a4e3fcfe923d1e2e0eb3e724158d157ba5560e246aa809d059b2c9f9aeb3527b

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe
Size

216KB
MD5

109f7f8c53547d4268b77c2636d56eac
SHA1

f0b3cc06f6a5bd55134b077348b25e60957afea8
SHA256

a4e3fcfe923d1e2e0eb3e724158d157ba5560e246aa809d059b2c9f9aeb3527b
SHA512

3b5c8aceef84cb3b5cc71ee7ededcfd15e565f3e274d5f05e4084c451fca463969aa9e0bfd9fb49ea4a8247e1923f2ab58d2700cd2e8dfb04698be733c20269e
SSDEEP

3072:jEGh0oRl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGLlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17354196-0C1C-45ca-84D6-F3E14C1605EA}	{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31C4369D-72B8-40d4-8ACE-22AE56A6292E}	{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}	{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24E066C8-6778-4934-AFF8-B172D35FAB56}\stubpath = "C:\\Windows\\{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe"	{0C137191-8082-45e5-BAB0-DACB687EB564}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A20CA1D7-4028-488c-8124-1C517AE54514}\stubpath = "C:\\Windows\\{A20CA1D7-4028-488c-8124-1C517AE54514}.exe"	{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8920EFC-5F74-455c-8E8B-F64E17322BD9}	{A20CA1D7-4028-488c-8124-1C517AE54514}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}	2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17354196-0C1C-45ca-84D6-F3E14C1605EA}\stubpath = "C:\\Windows\\{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe"	{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31C4369D-72B8-40d4-8ACE-22AE56A6292E}\stubpath = "C:\\Windows\\{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe"	{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C137191-8082-45e5-BAB0-DACB687EB564}	{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24E066C8-6778-4934-AFF8-B172D35FAB56}	{0C137191-8082-45e5-BAB0-DACB687EB564}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}\stubpath = "C:\\Windows\\{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe"	{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8920EFC-5F74-455c-8E8B-F64E17322BD9}\stubpath = "C:\\Windows\\{D8920EFC-5F74-455c-8E8B-F64E17322BD9}.exe"	{A20CA1D7-4028-488c-8124-1C517AE54514}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}\stubpath = "C:\\Windows\\{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe"	2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}\stubpath = "C:\\Windows\\{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe"	{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C137191-8082-45e5-BAB0-DACB687EB564}\stubpath = "C:\\Windows\\{0C137191-8082-45e5-BAB0-DACB687EB564}.exe"	{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}	{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}\stubpath = "C:\\Windows\\{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe"	{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}	{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A20CA1D7-4028-488c-8124-1C517AE54514}	{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}	{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}\stubpath = "C:\\Windows\\{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe"	{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe

Executes dropped EXE 11 IoCs

pid	Process
4588	{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe
4484	{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe
3964	{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe
4488	{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe
376	{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe
1412	{0C137191-8082-45e5-BAB0-DACB687EB564}.exe
3600	{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe
4312	{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe
1576	{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe
4844	{A20CA1D7-4028-488c-8124-1C517AE54514}.exe
2616	{D8920EFC-5F74-455c-8E8B-F64E17322BD9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe	{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe
File created	C:\Windows\{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe	{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe
File created	C:\Windows\{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe	{0C137191-8082-45e5-BAB0-DACB687EB564}.exe
File created	C:\Windows\{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe	2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe
File created	C:\Windows\{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe	{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe
File created	C:\Windows\{0C137191-8082-45e5-BAB0-DACB687EB564}.exe	{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe
File created	C:\Windows\{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe	{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe
File created	C:\Windows\{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe	{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe
File created	C:\Windows\{A20CA1D7-4028-488c-8124-1C517AE54514}.exe	{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe
File created	C:\Windows\{D8920EFC-5F74-455c-8E8B-F64E17322BD9}.exe	{A20CA1D7-4028-488c-8124-1C517AE54514}.exe
File created	C:\Windows\{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe	{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5028	2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4588	{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe
Token: SeIncBasePriorityPrivilege	4484	{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe
Token: SeIncBasePriorityPrivilege	3964	{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe
Token: SeIncBasePriorityPrivilege	4488	{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe
Token: SeIncBasePriorityPrivilege	376	{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe
Token: SeIncBasePriorityPrivilege	1412	{0C137191-8082-45e5-BAB0-DACB687EB564}.exe
Token: SeIncBasePriorityPrivilege	3600	{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe
Token: SeIncBasePriorityPrivilege	4312	{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe
Token: SeIncBasePriorityPrivilege	1576	{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe
Token: SeIncBasePriorityPrivilege	4844	{A20CA1D7-4028-488c-8124-1C517AE54514}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4588	5028	2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe	98
PID 5028 wrote to memory of 4588	5028	2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe	98
PID 5028 wrote to memory of 4588	5028	2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe	98
PID 5028 wrote to memory of 3716	5028	2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe	97
PID 5028 wrote to memory of 3716	5028	2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe	97
PID 5028 wrote to memory of 3716	5028	2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe	97
PID 4588 wrote to memory of 4484	4588	{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe	100
PID 4588 wrote to memory of 4484	4588	{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe	100
PID 4588 wrote to memory of 4484	4588	{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe	100
PID 4588 wrote to memory of 1000	4588	{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe	99
PID 4588 wrote to memory of 1000	4588	{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe	99
PID 4588 wrote to memory of 1000	4588	{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe	99
PID 4484 wrote to memory of 3964	4484	{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe	104
PID 4484 wrote to memory of 3964	4484	{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe	104
PID 4484 wrote to memory of 3964	4484	{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe	104
PID 4484 wrote to memory of 3044	4484	{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe	103
PID 4484 wrote to memory of 3044	4484	{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe	103
PID 4484 wrote to memory of 3044	4484	{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe	103
PID 3964 wrote to memory of 4488	3964	{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe	106
PID 3964 wrote to memory of 4488	3964	{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe	106
PID 3964 wrote to memory of 4488	3964	{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe	106
PID 3964 wrote to memory of 316	3964	{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe	105
PID 3964 wrote to memory of 316	3964	{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe	105
PID 3964 wrote to memory of 316	3964	{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe	105
PID 4488 wrote to memory of 376	4488	{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe	108
PID 4488 wrote to memory of 376	4488	{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe	108
PID 4488 wrote to memory of 376	4488	{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe	108
PID 4488 wrote to memory of 5100	4488	{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe	107
PID 4488 wrote to memory of 5100	4488	{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe	107
PID 4488 wrote to memory of 5100	4488	{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe	107
PID 376 wrote to memory of 1412	376	{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe	111
PID 376 wrote to memory of 1412	376	{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe	111
PID 376 wrote to memory of 1412	376	{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe	111
PID 376 wrote to memory of 2968	376	{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe	110
PID 376 wrote to memory of 2968	376	{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe	110
PID 376 wrote to memory of 2968	376	{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe	110
PID 1412 wrote to memory of 3600	1412	{0C137191-8082-45e5-BAB0-DACB687EB564}.exe	112
PID 1412 wrote to memory of 3600	1412	{0C137191-8082-45e5-BAB0-DACB687EB564}.exe	112
PID 1412 wrote to memory of 3600	1412	{0C137191-8082-45e5-BAB0-DACB687EB564}.exe	112
PID 1412 wrote to memory of 728	1412	{0C137191-8082-45e5-BAB0-DACB687EB564}.exe	113
PID 1412 wrote to memory of 728	1412	{0C137191-8082-45e5-BAB0-DACB687EB564}.exe	113
PID 1412 wrote to memory of 728	1412	{0C137191-8082-45e5-BAB0-DACB687EB564}.exe	113
PID 3600 wrote to memory of 4312	3600	{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe	115
PID 3600 wrote to memory of 4312	3600	{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe	115
PID 3600 wrote to memory of 4312	3600	{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe	115
PID 3600 wrote to memory of 4588	3600	{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe	114
PID 3600 wrote to memory of 4588	3600	{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe	114
PID 3600 wrote to memory of 4588	3600	{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe	114
PID 4312 wrote to memory of 1576	4312	{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe	121
PID 4312 wrote to memory of 1576	4312	{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe	121
PID 4312 wrote to memory of 1576	4312	{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe	121
PID 4312 wrote to memory of 2552	4312	{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe	120
PID 4312 wrote to memory of 2552	4312	{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe	120
PID 4312 wrote to memory of 2552	4312	{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe	120
PID 1576 wrote to memory of 4844	1576	{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe	122
PID 1576 wrote to memory of 4844	1576	{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe	122
PID 1576 wrote to memory of 4844	1576	{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe	122
PID 1576 wrote to memory of 4488	1576	{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe	123
PID 1576 wrote to memory of 4488	1576	{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe	123
PID 1576 wrote to memory of 4488	1576	{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe	123
PID 4844 wrote to memory of 2616	4844	{A20CA1D7-4028-488c-8124-1C517AE54514}.exe	125
PID 4844 wrote to memory of 2616	4844	{A20CA1D7-4028-488c-8124-1C517AE54514}.exe	125
PID 4844 wrote to memory of 2616	4844	{A20CA1D7-4028-488c-8124-1C517AE54514}.exe	125
PID 4844 wrote to memory of 1776	4844	{A20CA1D7-4028-488c-8124-1C517AE54514}.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_109f7f8c53547d4268b77c2636d56eac_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3716
- C:\Windows\{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe
  C:\Windows\{71CCFF6C-252F-42d5-AC0B-409E837A4FA5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{71CCF~1.EXE > nul
    3⤵
    PID:1000
- - C:\Windows\{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe
    C:\Windows\{17354196-0C1C-45ca-84D6-F3E14C1605EA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{17354~1.EXE > nul
      4⤵
      PID:3044
  - - C:\Windows\{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe
      C:\Windows\{027B5D05-6A1A-49ac-8DEB-B06CD803A14B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{027B5~1.EXE > nul
        5⤵
        
        PID:316
    - - C:\Windows\{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe
        
        C:\Windows\{31C4369D-72B8-40d4-8ACE-22AE56A6292E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31C43~1.EXE > nul
        6⤵
        
        PID:5100
      - C:\Windows\{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe
        
        C:\Windows\{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7057B~1.EXE > nul
        7⤵
        
        PID:2968
        
        C:\Windows\{0C137191-8082-45e5-BAB0-DACB687EB564}.exe
        
        C:\Windows\{0C137191-8082-45e5-BAB0-DACB687EB564}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe
        
        C:\Windows\{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24E06~1.EXE > nul
        9⤵
        
        PID:4588
        
        C:\Windows\{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe
        
        C:\Windows\{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C8A0~1.EXE > nul
        10⤵
        
        PID:2552
        
        C:\Windows\{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe
        
        C:\Windows\{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\{A20CA1D7-4028-488c-8124-1C517AE54514}.exe
        
        C:\Windows\{A20CA1D7-4028-488c-8124-1C517AE54514}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\{D8920EFC-5F74-455c-8E8B-F64E17322BD9}.exe
        
        C:\Windows\{D8920EFC-5F74-455c-8E8B-F64E17322BD9}.exe
        12⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A20CA~1.EXE > nul
        12⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0FFE~1.EXE > nul
        11⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C137~1.EXE > nul
        8⤵
        
        PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C137191-8082-45e5-BAB0-DACB687EB564}.exe

Filesize
216KB

MD5
f207b2f4a8fb7dc2d16351777a5ad890

SHA1
af4e8a4f11b3fbae82a4e63b4be0a97f80ad666e

SHA256
a889dbb0635fcb81c16eb987c50ea618615d56e697683e7298509aff34fca5bf

SHA512
eb1645656b83cf7f18065af5407d8b43557408c680d29e22ef55b2c1dcb5c69806e3c4dc584402d78710cbb9c47bfcc50b9b023dd0730def70baa612b6b756d1

Download Submit
C:\Windows\{24E066C8-6778-4934-AFF8-B172D35FAB56}.exe

Filesize
216KB

MD5
93f8f399168f217b2c5ed1f08cface6e

SHA1
5578a59a26484b42212f6204ca9983c1d18bd2c7

SHA256
6d6d8c35a87c163abb8fba27d0ea01ba50b7f38c629a67bea283ec0c81d6345a

SHA512
54c58f00dda7d88085b0ed2c7e73b45be2b56971941be79cbe289ad9199a5de0074917bb5467e07ddc618e2b431d1089260c1ac4f201e2f05ebc31ae9f145907

Download Submit
C:\Windows\{4C8A0641-07F2-4a26-9B5D-172BD542F3E2}.exe

Filesize
216KB

MD5
3b20f5391d60fb5fff48d1ce42c41562

SHA1
ef7bd2056bfdb07a5eddbb91555cd0d2ec7534d0

SHA256
6c7248aa3fc9d6f9772572430c045640e57609339a1da1ab4456324c4f8bedba

SHA512
69e012a7fa44fc70fff876b437c3f953864185e805cc3bf8ff4c698d2cc86e10f2335a7a5685a5f223823085a12690a4e67ce0cd8a2f62b944fb73307ba56d00

Download Submit
C:\Windows\{7057B1A0-3D0A-44a8-A39E-8F0A816DC656}.exe

Filesize
216KB

MD5
c25110c7fd7d4a5a1a66b4f3eebf8fd4

SHA1
afd9cc4c71ff92a34cb291e49567129204c10f21

SHA256
1097d3a9bb2463d4344ba739ac68b0c20610ebc4be47ab6de3837210ae3130b2

SHA512
e324f06e22b6508d092b928a7cc66076bd46cf73e449282e7f3d517af62cc86d586e5c1feb2a02745d3b4f35c08da44c5924a0cd9e51e686e1e3ab21399ec2c2

Download Submit
C:\Windows\{A20CA1D7-4028-488c-8124-1C517AE54514}.exe

Filesize
216KB

MD5
fe8247338f516978b7e262bc55265993

SHA1
92ffee6be6a0da7b2d8aa9031a9ae14364bb174c

SHA256
fba6103406c9fe0b311bd28b386aa3e246dd98695e68f410dd743b93e7dbe44a

SHA512
2b475171505258dfa343f6a84e3391228196819dd3f2b4e396c837c4424390d6096b735461fe462ee0d2baa8a230935f34639a34b72fc4fed0c8051f8301c7ad

Download Submit
C:\Windows\{D8920EFC-5F74-455c-8E8B-F64E17322BD9}.exe

Filesize
216KB

MD5
c4a7486f28dad53f4e042c40322fd2f4

SHA1
7836bf9675dddb9f080b82f66ff59c3f6d9c8a66

SHA256
9f76f936f44d15344ce69197528c54b8f6014a9db2abeb465309ac4c25fc3876

SHA512
e09b5bc82463d0593e25c71dd5adbc9108ac745fd63a3b0305939fb8aaa3606c31c67e8b3e484535b6dce16eefe4ed43be0d85a335a8090b031762d71b44c163

Download Submit
C:\Windows\{F0FFEE95-EC08-4431-89DB-638B4BE7EF93}.exe

Filesize
216KB

MD5
7af34c7a1d396df53baaeb2e4899961f

SHA1
aba34767484d3cf92283c6a45c94a2ae3ac1fb52

SHA256
f595dc44b513d3ce1c5ba6852adf7ba03fc948587fc37bc57bf2347fde00ebe7

SHA512
f109deecfc380f52c665d265d92756e3b68afa68f13ac248079552c34b81133e95a0bab8e941d1ff4aa28749c38c3bd02b73a903b602fa0a869d264c8e9d4279

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads