windows\{64937078-C45C-45d3-B31F-37B800345509}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe
        
        C:\Windows\{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Windows\{4C948160-2D35-4e61-B85F-D584134738CB}.exe
        
        C:\Windows\{4C948160-2D35-4e61-B85F-D584134738CB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe
        
        C:\Windows\{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe
        
        C:\Windows\{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe
        
        C:\Windows\{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe
        
        C:\Windows\{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\{3241F3DD-9267-4ed3-8075-558D1C3A94BF}.exe
        
        C:\Windows\{3241F3DD-9267-4ed3-8075-558D1C3A94BF}.exe
        11⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A506F~1.EXE > nul
        11⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B06B~1.EXE > nul
        10⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA437~1.EXE > nul
        9⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69DF9~1.EXE > nul
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C948~1.EXE > nul
        7⤵
        
        PID:3216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE6E9~1.EXE > nul
        6⤵
        
        PID:4432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64937~1.EXE > nul
        5⤵
        
        PID:396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C50C8~1.EXE > nul
      4⤵
      PID:3364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3241F3DD-9267-4ed3-8075-558D1C3A94BF}.exe

Filesize
168KB

MD5
e6ab727ac316300eff2418c51134e4e1

SHA1
89f16f5f73afbca75bed509f5eea3ee918836a63

SHA256
6924c3e5d5e16c2d90760d7aa54ba24ff4218815b7fac7d46145f398631c2b74

SHA512
cc33b4e25b94e1567ad6734c1d94f2eeee9098591568697ecbd6d3afd50e04e172c6462802c87d80518d4640f5bdb7aa399e49a83783bdd99d9b6fc627d9a9b3

Download Submit
C:\Windows\{4C948160-2D35-4e61-B85F-D584134738CB}.exe

Filesize
168KB

MD5
f51e8cc0c1955b084c97febfeb5b5e73

SHA1
ba25d5a23c814c44421c08a3fe790bcbf6b01f03

SHA256
90657ec6e480cacd5f829e4e3ae7219ea6c8e14bc83987c7c7d6503d6ba9bfa5

SHA512
c089e26c886846d50a609aa0cd9deb2ad45bdac6642ee3aa9924f57402c721e76d513af4a3f84f826968d36e973e8a581a3b04257b28db5a5002e8ad776a9f26

Download Submit
C:\Windows\{5D048BBB-D603-49cd-914E-DD87F2CA87E7}.exe

Filesize
168KB

MD5
2345e1b8d21ee532e186b9315668cf67

SHA1
b05b00aecd9ad1a866a23572dc84767cfb159b06

SHA256
c6a5d89138decd5d70947421e06f0ceaefa6bf6a698ee956ecbb2936b1d0a6a6

SHA512
2d175998cec9fe0ab951fd9b9bba9d3efb7206b422c389a0394e34a6b2a29af41e40a7cef54841b3253e97e431d93b21afe38d054594319227e8f5ff38090368

Download Submit
C:\Windows\{64937078-C45C-45d3-B31F-37B800345509}.exe

Filesize
168KB

MD5
935fab252c20a4f3ee0a530470668fa9

SHA1
95337b5dca1fff0ca837b76bfac2ce20a58b125c

SHA256
f0feb086e8badaf15aa71e856c62f7dc2979470af1c8c4d71b7844447f78af7d

SHA512
491fb68a2d382bde140f8a80f2fec5a59dd6e9f8bd0cc210da6d41fd002b65f583d40379997a8ee5b3af25bd566d2050b3cb7fca9bf23e3b952a4c9f116d6a65

Download Submit
C:\Windows\{69DF9AB2-C301-4aba-A154-BFA42EBEE2AA}.exe

Filesize
168KB

MD5
fff0c561930cbe56c053eb345a2f66fd

SHA1
267efddad4790c01b347057d4dc7e9577dffd775

SHA256
c0ab8717077ac402242f1bc35f11a54c1ee3b728cea7c14397a8f351bc5b06a1

SHA512
89047493b43b496616214e8b7bcc9f3fefecdede9563956d4a6f2f8486c85a52b33832e4deb55cf60a4536808c77168194211b230eb7528f10ce59e7b9b8bf45

Download Submit
C:\Windows\{6B06BEE3-725B-43ec-9BF2-ECAA82C231EF}.exe

Filesize
168KB

MD5
9b1a246f96757da81784832ff74378c5

SHA1
da1c63398599cf6bc64d0d89be6cad79b70059df

SHA256
ab81794d86db69ac01ba1742d414e84c219c700abbae15e0a16399df822bf5c3

SHA512
8fdeaf9b8878ae9eb04b291dcd460b89a6be9639d041c6e681b83b366cdba812cbb6e8a0a942e99a80103ef7428b6797a37c331b417a38d63e25947d26dd3acb

Download Submit
C:\Windows\{A506F3FD-3F99-4a6c-94D8-BD10C7EE3DAA}.exe

Filesize
168KB

MD5
f60d1243aaeac049876b72db1c3b20e0

SHA1
8d6543d8118d35748eac0bbc532d1b053962c539

SHA256
27d5d6851fd59b3da49ed73724122f5f67cebb4ac39a0eff62f5c509306e0027

SHA512
6a5b7226312cdf62c3eed8f54e3f2065739c8db35e2c4ce30fa4002fbc66e994d0646e47d50abcc1652d8287bee61ec27104ab76ce1c8988110cd6672fb123d4

Download Submit
C:\Windows\{AA4372D3-69E2-4fbb-9C26-D7A051B21FC5}.exe

Filesize
168KB

MD5
cee2f4dfa30c17072886b2701e2fd394

SHA1
6033133124c334c61fa63ec249f613c962000991

SHA256
eb29c88d1132b3f82a69ed65f3c527d3df79a85d6f1f672a98309430fcfcdb77

SHA512
4259a2adc534f239d4813fec4eb537c47637eb21968fef59bb33b1f2ca5942fd76035351fe0f0ec5193c3d3cb649d70f7a275e470715b2fa6d4d7a055439cb6f

Download Submit
C:\Windows\{C50C8A4F-C08D-4bbc-B014-E5D57BF86CEB}.exe

Filesize
168KB

MD5
de7b737d703b078b69b2f25ee0aca2de

SHA1
1462453af5553eeec6517cfd9c26c95d49eca670

SHA256
18cc513b23a4a2d9ffcdc68b266d0fdc30d295b2b7fc297c057b452b87924121

SHA512
bf4b7e5b463acfef43f88b9ecac613ad30e75d751d3bcff5bc5e64ab95ef13eaa6047a41eee9ef823ed35fb87a0b0d195811205aade16987acedc28e02a2bbb5

Download Submit
C:\Windows\{CE6E9D74-1B99-47e9-8352-B98EF55B208B}.exe

Filesize
168KB

MD5
73358ebfe2c794705077a1d0d0516d2e

SHA1
47b74009349e5cc3b8f456b4082cc36baae2e4e1

SHA256
01f43abb405373aaa224912a4ce65afc6176e21286d5747baf1b5b2a730ac140

SHA512
0d22537aa17d14241ca79294bf234c39058533ad821c8f47e7a623a4c6771ca64177cf8cb647ac4c99a2031281c4c89900a130ca0a02cc8da4ed64c55cd91e1e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads