d68bad69edcdbf10e83f7c81a6c69efd4be09a87d213ca48d96a5008977dd922

Analysis

max time kernel
168s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe
Size

204KB
MD5

f6d490aa629a670aeff60be2fea1bb01
SHA1

30657646cdfa807647d1447a874342588a4b1789
SHA256

d68bad69edcdbf10e83f7c81a6c69efd4be09a87d213ca48d96a5008977dd922
SHA512

39ae7fffc241e311d9cd2a6aa93bb8ee8ad7d2e303633e6388c0ba20cc3127b70762d707f32e10021a80080ab45451069276cb59a03793fc96e2b0b94a67c653
SSDEEP

1536:1EGh0ogl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ogl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}	{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}\stubpath = "C:\\Windows\\{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe"	{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D82F0991-A723-48b0-9CFB-857413E1697D}\stubpath = "C:\\Windows\\{D82F0991-A723-48b0-9CFB-857413E1697D}.exe"	{F2D5A728-4066-4a76-A154-596DBAC05648}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8F94B2-BF26-481b-A46E-DB8F1F9781D6}\stubpath = "C:\\Windows\\{AA8F94B2-BF26-481b-A46E-DB8F1F9781D6}.exe"	{D82F0991-A723-48b0-9CFB-857413E1697D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB16E7FA-C869-4dd6-95D0-9C41A9645412}	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABDB0021-060D-474e-A763-CB1904A3510D}\stubpath = "C:\\Windows\\{ABDB0021-060D-474e-A763-CB1904A3510D}.exe"	{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}\stubpath = "C:\\Windows\\{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe"	{ABDB0021-060D-474e-A763-CB1904A3510D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB16E7FA-C869-4dd6-95D0-9C41A9645412}\stubpath = "C:\\Windows\\{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe"	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}	{ABDB0021-060D-474e-A763-CB1904A3510D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16E1C1BD-01B0-4be2-B06B-6442DE12541B}\stubpath = "C:\\Windows\\{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe"	{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0ADC2B8-470F-41c3-B181-2EF62035A087}\stubpath = "C:\\Windows\\{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe"	{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D82F0991-A723-48b0-9CFB-857413E1697D}	{F2D5A728-4066-4a76-A154-596DBAC05648}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABDB0021-060D-474e-A763-CB1904A3510D}	{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}	{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}\stubpath = "C:\\Windows\\{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe"	{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0ADC2B8-470F-41c3-B181-2EF62035A087}	{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D5A728-4066-4a76-A154-596DBAC05648}	{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D5A728-4066-4a76-A154-596DBAC05648}\stubpath = "C:\\Windows\\{F2D5A728-4066-4a76-A154-596DBAC05648}.exe"	{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8F94B2-BF26-481b-A46E-DB8F1F9781D6}	{D82F0991-A723-48b0-9CFB-857413E1697D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16E1C1BD-01B0-4be2-B06B-6442DE12541B}	{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4281CAA5-54DF-4073-BF46-A2C599613CAE}	{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4281CAA5-54DF-4073-BF46-A2C599613CAE}\stubpath = "C:\\Windows\\{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe"	{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe

Executes dropped EXE 11 IoCs

pid	Process
1760	{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe
1404	{ABDB0021-060D-474e-A763-CB1904A3510D}.exe
5060	{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe
1208	{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe
1320	{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe
1392	{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe
3188	{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe
1164	{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe
3600	{F2D5A728-4066-4a76-A154-596DBAC05648}.exe
1268	{D82F0991-A723-48b0-9CFB-857413E1697D}.exe
4332	{AA8F94B2-BF26-481b-A46E-DB8F1F9781D6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe	{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe
File created	C:\Windows\{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe	{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe
File created	C:\Windows\{F2D5A728-4066-4a76-A154-596DBAC05648}.exe	{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe
File created	C:\Windows\{D82F0991-A723-48b0-9CFB-857413E1697D}.exe	{F2D5A728-4066-4a76-A154-596DBAC05648}.exe
File created	C:\Windows\{AA8F94B2-BF26-481b-A46E-DB8F1F9781D6}.exe	{D82F0991-A723-48b0-9CFB-857413E1697D}.exe
File created	C:\Windows\{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe	{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe
File created	C:\Windows\{ABDB0021-060D-474e-A763-CB1904A3510D}.exe	{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe
File created	C:\Windows\{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe	{ABDB0021-060D-474e-A763-CB1904A3510D}.exe
File created	C:\Windows\{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe	{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe
File created	C:\Windows\{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe	{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe
File created	C:\Windows\{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4088	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1760	{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe
Token: SeIncBasePriorityPrivilege	1404	{ABDB0021-060D-474e-A763-CB1904A3510D}.exe
Token: SeIncBasePriorityPrivilege	5060	{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe
Token: SeIncBasePriorityPrivilege	1208	{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe
Token: SeIncBasePriorityPrivilege	1320	{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe
Token: SeIncBasePriorityPrivilege	1392	{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe
Token: SeIncBasePriorityPrivilege	3188	{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe
Token: SeIncBasePriorityPrivilege	1164	{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe
Token: SeIncBasePriorityPrivilege	3600	{F2D5A728-4066-4a76-A154-596DBAC05648}.exe
Token: SeIncBasePriorityPrivilege	1268	{D82F0991-A723-48b0-9CFB-857413E1697D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 1760	4088	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	93
PID 4088 wrote to memory of 1760	4088	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	93
PID 4088 wrote to memory of 1760	4088	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	93
PID 4088 wrote to memory of 1788	4088	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	94
PID 4088 wrote to memory of 1788	4088	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	94
PID 4088 wrote to memory of 1788	4088	2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe	94
PID 1760 wrote to memory of 1404	1760	{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe	97
PID 1760 wrote to memory of 1404	1760	{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe	97
PID 1760 wrote to memory of 1404	1760	{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe	97
PID 1760 wrote to memory of 3648	1760	{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe	98
PID 1760 wrote to memory of 3648	1760	{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe	98
PID 1760 wrote to memory of 3648	1760	{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe	98
PID 1404 wrote to memory of 5060	1404	{ABDB0021-060D-474e-A763-CB1904A3510D}.exe	100
PID 1404 wrote to memory of 5060	1404	{ABDB0021-060D-474e-A763-CB1904A3510D}.exe	100
PID 1404 wrote to memory of 5060	1404	{ABDB0021-060D-474e-A763-CB1904A3510D}.exe	100
PID 1404 wrote to memory of 64	1404	{ABDB0021-060D-474e-A763-CB1904A3510D}.exe	101
PID 1404 wrote to memory of 64	1404	{ABDB0021-060D-474e-A763-CB1904A3510D}.exe	101
PID 1404 wrote to memory of 64	1404	{ABDB0021-060D-474e-A763-CB1904A3510D}.exe	101
PID 5060 wrote to memory of 1208	5060	{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe	106
PID 5060 wrote to memory of 1208	5060	{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe	106
PID 5060 wrote to memory of 1208	5060	{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe	106
PID 5060 wrote to memory of 4844	5060	{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe	107
PID 5060 wrote to memory of 4844	5060	{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe	107
PID 5060 wrote to memory of 4844	5060	{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe	107
PID 1208 wrote to memory of 1320	1208	{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe	111
PID 1208 wrote to memory of 1320	1208	{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe	111
PID 1208 wrote to memory of 1320	1208	{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe	111
PID 1208 wrote to memory of 4692	1208	{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe	110
PID 1208 wrote to memory of 4692	1208	{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe	110
PID 1208 wrote to memory of 4692	1208	{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe	110
PID 1320 wrote to memory of 1392	1320	{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe	113
PID 1320 wrote to memory of 1392	1320	{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe	113
PID 1320 wrote to memory of 1392	1320	{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe	113
PID 1320 wrote to memory of 5084	1320	{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe	114
PID 1320 wrote to memory of 5084	1320	{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe	114
PID 1320 wrote to memory of 5084	1320	{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe	114
PID 1392 wrote to memory of 3188	1392	{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe	115
PID 1392 wrote to memory of 3188	1392	{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe	115
PID 1392 wrote to memory of 3188	1392	{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe	115
PID 1392 wrote to memory of 1760	1392	{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe	116
PID 1392 wrote to memory of 1760	1392	{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe	116
PID 1392 wrote to memory of 1760	1392	{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe	116
PID 3188 wrote to memory of 1164	3188	{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe	117
PID 3188 wrote to memory of 1164	3188	{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe	117
PID 3188 wrote to memory of 1164	3188	{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe	117
PID 3188 wrote to memory of 4000	3188	{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe	118
PID 3188 wrote to memory of 4000	3188	{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe	118
PID 3188 wrote to memory of 4000	3188	{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe	118
PID 1164 wrote to memory of 3600	1164	{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe	119
PID 1164 wrote to memory of 3600	1164	{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe	119
PID 1164 wrote to memory of 3600	1164	{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe	119
PID 1164 wrote to memory of 1568	1164	{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe	120
PID 1164 wrote to memory of 1568	1164	{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe	120
PID 1164 wrote to memory of 1568	1164	{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe	120
PID 3600 wrote to memory of 1268	3600	{F2D5A728-4066-4a76-A154-596DBAC05648}.exe	128
PID 3600 wrote to memory of 1268	3600	{F2D5A728-4066-4a76-A154-596DBAC05648}.exe	128
PID 3600 wrote to memory of 1268	3600	{F2D5A728-4066-4a76-A154-596DBAC05648}.exe	128
PID 3600 wrote to memory of 3472	3600	{F2D5A728-4066-4a76-A154-596DBAC05648}.exe	127
PID 3600 wrote to memory of 3472	3600	{F2D5A728-4066-4a76-A154-596DBAC05648}.exe	127
PID 3600 wrote to memory of 3472	3600	{F2D5A728-4066-4a76-A154-596DBAC05648}.exe	127
PID 1268 wrote to memory of 4332	1268	{D82F0991-A723-48b0-9CFB-857413E1697D}.exe	129
PID 1268 wrote to memory of 4332	1268	{D82F0991-A723-48b0-9CFB-857413E1697D}.exe	129
PID 1268 wrote to memory of 4332	1268	{D82F0991-A723-48b0-9CFB-857413E1697D}.exe	129
PID 1268 wrote to memory of 2520	1268	{D82F0991-A723-48b0-9CFB-857413E1697D}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-10_f6d490aa629a670aeff60be2fea1bb01_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe
  C:\Windows\{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\{ABDB0021-060D-474e-A763-CB1904A3510D}.exe
    C:\Windows\{ABDB0021-060D-474e-A763-CB1904A3510D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe
      C:\Windows\{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe
        
        C:\Windows\{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16E1C~1.EXE > nul
        6⤵
        
        PID:4692
      - C:\Windows\{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe
        
        C:\Windows\{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe
        
        C:\Windows\{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe
        
        C:\Windows\{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe
        
        C:\Windows\{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\{F2D5A728-4066-4a76-A154-596DBAC05648}.exe
        
        C:\Windows\{F2D5A728-4066-4a76-A154-596DBAC05648}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2D5A~1.EXE > nul
        11⤵
        
        PID:3472
        
        C:\Windows\{D82F0991-A723-48b0-9CFB-857413E1697D}.exe
        
        C:\Windows\{D82F0991-A723-48b0-9CFB-857413E1697D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{AA8F94B2-BF26-481b-A46E-DB8F1F9781D6}.exe
        
        C:\Windows\{AA8F94B2-BF26-481b-A46E-DB8F1F9781D6}.exe
        12⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D82F0~1.EXE > nul
        12⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0ADC~1.EXE > nul
        10⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18815~1.EXE > nul
        9⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74815~1.EXE > nul
        8⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4281C~1.EXE > nul
        7⤵
        
        PID:5084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F3AB~1.EXE > nul
        5⤵
        
        PID:4844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ABDB0~1.EXE > nul
      4⤵
      PID:64
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DB16E~1.EXE > nul
    3⤵
    PID:3648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16E1C1BD-01B0-4be2-B06B-6442DE12541B}.exe

Filesize
204KB

MD5
b1058c4a34ebe5d0e74710a3f7d48967

SHA1
4ef439b31c41bfab8a57d95a517f1bbbe9ddfa81

SHA256
14555e9c95a637245e180f7e0d55912d35efdfebc55aa4498a5fb122a1479ef5

SHA512
baf5db14a71d931b08b77fca9474b031fb361ab8e409549e0a559e3eed72c6c1fcba4c7faada9b4b8b627ccc8c8caa6e880e2fe484a34f1de32a1788fc9d103b

Download Submit
C:\Windows\{18815AA8-3BC1-4db4-8C2D-6C16B09930E0}.exe

Filesize
204KB

MD5
da5291a0c37c4f4d95631972406ede83

SHA1
e1eb7e94a192a549584ef59e3befa8f4b121bffa

SHA256
96fca723adb9c6b3e117c46be9906257a313e4da19359128309691c3dee23662

SHA512
f011b2548a0819b8492957e7c70e7545587428cd2fe839d8ac7be336ae59e1b24fbd550ccb920b00fefec6883e7094db2d23879294b0c7dee2378f7be0098f14

Download Submit
C:\Windows\{4281CAA5-54DF-4073-BF46-A2C599613CAE}.exe

Filesize
204KB

MD5
03cba7fe08099c2790ef766980da1c2b

SHA1
b9614309ed36db9e3e8043942881d5fce2167e41

SHA256
a40dbd76c6b53f017f1357cfd011bcd9fbbb783a9226fd60985b55e99ad6e9dd

SHA512
e270bac60c5c1fe4ec61e4395d9161d74f797ee2c80488beb01155ebcf92dd1405d7e327298b1796b4805fc67e16e5a6afb89bbe7c57b3677d793ca874ca1f2c

Download Submit
C:\Windows\{748153ED-1F2E-44b1-A93B-AE1C3A73DE7F}.exe

Filesize
204KB

MD5
9a6ac1c5d4c3419cf5e78253248d9d7c

SHA1
0757a0f6cc52517093bc982d34f668b9c705ee79

SHA256
df7f9f0f4a8cef2b91d0eed12032973afc328d34d02baa11325ae63b756c511d

SHA512
d296399826fde118be1a7294a6282bfa6c31584325e6b1b5b825aa5f5491737e8da5c0813e7e64931abac24f04ff6fb325c1cb52d3d7c6b86dc94709f4fcd07b

Download Submit
C:\Windows\{7F3AB232-0EFD-48ea-95A1-3724CFC6595C}.exe

Filesize
204KB

MD5
8d0c0c748d7197c6afa2287c320ed3f4

SHA1
b54bf4b2d69c9e1ccaa044e19647873f023ad4e4

SHA256
e181cec65e8abeddf24d4cfc94da7d35676046ac747c452c9b11df3f3d763337

SHA512
15dd43a4dc81370f1e0f0b0b783d631eb685b4ff3d25542fcc9faf01c3095566adb8322931c8079bc229316dd99e47d9c6fe3faf9294685d52cd51d43ff64eff

Download Submit
C:\Windows\{A0ADC2B8-470F-41c3-B181-2EF62035A087}.exe

Filesize
204KB

MD5
f0f7c0d45a26907ab8784b612e30a1c4

SHA1
e8c03e30e83799905d4e8e36c5815f5a1c5698ed

SHA256
c714f3b4445edb172e70687fd8d851b4e842f878ad8214a29a64f8c75a4475f8

SHA512
e4683b12e0a165ac96de910b3b5d4cac2ad66eb7d3f89ef9ca00746bf551cf58791e216a74a668c669383962a8496580184f3d264f4b21cc80a2ec0a66de0ce6

Download Submit
C:\Windows\{AA8F94B2-BF26-481b-A46E-DB8F1F9781D6}.exe

Filesize
204KB

MD5
113fde12525d53956f5187460280fa96

SHA1
56055284ea65e7cd16b6855cf150d8d7219935aa

SHA256
537c3f344d74f851970ae25e53052183a495ef266d7996e37e00c5bd6da06396

SHA512
1a85dcb382ca538a986e7e625cf0beb0b048ede0d47753bf8b99beabdda85cd279966651163aa4392e3463f9d5e7e075275071ca3feb1c12ac907fec6a56f5fe

Download Submit
C:\Windows\{ABDB0021-060D-474e-A763-CB1904A3510D}.exe

Filesize
204KB

MD5
fd40faea95bd7e88dd8ddc50899f7d59

SHA1
ef4a32668fa90cc49be26939001dbbd377e44f57

SHA256
f8998ba41b51a391e733bc8a41d67020bd5068fc3c0f1e188da5ab56dc55283e

SHA512
ff81cc8ca50828c7e1bea749ae928de799a73cb24f1ce856689e6546f3a143228db6aa79acfb6c6e1407ef03cfe78f32784d175df67f40f660176bad117a5028

Download Submit
C:\Windows\{D82F0991-A723-48b0-9CFB-857413E1697D}.exe

Filesize
204KB

MD5
4ce053f46868ac92e7e6c5c3d6fbd77d

SHA1
c0eab6203ec039900f846ccb210a666910e9229d

SHA256
f38f76fb65087c8df619c01d22d4612377700406c3b1359ed183f56633e280ff

SHA512
10cc6c85eb8acd5aea3821c87e6235d1f21dc880a9485ccc8c495245301a961ff68b075f5974ed43ca770f3f49ac2f7ab802b308fcb5b11cfda4b4acae2f5701

Download Submit
C:\Windows\{DB16E7FA-C869-4dd6-95D0-9C41A9645412}.exe

Filesize
204KB

MD5
9336079aceb809c9c20bffb81ee812aa

SHA1
8b2a8a4cbf985046a65149e81511276c8b0e84f5

SHA256
2c51186d60cb8df861a87fd00a0201485e6d89355ae56d448839dc139556e1ac

SHA512
0bb7c00a044c806e273226a745d0b6d0ab64ee9b6eec4963f89829917c92b85cc65319e830c68e3dba77d0acafa515908c1c3ed80c86daf6844ef5fb143bc4d5

Download Submit
C:\Windows\{F2D5A728-4066-4a76-A154-596DBAC05648}.exe

Filesize
204KB

MD5
0d4c8ae7e20d828573e13674f65717fa

SHA1
76fecffbbac639138d442e9d5ca00f85e61be903

SHA256
fd854fa370e9b56337e65130cbf4446a675f073e0cdc73eecf9e62d6de3d784c

SHA512
73d1b8993b62907373659e628d94cdff3e002a3d56adc8c4f1a4f9a25cb431a2d1abb4d1125d697bb247019608e4258bf6cfe0403c174a348c44b4625446a5fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads