8e65267fc116d45b552ac590f2fa90ecede7b3012d39b8b01ff6bf7986c8744d

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe
Size

372KB
MD5

3fbaaef7612cf758a1e2a0c281e090a9
SHA1

6df89fe7d6eb05c3e243f2644a948de65e969ddc
SHA256

8e65267fc116d45b552ac590f2fa90ecede7b3012d39b8b01ff6bf7986c8744d
SHA512

8418acae9dff0d65121fa66538c51dfa2ff46eda9de2ccb547e8498e91c0ae8df31a0e539b59e4f73ffd4aad7fc652feb604525ee3a3f33708c4231f9ce529a1
SSDEEP

3072:CEGh0owlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGalkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{653D82E3-90FA-4d90-BD7E-D3533B155714}\stubpath = "C:\\Windows\\{653D82E3-90FA-4d90-BD7E-D3533B155714}.exe"	{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F35D033-012C-4a6e-943B-DD6FCE23458B}	{653D82E3-90FA-4d90-BD7E-D3533B155714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE87E101-E201-40b5-9D23-F037B6579D9B}	{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18F8D8FD-B5EC-4898-820C-02E3C0060820}	{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56394BF0-6EC4-424d-9C13-85B51D2B8A72}	{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2074135-A07F-4e94-8ACE-422238F7A6FE}\stubpath = "C:\\Windows\\{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe"	{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{653D82E3-90FA-4d90-BD7E-D3533B155714}	{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}	{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}\stubpath = "C:\\Windows\\{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe"	{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}\stubpath = "C:\\Windows\\{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe"	{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18F8D8FD-B5EC-4898-820C-02E3C0060820}\stubpath = "C:\\Windows\\{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe"	{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}\stubpath = "C:\\Windows\\{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe"	{947E02B3-0905-4107-99A6-234055FC4B35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5038153-471F-4ad5-AEFC-BF94F5551D0B}\stubpath = "C:\\Windows\\{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe"	{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2074135-A07F-4e94-8ACE-422238F7A6FE}	{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F35D033-012C-4a6e-943B-DD6FCE23458B}\stubpath = "C:\\Windows\\{9F35D033-012C-4a6e-943B-DD6FCE23458B}.exe"	{653D82E3-90FA-4d90-BD7E-D3533B155714}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A85D74F7-8BA1-4808-A88F-7785BF6C7489}\stubpath = "C:\\Windows\\{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe"	2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE87E101-E201-40b5-9D23-F037B6579D9B}\stubpath = "C:\\Windows\\{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe"	{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56394BF0-6EC4-424d-9C13-85B51D2B8A72}\stubpath = "C:\\Windows\\{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe"	{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}	{947E02B3-0905-4107-99A6-234055FC4B35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5038153-471F-4ad5-AEFC-BF94F5551D0B}	{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A85D74F7-8BA1-4808-A88F-7785BF6C7489}	2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}	{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{947E02B3-0905-4107-99A6-234055FC4B35}	{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{947E02B3-0905-4107-99A6-234055FC4B35}\stubpath = "C:\\Windows\\{947E02B3-0905-4107-99A6-234055FC4B35}.exe"	{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe

Executes dropped EXE 12 IoCs

pid	Process
4456	{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe
2132	{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe
4292	{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe
1272	{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe
5084	{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe
616	{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe
4632	{947E02B3-0905-4107-99A6-234055FC4B35}.exe
1280	{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe
2444	{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe
2052	{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe
660	{653D82E3-90FA-4d90-BD7E-D3533B155714}.exe
2592	{9F35D033-012C-4a6e-943B-DD6FCE23458B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe	{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe
File created	C:\Windows\{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe	{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe
File created	C:\Windows\{947E02B3-0905-4107-99A6-234055FC4B35}.exe	{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe
File created	C:\Windows\{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe	{947E02B3-0905-4107-99A6-234055FC4B35}.exe
File created	C:\Windows\{653D82E3-90FA-4d90-BD7E-D3533B155714}.exe	{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe
File created	C:\Windows\{9F35D033-012C-4a6e-943B-DD6FCE23458B}.exe	{653D82E3-90FA-4d90-BD7E-D3533B155714}.exe
File created	C:\Windows\{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe	2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe
File created	C:\Windows\{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe	{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe
File created	C:\Windows\{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe	{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe
File created	C:\Windows\{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe	{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe
File created	C:\Windows\{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe	{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe
File created	C:\Windows\{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe	{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1156	2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4456	{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe
Token: SeIncBasePriorityPrivilege	2132	{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe
Token: SeIncBasePriorityPrivilege	4292	{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe
Token: SeIncBasePriorityPrivilege	1272	{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe
Token: SeIncBasePriorityPrivilege	5084	{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe
Token: SeIncBasePriorityPrivilege	616	{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe
Token: SeIncBasePriorityPrivilege	4632	{947E02B3-0905-4107-99A6-234055FC4B35}.exe
Token: SeIncBasePriorityPrivilege	1280	{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe
Token: SeIncBasePriorityPrivilege	2444	{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe
Token: SeIncBasePriorityPrivilege	2052	{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe
Token: SeIncBasePriorityPrivilege	660	{653D82E3-90FA-4d90-BD7E-D3533B155714}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 4456	1156	2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe	88
PID 1156 wrote to memory of 4456	1156	2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe	88
PID 1156 wrote to memory of 4456	1156	2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe	88
PID 1156 wrote to memory of 3872	1156	2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe	89
PID 1156 wrote to memory of 3872	1156	2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe	89
PID 1156 wrote to memory of 3872	1156	2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe	89
PID 4456 wrote to memory of 2132	4456	{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe	97
PID 4456 wrote to memory of 2132	4456	{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe	97
PID 4456 wrote to memory of 2132	4456	{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe	97
PID 4456 wrote to memory of 3476	4456	{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe	98
PID 4456 wrote to memory of 3476	4456	{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe	98
PID 4456 wrote to memory of 3476	4456	{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe	98
PID 2132 wrote to memory of 4292	2132	{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe	102
PID 2132 wrote to memory of 4292	2132	{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe	102
PID 2132 wrote to memory of 4292	2132	{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe	102
PID 2132 wrote to memory of 4668	2132	{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe	103
PID 2132 wrote to memory of 4668	2132	{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe	103
PID 2132 wrote to memory of 4668	2132	{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe	103
PID 4292 wrote to memory of 1272	4292	{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe	104
PID 4292 wrote to memory of 1272	4292	{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe	104
PID 4292 wrote to memory of 1272	4292	{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe	104
PID 4292 wrote to memory of 2624	4292	{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe	105
PID 4292 wrote to memory of 2624	4292	{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe	105
PID 4292 wrote to memory of 2624	4292	{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe	105
PID 1272 wrote to memory of 5084	1272	{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe	106
PID 1272 wrote to memory of 5084	1272	{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe	106
PID 1272 wrote to memory of 5084	1272	{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe	106
PID 1272 wrote to memory of 1444	1272	{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe	107
PID 1272 wrote to memory of 1444	1272	{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe	107
PID 1272 wrote to memory of 1444	1272	{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe	107
PID 5084 wrote to memory of 616	5084	{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe	109
PID 5084 wrote to memory of 616	5084	{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe	109
PID 5084 wrote to memory of 616	5084	{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe	109
PID 5084 wrote to memory of 776	5084	{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe	110
PID 5084 wrote to memory of 776	5084	{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe	110
PID 5084 wrote to memory of 776	5084	{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe	110
PID 616 wrote to memory of 4632	616	{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe	111
PID 616 wrote to memory of 4632	616	{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe	111
PID 616 wrote to memory of 4632	616	{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe	111
PID 616 wrote to memory of 4248	616	{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe	112
PID 616 wrote to memory of 4248	616	{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe	112
PID 616 wrote to memory of 4248	616	{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe	112
PID 4632 wrote to memory of 1280	4632	{947E02B3-0905-4107-99A6-234055FC4B35}.exe	119
PID 4632 wrote to memory of 1280	4632	{947E02B3-0905-4107-99A6-234055FC4B35}.exe	119
PID 4632 wrote to memory of 1280	4632	{947E02B3-0905-4107-99A6-234055FC4B35}.exe	119
PID 4632 wrote to memory of 444	4632	{947E02B3-0905-4107-99A6-234055FC4B35}.exe	120
PID 4632 wrote to memory of 444	4632	{947E02B3-0905-4107-99A6-234055FC4B35}.exe	120
PID 4632 wrote to memory of 444	4632	{947E02B3-0905-4107-99A6-234055FC4B35}.exe	120
PID 1280 wrote to memory of 2444	1280	{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe	121
PID 1280 wrote to memory of 2444	1280	{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe	121
PID 1280 wrote to memory of 2444	1280	{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe	121
PID 1280 wrote to memory of 436	1280	{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe	122
PID 1280 wrote to memory of 436	1280	{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe	122
PID 1280 wrote to memory of 436	1280	{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe	122
PID 2444 wrote to memory of 2052	2444	{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe	123
PID 2444 wrote to memory of 2052	2444	{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe	123
PID 2444 wrote to memory of 2052	2444	{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe	123
PID 2444 wrote to memory of 4792	2444	{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe	124
PID 2444 wrote to memory of 4792	2444	{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe	124
PID 2444 wrote to memory of 4792	2444	{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe	124
PID 2052 wrote to memory of 660	2052	{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe	128
PID 2052 wrote to memory of 660	2052	{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe	128
PID 2052 wrote to memory of 660	2052	{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe	128
PID 2052 wrote to memory of 2364	2052	{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_3fbaaef7612cf758a1e2a0c281e090a9_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe
  C:\Windows\{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe
    C:\Windows\{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe
      C:\Windows\{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Windows\{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe
        
        C:\Windows\{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe
        
        C:\Windows\{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe
        
        C:\Windows\{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\{947E02B3-0905-4107-99A6-234055FC4B35}.exe
        
        C:\Windows\{947E02B3-0905-4107-99A6-234055FC4B35}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe
        
        C:\Windows\{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe
        
        C:\Windows\{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe
        
        C:\Windows\{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{653D82E3-90FA-4d90-BD7E-D3533B155714}.exe
        
        C:\Windows\{653D82E3-90FA-4d90-BD7E-D3533B155714}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
        
        C:\Windows\{9F35D033-012C-4a6e-943B-DD6FCE23458B}.exe
        
        C:\Windows\{9F35D033-012C-4a6e-943B-DD6FCE23458B}.exe
        13⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{653D8~1.EXE > nul
        13⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2074~1.EXE > nul
        12⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5038~1.EXE > nul
        11⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C83FC~1.EXE > nul
        10⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{947E0~1.EXE > nul
        9⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56394~1.EXE > nul
        8⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18F8D~1.EXE > nul
        7⤵
        
        PID:776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE87E~1.EXE > nul
        6⤵
        
        PID:1444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6740~1.EXE > nul
        5⤵
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{15740~1.EXE > nul
      4⤵
      PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A85D7~1.EXE > nul
    3⤵
    PID:3476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15740313-DB0C-4aff-AFDA-2E6C08A5C4D3}.exe

Filesize
372KB

MD5
8028c66ea39828b928a716e41baf6e4b

SHA1
911dbefef1d7f68c3b69b11d498cf1b53ecd0a29

SHA256
4923228295a79e0e3661a9743512482b4759f83164c262680e0dc73963ad9210

SHA512
0dc1927057b39d0356f3a40e6b87a44688b3ff884c236bbb94d5e0062c4e37d97d4e07e2fe2f9aad73b7fed727e9b2a712bd4330bc93e01e92d97e4203edb4ab

Download Submit
C:\Windows\{18F8D8FD-B5EC-4898-820C-02E3C0060820}.exe

Filesize
372KB

MD5
8b784470b88c78f99362da5a5d3e1927

SHA1
a15ca8b72dd159e288bf1c5d1d1c61d7f4613418

SHA256
b5930f056c92bc00b5cb1e1a9ebbefd7a1150865a1c7a4ff9d04911145f000a6

SHA512
8953846284356dd8cc245f08e4c2c97770db928142b7a8fe6dc83dc770c3947e77a740cec0367fe48d7053cb754adbb42c56241519873db7d11b7f147c408050

Download Submit
C:\Windows\{56394BF0-6EC4-424d-9C13-85B51D2B8A72}.exe

Filesize
372KB

MD5
f2ba4cea66ecceecc8d9f26ab04700a3

SHA1
f0869ad97dbf658203059cf48559099fe950ef92

SHA256
3a88bdbfc57083aa768d48e6654176e5f47d0739e434bba24ae40875e787bfb8

SHA512
bf900337e66dd38db02ba9510220e858637e5a89fdedf184712faa2acc1334e8e222fb536b4da940df79f5ce8638f1546b29c1d0d6b7c93ecc0a79d9732308fb

Download Submit
C:\Windows\{653D82E3-90FA-4d90-BD7E-D3533B155714}.exe

Filesize
372KB

MD5
0d54060564d1aa97c9464f574cde3121

SHA1
f171fb2de19671e617f29eaafd7c9182896bb12e

SHA256
cd0d5fe9b1005e3086b4bc80232c87dfb149fa872662cd4fa7c7ea23f7e2c391

SHA512
5caf2b188b89118e8b9daf6cd7d9e17790403477c8c63b7cc75d5df75b6d68942331f00abd2f3b0e72a0d7d9b87ae86945ff02c272156592dca25dcb1d0b6132

Download Submit
C:\Windows\{947E02B3-0905-4107-99A6-234055FC4B35}.exe

Filesize
372KB

MD5
ebfa103aa325fefc6e57f9d23f831838

SHA1
497894bb3b2414ce4ddc92d0d1abc2fe0ebaabe3

SHA256
ebea27bb823f2915d4503fbd7fb431aa5712d89db1beb22592f1cdaca6c633ce

SHA512
954aaec108f9b2196c936bbe7737a5ae073123a66706dce3f33cf74e2794ef321195444904abc1d387d64d0a12ca3c8b8dacaf941489be76291bfed27e95fa7d

Download Submit
C:\Windows\{9F35D033-012C-4a6e-943B-DD6FCE23458B}.exe

Filesize
372KB

MD5
818b8ca887f0e0d165cc5d8fde1b2594

SHA1
62b791de7f92660b15712f51929656e4fe7a4cb3

SHA256
966d32f8873e53f5a02a8969e7620ae23684a7a61623c9ba7a99b8f8515dac16

SHA512
bf684466e2bc5ab501a5c2a343a6ed4e20059c1778cce085d3e9a4caca87d43149de22333b5ce170ce3c85f456634b2ea8537b867bc4b0ae04e0a577ad886281

Download Submit
C:\Windows\{A85D74F7-8BA1-4808-A88F-7785BF6C7489}.exe

Filesize
372KB

MD5
d4b4008b6fa21fdeb34381505f116934

SHA1
e236aaad807b5550a0ecc115c011355b97eb0089

SHA256
94ba197f8cc3ab7be173fa12e891f4462b54d9bcabafc86a61819f0cd4b06841

SHA512
fd755b44bf258be8ffde4b5e8861fe0995d454b24e75437dba3b5d388be62012e3156313dca2abc6b3e666a692a44392396b8247c4327ef6e0f39b9e1a435fac

Download Submit
C:\Windows\{B2074135-A07F-4e94-8ACE-422238F7A6FE}.exe

Filesize
372KB

MD5
44b11e61d30ff8910b3ba9138e13b942

SHA1
a1cf6b52dda337a5a46a5465c2ae905d9a001d32

SHA256
96f1b96496e3739fd1e1740044f922829ea4c412b1275d7e6734431b08dc1cd5

SHA512
2d83625495a203d32694bc3bf86220883fd9a0dc8b2dcff89d1e663fdaf22e997e2f52917417082d24796e132b04c99f7041eab91f2169f5d3ed0c803d04679c

Download Submit
C:\Windows\{C6740A17-0FD3-4e69-BAF4-E04F10403D8D}.exe

Filesize
372KB

MD5
499785a972a0c5080a1a69d57551f705

SHA1
b5360d2af665a69bbd6cde56af9da05dd8996399

SHA256
159de07722afe36abe1be85bd70c8a54aa0e0f4a68e5df5011a25cfcc404ae1c

SHA512
8739e153febe32317a6708c068b8fade0e1a04f0f76560d60a7aa62633263f62c7b9dd9279af11113b9d44c0af885c47bc1a968ad5e582b232945428ff6f6ec5

Download Submit
C:\Windows\{C83FC41A-29C5-4896-AD33-ECB4BFC064D5}.exe

Filesize
372KB

MD5
3a60bd4a3902bd56546b87dd7c135135

SHA1
3f8139921361909defdb2429aacf26b0188862ab

SHA256
94b56c0b5e5323c60c5ba7d3a7b6039d12187cba3538fd45c3d34748108a5da1

SHA512
5012d8b10e033acb3bf0d3629131917f8b788c17be6bb0f59615256729363020d7294840d7fc18ff976cdbfbdeba0e67f0de8d90fa53dfdaadfc4ea5fea20da8

Download Submit
C:\Windows\{CE87E101-E201-40b5-9D23-F037B6579D9B}.exe

Filesize
372KB

MD5
6cf343c9e834a9db03999d30a1450d0e

SHA1
a278638af4b8f1e90cd3b2b85fa86481d23d7ab8

SHA256
096715bfc31a165f97a625f59ae3315c90694c109748ca50c8d26cd2bcd3937a

SHA512
68d7cc75332384d326c452eb3dee2262b6dbaafbd2cc50b3b327a8650d405bbe30e6377f5d076294f2e8c73971e33c2038e6dec7c131ffe7d0e870d584d75b05

Download Submit
C:\Windows\{D5038153-471F-4ad5-AEFC-BF94F5551D0B}.exe

Filesize
372KB

MD5
aea5107d7e218e1368c6182a060eb684

SHA1
54da892d62cdb17b1fa789979f81b1588a4bd424

SHA256
9cd941f01aca35b23aeda589a50edff9aaef518f1bce2620092cb18fc1b1446d

SHA512
4e0e4b8a4cca0c6d8366c84871f70ac7956c9f0b5afeabb253ee15dfad5166feed16f0471cc91ee1e5d6b49c9b7ad375d46aaedd4f1573b43564c140838f52cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads