fcd19b10a30d9e8f7b6f516bbe4e77409f4e4941ad2e9ed84b3eda9be1f43ea3

Analysis

max time kernel
131s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe
Size

380KB
MD5

09542eb3f843082cb066399a55c2c19f
SHA1

fd70e3561afc3ebad4ac6aeb35c8cf56197c7a8e
SHA256

fcd19b10a30d9e8f7b6f516bbe4e77409f4e4941ad2e9ed84b3eda9be1f43ea3
SHA512

c6d737c7c2ee22d4e36a4c8b0a27c8e7c3bf1169682d31cedec5d0b4a0e4c39c6d0798d47411ee08eec53c5699069272b08e8c49c3b0f4819f5e7a70d219284d
SSDEEP

3072:mEGh0oQlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGWl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}	{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB3BC300-2000-49a6-BEAB-D1345709994D}	{0F097416-D36F-47e0-B7AE-606634771734}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47D1B5C1-1439-426d-B3C1-68B43964C2D9}	{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}\stubpath = "C:\\Windows\\{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe"	{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ECF0A86-A394-4ba2-9E58-AA64D859523B}\stubpath = "C:\\Windows\\{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe"	{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4D8102F-39AA-4f1b-B60D-8E71E969711A}	{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4D8102F-39AA-4f1b-B60D-8E71E969711A}\stubpath = "C:\\Windows\\{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe"	{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F097416-D36F-47e0-B7AE-606634771734}\stubpath = "C:\\Windows\\{0F097416-D36F-47e0-B7AE-606634771734}.exe"	{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}\stubpath = "C:\\Windows\\{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe"	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}	{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44004A7F-0B04-4385-BDB1-50FF56CBDD51}	{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}	{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F097416-D36F-47e0-B7AE-606634771734}	{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB3BC300-2000-49a6-BEAB-D1345709994D}\stubpath = "C:\\Windows\\{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe"	{0F097416-D36F-47e0-B7AE-606634771734}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47D1B5C1-1439-426d-B3C1-68B43964C2D9}\stubpath = "C:\\Windows\\{47D1B5C1-1439-426d-B3C1-68B43964C2D9}.exe"	{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}\stubpath = "C:\\Windows\\{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe"	{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44004A7F-0B04-4385-BDB1-50FF56CBDD51}\stubpath = "C:\\Windows\\{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe"	{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}\stubpath = "C:\\Windows\\{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe"	{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1ECF0A86-A394-4ba2-9E58-AA64D859523B}	{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe

Executes dropped EXE 10 IoCs

pid	Process
3616	{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe
2792	{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe
1508	{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe
3156	{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe
4288	{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe
4712	{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe
3616	{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe
1292	{0F097416-D36F-47e0-B7AE-606634771734}.exe
4004	{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe
3300	{47D1B5C1-1439-426d-B3C1-68B43964C2D9}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{47D1B5C1-1439-426d-B3C1-68B43964C2D9}.exe	{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe
File created	C:\Windows\{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe	{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe
File created	C:\Windows\{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe	{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe
File created	C:\Windows\{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe	{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe
File created	C:\Windows\{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe	{0F097416-D36F-47e0-B7AE-606634771734}.exe
File created	C:\Windows\{0F097416-D36F-47e0-B7AE-606634771734}.exe	{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe
File created	C:\Windows\{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe
File created	C:\Windows\{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe	{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe
File created	C:\Windows\{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe	{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe
File created	C:\Windows\{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe	{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3800	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3616	{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe
Token: SeIncBasePriorityPrivilege	2792	{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe
Token: SeIncBasePriorityPrivilege	1508	{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe
Token: SeIncBasePriorityPrivilege	3156	{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe
Token: SeIncBasePriorityPrivilege	4288	{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe
Token: SeIncBasePriorityPrivilege	4712	{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe
Token: SeIncBasePriorityPrivilege	3616	{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe
Token: SeIncBasePriorityPrivilege	1292	{0F097416-D36F-47e0-B7AE-606634771734}.exe
Token: SeIncBasePriorityPrivilege	4004	{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 3616	3800	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	99
PID 3800 wrote to memory of 3616	3800	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	99
PID 3800 wrote to memory of 3616	3800	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	99
PID 3800 wrote to memory of 3260	3800	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	98
PID 3800 wrote to memory of 3260	3800	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	98
PID 3800 wrote to memory of 3260	3800	2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe	98
PID 3616 wrote to memory of 2792	3616	{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe	101
PID 3616 wrote to memory of 2792	3616	{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe	101
PID 3616 wrote to memory of 2792	3616	{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe	101
PID 3616 wrote to memory of 668	3616	{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe	100
PID 3616 wrote to memory of 668	3616	{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe	100
PID 3616 wrote to memory of 668	3616	{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe	100
PID 2792 wrote to memory of 1508	2792	{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe	105
PID 2792 wrote to memory of 1508	2792	{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe	105
PID 2792 wrote to memory of 1508	2792	{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe	105
PID 2792 wrote to memory of 2596	2792	{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe	104
PID 2792 wrote to memory of 2596	2792	{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe	104
PID 2792 wrote to memory of 2596	2792	{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe	104
PID 1508 wrote to memory of 3156	1508	{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe	107
PID 1508 wrote to memory of 3156	1508	{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe	107
PID 1508 wrote to memory of 3156	1508	{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe	107
PID 1508 wrote to memory of 4348	1508	{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe	106
PID 1508 wrote to memory of 4348	1508	{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe	106
PID 1508 wrote to memory of 4348	1508	{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe	106
PID 3156 wrote to memory of 4288	3156	{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe	109
PID 3156 wrote to memory of 4288	3156	{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe	109
PID 3156 wrote to memory of 4288	3156	{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe	109
PID 3156 wrote to memory of 1960	3156	{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe	108
PID 3156 wrote to memory of 1960	3156	{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe	108
PID 3156 wrote to memory of 1960	3156	{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe	108
PID 4288 wrote to memory of 4712	4288	{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe	112
PID 4288 wrote to memory of 4712	4288	{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe	112
PID 4288 wrote to memory of 4712	4288	{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe	112
PID 4288 wrote to memory of 3292	4288	{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe	111
PID 4288 wrote to memory of 3292	4288	{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe	111
PID 4288 wrote to memory of 3292	4288	{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe	111
PID 4712 wrote to memory of 3616	4712	{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe	113
PID 4712 wrote to memory of 3616	4712	{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe	113
PID 4712 wrote to memory of 3616	4712	{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe	113
PID 4712 wrote to memory of 3944	4712	{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe	114
PID 4712 wrote to memory of 3944	4712	{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe	114
PID 4712 wrote to memory of 3944	4712	{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe	114
PID 3616 wrote to memory of 1292	3616	{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe	116
PID 3616 wrote to memory of 1292	3616	{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe	116
PID 3616 wrote to memory of 1292	3616	{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe	116
PID 3616 wrote to memory of 4252	3616	{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe	115
PID 3616 wrote to memory of 4252	3616	{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe	115
PID 3616 wrote to memory of 4252	3616	{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe	115
PID 1292 wrote to memory of 4004	1292	{0F097416-D36F-47e0-B7AE-606634771734}.exe	122
PID 1292 wrote to memory of 4004	1292	{0F097416-D36F-47e0-B7AE-606634771734}.exe	122
PID 1292 wrote to memory of 4004	1292	{0F097416-D36F-47e0-B7AE-606634771734}.exe	122
PID 1292 wrote to memory of 3156	1292	{0F097416-D36F-47e0-B7AE-606634771734}.exe	121
PID 1292 wrote to memory of 3156	1292	{0F097416-D36F-47e0-B7AE-606634771734}.exe	121
PID 1292 wrote to memory of 3156	1292	{0F097416-D36F-47e0-B7AE-606634771734}.exe	121
PID 4004 wrote to memory of 3300	4004	{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe	125
PID 4004 wrote to memory of 3300	4004	{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe	125
PID 4004 wrote to memory of 3300	4004	{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe	125
PID 4004 wrote to memory of 1372	4004	{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe	124
PID 4004 wrote to memory of 1372	4004	{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe	124
PID 4004 wrote to memory of 1372	4004	{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe	124

C:\Users\Admin\AppData\Local\Temp\2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_09542eb3f843082cb066399a55c2c19f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3260
- C:\Windows\{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe
  C:\Windows\{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8BEF9~1.EXE > nul
    3⤵
    PID:668
- - C:\Windows\{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe
    C:\Windows\{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1ECF0~1.EXE > nul
      4⤵
      PID:2596
  - - C:\Windows\{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe
      C:\Windows\{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1C6A~1.EXE > nul
        5⤵
        
        PID:4348
    - - C:\Windows\{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe
        
        C:\Windows\{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4D81~1.EXE > nul
        6⤵
        
        PID:1960
      - C:\Windows\{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe
        
        C:\Windows\{95AC22AC-517D-4a69-86B4-8E05AC9BD00B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95AC2~1.EXE > nul
        7⤵
        
        PID:3292
        
        C:\Windows\{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe
        
        C:\Windows\{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe
        
        C:\Windows\{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC7E4~1.EXE > nul
        9⤵
        
        PID:4252
        
        C:\Windows\{0F097416-D36F-47e0-B7AE-606634771734}.exe
        
        C:\Windows\{0F097416-D36F-47e0-B7AE-606634771734}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F097~1.EXE > nul
        10⤵
        
        PID:3156
        
        C:\Windows\{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe
        
        C:\Windows\{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB3BC~1.EXE > nul
        11⤵
        
        PID:1372
        
        C:\Windows\{47D1B5C1-1439-426d-B3C1-68B43964C2D9}.exe
        
        C:\Windows\{47D1B5C1-1439-426d-B3C1-68B43964C2D9}.exe
        11⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47D1B~1.EXE > nul
        12⤵
        
        PID:392
        
        C:\Windows\{1DDF77B1-11D5-4726-8CC5-52B024B1E681}.exe
        
        C:\Windows\{1DDF77B1-11D5-4726-8CC5-52B024B1E681}.exe
        12⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44004~1.EXE > nul
        8⤵
        
        PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F097416-D36F-47e0-B7AE-606634771734}.exe

Filesize
93KB

MD5
0989139e934a0bb261aeea314e76113e

SHA1
e5e496532ef83d16f506573fc6d158e96cea93cb

SHA256
07bb456590db6c8e8cd12802e052d38011ece8ea3b5da504f3482ecfc32f75c2

SHA512
b54bc72f884775161bd902a1dcde499e1b78579f059487126bf627cf7f55ce645cb8c31720020bd0e3ff9adfa5a10104f28bf482d32c5f05e4358d0ed96dfe17

Download Submit
C:\Windows\{0F097416-D36F-47e0-B7AE-606634771734}.exe

Filesize
92KB

MD5
42ad8c9bf548f3f14ba606c8c3a57b0e

SHA1
6391db921b83cf26c66332e6a1678851e4720a7d

SHA256
cc162e47e2c0fad12dd91323d324af5cebfab54a189f77be2c2162bf21d87203

SHA512
2f5027dee3215e636f202c085d851a70e0355451eac53f8ec629722359c3abb0b0370dfbaf0bcebbc04593b5d04a3d568c7d83d58cdbbc3160105c682dd9290d

Download Submit
C:\Windows\{1DDF77B1-11D5-4726-8CC5-52B024B1E681}.exe

Filesize
380KB

MD5
58e1bf120182c1da49efeb4093254350

SHA1
89e97efc8a9de568c8326df072f375bd16b2e548

SHA256
a15dd12e9fd6105f70c716119e0c63b85d6dd7a273500bd5ee7415392da11f0e

SHA512
deda0bd131fd51ee39edb5e8f4f8d8345ece2a5ed9f90240ce7713d5d5a2ad734647a0793740e2a05d5c59e2063c2931d45b2bf46c33c166dca2816fcb3a4985

Download Submit
C:\Windows\{1ECF0A86-A394-4ba2-9E58-AA64D859523B}.exe

Filesize
380KB

MD5
8e1c79c2914d948d3dbc7d85be73d716

SHA1
6ad1e2d3af5bc925f5230565803674f911d17ebd

SHA256
e8bbc2a7fc0c09b84572ea481080eee796796d322a7eb38e67f2bc7d17ac206d

SHA512
b12de75850d62f335b68a34e23c04db9ccd9c86668733870267ff12e9a7dd56cf7bea7e3dc4ee75315c50b6ec8dba363f892890d9dc5f9cb81a061e7919854b0

Download Submit
C:\Windows\{44004A7F-0B04-4385-BDB1-50FF56CBDD51}.exe

Filesize
380KB

MD5
a89d1d156c1503d29309cbfee52873e9

SHA1
d38cc64e186303105ab81e745d63cc831ed120f7

SHA256
dbef60ec00d15d7db3b6f2c9b22fb2d894f0845fff0acb045d5ffc2d1385e379

SHA512
e8787f6bede688cc76ee286587ff1fa8d278a7c0a0ad5b57753ec79883ca7f7bea15d18549216cd0bc0f58aa894b785f28d5ed89fe7bb2330df2d1e67552c45d

Download Submit
C:\Windows\{47D1B5C1-1439-426d-B3C1-68B43964C2D9}.exe

Filesize
380KB

MD5
a4d2b073d56c2c41cb78a14049326261

SHA1
ed4ff56792972dd1ac94dd5ed0ce3e1969ec87f7

SHA256
d10c7300aeafb9e50e2fc0f0db5a3f3e36a2a3e6227010bd0bac80474a8642ba

SHA512
048acf800aaad3647284feb1982af9cdf594deee9f72a27f384469d0c425aa15a190a32143d75bae2e30a824f1d7a9b7821a488b5363b25c00c48e2a66d547a4

Download Submit
C:\Windows\{8BEF9D70-ED15-4e03-B7FB-30F4AB352429}.exe

Filesize
380KB

MD5
b12f449f47025bc3e7a42e534df3059d

SHA1
b5466446d9f38107c26fb308d9d8fcd01fe393ed

SHA256
0425cb965ffaa365f36bc39bf3744119292978eb8942b96a1919a7df0d01e070

SHA512
3f80302ebc8fff15a9b3cf46bc497ccdb0be950c0b8b2d79d678bb1b19a4634be162f0058f6ebc4e62d285b6798b821784af4d09ab0f440230a39c61780eab1c

Download Submit
C:\Windows\{AB3BC300-2000-49a6-BEAB-D1345709994D}.exe

Filesize
380KB

MD5
a9a0029eb41165139c7d6b05b6488e32

SHA1
4ed2c25b7e8ceb7697588c5e138977cf74940eb9

SHA256
80b64f2181f55a2aa6c1624680b8282f326c17a3642b4492ffe478ab463a52dd

SHA512
bd57dc3675a38b8f8b9e6cef53c3b3139bc1a1a1826b34b50da9216273f82229ba92cc6242c1dc89605aa45c195640ba338444d71a65a9cf1092544003728ea2

Download Submit
C:\Windows\{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe

Filesize
380KB

MD5
f82465c372a762289c1727d7f0dd6a98

SHA1
ff54d6038d66bc6f118319686804cf2d34b001c0

SHA256
6550f4bdde7df1dd0bfea472f4d6fe4545dbf76520204da406e53b45935d8b5d

SHA512
13acc1fa883c2b0aa2a7fb0b9b4b4e264d2d891e23a604c6a40af4fac93236d6bf77be66b9a291e4e752fb15ffdd72bb72d51924178a58615edd0a2aec1d2bdd

Download Submit
C:\Windows\{C1C6A2F4-6335-4939-B617-E62D1E7F7E27}.exe

Filesize
93KB

MD5
b38eaf0b929ee2a792f1566ae0c4434a

SHA1
dbecd0b9abf61cf7707f52c97d72fad97f910e92

SHA256
96d1af30a4dccb849a4a8fe4a5eb0f9078585685e613a479f4403137dcbfe9c8

SHA512
0a0e7da28129f89700291b0209d42a4d4c986e41f0a22df859705c5656e2e216c9393ed6b6fc93f2f696263408bae1ab8b60efd9491b60f1126af83c01abf53a

Download Submit
C:\Windows\{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe

Filesize
291KB

MD5
3898e88620a4a47f5addf15d53fda6d5

SHA1
13a93bff705eda6a2fc0ad4731a50b4d3a689714

SHA256
a9df0c8fc222ccbddd86d6d48467d26d5e56b8c13f6c119fec58a61fea6a40c3

SHA512
6c54c39fb20f41bcf8f6ebca4123df92b4918f89c28738f4c72c4fccad4d5621949e5dec82eb54eef59e0bb1ddcd97184c71fd3262ad1dabe97ae242b3c5daf2

Download Submit
C:\Windows\{CC7E42AE-8459-4e37-A9A4-5F569C04A1F2}.exe

Filesize
380KB

MD5
472c58b3203018a83736e68f7e17bf87

SHA1
0777fd56f23d295bd1e0b824240445a1c2ee7cf3

SHA256
d7e75e45b109cf3c48f1a0525105948af00aed8a40e77780f9d0b10faa264f94

SHA512
18c95a32d7a0fb54d8bc2e2e1c3674c30159a00607212508bb5e858350c89fe28756ca19f5d3d0a56add75128d0844e409f3016eb87e68ddc6bc138145f21d9d

Download Submit
C:\Windows\{F4D8102F-39AA-4f1b-B60D-8E71E969711A}.exe

Filesize
380KB

MD5
445dbb96337d20de04f3ff389af5ba6a

SHA1
a6e1b5f8fe4c38140aac1bf9489054397561c858

SHA256
86dcdb757b03820eb639d9cf5bd73bf389454dccd502a2b9faeafdf220f7ba32

SHA512
26772848fe8a06d5bca0401886ff0b6d35bdcebe729f2127b5c6391eba3beabd9697047389dba32f0d05fe22687e5975956f3826b92d5ae603afe0bf2eafc7e2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads