1b58cc07cb73cc43f5ef55a7bcf9a69ac3ef0936f67c6e4925f0379e4f165a1b

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 05:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe
Size

380KB
MD5

41711efce360ef96928dfcd05993272e
SHA1

e427b3f523ccaaaec8ec1f343468e6d91f933605
SHA256

1b58cc07cb73cc43f5ef55a7bcf9a69ac3ef0936f67c6e4925f0379e4f165a1b
SHA512

4803db238990c5dbd8815c6b69d0e8afbafd8a99bf6c19432eff54087ca6081eb49fe79facaea7e50b5e9066c5f093f92c70795b3630e1ff519d56ec281fb497
SSDEEP

3072:mEGh0oPlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGJl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D3968E2-3354-4985-B9DC-83ADD8BB5840}\stubpath = "C:\\Windows\\{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe"	{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A89CFBC-FB46-4023-83B0-4494AA954FB3}\stubpath = "C:\\Windows\\{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe"	{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD3E16A0-39C8-4748-A596-E6A6C6DF28B3}	{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}\stubpath = "C:\\Windows\\{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe"	{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD3E16A0-39C8-4748-A596-E6A6C6DF28B3}\stubpath = "C:\\Windows\\{FD3E16A0-39C8-4748-A596-E6A6C6DF28B3}.exe"	{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}\stubpath = "C:\\Windows\\{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe"	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}	{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}\stubpath = "C:\\Windows\\{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe"	{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E55D10B-C1F6-43ee-8CD7-876152DE8266}\stubpath = "C:\\Windows\\{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe"	{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}	{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A89CFBC-FB46-4023-83B0-4494AA954FB3}	{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BA526C5-49B4-4343-B6A0-7B9AD8372E53}\stubpath = "C:\\Windows\\{7BA526C5-49B4-4343-B6A0-7B9AD8372E53}.exe"	{FD3E16A0-39C8-4748-A596-E6A6C6DF28B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B20005F0-5B52-4df6-B775-13CC57A09B22}	{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B20005F0-5B52-4df6-B775-13CC57A09B22}\stubpath = "C:\\Windows\\{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe"	{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86B62638-3312-47b6-BA78-F492CD4B0365}	{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}	{86B62638-3312-47b6-BA78-F492CD4B0365}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}\stubpath = "C:\\Windows\\{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe"	{86B62638-3312-47b6-BA78-F492CD4B0365}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E55D10B-C1F6-43ee-8CD7-876152DE8266}	{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BA526C5-49B4-4343-B6A0-7B9AD8372E53}	{FD3E16A0-39C8-4748-A596-E6A6C6DF28B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D3968E2-3354-4985-B9DC-83ADD8BB5840}	{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E73DD65-80C2-47b9-A712-83CB660B2160}	{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E73DD65-80C2-47b9-A712-83CB660B2160}\stubpath = "C:\\Windows\\{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe"	{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86B62638-3312-47b6-BA78-F492CD4B0365}\stubpath = "C:\\Windows\\{86B62638-3312-47b6-BA78-F492CD4B0365}.exe"	{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe

Executes dropped EXE 11 IoCs

pid	Process
4312	{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe
4464	{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe
4384	{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe
636	{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe
4312	{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe
1908	{86B62638-3312-47b6-BA78-F492CD4B0365}.exe
3924	{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe
4480	{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe
3744	{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe
3972	{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe
2284	{FD3E16A0-39C8-4748-A596-E6A6C6DF28B3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe
File created	C:\Windows\{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe	{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe
File created	C:\Windows\{86B62638-3312-47b6-BA78-F492CD4B0365}.exe	{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe
File created	C:\Windows\{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe	{86B62638-3312-47b6-BA78-F492CD4B0365}.exe
File created	C:\Windows\{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe	{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe
File created	C:\Windows\{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe	{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe
File created	C:\Windows\{FD3E16A0-39C8-4748-A596-E6A6C6DF28B3}.exe	{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe
File created	C:\Windows\{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe	{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe
File created	C:\Windows\{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe	{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe
File created	C:\Windows\{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe	{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe
File created	C:\Windows\{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe	{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe
File created	C:\Windows\{7BA526C5-49B4-4343-B6A0-7B9AD8372E53}.exe	{FD3E16A0-39C8-4748-A596-E6A6C6DF28B3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3948	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4312	{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe
Token: SeIncBasePriorityPrivilege	4464	{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe
Token: SeIncBasePriorityPrivilege	4384	{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe
Token: SeIncBasePriorityPrivilege	636	{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe
Token: SeIncBasePriorityPrivilege	4312	{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe
Token: SeIncBasePriorityPrivilege	1908	{86B62638-3312-47b6-BA78-F492CD4B0365}.exe
Token: SeIncBasePriorityPrivilege	3924	{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe
Token: SeIncBasePriorityPrivilege	4480	{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe
Token: SeIncBasePriorityPrivilege	3744	{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe
Token: SeIncBasePriorityPrivilege	3972	{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 4312	3948	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	94
PID 3948 wrote to memory of 4312	3948	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	94
PID 3948 wrote to memory of 4312	3948	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	94
PID 3948 wrote to memory of 404	3948	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	95
PID 3948 wrote to memory of 404	3948	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	95
PID 3948 wrote to memory of 404	3948	2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe	95
PID 4312 wrote to memory of 4464	4312	{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe	101
PID 4312 wrote to memory of 4464	4312	{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe	101
PID 4312 wrote to memory of 4464	4312	{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe	101
PID 4312 wrote to memory of 3008	4312	{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe	100
PID 4312 wrote to memory of 3008	4312	{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe	100
PID 4312 wrote to memory of 3008	4312	{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe	100
PID 4464 wrote to memory of 4384	4464	{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe	104
PID 4464 wrote to memory of 4384	4464	{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe	104
PID 4464 wrote to memory of 4384	4464	{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe	104
PID 4464 wrote to memory of 3312	4464	{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe	105
PID 4464 wrote to memory of 3312	4464	{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe	105
PID 4464 wrote to memory of 3312	4464	{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe	105
PID 4384 wrote to memory of 636	4384	{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe	109
PID 4384 wrote to memory of 636	4384	{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe	109
PID 4384 wrote to memory of 636	4384	{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe	109
PID 4384 wrote to memory of 2428	4384	{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe	110
PID 4384 wrote to memory of 2428	4384	{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe	110
PID 4384 wrote to memory of 2428	4384	{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe	110
PID 636 wrote to memory of 4312	636	{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe	111
PID 636 wrote to memory of 4312	636	{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe	111
PID 636 wrote to memory of 4312	636	{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe	111
PID 636 wrote to memory of 1956	636	{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe	112
PID 636 wrote to memory of 1956	636	{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe	112
PID 636 wrote to memory of 1956	636	{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe	112
PID 4312 wrote to memory of 1908	4312	{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe	115
PID 4312 wrote to memory of 1908	4312	{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe	115
PID 4312 wrote to memory of 1908	4312	{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe	115
PID 4312 wrote to memory of 548	4312	{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe	116
PID 4312 wrote to memory of 548	4312	{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe	116
PID 4312 wrote to memory of 548	4312	{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe	116
PID 1908 wrote to memory of 3924	1908	{86B62638-3312-47b6-BA78-F492CD4B0365}.exe	118
PID 1908 wrote to memory of 3924	1908	{86B62638-3312-47b6-BA78-F492CD4B0365}.exe	118
PID 1908 wrote to memory of 3924	1908	{86B62638-3312-47b6-BA78-F492CD4B0365}.exe	118
PID 1908 wrote to memory of 4836	1908	{86B62638-3312-47b6-BA78-F492CD4B0365}.exe	119
PID 1908 wrote to memory of 4836	1908	{86B62638-3312-47b6-BA78-F492CD4B0365}.exe	119
PID 1908 wrote to memory of 4836	1908	{86B62638-3312-47b6-BA78-F492CD4B0365}.exe	119
PID 3924 wrote to memory of 4480	3924	{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe	120
PID 3924 wrote to memory of 4480	3924	{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe	120
PID 3924 wrote to memory of 4480	3924	{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe	120
PID 3924 wrote to memory of 4888	3924	{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe	121
PID 3924 wrote to memory of 4888	3924	{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe	121
PID 3924 wrote to memory of 4888	3924	{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe	121
PID 4480 wrote to memory of 3744	4480	{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe	122
PID 4480 wrote to memory of 3744	4480	{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe	122
PID 4480 wrote to memory of 3744	4480	{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe	122
PID 4480 wrote to memory of 2300	4480	{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe	123
PID 4480 wrote to memory of 2300	4480	{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe	123
PID 4480 wrote to memory of 2300	4480	{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe	123
PID 3744 wrote to memory of 3972	3744	{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe	124
PID 3744 wrote to memory of 3972	3744	{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe	124
PID 3744 wrote to memory of 3972	3744	{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe	124
PID 3744 wrote to memory of 3380	3744	{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe	125
PID 3744 wrote to memory of 3380	3744	{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe	125
PID 3744 wrote to memory of 3380	3744	{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe	125
PID 3972 wrote to memory of 2284	3972	{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe	128
PID 3972 wrote to memory of 2284	3972	{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe	128
PID 3972 wrote to memory of 2284	3972	{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe	128
PID 3972 wrote to memory of 916	3972	{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_41711efce360ef96928dfcd05993272e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe
  C:\Windows\{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6ABB2~1.EXE > nul
    3⤵
    PID:3008
- - C:\Windows\{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe
    C:\Windows\{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe
      C:\Windows\{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4384
    - - C:\Windows\{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe
        
        C:\Windows\{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Windows\{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe
        
        C:\Windows\{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{86B62638-3312-47b6-BA78-F492CD4B0365}.exe
        
        C:\Windows\{86B62638-3312-47b6-BA78-F492CD4B0365}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe
        
        C:\Windows\{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe
        
        C:\Windows\{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe
        
        C:\Windows\{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe
        
        C:\Windows\{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\{FD3E16A0-39C8-4748-A596-E6A6C6DF28B3}.exe
        
        C:\Windows\{FD3E16A0-39C8-4748-A596-E6A6C6DF28B3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A89C~1.EXE > nul
        12⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4AA7~1.EXE > nul
        11⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E55D~1.EXE > nul
        10⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{25C9F~1.EXE > nul
        9⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86B62~1.EXE > nul
        8⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2000~1.EXE > nul
        7⤵
        
        PID:548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E73D~1.EXE > nul
        6⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CF8B~1.EXE > nul
        5⤵
        
        PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1D396~1.EXE > nul
      4⤵
      PID:3312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A89CFBC-FB46-4023-83B0-4494AA954FB3}.exe

Filesize
380KB

MD5
1df3d65968c48dd9dea3517b9c57949a

SHA1
cbe818c12ac52c7bfe720e5db4eb900af95a1831

SHA256
e1a2776f026664ae8a7b2576b4ebb6a22344b8edf4e8bfeb1ce2d3a4b789fd6b

SHA512
007a973afa800e531d31fb41fbc30c9e0f0a8f0c8e50102ceeda9e9ed54611055ea602c425d5a48eaf047eff30c647c630951884ef8deddd82e170c6c529b935

Download Submit
C:\Windows\{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe

Filesize
240KB

MD5
a245ea75c1ed69723373e3073d07de0d

SHA1
779c6b5d325dbc808b6e2d6598722caa34f4e89e

SHA256
867ae3906641956f1a54e4199f1c11ad5c54c1579e93c03c3acc0c4b01d5994c

SHA512
ff2be61034ba7a10de22b924d1e20646b1c9cf70c963c80ac2a6966ffd3c836f9b57064b6d558c89eeb61af1a9a2e732122e9cfd2d7a316ff771aa857fef77a5

Download Submit
C:\Windows\{1D3968E2-3354-4985-B9DC-83ADD8BB5840}.exe

Filesize
380KB

MD5
d8ff4d48f3118751d086d2c85120801b

SHA1
cdb907132d58e2c447807b7e659df644d9a91f6b

SHA256
44d9837c50a2e715bd5a073454b00779c8926da161281901bba7a28640032e84

SHA512
bf88660a93ddfca682890c1adc9c6605ff5af511438e04bfea8fbba75fb39bc68dccdab1adc4e118c62e3bd96f718e5d5cdbb39b070c8b65158e8dc38abae3a5

Download Submit
C:\Windows\{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe

Filesize
163KB

MD5
ef60bb02d3be88db9335881db7a51d2d

SHA1
a0db1696f23d00e32e5ef19d65f4fad038f7b022

SHA256
ae4d7923bc97c5696b391aca60e26cbb217a17a8c622413712c34a6331620423

SHA512
fc7d02bbac545473aeff544799b582c0e0b58ca2aaeb58d712221ce0d025462c0968677e0cfaa7cbfa5261d69d8301551a7cfb4e06202c82fcc6c6b4ca35e55e

Download Submit
C:\Windows\{1E55D10B-C1F6-43ee-8CD7-876152DE8266}.exe

Filesize
267KB

MD5
5eaa86992e04c79ec076c2fd90cdd814

SHA1
804e0be6e1d929e254648a1ba5c6237946f4e1b4

SHA256
e4b9b20f6d216dd70f16d50e3376488e65d2015a693f78d11855c2ff247b32d7

SHA512
6ca9cb2dd6eb80c5e15de7a4876e7539139f904f28c20465f66d95e9ae6acf3197664b74abb9900cc3c3dd017a6fc087cc15f8bbeed715bd927ded40b44c0320

Download Submit
C:\Windows\{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe

Filesize
380KB

MD5
3b55952244500d42cd0b08d061dd40c9

SHA1
fa49dcb8040d723e76a582190ce34765d126846b

SHA256
faaab29642ff1912ec3d45f43ddb4a7432126a1dac677c89a3d36b39edd994cf

SHA512
f3563355dbf790ed7747683e2e1c1ace29353c5d99d8a35417716d09555f10a1825751c626957f83b3368fd17e670275a44d1a85687bb08b7a98c41eea4c68d6

Download Submit
C:\Windows\{25C9F1B9-9F91-4e10-A855-DF08A1FFEF1E}.exe

Filesize
254KB

MD5
f2a923c406cfed592faff0d9b5b56b97

SHA1
91274b16d1bdfa1ae4d2993c53b5d3f925e9a60f

SHA256
16c0ed3a15372a2abdf715216f6595d75cb0cfd158f50b0d8f757f624f266eb7

SHA512
491547f56e2aa921b6e57d133f119a9932517a352e5fe57848a43aa183d791d6c3102f60ca63e596ced16ddc2ff1291e1f80870c0debd5eb5fa155be97800d87

Download Submit
C:\Windows\{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe

Filesize
201KB

MD5
7afdfbe22f0cbae11249c060d97116b3

SHA1
b1b17d041f4a403e20879149a9a0e960ef06464e

SHA256
dfa6a466825fda4b9af1ab1d162a86cc60743bd40cad87362827fae6c3bf66de

SHA512
02d76e094503a6055913b170a74b39f077e588622ec76d09032991955fa3d8158285bf46df36a4a9990d62a8a8b7b5982a908833908edaa5243fbdc4a94c48fc

Download Submit
C:\Windows\{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe

Filesize
167KB

MD5
e2b3f33d3759f8a96a38792d5e2cf663

SHA1
27d9ad3f48d708a603324ff2aa16ed3fe75191dc

SHA256
f812ec25e2a3b73f33f541f75c7a20b6b1577d973fb7e4eda2272a348c6aa466

SHA512
8d5cd7346a82020c10a7cd1d717d0eb6ff053cc67e60e3f4f3667b1660bf1ac570629bad59fc79c80a05e3274e5542c366e7b70ab1b381ad2fd34a04a56606bc

Download Submit
C:\Windows\{3CF8B4C2-60C8-447b-9493-AAEEA9768BB4}.exe

Filesize
311KB

MD5
a11b424fffe6ef48333209cba7351be6

SHA1
9ef37e3d68db47c00686dc412066d7a2470434e8

SHA256
b68ad8449821e4447231d313a145626729e495fb48397a79d7bfa7901a19c248

SHA512
57dc8ea12f14aeae2e0f4cad7922d9bf4790eadbaad0a00b6ab4af74e0d58353012e3766663abc639e3f515c8b1398f415cb82c096054b8b7f9eee7ca537ffb9

Download Submit
C:\Windows\{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe

Filesize
50KB

MD5
58bf8618108143ab496cd036729aa641

SHA1
48faf9c65e6195df6f57f255f71490731759ecb7

SHA256
b07552562d2b29df980140e356577571831246f29297367d431fca8e64c113e5

SHA512
b7511d7bbde22c960c9ef6741c1f0afc711290e340b7791a86e208ea97352255259861f2fd3348e2d657c399724ad2094d050ec0d5de68925ca06ec09978b251

Download Submit
C:\Windows\{6ABB2F9C-E011-4ed8-AD60-769F93F7A7A5}.exe

Filesize
60KB

MD5
824a74f125e289e9b84867204de11859

SHA1
1ebb2e5000c5eec71bee8fbc2b637abb1269aa69

SHA256
4dc9b89b2ece2dba03cb4e051c9017da60ea21f8b3a156038003dfcf9a090a3e

SHA512
a46c46b355643eea6580fd10009966fa767efeab83fefd74713d031671c12973155d7acfc550d948c53565428ad1e27b7996f1c4747308364ff9b8535a38c280

Download Submit
C:\Windows\{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe

Filesize
19KB

MD5
7863d735a42cd466ab649bbeccf148b1

SHA1
193ab7f40fe0fb4869c08bf8b936397279a47eb0

SHA256
25f8d0afac109fdbf1486517d568e96a6ab0c4b3151d5c11e14ce7ee48960069

SHA512
f4ecc9e9ea080f1622d1e7426ce4a2541b371abf38db88baed193aabd77c29e9f1e21da714ec20d546cbecce00dd95ad4dcb993b48e8ee2c69fe66055444bb47

Download Submit
C:\Windows\{7E73DD65-80C2-47b9-A712-83CB660B2160}.exe

Filesize
26KB

MD5
2772621ef180f19fc9c809ec665ed7df

SHA1
6780bd09490cb191b32f5f6934579f8af1c34f0a

SHA256
13060c3195b0edfdbd6de58ec9ee9a16c505d14557549de3d9b26120002a991a

SHA512
002f0aaa9372482529e71fc2f0ebf1974ecff7a92ee70c39423819115a27f236f5de9f988e758b9347335a36bb8a1cba204e0720dadbb911688bf98ac41e35b7

Download Submit
C:\Windows\{86B62638-3312-47b6-BA78-F492CD4B0365}.exe

Filesize
380KB

MD5
4903e39dc3017d9cd401143d11eec30c

SHA1
4172492f1555bc4d439f70fbb39e556b5038cf95

SHA256
b4680107dd2c6cafd26eddb0319e6f4c260e80007368dcfb10a7e3fe785fcd34

SHA512
daf9a2b07d532d5736ad16e780e03e0e721406c1c83cd4dcdd086cb5d23c92d536d19625bf0ae23ea68fb772677eb918cccb881eaef755fe255e1caaeb52e68f

Download Submit
C:\Windows\{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe

Filesize
176KB

MD5
272c07b8b43c20b6a7a168449182b1a2

SHA1
fa03039dc2c8e2529ac3d82d6e67315475ade37e

SHA256
275013cea1f2476cac8882c1948aa4b962ca33c53d7e9529c3168026910181e9

SHA512
58c113a33a85adc9bb3eb37e6121e4aa40faa66d94e275bf1a25987e42e01919b39d5c8d61bd09af074082cb9bff13c69d4e8ba02390dc3b724115d622165a0c

Download Submit
C:\Windows\{B20005F0-5B52-4df6-B775-13CC57A09B22}.exe

Filesize
196KB

MD5
7725e6137592fa0991a11d950de194ce

SHA1
5c85fd16105dd8b305872ba71d8d0e9ddae33e7c

SHA256
d2e3c2b297d90893dc42a6c4aaece33ce3e92bfcd55bb4091a4a1fc683452434

SHA512
46866cbe10866a739ede960e3a76780d1e46bc55c1b2b0b9d422a873170ac3bba3c36c36aa5891669a2f379aba5c0dfef70c08fd54c40513c28f46dfc54c7e0e

Download Submit
C:\Windows\{C4AA7D33-DB45-46cd-9DFC-5F898CCCD94B}.exe

Filesize
380KB

MD5
bdd9a0862eabe2d85d900a221a305ef5

SHA1
ec332a1f0f34b2ce98c01bfc192d2d4ab423cfab

SHA256
44bf907a66165979893631e0bc2a1c45bcb1948c739e7033aefc68d5d2e2aa46

SHA512
3c9f5864ae2b1e98763e2c2671dc9df27ccf146fb2428bb3ffc79f1c1a79c01ee5267bacb7a132f10bc6741b2daf9de6cf17c62c7afec44ca5205ad0a14a7ccb

Download Submit
C:\Windows\{FD3E16A0-39C8-4748-A596-E6A6C6DF28B3}.exe

Filesize
380KB

MD5
9ff14c1f6d4c05b6e31eb70660b7bd4a

SHA1
0981f63c21e8750ec94654189936109d6bd2105e

SHA256
036f8c3c57575b9f7cb3b006e04f95382c89e10ea0a1601e92bba89f458795e1

SHA512
90abcd4124df609cb4720677a6ebd16cd47686ef279c1a30269e9541ac5f7d32aeb24a2f0592deaeb90529b5fc5f873fb3ea388f0c3e8a2e9b753fae6a23404c

Download Submit
memory/4480-32-0x00000000775C0000-0x000000007763A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads