1883c1aca345f266478bd50a1b94522a70bd8081f50de5af29a5cfcf869dcac5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe
Size

168KB
MD5

931a009c1c430c6d1bfcd56424666a23
SHA1

ae862029ba6e50ae9dd5e7ce6df58b4026d780d2
SHA256

1883c1aca345f266478bd50a1b94522a70bd8081f50de5af29a5cfcf869dcac5
SHA512

c08c38473ad74339ea5b3826f80fede1a103fadbe335d5e7ba6033a42fce26effec176027e855a3b7cc1305478acec79b7fdb4b44aca89fc6b07ac97feaa19d4
SSDEEP

1536:1EGh0oYlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oYlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}\stubpath = "C:\\Windows\\{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe"	{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E9807F8-63B8-4fa4-BA79-02D6D756104A}\stubpath = "C:\\Windows\\{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe"	{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{477FE129-5FFC-425d-98E9-91A07B528A1B}	{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{143788D9-4693-447c-BB8C-19544043F52B}\stubpath = "C:\\Windows\\{143788D9-4693-447c-BB8C-19544043F52B}.exe"	{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54C24BC-4B60-4416-917E-83AEE14E7AB2}\stubpath = "C:\\Windows\\{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe"	{143788D9-4693-447c-BB8C-19544043F52B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}	{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{477FE129-5FFC-425d-98E9-91A07B528A1B}\stubpath = "C:\\Windows\\{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe"	{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}	{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13235294-715E-454a-885C-8AA31AA8F24F}	{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C854C58-4452-4524-B609-BAE4867D42B3}	{13235294-715E-454a-885C-8AA31AA8F24F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C854C58-4452-4524-B609-BAE4867D42B3}\stubpath = "C:\\Windows\\{3C854C58-4452-4524-B609-BAE4867D42B3}.exe"	{13235294-715E-454a-885C-8AA31AA8F24F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{143788D9-4693-447c-BB8C-19544043F52B}	{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F54C24BC-4B60-4416-917E-83AEE14E7AB2}	{143788D9-4693-447c-BB8C-19544043F52B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C800A38-9423-4337-B294-381D38E2F6EE}\stubpath = "C:\\Windows\\{6C800A38-9423-4337-B294-381D38E2F6EE}.exe"	{F3657051-C412-4911-A7E9-85813D6FD51E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3657051-C412-4911-A7E9-85813D6FD51E}	{3C854C58-4452-4524-B609-BAE4867D42B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3657051-C412-4911-A7E9-85813D6FD51E}\stubpath = "C:\\Windows\\{F3657051-C412-4911-A7E9-85813D6FD51E}.exe"	{3C854C58-4452-4524-B609-BAE4867D42B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E9807F8-63B8-4fa4-BA79-02D6D756104A}	{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}\stubpath = "C:\\Windows\\{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe"	{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C800A38-9423-4337-B294-381D38E2F6EE}	{F3657051-C412-4911-A7E9-85813D6FD51E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE7538D5-8552-4592-84AA-60ED6D4587A8}	{6C800A38-9423-4337-B294-381D38E2F6EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFEAE45C-4266-4aff-924F-AB27F0325884}	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFEAE45C-4266-4aff-924F-AB27F0325884}\stubpath = "C:\\Windows\\{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe"	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13235294-715E-454a-885C-8AA31AA8F24F}\stubpath = "C:\\Windows\\{13235294-715E-454a-885C-8AA31AA8F24F}.exe"	{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE7538D5-8552-4592-84AA-60ED6D4587A8}\stubpath = "C:\\Windows\\{AE7538D5-8552-4592-84AA-60ED6D4587A8}.exe"	{6C800A38-9423-4337-B294-381D38E2F6EE}.exe

Executes dropped EXE 12 IoCs

pid	Process
3456	{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe
3516	{143788D9-4693-447c-BB8C-19544043F52B}.exe
2724	{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe
1384	{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe
1388	{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe
4272	{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe
988	{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe
4384	{13235294-715E-454a-885C-8AA31AA8F24F}.exe
2492	{3C854C58-4452-4524-B609-BAE4867D42B3}.exe
2696	{F3657051-C412-4911-A7E9-85813D6FD51E}.exe
4352	{6C800A38-9423-4337-B294-381D38E2F6EE}.exe
1088	{AE7538D5-8552-4592-84AA-60ED6D4587A8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3C854C58-4452-4524-B609-BAE4867D42B3}.exe	{13235294-715E-454a-885C-8AA31AA8F24F}.exe
File created	C:\Windows\{F3657051-C412-4911-A7E9-85813D6FD51E}.exe	{3C854C58-4452-4524-B609-BAE4867D42B3}.exe
File created	C:\Windows\{6C800A38-9423-4337-B294-381D38E2F6EE}.exe	{F3657051-C412-4911-A7E9-85813D6FD51E}.exe
File created	C:\Windows\{AE7538D5-8552-4592-84AA-60ED6D4587A8}.exe	{6C800A38-9423-4337-B294-381D38E2F6EE}.exe
File created	C:\Windows\{143788D9-4693-447c-BB8C-19544043F52B}.exe	{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe
File created	C:\Windows\{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe	{143788D9-4693-447c-BB8C-19544043F52B}.exe
File created	C:\Windows\{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe	{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe
File created	C:\Windows\{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe	{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe
File created	C:\Windows\{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe
File created	C:\Windows\{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe	{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe
File created	C:\Windows\{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe	{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe
File created	C:\Windows\{13235294-715E-454a-885C-8AA31AA8F24F}.exe	{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4804	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3456	{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe
Token: SeIncBasePriorityPrivilege	3516	{143788D9-4693-447c-BB8C-19544043F52B}.exe
Token: SeIncBasePriorityPrivilege	2724	{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe
Token: SeIncBasePriorityPrivilege	1384	{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe
Token: SeIncBasePriorityPrivilege	1388	{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe
Token: SeIncBasePriorityPrivilege	4272	{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe
Token: SeIncBasePriorityPrivilege	988	{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe
Token: SeIncBasePriorityPrivilege	4384	{13235294-715E-454a-885C-8AA31AA8F24F}.exe
Token: SeIncBasePriorityPrivilege	2492	{3C854C58-4452-4524-B609-BAE4867D42B3}.exe
Token: SeIncBasePriorityPrivilege	2696	{F3657051-C412-4911-A7E9-85813D6FD51E}.exe
Token: SeIncBasePriorityPrivilege	4352	{6C800A38-9423-4337-B294-381D38E2F6EE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 3456	4804	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	87
PID 4804 wrote to memory of 3456	4804	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	87
PID 4804 wrote to memory of 3456	4804	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	87
PID 4804 wrote to memory of 3236	4804	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	88
PID 4804 wrote to memory of 3236	4804	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	88
PID 4804 wrote to memory of 3236	4804	2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe	88
PID 3456 wrote to memory of 3516	3456	{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe	89
PID 3456 wrote to memory of 3516	3456	{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe	89
PID 3456 wrote to memory of 3516	3456	{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe	89
PID 3456 wrote to memory of 3616	3456	{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe	90
PID 3456 wrote to memory of 3616	3456	{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe	90
PID 3456 wrote to memory of 3616	3456	{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe	90
PID 3516 wrote to memory of 2724	3516	{143788D9-4693-447c-BB8C-19544043F52B}.exe	93
PID 3516 wrote to memory of 2724	3516	{143788D9-4693-447c-BB8C-19544043F52B}.exe	93
PID 3516 wrote to memory of 2724	3516	{143788D9-4693-447c-BB8C-19544043F52B}.exe	93
PID 3516 wrote to memory of 4856	3516	{143788D9-4693-447c-BB8C-19544043F52B}.exe	94
PID 3516 wrote to memory of 4856	3516	{143788D9-4693-447c-BB8C-19544043F52B}.exe	94
PID 3516 wrote to memory of 4856	3516	{143788D9-4693-447c-BB8C-19544043F52B}.exe	94
PID 2724 wrote to memory of 1384	2724	{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe	95
PID 2724 wrote to memory of 1384	2724	{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe	95
PID 2724 wrote to memory of 1384	2724	{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe	95
PID 2724 wrote to memory of 4380	2724	{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe	96
PID 2724 wrote to memory of 4380	2724	{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe	96
PID 2724 wrote to memory of 4380	2724	{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe	96
PID 1384 wrote to memory of 1388	1384	{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe	97
PID 1384 wrote to memory of 1388	1384	{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe	97
PID 1384 wrote to memory of 1388	1384	{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe	97
PID 1384 wrote to memory of 4260	1384	{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe	98
PID 1384 wrote to memory of 4260	1384	{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe	98
PID 1384 wrote to memory of 4260	1384	{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe	98
PID 1388 wrote to memory of 4272	1388	{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe	99
PID 1388 wrote to memory of 4272	1388	{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe	99
PID 1388 wrote to memory of 4272	1388	{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe	99
PID 1388 wrote to memory of 4980	1388	{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe	100
PID 1388 wrote to memory of 4980	1388	{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe	100
PID 1388 wrote to memory of 4980	1388	{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe	100
PID 4272 wrote to memory of 988	4272	{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe	101
PID 4272 wrote to memory of 988	4272	{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe	101
PID 4272 wrote to memory of 988	4272	{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe	101
PID 4272 wrote to memory of 1876	4272	{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe	102
PID 4272 wrote to memory of 1876	4272	{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe	102
PID 4272 wrote to memory of 1876	4272	{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe	102
PID 988 wrote to memory of 4384	988	{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe	103
PID 988 wrote to memory of 4384	988	{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe	103
PID 988 wrote to memory of 4384	988	{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe	103
PID 988 wrote to memory of 1896	988	{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe	104
PID 988 wrote to memory of 1896	988	{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe	104
PID 988 wrote to memory of 1896	988	{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe	104
PID 4384 wrote to memory of 2492	4384	{13235294-715E-454a-885C-8AA31AA8F24F}.exe	105
PID 4384 wrote to memory of 2492	4384	{13235294-715E-454a-885C-8AA31AA8F24F}.exe	105
PID 4384 wrote to memory of 2492	4384	{13235294-715E-454a-885C-8AA31AA8F24F}.exe	105
PID 4384 wrote to memory of 2568	4384	{13235294-715E-454a-885C-8AA31AA8F24F}.exe	106
PID 4384 wrote to memory of 2568	4384	{13235294-715E-454a-885C-8AA31AA8F24F}.exe	106
PID 4384 wrote to memory of 2568	4384	{13235294-715E-454a-885C-8AA31AA8F24F}.exe	106
PID 2492 wrote to memory of 2696	2492	{3C854C58-4452-4524-B609-BAE4867D42B3}.exe	107
PID 2492 wrote to memory of 2696	2492	{3C854C58-4452-4524-B609-BAE4867D42B3}.exe	107
PID 2492 wrote to memory of 2696	2492	{3C854C58-4452-4524-B609-BAE4867D42B3}.exe	107
PID 2492 wrote to memory of 3704	2492	{3C854C58-4452-4524-B609-BAE4867D42B3}.exe	108
PID 2492 wrote to memory of 3704	2492	{3C854C58-4452-4524-B609-BAE4867D42B3}.exe	108
PID 2492 wrote to memory of 3704	2492	{3C854C58-4452-4524-B609-BAE4867D42B3}.exe	108
PID 2696 wrote to memory of 4352	2696	{F3657051-C412-4911-A7E9-85813D6FD51E}.exe	109
PID 2696 wrote to memory of 4352	2696	{F3657051-C412-4911-A7E9-85813D6FD51E}.exe	109
PID 2696 wrote to memory of 4352	2696	{F3657051-C412-4911-A7E9-85813D6FD51E}.exe	109
PID 2696 wrote to memory of 208	2696	{F3657051-C412-4911-A7E9-85813D6FD51E}.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_931a009c1c430c6d1bfcd56424666a23_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe
  C:\Windows\{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\{143788D9-4693-447c-BB8C-19544043F52B}.exe
    C:\Windows\{143788D9-4693-447c-BB8C-19544043F52B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe
      C:\Windows\{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe
        
        C:\Windows\{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Windows\{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe
        
        C:\Windows\{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe
        
        C:\Windows\{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe
        
        C:\Windows\{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\{13235294-715E-454a-885C-8AA31AA8F24F}.exe
        
        C:\Windows\{13235294-715E-454a-885C-8AA31AA8F24F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{3C854C58-4452-4524-B609-BAE4867D42B3}.exe
        
        C:\Windows\{3C854C58-4452-4524-B609-BAE4867D42B3}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\{F3657051-C412-4911-A7E9-85813D6FD51E}.exe
        
        C:\Windows\{F3657051-C412-4911-A7E9-85813D6FD51E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{6C800A38-9423-4337-B294-381D38E2F6EE}.exe
        
        C:\Windows\{6C800A38-9423-4337-B294-381D38E2F6EE}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
        
        C:\Windows\{AE7538D5-8552-4592-84AA-60ED6D4587A8}.exe
        
        C:\Windows\{AE7538D5-8552-4592-84AA-60ED6D4587A8}.exe
        13⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C800~1.EXE > nul
        13⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3657~1.EXE > nul
        12⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C854~1.EXE > nul
        11⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13235~1.EXE > nul
        10⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3FCC~1.EXE > nul
        9⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{477FE~1.EXE > nul
        8⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E980~1.EXE > nul
        7⤵
        
        PID:4980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BE9B~1.EXE > nul
        6⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F54C2~1.EXE > nul
        5⤵
        
        PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{14378~1.EXE > nul
      4⤵
      PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FFEAE~1.EXE > nul
    3⤵
    PID:3616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E9807F8-63B8-4fa4-BA79-02D6D756104A}.exe

Filesize
168KB

MD5
267661061e68d5e70d05149fce5744c5

SHA1
b57ee362f83e289eb0cda8deea5b5a370f5a46b4

SHA256
74dfe5691c1a3a56801539c172087ed23206651c6f54ac93343b695662ffc5be

SHA512
f5c4e7ae45293c66b90495bd29e8a4c6801dd5049f6e9c385fed9dae6dca192504dd09075b23c5cd83baf4590ca620a95b898337f3f01df8198bdf8a27b30dc4

Download Submit
C:\Windows\{13235294-715E-454a-885C-8AA31AA8F24F}.exe

Filesize
168KB

MD5
81ef9e8491c151c56dbdbca6f00c9687

SHA1
c6fd642016dc4ae6968de63217450e7f23cbb027

SHA256
31d9302a245343fbebf580aae485b39956ad4e725f8396e99f66e448e9b61b8a

SHA512
72b2f5fed7d9aff35f8ee491eb78c62effad1ebd7bbc16b3b1eb5ff7bb55b14dd46d80c37e09d6c03191f6025d0e3201a8b92d0cb93a005a02008f03362add68

Download Submit
C:\Windows\{143788D9-4693-447c-BB8C-19544043F52B}.exe

Filesize
168KB

MD5
04b33b34516f8f54bdcedbf60bd17967

SHA1
50f164350bb0ceb7ac150847ff085e720b9db088

SHA256
41272d22f41beb658748cccd1043c08d4065bcf2f97fbe4d42a65c225c02e613

SHA512
52e8d3a5a2c161bd1c48857939853e76989df98b94945dce76b4d22f269940f4c1d33e7041d3a5ff19d8000b88cf678d8f4e3bd38e86dc658211d76bf932f042

Download Submit
C:\Windows\{1BE9BAAA-80C7-45c1-A4D2-6BCA7AD578F2}.exe

Filesize
168KB

MD5
e7bc32c5aacd0aa33702229f12dbb011

SHA1
c4e723e7decfa47062de2c02e9f6ddb99cde5895

SHA256
fb6dd7eb451de2a733023d9f72a3ef544eaee2b897747a89e0e6a9977bb69a6a

SHA512
77b300639c1d0ca486fc1d3951477642dd06b74e9d327538b0d49c51667562c4088273e3a99f0e8e920ef142fb8706cc89cd98a22207425545f0f06d328c1d02

Download Submit
C:\Windows\{3C854C58-4452-4524-B609-BAE4867D42B3}.exe

Filesize
168KB

MD5
c1c3d2ef66ace5f1f37319280b8a25b4

SHA1
8c6f476d549d000c9639bc4854648313a48954e7

SHA256
d8faf2cca347faede8e05ef655d260c068607d77fe4abad13f57aae0b15697de

SHA512
c436271c267d7063a257dede91a2442d9f7fb4bbbd2097c11dc5a7815ccd583fe82c3e2611d002fc09fb9bfd6c4520e455623f61e5b8a9fb23d04be1fab9c18c

Download Submit
C:\Windows\{477FE129-5FFC-425d-98E9-91A07B528A1B}.exe

Filesize
168KB

MD5
26548516fa6fe465652dd230680e234c

SHA1
5fba5d33c0a6d80315723df2b62e1e3a0a6922b2

SHA256
9293dcced7fec3252379635051b4982ada17c5ba866f6c0a987036cf219c0277

SHA512
b0f168a9b223cf8555878c60853c1d45b4218b0d469545ed66e93bddea7e7c77e74b3e7c5457b9915bcc70dcfec73ac5e04f65abddf63e78ff69a87779105e2d

Download Submit
C:\Windows\{6C800A38-9423-4337-B294-381D38E2F6EE}.exe

Filesize
168KB

MD5
c386e10150b43e923532f8e148c41192

SHA1
ea6e354d409233e5ba09fba609198945c148c300

SHA256
e2810b8c94a96feb42ffbb4d3d4fe63a90ff8497a0193570731888d458bb1ad4

SHA512
b6f4944144afddb595773f33a61b84859b2cf6f6f4a42fcd8b1766fab0e98a93c06b50fd51ad2e10c5cdd28e76d9b816a95a3e1982a4ec5c0b17c96483d52ea4

Download Submit
C:\Windows\{AE7538D5-8552-4592-84AA-60ED6D4587A8}.exe

Filesize
168KB

MD5
3ce1a2e408a9219759b918572beb5c67

SHA1
a120665d418d6f989b37836585d2f9d4564ba09a

SHA256
1d52071025fe51deb23e2a122ec90a6ee504d8ddef171a9cf20d90e9d62547e1

SHA512
8a7f9575c9fe2520787e8bf8a052c4650d5d861f193b4c6822ab2f8d439ddc175288d5d9d8acf5115e61a98826c67a11c603970deed742686b1bca4cb35d2979

Download Submit
C:\Windows\{B3FCC5D4-BEA5-4ab8-9797-61696E3059B9}.exe

Filesize
168KB

MD5
9923ac5d2b1f6ecde6e692fda8ab3374

SHA1
320f3735c65410360669d92a23da2ad3ebfcccd8

SHA256
77d4e6bf5ddb0f7680a72624e3dd183446eabae60beef6c50fcd201b36c3ce49

SHA512
257e43aaad9cf9775f413321b20543807b9d6f7b97278ed3aaee60c7f97458cb20caa6d03140075112a6a8f32c3f32984c3bb5ff3bfb28268012ea30ce5a3bc1

Download Submit
C:\Windows\{F3657051-C412-4911-A7E9-85813D6FD51E}.exe

Filesize
168KB

MD5
1adc7e1f988e683586e500d322e82f80

SHA1
de093179ca0e406ddf9d163f1c1e9bc9db6e695b

SHA256
f9d320666c4167129f069941f7982f54f6498a8585f4e7a48a2f8bf9f905e3b7

SHA512
6144c2cfed5abb15c6913337b46da27bcff75cce7a8a83994f63bd4e12c16e29f52f00908858479584eb71133b8855c0ad034f927fa97f6dd927d392ebe90275

Download Submit
C:\Windows\{F54C24BC-4B60-4416-917E-83AEE14E7AB2}.exe

Filesize
168KB

MD5
d41891013b293187ca4a1d2b6bf1e038

SHA1
397848b460ca608cbead8ce4e163891be18c7d15

SHA256
036c61ff2a91ed05c48b5d11da2acda6d1b4fa27a481bb64eed0fb780078c254

SHA512
1c95c699939731ad2b7f5e99c076f260e8030f52695984fdacb57d5c19b2843a676e057f6ca5ce83600cd6cf461c78d888508a26acdb7756b27cd32e1d2f8ea6

Download Submit
C:\Windows\{FFEAE45C-4266-4aff-924F-AB27F0325884}.exe

Filesize
168KB

MD5
f3432d7d6dbc93a815c157013f00cc0a

SHA1
1bd5471672b6c6d35c272c47214b2a3765361f71

SHA256
1df3c103b91fc3029032d06bb40aad64928cea61d3d72f46497bc5f6a1df1180

SHA512
5d5b682df5934ba528f00c90fba5c8d2a801c42f89a19a3c991f454b5b1e932f3ceef2452d728435e7cfb86874c14c81ae53e18dd149ea9f00b52ecb91a0b5e6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads