52067da7f636b7a01d09858e903b6be8b55ad377070958d87d4e656df028bae2

Analysis

max time kernel
182s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe
Size

344KB
MD5

f3c51382c846d2f78709c9c58f96655f
SHA1

98d88a64138a4b79a6d62e136ac2837f5726a124
SHA256

52067da7f636b7a01d09858e903b6be8b55ad377070958d87d4e656df028bae2
SHA512

4f5f8b768f23c35ef10fa27d15e6e1f0d5747558dad0355059ea8abf60921efbeeffe7716d98ce64853e0889616f7a3b84eee0855b0d8d74dfc758711ee84ab0
SSDEEP

3072:mEGh0ojlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGVlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}\stubpath = "C:\\Windows\\{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe"	{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}	{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}\stubpath = "C:\\Windows\\{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe"	{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18266147-FF74-4700-BD47-F3C3E0FFE3F6}	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}	{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51967F67-D3AB-45aa-9395-6E8814CF8A43}	{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}	{D315A02F-4336-4d4b-9161-973816E44AEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}\stubpath = "C:\\Windows\\{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe"	{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D315A02F-4336-4d4b-9161-973816E44AEF}	{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D315A02F-4336-4d4b-9161-973816E44AEF}\stubpath = "C:\\Windows\\{D315A02F-4336-4d4b-9161-973816E44AEF}.exe"	{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}\stubpath = "C:\\Windows\\{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe"	{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}\stubpath = "C:\\Windows\\{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe"	{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51967F67-D3AB-45aa-9395-6E8814CF8A43}\stubpath = "C:\\Windows\\{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe"	{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{208FC857-3E9A-4bcd-9815-D133517C0EC2}	{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCB92003-FB7B-4bc4-AD52-94E004F178EA}	{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C698E84F-945C-45fa-A876-2068694A9AB7}	{FCB92003-FB7B-4bc4-AD52-94E004F178EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C698E84F-945C-45fa-A876-2068694A9AB7}\stubpath = "C:\\Windows\\{C698E84F-945C-45fa-A876-2068694A9AB7}.exe"	{FCB92003-FB7B-4bc4-AD52-94E004F178EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18266147-FF74-4700-BD47-F3C3E0FFE3F6}\stubpath = "C:\\Windows\\{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe"	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{208FC857-3E9A-4bcd-9815-D133517C0EC2}\stubpath = "C:\\Windows\\{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe"	{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}	{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}	{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}	{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}\stubpath = "C:\\Windows\\{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe"	{D315A02F-4336-4d4b-9161-973816E44AEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCB92003-FB7B-4bc4-AD52-94E004F178EA}\stubpath = "C:\\Windows\\{FCB92003-FB7B-4bc4-AD52-94E004F178EA}.exe"	{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe

Executes dropped EXE 12 IoCs

pid	Process
1624	{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe
4108	{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe
4432	{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe
4776	{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe
4108	{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe
3728	{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe
4408	{D315A02F-4336-4d4b-9161-973816E44AEF}.exe
4908	{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe
3212	{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe
2204	{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe
2540	{FCB92003-FB7B-4bc4-AD52-94E004F178EA}.exe
336	{C698E84F-945C-45fa-A876-2068694A9AB7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe	{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe
File created	C:\Windows\{D315A02F-4336-4d4b-9161-973816E44AEF}.exe	{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe
File created	C:\Windows\{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe	{D315A02F-4336-4d4b-9161-973816E44AEF}.exe
File created	C:\Windows\{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe	{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe
File created	C:\Windows\{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe	{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe
File created	C:\Windows\{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe	{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe
File created	C:\Windows\{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe	{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe
File created	C:\Windows\{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe	{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe
File created	C:\Windows\{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe	{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe
File created	C:\Windows\{FCB92003-FB7B-4bc4-AD52-94E004F178EA}.exe	{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe
File created	C:\Windows\{C698E84F-945C-45fa-A876-2068694A9AB7}.exe	{FCB92003-FB7B-4bc4-AD52-94E004F178EA}.exe
File created	C:\Windows\{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2148	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1624	{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe
Token: SeIncBasePriorityPrivilege	4108	{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe
Token: SeIncBasePriorityPrivilege	4432	{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe
Token: SeIncBasePriorityPrivilege	4776	{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe
Token: SeIncBasePriorityPrivilege	4108	{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe
Token: SeIncBasePriorityPrivilege	3728	{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe
Token: SeIncBasePriorityPrivilege	4408	{D315A02F-4336-4d4b-9161-973816E44AEF}.exe
Token: SeIncBasePriorityPrivilege	4908	{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe
Token: SeIncBasePriorityPrivilege	3212	{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe
Token: SeIncBasePriorityPrivilege	2204	{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe
Token: SeIncBasePriorityPrivilege	2540	{FCB92003-FB7B-4bc4-AD52-94E004F178EA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 1624	2148	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	96
PID 2148 wrote to memory of 1624	2148	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	96
PID 2148 wrote to memory of 1624	2148	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	96
PID 2148 wrote to memory of 400	2148	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	95
PID 2148 wrote to memory of 400	2148	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	95
PID 2148 wrote to memory of 400	2148	2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe	95
PID 1624 wrote to memory of 4108	1624	{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe	100
PID 1624 wrote to memory of 4108	1624	{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe	100
PID 1624 wrote to memory of 4108	1624	{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe	100
PID 1624 wrote to memory of 3836	1624	{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe	101
PID 1624 wrote to memory of 3836	1624	{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe	101
PID 1624 wrote to memory of 3836	1624	{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe	101
PID 4108 wrote to memory of 4432	4108	{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe	103
PID 4108 wrote to memory of 4432	4108	{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe	103
PID 4108 wrote to memory of 4432	4108	{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe	103
PID 4108 wrote to memory of 1528	4108	{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe	102
PID 4108 wrote to memory of 1528	4108	{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe	102
PID 4108 wrote to memory of 1528	4108	{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe	102
PID 4432 wrote to memory of 4776	4432	{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe	106
PID 4432 wrote to memory of 4776	4432	{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe	106
PID 4432 wrote to memory of 4776	4432	{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe	106
PID 4432 wrote to memory of 2148	4432	{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe	107
PID 4432 wrote to memory of 2148	4432	{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe	107
PID 4432 wrote to memory of 2148	4432	{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe	107
PID 4776 wrote to memory of 4108	4776	{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe	112
PID 4776 wrote to memory of 4108	4776	{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe	112
PID 4776 wrote to memory of 4108	4776	{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe	112
PID 4776 wrote to memory of 3280	4776	{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe	113
PID 4776 wrote to memory of 3280	4776	{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe	113
PID 4776 wrote to memory of 3280	4776	{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe	113
PID 4108 wrote to memory of 3728	4108	{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe	115
PID 4108 wrote to memory of 3728	4108	{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe	115
PID 4108 wrote to memory of 3728	4108	{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe	115
PID 4108 wrote to memory of 1132	4108	{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe	116
PID 4108 wrote to memory of 1132	4108	{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe	116
PID 4108 wrote to memory of 1132	4108	{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe	116
PID 3728 wrote to memory of 4408	3728	{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe	117
PID 3728 wrote to memory of 4408	3728	{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe	117
PID 3728 wrote to memory of 4408	3728	{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe	117
PID 3728 wrote to memory of 4432	3728	{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe	118
PID 3728 wrote to memory of 4432	3728	{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe	118
PID 3728 wrote to memory of 4432	3728	{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe	118
PID 4408 wrote to memory of 4908	4408	{D315A02F-4336-4d4b-9161-973816E44AEF}.exe	121
PID 4408 wrote to memory of 4908	4408	{D315A02F-4336-4d4b-9161-973816E44AEF}.exe	121
PID 4408 wrote to memory of 4908	4408	{D315A02F-4336-4d4b-9161-973816E44AEF}.exe	121
PID 4408 wrote to memory of 2884	4408	{D315A02F-4336-4d4b-9161-973816E44AEF}.exe	122
PID 4408 wrote to memory of 2884	4408	{D315A02F-4336-4d4b-9161-973816E44AEF}.exe	122
PID 4408 wrote to memory of 2884	4408	{D315A02F-4336-4d4b-9161-973816E44AEF}.exe	122
PID 4908 wrote to memory of 3212	4908	{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe	123
PID 4908 wrote to memory of 3212	4908	{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe	123
PID 4908 wrote to memory of 3212	4908	{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe	123
PID 4908 wrote to memory of 1240	4908	{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe	124
PID 4908 wrote to memory of 1240	4908	{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe	124
PID 4908 wrote to memory of 1240	4908	{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe	124
PID 3212 wrote to memory of 2204	3212	{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe	125
PID 3212 wrote to memory of 2204	3212	{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe	125
PID 3212 wrote to memory of 2204	3212	{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe	125
PID 3212 wrote to memory of 400	3212	{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe	126
PID 3212 wrote to memory of 400	3212	{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe	126
PID 3212 wrote to memory of 400	3212	{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe	126
PID 2204 wrote to memory of 2540	2204	{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe	127
PID 2204 wrote to memory of 2540	2204	{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe	127
PID 2204 wrote to memory of 2540	2204	{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe	127
PID 2204 wrote to memory of 2820	2204	{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_f3c51382c846d2f78709c9c58f96655f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:400
- C:\Windows\{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe
  C:\Windows\{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe
    C:\Windows\{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A795A~1.EXE > nul
      4⤵
      PID:1528
  - - C:\Windows\{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe
      C:\Windows\{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Windows\{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe
        
        C:\Windows\{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Windows\{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe
        
        C:\Windows\{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe
        
        C:\Windows\{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\{D315A02F-4336-4d4b-9161-973816E44AEF}.exe
        
        C:\Windows\{D315A02F-4336-4d4b-9161-973816E44AEF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe
        
        C:\Windows\{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe
        
        C:\Windows\{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe
        
        C:\Windows\{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{FCB92003-FB7B-4bc4-AD52-94E004F178EA}.exe
        
        C:\Windows\{FCB92003-FB7B-4bc4-AD52-94E004F178EA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\{C698E84F-945C-45fa-A876-2068694A9AB7}.exe
        
        C:\Windows\{C698E84F-945C-45fa-A876-2068694A9AB7}.exe
        13⤵
        Executes dropped EXE
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCB92~1.EXE > nul
        13⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77C5B~1.EXE > nul
        12⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{728B6~1.EXE > nul
        11⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AEF1~1.EXE > nul
        10⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D315A~1.EXE > nul
        9⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D58E2~1.EXE > nul
        8⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{208FC~1.EXE > nul
        7⤵
        
        PID:1132
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51967~1.EXE > nul
        6⤵
        
        PID:3280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D1E4~1.EXE > nul
        5⤵
        
        PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{18266~1.EXE > nul
    3⤵
    PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe

Filesize
130KB

MD5
c7c0c95b48514922b03e297aeed3573f

SHA1
eb2576cdb4162c73cc2d800b2a8f3cdaf88f7520

SHA256
adc9a7a22991690e0876a11196bc0781a7da1921b4f00a15d81a32131c4eb16d

SHA512
95d69593d388c4492cb42d8a30cb364bf773d5aecd4c87e22e7e86e4f39ec7b447e09cdcb42b64b28a20b05bcc5b33952ac619fa3f3cd9be975bf218cd81fc2c

Download Submit
C:\Windows\{18266147-FF74-4700-BD47-F3C3E0FFE3F6}.exe

Filesize
89KB

MD5
ff9ffc39de82645a0a6f634676f0dee8

SHA1
63b2bf29c5649519fe02a442f73b9d0db186e9a1

SHA256
4634cb88aa20331b03ea8c6c7669549890e2e6630d9b5e48631b10b99cd46f20

SHA512
c782a84b6f2fc22bda3ba64a8a302b3b3c1b48ae4a4c3168247e4eff44d4792d206f3195cfd6d94ef6dbc2484f6ebc34a42b72c280029243e66192faa89031d1

Download Submit
C:\Windows\{208FC857-3E9A-4bcd-9815-D133517C0EC2}.exe

Filesize
344KB

MD5
176a802de205a345821cddde44830bdb

SHA1
8df3a42cc78b4461020d5a18253285411c35a8b5

SHA256
9c7370cea8501404ade694377810531fd3cbd1df429005dc0023d060bcc504e5

SHA512
e66bcdcbd0d7469401ca1a2e052faf5de0823e3f5c2f88a13e1b2dfd71e8a22c7120906eeba5cd11664fe968a80cef1ebb0426a8cadbb2f536285bad8fbc712c

Download Submit
C:\Windows\{51967F67-D3AB-45aa-9395-6E8814CF8A43}.exe

Filesize
344KB

MD5
9e14661c03b20646fc3e39e7fbeb0794

SHA1
50c8d7236c5dc9296e805d605b92ec39807fb886

SHA256
69e67366409ef2d89cc3af46b4f4cee6b97c180eca134b09baf35903c6e8913d

SHA512
dcaabef322318c69b2dcde786515c234f5d69c8c085d928457fd7e41f5a01ccc33b79dea886510653466667f950458203e9bd4b414ba3145f0b839e31b1f762c

Download Submit
C:\Windows\{5AEF169D-57B2-49b6-8D89-ECC56D67D4EC}.exe

Filesize
344KB

MD5
353228ce9490fe8aa65a3a7f652c7c03

SHA1
1322f819582166614c27da41d0bbf150e58bb878

SHA256
9340ba073334bfa40a551e426d313933949741f7ab0cea5a7b5161cff7099950

SHA512
3a7ba87f722b2c92f0cd38ea1c30856a96ade693a261e00f15c419817b530ef74b621084db2eaa5c2ebd370aa8c1561009a0bd7ef048a887a4b21f53a968ab3b

Download Submit
C:\Windows\{728B6E7D-4127-4d5e-ACD6-DAF0C3A76377}.exe

Filesize
344KB

MD5
e9ee8e872ea3dd69f7ba66a132e6aedd

SHA1
2cd2ada38d0f19e60c5f184a0b0f822be791a0d8

SHA256
b90e0dc833107ada5245546307671fced5f15ec2b543bc4096509cde1fcd0766

SHA512
340ffceceea8c65e209fed4f4fb97d2ecf96f6c7fa0a0d83d50862a49e1f7785fa66f52c407158f2f96e5fdec1a116bb9f26cbb4c5a6cc5ed16233e3d4a77875

Download Submit
C:\Windows\{77C5B19C-C37B-4e6c-AA93-F7D1FE521B0A}.exe

Filesize
344KB

MD5
eae948bfb8f0a890553cd3de16987cef

SHA1
674b052567ce2ad19aecc5ef09d82708524ce96c

SHA256
e61ea4e4ee3e0a469c205523ea93ee42c4333c5895e282c6cb02dab7fbaf7011

SHA512
e5d749342ca9183cd1588816f47efa518f0f52d2aa83a490d6a3985175416950a1755d2d2a932795faee28c9ab5d22152180a4d3e4384bfdb73be3cac76d8bc4

Download Submit
C:\Windows\{7D1E45E8-1CB6-47fa-9A2D-7F7FAF5EC78C}.exe

Filesize
344KB

MD5
c299918ba5473bb546fddfcebd60c6d0

SHA1
2a4e97ed6c9bb0192ceca3b8941dfc1f85c4ebf6

SHA256
11e2e6286621acb15310801ef636f06557a5653f86869f40a82b1d38a838d591

SHA512
d14933c665b752f3037cfccd3380a20ccf8135dadedd2ea053a9a6e449abbe729f9c8705e8aa81ebe0be9c741a2114746b0640d890923c4fd49978f789cad9c5

Download Submit
C:\Windows\{A795ADE2-0BEF-4ca4-AFE3-37D7A387BCF3}.exe

Filesize
344KB

MD5
a831b34a4e7dbb6e8dd8643b93bd1481

SHA1
a22174f944a02d251383b6b7b3c5cda6703abffb

SHA256
8c4147b7a6cf962366cfb9198e8185dccea1a532d69cb83e21aaf85088d87230

SHA512
f1a8dd87f65eccab928e6f1c021ac2bcc586dc9bbe2bbc905eb3812931ad8a06a68c43ae0935dd134d9c5e7b526d32cebb731c4eb4a793d4412ae245ee96d59f

Download Submit
C:\Windows\{C698E84F-945C-45fa-A876-2068694A9AB7}.exe

Filesize
128KB

MD5
ec484cfd9879c8b1acbc95233b95f458

SHA1
a6c057ab50eadb1b76c9dac3ece9ebb435d10123

SHA256
8c799ac0cc65742c311cccedabc63961902aa0afc4b03c03820210eaa6ff5a5c

SHA512
8648f6802dc31f8701dbe95f0963b754d19e081ee9da7f9e052e77b9c92028dee25a15465af416eeee4804e7774ce3895e97229d4c111eab09a5746be80bb876

Download Submit
C:\Windows\{C698E84F-945C-45fa-A876-2068694A9AB7}.exe

Filesize
116KB

MD5
bc19f0d5fc9be185a01620eb55d13982

SHA1
f39e9e933ea63c4cdc1edd049da0e24a48cd88df

SHA256
c0f1a88633ebf640f0781db99f1b7007d7075ae2a02e71891d89e45095f85ff0

SHA512
e070e2c2ee1e6d16dbfc2bbd24a862b79c7a51da1aed261d7b394d784d479fe7c48f1c666e13ab65ad04ce3acf13a8adee6ac7ee57363c78477262e9c4a6a276

Download Submit
C:\Windows\{D315A02F-4336-4d4b-9161-973816E44AEF}.exe

Filesize
344KB

MD5
4c8f16966d6a5dd892b69c93aa29b886

SHA1
99a3509c060c419bd163b907844a564a8b5eacc0

SHA256
29b29148db6e79d67d1284bb1eaeab42d90ced1ca053aaea14b04744f4c3f691

SHA512
63e33c2cff8bf7055a9397e7c8dd7697e621891e0486610695ae4e2e4ef934fe8c2f9eb26a286b9b0a62b3bbcd4012d96e9c93568c95c639a58594f6a9c09562

Download Submit
C:\Windows\{D58E2CBF-8921-42a9-8F5D-5947546A2F2C}.exe

Filesize
344KB

MD5
2ed142f323178efb22ca9da01e02798d

SHA1
b872b91bfdacc1bcdf34ba74b875bdbac55f79a7

SHA256
6c86c88d6b295ae04cde5a97195e977cd5453752eabc41ff5f39f1b96f9fc253

SHA512
81f33e1a006885ba3cb88005302aac859b708f343937a1bf3dc873e383d5a04ff7673e12e97f3e98adea44d0fd907ba1f84b2c944895749972ff1b752647745e

Download Submit
C:\Windows\{FCB92003-FB7B-4bc4-AD52-94E004F178EA}.exe

Filesize
344KB

MD5
5b38562c1eac3de2df6a6613a44e0fe1

SHA1
c34170f2b252eb169e60ae1db48b6de6fc2788e6

SHA256
ed6a470551aea21f1d0923ed2ef8c5e7018772b851b4c8ea95da8a170e8c4b3d

SHA512
1e979bec0606f42ff4adda1ab9e1c88dc4ad4c72a59a4eb3d9c3d939464f4a164788bb90f82272fe46d8f6298a692d79988eca57a3234333b8e2c449a54781d1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads