fcd19b10a30d9e8f7b6f516bbe4e77409f4e4941ad2e9ed84b3eda9be1f43ea3

Analysis

max time kernel
138s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe
Size

380KB
MD5

09542eb3f843082cb066399a55c2c19f
SHA1

fd70e3561afc3ebad4ac6aeb35c8cf56197c7a8e
SHA256

fcd19b10a30d9e8f7b6f516bbe4e77409f4e4941ad2e9ed84b3eda9be1f43ea3
SHA512

c6d737c7c2ee22d4e36a4c8b0a27c8e7c3bf1169682d31cedec5d0b4a0e4c39c6d0798d47411ee08eec53c5699069272b08e8c49c3b0f4819f5e7a70d219284d
SSDEEP

3072:mEGh0oQlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGWl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE1CC0D1-2E46-4742-A8F9-343445DC3787}\stubpath = "C:\\Windows\\{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe"	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FFAECB-7615-4bb4-9CAB-B81DE7EE6DC6}	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FFAECB-7615-4bb4-9CAB-B81DE7EE6DC6}\stubpath = "C:\\Windows\\{74FFAECB-7615-4bb4-9CAB-B81DE7EE6DC6}.exe"	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B32C73A-1873-43bf-B49A-6A82D6184666}	{74FFAECB-7615-4bb4-9CAB-B81DE7EE6DC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}\stubpath = "C:\\Windows\\{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe"	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{989D7486-F5E6-4e90-8579-BAC03BA938A3}	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{989D7486-F5E6-4e90-8579-BAC03BA938A3}\stubpath = "C:\\Windows\\{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe"	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71474F81-9F55-4179-ADAC-691EDEEAAFF1}	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4086E78C-7B18-4a89-9D2C-7C09DC13A20E}	{95BB1203-2043-4ed3-B935-6D87F6F65FCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B36330-7CFF-4010-8AED-C932C1E21466}	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45F9B76A-9261-442e-B24F-037EF6A2EE0B}\stubpath = "C:\\Windows\\{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe"	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71474F81-9F55-4179-ADAC-691EDEEAAFF1}\stubpath = "C:\\Windows\\{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe"	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B32C73A-1873-43bf-B49A-6A82D6184666}\stubpath = "C:\\Windows\\{7B32C73A-1873-43bf-B49A-6A82D6184666}.exe"	{74FFAECB-7615-4bb4-9CAB-B81DE7EE6DC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BB1203-2043-4ed3-B935-6D87F6F65FCE}	{7B32C73A-1873-43bf-B49A-6A82D6184666}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1B36330-7CFF-4010-8AED-C932C1E21466}\stubpath = "C:\\Windows\\{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe"	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE1CC0D1-2E46-4742-A8F9-343445DC3787}	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BB1203-2043-4ed3-B935-6D87F6F65FCE}\stubpath = "C:\\Windows\\{95BB1203-2043-4ed3-B935-6D87F6F65FCE}.exe"	{7B32C73A-1873-43bf-B49A-6A82D6184666}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4086E78C-7B18-4a89-9D2C-7C09DC13A20E}\stubpath = "C:\\Windows\\{4086E78C-7B18-4a89-9D2C-7C09DC13A20E}.exe"	{95BB1203-2043-4ed3-B935-6D87F6F65FCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45F9B76A-9261-442e-B24F-037EF6A2EE0B}	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}\stubpath = "C:\\Windows\\{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe"	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3068	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe
2708	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe
2664	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe
2648	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe
2568	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe
1568	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe
1704	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe
1444	{74FFAECB-7615-4bb4-9CAB-B81DE7EE6DC6}.exe
1684	{7B32C73A-1873-43bf-B49A-6A82D6184666}.exe
540	{95BB1203-2043-4ed3-B935-6D87F6F65FCE}.exe
560	{4086E78C-7B18-4a89-9D2C-7C09DC13A20E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{74FFAECB-7615-4bb4-9CAB-B81DE7EE6DC6}.exe	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe
File created	C:\Windows\{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe
File created	C:\Windows\{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe
File created	C:\Windows\{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe
File created	C:\Windows\{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe
File created	C:\Windows\{95BB1203-2043-4ed3-B935-6D87F6F65FCE}.exe	{7B32C73A-1873-43bf-B49A-6A82D6184666}.exe
File created	C:\Windows\{4086E78C-7B18-4a89-9D2C-7C09DC13A20E}.exe	{95BB1203-2043-4ed3-B935-6D87F6F65FCE}.exe
File created	C:\Windows\{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe
File created	C:\Windows\{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe
File created	C:\Windows\{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe
File created	C:\Windows\{7B32C73A-1873-43bf-B49A-6A82D6184666}.exe	{74FFAECB-7615-4bb4-9CAB-B81DE7EE6DC6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2444	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3068	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe
Token: SeIncBasePriorityPrivilege	2708	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe
Token: SeIncBasePriorityPrivilege	2664	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe
Token: SeIncBasePriorityPrivilege	2648	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe
Token: SeIncBasePriorityPrivilege	2568	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe
Token: SeIncBasePriorityPrivilege	1568	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe
Token: SeIncBasePriorityPrivilege	1704	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe
Token: SeIncBasePriorityPrivilege	1444	{74FFAECB-7615-4bb4-9CAB-B81DE7EE6DC6}.exe
Token: SeIncBasePriorityPrivilege	1684	{7B32C73A-1873-43bf-B49A-6A82D6184666}.exe
Token: SeIncBasePriorityPrivilege	540	{95BB1203-2043-4ed3-B935-6D87F6F65FCE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 3068	2444	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	29
PID 2444 wrote to memory of 3068	2444	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	29
PID 2444 wrote to memory of 3068	2444	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	29
PID 2444 wrote to memory of 3068	2444	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	29
PID 2444 wrote to memory of 2164	2444	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	28
PID 2444 wrote to memory of 2164	2444	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	28
PID 2444 wrote to memory of 2164	2444	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	28
PID 2444 wrote to memory of 2164	2444	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	28
PID 3068 wrote to memory of 2708	3068	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe	30
PID 3068 wrote to memory of 2708	3068	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe	30
PID 3068 wrote to memory of 2708	3068	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe	30
PID 3068 wrote to memory of 2708	3068	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe	30
PID 3068 wrote to memory of 2744	3068	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe	31
PID 3068 wrote to memory of 2744	3068	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe	31
PID 3068 wrote to memory of 2744	3068	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe	31
PID 3068 wrote to memory of 2744	3068	{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe	31
PID 2708 wrote to memory of 2664	2708	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe	32
PID 2708 wrote to memory of 2664	2708	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe	32
PID 2708 wrote to memory of 2664	2708	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe	32
PID 2708 wrote to memory of 2664	2708	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe	32
PID 2708 wrote to memory of 2640	2708	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe	33
PID 2708 wrote to memory of 2640	2708	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe	33
PID 2708 wrote to memory of 2640	2708	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe	33
PID 2708 wrote to memory of 2640	2708	{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe	33
PID 2664 wrote to memory of 2648	2664	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe	34
PID 2664 wrote to memory of 2648	2664	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe	34
PID 2664 wrote to memory of 2648	2664	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe	34
PID 2664 wrote to memory of 2648	2664	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe	34
PID 2664 wrote to memory of 2480	2664	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe	35
PID 2664 wrote to memory of 2480	2664	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe	35
PID 2664 wrote to memory of 2480	2664	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe	35
PID 2664 wrote to memory of 2480	2664	{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe	35
PID 2648 wrote to memory of 2568	2648	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe	38
PID 2648 wrote to memory of 2568	2648	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe	38
PID 2648 wrote to memory of 2568	2648	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe	38
PID 2648 wrote to memory of 2568	2648	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe	38
PID 2648 wrote to memory of 2548	2648	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe	39
PID 2648 wrote to memory of 2548	2648	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe	39
PID 2648 wrote to memory of 2548	2648	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe	39
PID 2648 wrote to memory of 2548	2648	{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe	39
PID 2568 wrote to memory of 1568	2568	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe	41
PID 2568 wrote to memory of 1568	2568	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe	41
PID 2568 wrote to memory of 1568	2568	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe	41
PID 2568 wrote to memory of 1568	2568	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe	41
PID 2568 wrote to memory of 1836	2568	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe	40
PID 2568 wrote to memory of 1836	2568	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe	40
PID 2568 wrote to memory of 1836	2568	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe	40
PID 2568 wrote to memory of 1836	2568	{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe	40
PID 1568 wrote to memory of 1704	1568	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe	43
PID 1568 wrote to memory of 1704	1568	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe	43
PID 1568 wrote to memory of 1704	1568	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe	43
PID 1568 wrote to memory of 1704	1568	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe	43
PID 1568 wrote to memory of 2812	1568	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe	42
PID 1568 wrote to memory of 2812	1568	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe	42
PID 1568 wrote to memory of 2812	1568	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe	42
PID 1568 wrote to memory of 2812	1568	{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe	42
PID 1704 wrote to memory of 1444	1704	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe	44
PID 1704 wrote to memory of 1444	1704	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe	44
PID 1704 wrote to memory of 1444	1704	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe	44
PID 1704 wrote to memory of 1444	1704	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe	44
PID 1704 wrote to memory of 1776	1704	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe	45
PID 1704 wrote to memory of 1776	1704	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe	45
PID 1704 wrote to memory of 1776	1704	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe	45
PID 1704 wrote to memory of 1776	1704	{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2164
- C:\Windows\{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe
  C:\Windows\{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe
    C:\Windows\{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe
      C:\Windows\{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe
        
        C:\Windows\{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe
        
        C:\Windows\{0B6D2D13-21C4-44b8-853B-8F46CF3AC921}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B6D2~1.EXE > nul
        7⤵
        
        PID:1836
        
        C:\Windows\{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe
        
        C:\Windows\{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{989D7~1.EXE > nul
        8⤵
        
        PID:2812
        
        C:\Windows\{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe
        
        C:\Windows\{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\{74FFAECB-7615-4bb4-9CAB-B81DE7EE6DC6}.exe
        
        C:\Windows\{74FFAECB-7615-4bb4-9CAB-B81DE7EE6DC6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\{7B32C73A-1873-43bf-B49A-6A82D6184666}.exe
        
        C:\Windows\{7B32C73A-1873-43bf-B49A-6A82D6184666}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\{95BB1203-2043-4ed3-B935-6D87F6F65FCE}.exe
        
        C:\Windows\{95BB1203-2043-4ed3-B935-6D87F6F65FCE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95BB1~1.EXE > nul
        12⤵
        
        PID:1036
        
        C:\Windows\{4086E78C-7B18-4a89-9D2C-7C09DC13A20E}.exe
        
        C:\Windows\{4086E78C-7B18-4a89-9D2C-7C09DC13A20E}.exe
        12⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B32C~1.EXE > nul
        11⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74FFA~1.EXE > nul
        10⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71474~1.EXE > nul
        9⤵
        
        PID:1776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE1CC~1.EXE > nul
        6⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C261~1.EXE > nul
        5⤵
        
        PID:2480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{45F9B~1.EXE > nul
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B1B36~1.EXE > nul
    3⤵
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{45F9B76A-9261-442e-B24F-037EF6A2EE0B}.exe

Filesize
380KB

MD5
7d5bafd7b68fcf2389cac93d90fb58cd

SHA1
1e6fa5d29b5fd71626959e19bc00eafebfe9e23e

SHA256
42e9485a37c01abe499d76855f7b28034eee8c8451282148b2d8e2ecaced15f2

SHA512
ba5173c127a059a6b31a282c0da11c43acfe08cdef60f028e63b17b9c89fe9a34e8287303b70c10638dee7556e0f685b90fc392488426594408e69e68aa99b58

Download Submit
C:\Windows\{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe

Filesize
380KB

MD5
7cbc2f12824d020ebed5aa84076d0ab7

SHA1
c015661c8f6083267d8793b3bd8ace1641ffff9a

SHA256
8debc324878336d99fef7f2136e457adf735390665c8fa0046388f598e956edb

SHA512
08e4816c371bd3ea754cdf30a814e4281b3a45445542febecf73c69c0d8a22f6fc1b67937bac48b9fba6f597e5edfffd8065154c95f3ec5a1720e08591db5a99

Download Submit
C:\Windows\{71474F81-9F55-4179-ADAC-691EDEEAAFF1}.exe

Filesize
145KB

MD5
4e7010a252d5b47b938b015474324a46

SHA1
3c7e72264e0fbafffbb9440c7264c582bab8180f

SHA256
37ccf81a5d7d9e6e2ce2170ffe93f7fd475f5f03a73b75c50fbfe9f0510c1857

SHA512
2c97fc956544ff4632776e47bcee3cbbf7e9eaaea9bca1fd69a09d31d2385073eefa96c86e032361706662fb4e0808cd38c9b04a415feebdf46f17cc66440714

Download Submit
C:\Windows\{74FFAECB-7615-4bb4-9CAB-B81DE7EE6DC6}.exe

Filesize
192KB

MD5
75dec2084b7ad92c89f931211a4a60e6

SHA1
9ced5f452f6d28166b88432377a42d69a5177d0c

SHA256
231ca0360b81e835c1cc7942e0f26b188a3df696bdb3c21cdb8ed440b1bb1836

SHA512
09f2f18fc30d1e5f4f3f503677256cf37785b64018630842354fcb8bac2351601e40298bbb703b9cdf4a82f83ebf4cf575f28cb5aa2d6a10b7fa18e61b3054ff

Download Submit
C:\Windows\{7B32C73A-1873-43bf-B49A-6A82D6184666}.exe

Filesize
380KB

MD5
8492e8a2863853f42418d6289d18b82c

SHA1
f928e18bf8816aff992c8a7ef7b49d2f1a44e4d0

SHA256
b65fdf49cf593f2a9833bcb5eb5cecd652e48dcfa710c5831761769996c351d2

SHA512
ae0dfc7d7766163a2229a3c66c4832b858a6274953c9bbbc0eb5b992fd78ec3b16966c4a19ce48d9ff57f2f05c9411a2e5feff1e18fae75ddbbaadfd89c61337

Download Submit
C:\Windows\{8C261C48-93AA-4bd6-8CE7-048FAA8C63D6}.exe

Filesize
380KB

MD5
a0cb62c1b2b3f8ea30d82aad733ceb63

SHA1
354b4f1b7fdf558620e4dc0be215418327b6ff4d

SHA256
2e0e9fd6c7a166e45bcdbeac4727ff994ab0b395214902cdde58a4e7edb53422

SHA512
90b446beafe06a7853b8768bb424ddb98e4a3510a8386c6d5c1d5f802f6876d6d721f916c0ff70bbccd946f775a0164dee87744b6af706f54e085ea559b591fd

Download Submit
C:\Windows\{95BB1203-2043-4ed3-B935-6D87F6F65FCE}.exe

Filesize
380KB

MD5
d548185cff336b8a7f874c0f2ae3ecc9

SHA1
a7469fce5ae1adf8fa88b0ba6a85266ecd579319

SHA256
52acf3524cca0d43fbccf29abcb50abcb93a5fe3a8174cf147df9bcd7f2518f6

SHA512
97d383ff000a222a4d158899cf96ce993ee679855dd6aae742cd7b75ad151d6d6ed1202b5e7af1258817f1d10cafd7d4e9743bda828cb248ca02888d8a57ce49

Download Submit
C:\Windows\{989D7486-F5E6-4e90-8579-BAC03BA938A3}.exe

Filesize
380KB

MD5
783b4ee4ad5edc4dba73b0d821077f86

SHA1
78da05e53fbe34687496abd0ddb6aea2e0d871d9

SHA256
a7fdf6f4fd0751848899e932c110489b010ce2d28a64fd96b63cd1edc1ba027d

SHA512
5071b8ab35c4aaa2937b8eaa07a13614f678802971757d75c4fd2574a58651b2952ddce6a8f5be6c9781aa725dec25afad63e6dcc58bec2ec1d19625cf63422a

Download Submit
C:\Windows\{B1B36330-7CFF-4010-8AED-C932C1E21466}.exe

Filesize
380KB

MD5
fe8e44f28a063de41a7fca5488e9ddef

SHA1
525498e233fd909433246550290ba41b926594e6

SHA256
7c4e5fdf58b9adef01e5bef0ca91a721619128b5999052c9880d5f55d33c901f

SHA512
bae59c501cd027528bd89714964dde0f6db2ab72249976397f10150e9b6f01292547ef13321cdb9489183ead19e3adcfc84f66ac3cf9edc34650e4645fb26b11

Download Submit
C:\Windows\{CE1CC0D1-2E46-4742-A8F9-343445DC3787}.exe

Filesize
380KB

MD5
22e2512efe0c66f79d98c3ee2ef57c58

SHA1
94986ed26437fe4daaf9e9819fdecadc2419bf89

SHA256
1c14524150222cd1aa184b83d9cfe11445b437ab41355669167c435a4c26d193

SHA512
54082d216c7125b31db79ce30a751b1ddd19203659101d457d27fab4def33845d2b7d1ee206af19c4be81631759fcaa66140b511b67f71271d9729cd459831f7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads