6c4be54d8104f3af2b269efa3066b1137eff3256614d2e16387e1ba78a100ace

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe
Size

216KB
MD5

96d16c18eaeb8544170f1ea22af77177
SHA1

678e0f670539a4967fb9a79ca0cb25b763d1c9d1
SHA256

6c4be54d8104f3af2b269efa3066b1137eff3256614d2e16387e1ba78a100ace
SHA512

ca900c49cd341ddb61ac922e2cca2a2d543e2c6c64334e5f9cc28a49603a394ee28c2385e76216e3117c9ca88da8ced4193540938894aec7308a100d8a76f707
SSDEEP

3072:jEGh0otl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGvlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{235CCE70-66EF-4fe0-A737-11D323BCD43C}	{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{825A14B6-895B-49cb-84C2-EE15921D8F9C}\stubpath = "C:\\Windows\\{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe"	{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}	{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}\stubpath = "C:\\Windows\\{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe"	{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6002C1C-04BB-4cbb-9E42-27EC91446A7F}\stubpath = "C:\\Windows\\{F6002C1C-04BB-4cbb-9E42-27EC91446A7F}.exe"	{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}\stubpath = "C:\\Windows\\{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe"	{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}	2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}	{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6958D665-5749-4271-8610-3B43D0AC463B}\stubpath = "C:\\Windows\\{6958D665-5749-4271-8610-3B43D0AC463B}.exe"	{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD700A72-4865-4bcf-9D4D-29D01EB909BD}	{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{825A14B6-895B-49cb-84C2-EE15921D8F9C}	{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{010F6B7F-08FE-40e7-A514-0C834A263DA2}	{F6002C1C-04BB-4cbb-9E42-27EC91446A7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{235CCE70-66EF-4fe0-A737-11D323BCD43C}\stubpath = "C:\\Windows\\{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe"	{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}	{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD700A72-4865-4bcf-9D4D-29D01EB909BD}\stubpath = "C:\\Windows\\{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe"	{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}	{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6002C1C-04BB-4cbb-9E42-27EC91446A7F}	{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}\stubpath = "C:\\Windows\\{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe"	{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{010F6B7F-08FE-40e7-A514-0C834A263DA2}\stubpath = "C:\\Windows\\{010F6B7F-08FE-40e7-A514-0C834A263DA2}.exe"	{F6002C1C-04BB-4cbb-9E42-27EC91446A7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}\stubpath = "C:\\Windows\\{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe"	2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}\stubpath = "C:\\Windows\\{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe"	{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6958D665-5749-4271-8610-3B43D0AC463B}	{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}	{6958D665-5749-4271-8610-3B43D0AC463B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}\stubpath = "C:\\Windows\\{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe"	{6958D665-5749-4271-8610-3B43D0AC463B}.exe

Executes dropped EXE 12 IoCs

pid	Process
2036	{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe
1576	{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe
3512	{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe
2500	{6958D665-5749-4271-8610-3B43D0AC463B}.exe
1316	{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe
4768	{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe
3208	{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe
1172	{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe
4376	{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe
4264	{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe
4992	{F6002C1C-04BB-4cbb-9E42-27EC91446A7F}.exe
4800	{010F6B7F-08FE-40e7-A514-0C834A263DA2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe	{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe
File created	C:\Windows\{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe	{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe
File created	C:\Windows\{010F6B7F-08FE-40e7-A514-0C834A263DA2}.exe	{F6002C1C-04BB-4cbb-9E42-27EC91446A7F}.exe
File created	C:\Windows\{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe	{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe
File created	C:\Windows\{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe	{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe
File created	C:\Windows\{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe	{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe
File created	C:\Windows\{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe	{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe
File created	C:\Windows\{F6002C1C-04BB-4cbb-9E42-27EC91446A7F}.exe	{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe
File created	C:\Windows\{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe	2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe
File created	C:\Windows\{6958D665-5749-4271-8610-3B43D0AC463B}.exe	{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe
File created	C:\Windows\{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe	{6958D665-5749-4271-8610-3B43D0AC463B}.exe
File created	C:\Windows\{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe	{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2560	2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2036	{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe
Token: SeIncBasePriorityPrivilege	1576	{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe
Token: SeIncBasePriorityPrivilege	3512	{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe
Token: SeIncBasePriorityPrivilege	2500	{6958D665-5749-4271-8610-3B43D0AC463B}.exe
Token: SeIncBasePriorityPrivilege	1316	{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe
Token: SeIncBasePriorityPrivilege	4768	{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe
Token: SeIncBasePriorityPrivilege	3208	{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe
Token: SeIncBasePriorityPrivilege	1172	{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe
Token: SeIncBasePriorityPrivilege	4376	{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe
Token: SeIncBasePriorityPrivilege	4264	{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe
Token: SeIncBasePriorityPrivilege	4992	{F6002C1C-04BB-4cbb-9E42-27EC91446A7F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2036	2560	2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe	94
PID 2560 wrote to memory of 2036	2560	2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe	94
PID 2560 wrote to memory of 2036	2560	2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe	94
PID 2560 wrote to memory of 1204	2560	2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe	95
PID 2560 wrote to memory of 1204	2560	2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe	95
PID 2560 wrote to memory of 1204	2560	2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe	95
PID 2036 wrote to memory of 1576	2036	{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe	96
PID 2036 wrote to memory of 1576	2036	{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe	96
PID 2036 wrote to memory of 1576	2036	{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe	96
PID 2036 wrote to memory of 4948	2036	{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe	97
PID 2036 wrote to memory of 4948	2036	{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe	97
PID 2036 wrote to memory of 4948	2036	{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe	97
PID 1576 wrote to memory of 3512	1576	{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe	101
PID 1576 wrote to memory of 3512	1576	{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe	101
PID 1576 wrote to memory of 3512	1576	{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe	101
PID 1576 wrote to memory of 1756	1576	{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe	102
PID 1576 wrote to memory of 1756	1576	{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe	102
PID 1576 wrote to memory of 1756	1576	{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe	102
PID 3512 wrote to memory of 2500	3512	{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe	103
PID 3512 wrote to memory of 2500	3512	{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe	103
PID 3512 wrote to memory of 2500	3512	{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe	103
PID 3512 wrote to memory of 436	3512	{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe	104
PID 3512 wrote to memory of 436	3512	{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe	104
PID 3512 wrote to memory of 436	3512	{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe	104
PID 2500 wrote to memory of 1316	2500	{6958D665-5749-4271-8610-3B43D0AC463B}.exe	105
PID 2500 wrote to memory of 1316	2500	{6958D665-5749-4271-8610-3B43D0AC463B}.exe	105
PID 2500 wrote to memory of 1316	2500	{6958D665-5749-4271-8610-3B43D0AC463B}.exe	105
PID 2500 wrote to memory of 820	2500	{6958D665-5749-4271-8610-3B43D0AC463B}.exe	106
PID 2500 wrote to memory of 820	2500	{6958D665-5749-4271-8610-3B43D0AC463B}.exe	106
PID 2500 wrote to memory of 820	2500	{6958D665-5749-4271-8610-3B43D0AC463B}.exe	106
PID 1316 wrote to memory of 4768	1316	{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe	108
PID 1316 wrote to memory of 4768	1316	{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe	108
PID 1316 wrote to memory of 4768	1316	{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe	108
PID 1316 wrote to memory of 3972	1316	{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe	109
PID 1316 wrote to memory of 3972	1316	{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe	109
PID 1316 wrote to memory of 3972	1316	{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe	109
PID 4768 wrote to memory of 3208	4768	{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe	110
PID 4768 wrote to memory of 3208	4768	{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe	110
PID 4768 wrote to memory of 3208	4768	{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe	110
PID 4768 wrote to memory of 4580	4768	{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe	111
PID 4768 wrote to memory of 4580	4768	{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe	111
PID 4768 wrote to memory of 4580	4768	{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe	111
PID 3208 wrote to memory of 1172	3208	{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe	116
PID 3208 wrote to memory of 1172	3208	{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe	116
PID 3208 wrote to memory of 1172	3208	{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe	116
PID 3208 wrote to memory of 2524	3208	{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe	117
PID 3208 wrote to memory of 2524	3208	{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe	117
PID 3208 wrote to memory of 2524	3208	{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe	117
PID 1172 wrote to memory of 4376	1172	{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe	121
PID 1172 wrote to memory of 4376	1172	{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe	121
PID 1172 wrote to memory of 4376	1172	{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe	121
PID 1172 wrote to memory of 3236	1172	{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe	122
PID 1172 wrote to memory of 3236	1172	{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe	122
PID 1172 wrote to memory of 3236	1172	{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe	122
PID 4376 wrote to memory of 4264	4376	{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe	123
PID 4376 wrote to memory of 4264	4376	{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe	123
PID 4376 wrote to memory of 4264	4376	{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe	123
PID 4376 wrote to memory of 436	4376	{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe	124
PID 4376 wrote to memory of 436	4376	{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe	124
PID 4376 wrote to memory of 436	4376	{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe	124
PID 4264 wrote to memory of 4992	4264	{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe	128
PID 4264 wrote to memory of 4992	4264	{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe	128
PID 4264 wrote to memory of 4992	4264	{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe	128
PID 4264 wrote to memory of 4488	4264	{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_96d16c18eaeb8544170f1ea22af77177_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe
  C:\Windows\{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe
    C:\Windows\{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe
      C:\Windows\{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\{6958D665-5749-4271-8610-3B43D0AC463B}.exe
        
        C:\Windows\{6958D665-5749-4271-8610-3B43D0AC463B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe
        
        C:\Windows\{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe
        
        C:\Windows\{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe
        
        C:\Windows\{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe
        
        C:\Windows\{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe
        
        C:\Windows\{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe
        
        C:\Windows\{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\{F6002C1C-04BB-4cbb-9E42-27EC91446A7F}.exe
        
        C:\Windows\{F6002C1C-04BB-4cbb-9E42-27EC91446A7F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Windows\{010F6B7F-08FE-40e7-A514-0C834A263DA2}.exe
        
        C:\Windows\{010F6B7F-08FE-40e7-A514-0C834A263DA2}.exe
        13⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6002~1.EXE > nul
        13⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCEBF~1.EXE > nul
        12⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D504~1.EXE > nul
        11⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{825A1~1.EXE > nul
        10⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD700~1.EXE > nul
        9⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{280F0~1.EXE > nul
        8⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A69E5~1.EXE > nul
        7⤵
        
        PID:3972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6958D~1.EXE > nul
        6⤵
        
        PID:820
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{235CC~1.EXE > nul
        5⤵
        
        PID:436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CC0EA~1.EXE > nul
      4⤵
      PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6B76B~1.EXE > nul
    3⤵
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{010F6B7F-08FE-40e7-A514-0C834A263DA2}.exe

Filesize
216KB

MD5
a3b4b14250b8b022504a10233f43329e

SHA1
b1548c454186b91205f87bf85770403cd5ce164e

SHA256
903cf3af277d6bd7f7ac61ea4cecccbdd33cd699818d966cfe533a6cd134c54a

SHA512
2d3e09e05185c904006552a23372ed02642a08c19770704682662978a65be50259464bc4b8109f78430ab4caf9a2ecb66eb4601829038ce2dd3d36718b2746f4

Download Submit
C:\Windows\{235CCE70-66EF-4fe0-A737-11D323BCD43C}.exe

Filesize
216KB

MD5
5e6bf43d1bd2d58fcea1f91ecaf01028

SHA1
4eeac65101aee74d1aa9b6c5e32544e185fcbe83

SHA256
ae0e87078043d789109ae912ec237c82e1dd159f10aa15f0492b62de4d9dee7d

SHA512
7b8d69e294068a1d6a529ade8bbff95d2eb840ede0cd400a3a019fa3f54d730d03ae741fc176ddf108e6af8cf8d37810653fd5772d12d535d9e0da4d424d6cf5

Download Submit
C:\Windows\{280F07A7-E939-44ba-8DD6-69CD4D16B6E1}.exe

Filesize
216KB

MD5
3eb50513527a0e850052d7fee12602b0

SHA1
e0bf6b4f9cbd73c51090347ac5a7ef2e4fb11f58

SHA256
1f5a487cb6e2f60cf8d046a2ce138fff4e247341089131555756c4724636736b

SHA512
aeaf0d5c3ca762dc6d1c4e414d8914d326e373a2c31bff3f47a8cb3621d51e24515a37409d742c95d7c12263429c6dce928b40e9baa9740a510edfa5009321aa

Download Submit
C:\Windows\{3D504E7E-5B6C-4c39-BE2F-5AD0698545AE}.exe

Filesize
216KB

MD5
9c7f03a5f159734c679a305f095ea963

SHA1
3a2744b5cb2a67f22aa537acc2323312223ccbe2

SHA256
e20fec0a34b14228e6f5b9ee134f2d977e745d7d335e6733c8b1bcb1c91bc46a

SHA512
96e940711bd6d8b3dea7402aa1eb4a3b94789ed3909e3a012c2a44f22573b87fb18f430052dca94d543dcefd78f6e6b283f07dd3a89a27d90b72c4cecec84674

Download Submit
C:\Windows\{6958D665-5749-4271-8610-3B43D0AC463B}.exe

Filesize
216KB

MD5
265e6a916ede44f41dfaf47265060ba2

SHA1
4ce5f5e99121792620377e12c1b0fb70435dbbb2

SHA256
74f13ae8847d35b60e1b416b5a3b7adf624661247e0a5510e44070efc154dc8b

SHA512
5431c6e74df99b7a8bf2ca55f69d7fc39c1af650cc9fb3854cd2870f180c038d2df6e77bc3bb19b05d38173dd7fadd0e63166b6b1eedb82b9033bbabd54266eb

Download Submit
C:\Windows\{6B76B4B5-2DB1-41f5-8BE7-230309F01FD7}.exe

Filesize
216KB

MD5
47dce74dcdb5a37700bf0be4ff8ca2d7

SHA1
08b877e72ed7811b40dbb6971efa2e807f9e5a9f

SHA256
70249d8a5a4913a577fad66e864d2b8fa7dcce83d35325263289ac9ee389bc04

SHA512
f88849128b05cd1abce7897ea8c10a16a266634bf96b19fd978c15d4b41f7a6865e184a9cd2ea84ececcfdca5d477d3fd091138ec5904d8c1fd82b0de7b7c1d3

Download Submit
C:\Windows\{825A14B6-895B-49cb-84C2-EE15921D8F9C}.exe

Filesize
216KB

MD5
2cbab1771b69173979799314e90e5c5c

SHA1
aef89a11a3138169629b4292c181384d3c846b14

SHA256
b470fe9dc17b6a6770b8f591f4d4c32d4eaf1c793dcca1fdf70ae649f6bdcda4

SHA512
ec959caed14615e8bf90998517b396f03b0c4196dc3c3037edebd10dc8f4614c4e2973faa5ed53552b705fb4475da02a2668a122c2e317a3ac406536c4fa824e

Download Submit
C:\Windows\{A69E5A3A-F156-4aae-8C07-C111F4A8DA81}.exe

Filesize
216KB

MD5
d7733f4866a1925f4564d6a505c9a0fa

SHA1
399a026742faf0f85ebd6e1df4ff22ea6f291589

SHA256
ee8b00a53f9473dde771eac96379211d16fb1e70fd68a187f144347875a997ce

SHA512
fbce668790606ec9674c20043b322112984d2d62e13974f487c7e39e58551c6cc2366473a028ec0b8a1dd55a6ceac75af6b827fe685c9022affefc8828ce3ebd

Download Submit
C:\Windows\{CC0EA30E-97EF-439d-B788-FDA2C405CB0E}.exe

Filesize
216KB

MD5
3f4e37d7bd1593099f823e36d9223d4c

SHA1
75672bbc0a6992e76e6c33026423ea79a6d96652

SHA256
435cfe14890246c223083755c8bc8743c99a2aa061396daf9738514d59f151cc

SHA512
073e16aa5642839092b6f082a25d1e2baedf6389a6e2a1e3ff2f8caa1072b500e68cbec662296ebb269c6277b13b722ce37442d01dce91c34e37ef9bd95fdaf7

Download Submit
C:\Windows\{CD700A72-4865-4bcf-9D4D-29D01EB909BD}.exe

Filesize
216KB

MD5
670601aa09c15a745b28cc2b2f314a0c

SHA1
f20a000c4e41f723cda6b0880549cca318dc8811

SHA256
da5bc4a3c6cee3e64e30fe3197b97534706e7a0aa1c160832934738f86232ce1

SHA512
3e51999ce66126ad2422540ccce8c8a9a58dbe4a4e7d6ba089da55a2c7fd5d564ab7a9fba856ddcf4c2e545c133d508278f1e467720f986f88d7f8bff322e280

Download Submit
C:\Windows\{F6002C1C-04BB-4cbb-9E42-27EC91446A7F}.exe

Filesize
216KB

MD5
73e5044776450e9162509a03d61dc413

SHA1
426042f1349b4594921455691873281a9866f3c5

SHA256
33ff873ec0162c10af0a3a46cab8557b2c04403383606111f37bef478757c71e

SHA512
dcd703b8fd079bcbc764d72c7c3aa89c42d70e8fe0a096bdbc4c711a6aca87281b223d2f0fa7b7cfc3759bc3cf124c7e403fa918df362300be217fe94a76e1fa

Download Submit
C:\Windows\{FCEBFC26-7F0D-4dd4-9823-E4599CF4DAE8}.exe

Filesize
216KB

MD5
7235f35972be09ac54d8ec075988a27d

SHA1
a20c17abd62c3e3a1655d6d82375e643962f4666

SHA256
89f8317fd3896efcc2f6c6a8818bb222aebeea1d14c3549c46e752d655cc303a

SHA512
f3c6cfd7163a6615cec8a6d817ac0ba935b97f0318ff43f577fee78bef478df9e364e05fd72e0a3ee5a614ad2efa08a48892547bfd5022afddb7f59f7301eb8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads