d243e8cb84d370b6fad5657ce29ed44611a7375a582731e34706edcb4bdba1c9

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe
Size

216KB
MD5

994c614a58af12a4580fdb0065ac385e
SHA1

71dde59f4d7c1639eaba42ce9d493e8ffe4eb264
SHA256

d243e8cb84d370b6fad5657ce29ed44611a7375a582731e34706edcb4bdba1c9
SHA512

27cda735992861d6cf0f19f894b9030855bf9c926216afa9c91c608107d5535ea285f47b7f72f32abc0b1c45dbf10c811a7e0db3638412e0d3fd23f602fef8f4
SSDEEP

3072:jEGh0oEl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGGlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E0813A4-366E-48d5-8BC8-E6498831A598}	{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{074D194C-A1DB-491b-813D-1B6FCAAC8103}\stubpath = "C:\\Windows\\{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe"	{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{425514F7-533B-4f20-87F0-58FA25638EB3}\stubpath = "C:\\Windows\\{425514F7-533B-4f20-87F0-58FA25638EB3}.exe"	{C473AD96-1977-4932-8B55-D2A843959BA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103825B5-C126-4bb1-83F9-911098F40B92}\stubpath = "C:\\Windows\\{103825B5-C126-4bb1-83F9-911098F40B92}.exe"	{87BFC2CC-4580-4372-95AD-25947C44E354}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87BFC2CC-4580-4372-95AD-25947C44E354}\stubpath = "C:\\Windows\\{87BFC2CC-4580-4372-95AD-25947C44E354}.exe"	{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE56838E-7389-4edf-9FD9-139C9FCC654A}\stubpath = "C:\\Windows\\{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe"	{103825B5-C126-4bb1-83F9-911098F40B92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C874B39F-381C-4ff0-A670-5C8FD8BD4422}	{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B42A68E-79DF-42ab-AB45-41495255DB95}\stubpath = "C:\\Windows\\{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe"	{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{074D194C-A1DB-491b-813D-1B6FCAAC8103}	{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87BFC2CC-4580-4372-95AD-25947C44E354}	{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C874B39F-381C-4ff0-A670-5C8FD8BD4422}\stubpath = "C:\\Windows\\{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe"	{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EA19960-9D68-4440-A5D6-F78090F1BFD1}	{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B42A68E-79DF-42ab-AB45-41495255DB95}	{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C473AD96-1977-4932-8B55-D2A843959BA2}\stubpath = "C:\\Windows\\{C473AD96-1977-4932-8B55-D2A843959BA2}.exe"	{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{425514F7-533B-4f20-87F0-58FA25638EB3}	{C473AD96-1977-4932-8B55-D2A843959BA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE56838E-7389-4edf-9FD9-139C9FCC654A}	{103825B5-C126-4bb1-83F9-911098F40B92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3E6F24F-A49C-49a1-8356-518FFFF842D8}\stubpath = "C:\\Windows\\{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe"	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{103825B5-C126-4bb1-83F9-911098F40B92}	{87BFC2CC-4580-4372-95AD-25947C44E354}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4EA19960-9D68-4440-A5D6-F78090F1BFD1}\stubpath = "C:\\Windows\\{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe"	{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E0813A4-366E-48d5-8BC8-E6498831A598}\stubpath = "C:\\Windows\\{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe"	{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99786A2E-11AA-456d-84D1-1CC820ABB8CD}	{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99786A2E-11AA-456d-84D1-1CC820ABB8CD}\stubpath = "C:\\Windows\\{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe"	{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C473AD96-1977-4932-8B55-D2A843959BA2}	{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3E6F24F-A49C-49a1-8356-518FFFF842D8}	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
4220	{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe
512	{87BFC2CC-4580-4372-95AD-25947C44E354}.exe
2540	{103825B5-C126-4bb1-83F9-911098F40B92}.exe
2692	{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe
1908	{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe
1644	{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe
812	{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe
3512	{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe
2136	{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe
2788	{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe
2456	{C473AD96-1977-4932-8B55-D2A843959BA2}.exe
5076	{425514F7-533B-4f20-87F0-58FA25638EB3}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{425514F7-533B-4f20-87F0-58FA25638EB3}.exe	{C473AD96-1977-4932-8B55-D2A843959BA2}.exe
File created	C:\Windows\{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe
File created	C:\Windows\{87BFC2CC-4580-4372-95AD-25947C44E354}.exe	{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe
File created	C:\Windows\{103825B5-C126-4bb1-83F9-911098F40B92}.exe	{87BFC2CC-4580-4372-95AD-25947C44E354}.exe
File created	C:\Windows\{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe	{103825B5-C126-4bb1-83F9-911098F40B92}.exe
File created	C:\Windows\{C473AD96-1977-4932-8B55-D2A843959BA2}.exe	{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe
File created	C:\Windows\{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe	{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe
File created	C:\Windows\{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe	{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe
File created	C:\Windows\{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe	{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe
File created	C:\Windows\{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe	{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe
File created	C:\Windows\{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe	{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe
File created	C:\Windows\{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe	{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5076	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4220	{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe
Token: SeIncBasePriorityPrivilege	512	{87BFC2CC-4580-4372-95AD-25947C44E354}.exe
Token: SeIncBasePriorityPrivilege	2540	{103825B5-C126-4bb1-83F9-911098F40B92}.exe
Token: SeIncBasePriorityPrivilege	2692	{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe
Token: SeIncBasePriorityPrivilege	1908	{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe
Token: SeIncBasePriorityPrivilege	1644	{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe
Token: SeIncBasePriorityPrivilege	812	{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe
Token: SeIncBasePriorityPrivilege	3512	{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe
Token: SeIncBasePriorityPrivilege	2136	{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe
Token: SeIncBasePriorityPrivilege	2788	{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe
Token: SeIncBasePriorityPrivilege	2456	{C473AD96-1977-4932-8B55-D2A843959BA2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4220	5076	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	85
PID 5076 wrote to memory of 4220	5076	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	85
PID 5076 wrote to memory of 4220	5076	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	85
PID 5076 wrote to memory of 3836	5076	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	86
PID 5076 wrote to memory of 3836	5076	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	86
PID 5076 wrote to memory of 3836	5076	2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe	86
PID 4220 wrote to memory of 512	4220	{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe	90
PID 4220 wrote to memory of 512	4220	{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe	90
PID 4220 wrote to memory of 512	4220	{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe	90
PID 4220 wrote to memory of 2620	4220	{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe	91
PID 4220 wrote to memory of 2620	4220	{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe	91
PID 4220 wrote to memory of 2620	4220	{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe	91
PID 512 wrote to memory of 2540	512	{87BFC2CC-4580-4372-95AD-25947C44E354}.exe	94
PID 512 wrote to memory of 2540	512	{87BFC2CC-4580-4372-95AD-25947C44E354}.exe	94
PID 512 wrote to memory of 2540	512	{87BFC2CC-4580-4372-95AD-25947C44E354}.exe	94
PID 512 wrote to memory of 4992	512	{87BFC2CC-4580-4372-95AD-25947C44E354}.exe	95
PID 512 wrote to memory of 4992	512	{87BFC2CC-4580-4372-95AD-25947C44E354}.exe	95
PID 512 wrote to memory of 4992	512	{87BFC2CC-4580-4372-95AD-25947C44E354}.exe	95
PID 2540 wrote to memory of 2692	2540	{103825B5-C126-4bb1-83F9-911098F40B92}.exe	96
PID 2540 wrote to memory of 2692	2540	{103825B5-C126-4bb1-83F9-911098F40B92}.exe	96
PID 2540 wrote to memory of 2692	2540	{103825B5-C126-4bb1-83F9-911098F40B92}.exe	96
PID 2540 wrote to memory of 4076	2540	{103825B5-C126-4bb1-83F9-911098F40B92}.exe	97
PID 2540 wrote to memory of 4076	2540	{103825B5-C126-4bb1-83F9-911098F40B92}.exe	97
PID 2540 wrote to memory of 4076	2540	{103825B5-C126-4bb1-83F9-911098F40B92}.exe	97
PID 2692 wrote to memory of 1908	2692	{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe	98
PID 2692 wrote to memory of 1908	2692	{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe	98
PID 2692 wrote to memory of 1908	2692	{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe	98
PID 2692 wrote to memory of 2796	2692	{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe	99
PID 2692 wrote to memory of 2796	2692	{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe	99
PID 2692 wrote to memory of 2796	2692	{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe	99
PID 1908 wrote to memory of 1644	1908	{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe	100
PID 1908 wrote to memory of 1644	1908	{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe	100
PID 1908 wrote to memory of 1644	1908	{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe	100
PID 1908 wrote to memory of 3628	1908	{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe	101
PID 1908 wrote to memory of 3628	1908	{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe	101
PID 1908 wrote to memory of 3628	1908	{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe	101
PID 1644 wrote to memory of 812	1644	{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe	102
PID 1644 wrote to memory of 812	1644	{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe	102
PID 1644 wrote to memory of 812	1644	{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe	102
PID 1644 wrote to memory of 2616	1644	{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe	103
PID 1644 wrote to memory of 2616	1644	{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe	103
PID 1644 wrote to memory of 2616	1644	{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe	103
PID 812 wrote to memory of 3512	812	{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe	104
PID 812 wrote to memory of 3512	812	{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe	104
PID 812 wrote to memory of 3512	812	{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe	104
PID 812 wrote to memory of 3908	812	{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe	105
PID 812 wrote to memory of 3908	812	{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe	105
PID 812 wrote to memory of 3908	812	{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe	105
PID 3512 wrote to memory of 2136	3512	{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe	106
PID 3512 wrote to memory of 2136	3512	{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe	106
PID 3512 wrote to memory of 2136	3512	{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe	106
PID 3512 wrote to memory of 3080	3512	{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe	107
PID 3512 wrote to memory of 3080	3512	{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe	107
PID 3512 wrote to memory of 3080	3512	{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe	107
PID 2136 wrote to memory of 2788	2136	{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe	108
PID 2136 wrote to memory of 2788	2136	{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe	108
PID 2136 wrote to memory of 2788	2136	{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe	108
PID 2136 wrote to memory of 1424	2136	{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe	109
PID 2136 wrote to memory of 1424	2136	{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe	109
PID 2136 wrote to memory of 1424	2136	{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe	109
PID 2788 wrote to memory of 2456	2788	{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe	110
PID 2788 wrote to memory of 2456	2788	{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe	110
PID 2788 wrote to memory of 2456	2788	{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe	110
PID 2788 wrote to memory of 916	2788	{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_994c614a58af12a4580fdb0065ac385e_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe
  C:\Windows\{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\{87BFC2CC-4580-4372-95AD-25947C44E354}.exe
    C:\Windows\{87BFC2CC-4580-4372-95AD-25947C44E354}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:512
  - - C:\Windows\{103825B5-C126-4bb1-83F9-911098F40B92}.exe
      C:\Windows\{103825B5-C126-4bb1-83F9-911098F40B92}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe
        
        C:\Windows\{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe
        
        C:\Windows\{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe
        
        C:\Windows\{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe
        
        C:\Windows\{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe
        
        C:\Windows\{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe
        
        C:\Windows\{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe
        
        C:\Windows\{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{C473AD96-1977-4932-8B55-D2A843959BA2}.exe
        
        C:\Windows\{C473AD96-1977-4932-8B55-D2A843959BA2}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\{425514F7-533B-4f20-87F0-58FA25638EB3}.exe
        
        C:\Windows\{425514F7-533B-4f20-87F0-58FA25638EB3}.exe
        13⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C473A~1.EXE > nul
        13⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{074D1~1.EXE > nul
        12⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B42A~1.EXE > nul
        11⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99786~1.EXE > nul
        10⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E081~1.EXE > nul
        9⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EA19~1.EXE > nul
        8⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C874B~1.EXE > nul
        7⤵
        
        PID:3628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE568~1.EXE > nul
        6⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10382~1.EXE > nul
        5⤵
        
        PID:4076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{87BFC~1.EXE > nul
      4⤵
      PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3E6F~1.EXE > nul
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{074D194C-A1DB-491b-813D-1B6FCAAC8103}.exe

Filesize
216KB

MD5
a0cf31def06ed038afd96990eb81970e

SHA1
7681c187ce9748886f5cde6f07b874e09ba8ee2c

SHA256
ae6141bf14089359e53306742185419b6a8a22213e65b17b0ea11c02c9268668

SHA512
2af82f3ea01501d52e15ca445e1aa744fa7569b091540d481f38af5e4eb04d7bb668dabc73a67ad623046f687a0b8bef7679b29fa6696e7d43913a3099d8d378

Download Submit
C:\Windows\{103825B5-C126-4bb1-83F9-911098F40B92}.exe

Filesize
216KB

MD5
720f9604116d234b481e0cd43cc31249

SHA1
ef3d3a3f3ebc00dce76d022703de5e3a3b29cd33

SHA256
0b64c4d3b9ad9c5cdcb7cc5238f3facac74f1114de874754a47c1d4bfef0aa60

SHA512
e184fb456514daebd2892baf738b35601b968aa21f030f514dd95e6cd41bed189adb77d91dcfa755de98d3014b75cab7013b98beb19c1d368d547925abff3166

Download Submit
C:\Windows\{425514F7-533B-4f20-87F0-58FA25638EB3}.exe

Filesize
216KB

MD5
628ee280a7b9a0998244f6be7c3b3384

SHA1
ab14d3a910255e2f4c85e27b44a5acd9d6eb78a1

SHA256
53512a41a698a8989c3a12c8240bb03329289d9928195acc203bfaa1d780015b

SHA512
e6e63745f11df7555bad6c6088dfa817c01816184649a6c7846b058c88aab010ccc2d047a76835c2e969d57a34497290d0f0e9f8c7b81aebe249d9a9c3477013

Download Submit
C:\Windows\{4EA19960-9D68-4440-A5D6-F78090F1BFD1}.exe

Filesize
216KB

MD5
35583ed1737ac65be1e1d95b76471685

SHA1
231e59bba4eb12f2a86117c59f2c150ee70d4c53

SHA256
03a76180bee6547e8e80850a31e33193e621e6cdc625fa4012b49e9c15ee19b7

SHA512
7f4d356c45818238b2f1711f64d0aaadcafc1875112d22c3e8b54a3836f4c8e3e106d039a3f390fa7f50369d7407c9181ab21724b553ebaeda9ba7c8a8cf6f81

Download Submit
C:\Windows\{6B42A68E-79DF-42ab-AB45-41495255DB95}.exe

Filesize
216KB

MD5
d0508c912ac0ac6fad5ee3ff60c3c0b1

SHA1
67c6d94b024d7878a70bf60f6af300913a795f89

SHA256
9565ff76005a159dc1566fe26520890fff4d9d599467a45858ceacbcd3ef5204

SHA512
9bdb0bb1b24f9aa49a1d5fbf142d846b637deb2ee930998af967fb40ce826bdbb9c221bcfc04e8c96fca121a985e0579001b66a76f6715124b65ea2973f1c30f

Download Submit
C:\Windows\{6E0813A4-366E-48d5-8BC8-E6498831A598}.exe

Filesize
216KB

MD5
e61e58dd5f91277d8424c17cf4ea92ca

SHA1
2fe291a0a116fddc8e15c372cf3e21bbb6caf250

SHA256
a513b3875c38569eaa521117a8737d52728a186a2dbf7fa5676a930fc65b7e13

SHA512
fb060c359f53ea0af74308cfcd283f1fdb8f31eec56922ee47b90ab48538e04dcc15fad36c475dd71a1fe81107211134eb303df744e888af2b666837568766c8

Download Submit
C:\Windows\{87BFC2CC-4580-4372-95AD-25947C44E354}.exe

Filesize
216KB

MD5
06135b28a4ad05dd2b92da0e8c5a8ef9

SHA1
e38b28eebace07ca0f360aea68f7a0508304b1cb

SHA256
bfc9ea0fa65aa31ab5024a04975cc060b0ace2c0109e3498c77b29002bcda181

SHA512
fc78deb08608398c0ae19ed5e61d851cf238fd22a1b2b04554709e063ab2852cdf12421d3ea1dae45798fbbe7331625b4cc92fe29fffe2214fa3960e6f83ca3d

Download Submit
C:\Windows\{99786A2E-11AA-456d-84D1-1CC820ABB8CD}.exe

Filesize
216KB

MD5
69ba6d7d49438a649b75b33d6f5fc34d

SHA1
6c362dea05270cb5d10b10b13af0e9e1fc82a738

SHA256
4d10a1410caa7eea758a64248b4b0d45155889ba11f8b9747fe72634e2c33290

SHA512
6bb8e146a8891706b4a2107926e2b134ba7f280ae5c47995dccbd0857275f5762dd5831637014921ceb14ed1b2758ae9c5b70baa464768dfbb7ea2546d5d0e7c

Download Submit
C:\Windows\{BE56838E-7389-4edf-9FD9-139C9FCC654A}.exe

Filesize
216KB

MD5
b74ad633676c3d08a91fbf392abed7fa

SHA1
5dd3bf6e47d0aa43e256acd9abaa506120e204de

SHA256
a647ee07444256adb66d5dbbaca4e54e7015a0cc62dd24b790c6e603fd983ead

SHA512
49ff9e04373ccdaf16acacec999985264480b749928c68300143586ec6544e89aaafdfb6dfb93379cf9fae27ff0d416cf441fc1ef5b3155473afc37477e99432

Download Submit
C:\Windows\{C473AD96-1977-4932-8B55-D2A843959BA2}.exe

Filesize
216KB

MD5
0e01c641f07fc001bb22daff4445e0d7

SHA1
4404f7fc83e88c42a61c5eb042f8c58ebe3967c3

SHA256
7a7e7060c00ddf43bebce076afb5456b1709fc002285252fa1e069462882a05e

SHA512
00d0299ecffbbd08dc6c47bbdb2b938e7765d95327b8d0288307b1333c5441edafb11d4fd697472aeaefb8eef91280a054101f9785da133c749010eb6a95348c

Download Submit
C:\Windows\{C874B39F-381C-4ff0-A670-5C8FD8BD4422}.exe

Filesize
216KB

MD5
b64ef364a6ee3a30b891e052d902cba3

SHA1
455ba7c4aabba6803112800d775b4d19def672d6

SHA256
fd41840978464348850db8b09d3bcfdd410bfaa37032aed4ec1ead72ff321eb2

SHA512
1b8b60e4adcde053a39e97678c25522d6274d29c1bf9c8f7fd8a75d81989644b7ff742af89176f80e99e4fe6edd0c0b3337b3922ee281fcdc87d1394e3fe36c6

Download Submit
C:\Windows\{D3E6F24F-A49C-49a1-8356-518FFFF842D8}.exe

Filesize
216KB

MD5
3ab9eba947d0ea9760bd2a6e4c820a39

SHA1
ddd66e547131044834b42477280c9a4960bb1906

SHA256
676a3f4576003f82f2eb462c3d3455ee503c0e7dec745180252279eb116cef08

SHA512
d283b264f55626602e8627515cb3fa75c6ebe24f2d0ae475595bce4b299c1b849b29d9c7aef19f4a0da8cfcd94530f117a7989d3841da6d36100bca4b28c8ff3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads