22619fe784199c98f5038808fd937e7863410fe441afcc61e54cbcabbca523da

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe
Size

372KB
MD5

55b36f32de2c5684d76a1ea16efae169
SHA1

f19d53ddfbe08cd1aad6b4baa7ece7c4501a9443
SHA256

22619fe784199c98f5038808fd937e7863410fe441afcc61e54cbcabbca523da
SHA512

43b695cd33c7cc96f53175f16c7c622ecf8526d0338a5eea60e49713709c5112d8c06cc5fb222263f52f7955ac5bfea54940d58ff3faab6f5c22451fc8aaa9e5
SSDEEP

3072:CEGh0o4lMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGKlkOe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0345409A-047C-480a-AD00-985C4E8B0CFD}	{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E2C8405-415D-448a-8127-498102EC0FDE}\stubpath = "C:\\Windows\\{6E2C8405-415D-448a-8127-498102EC0FDE}.exe"	{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}	{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}\stubpath = "C:\\Windows\\{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe"	{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD1175C8-E556-49f6-878B-F0CAE30040A3}	{EB924017-8615-406e-A4CB-C9E493465F40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD1175C8-E556-49f6-878B-F0CAE30040A3}\stubpath = "C:\\Windows\\{FD1175C8-E556-49f6-878B-F0CAE30040A3}.exe"	{EB924017-8615-406e-A4CB-C9E493465F40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68688389-1C13-45eb-B540-7A9615075BC8}\stubpath = "C:\\Windows\\{68688389-1C13-45eb-B540-7A9615075BC8}.exe"	{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{854DFCAF-94C8-4929-9373-2B24FF4C9F17}\stubpath = "C:\\Windows\\{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe"	{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E2C8405-415D-448a-8127-498102EC0FDE}	{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB924017-8615-406e-A4CB-C9E493465F40}\stubpath = "C:\\Windows\\{EB924017-8615-406e-A4CB-C9E493465F40}.exe"	{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}	{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0345409A-047C-480a-AD00-985C4E8B0CFD}\stubpath = "C:\\Windows\\{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe"	{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{854DFCAF-94C8-4929-9373-2B24FF4C9F17}	{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}	{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}\stubpath = "C:\\Windows\\{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe"	{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}	{6E2C8405-415D-448a-8127-498102EC0FDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}\stubpath = "C:\\Windows\\{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe"	{6E2C8405-415D-448a-8127-498102EC0FDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB924017-8615-406e-A4CB-C9E493465F40}	{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}\stubpath = "C:\\Windows\\{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe"	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}\stubpath = "C:\\Windows\\{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe"	{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68688389-1C13-45eb-B540-7A9615075BC8}	{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}	{68688389-1C13-45eb-B540-7A9615075BC8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}\stubpath = "C:\\Windows\\{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe"	{68688389-1C13-45eb-B540-7A9615075BC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe

Executes dropped EXE 11 IoCs

pid	Process
4348	{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe
4064	{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe
3304	{68688389-1C13-45eb-B540-7A9615075BC8}.exe
3132	{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe
668	{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe
3476	{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe
4908	{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe
2564	{6E2C8405-415D-448a-8127-498102EC0FDE}.exe
4572	{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe
3968	{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe
3864	{EB924017-8615-406e-A4CB-C9E493465F40}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe	{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe
File created	C:\Windows\{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe	{6E2C8405-415D-448a-8127-498102EC0FDE}.exe
File created	C:\Windows\{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe	{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe
File created	C:\Windows\{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe
File created	C:\Windows\{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe	{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe
File created	C:\Windows\{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe	{68688389-1C13-45eb-B540-7A9615075BC8}.exe
File created	C:\Windows\{6E2C8405-415D-448a-8127-498102EC0FDE}.exe	{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe
File created	C:\Windows\{EB924017-8615-406e-A4CB-C9E493465F40}.exe	{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe
File created	C:\Windows\{68688389-1C13-45eb-B540-7A9615075BC8}.exe	{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe
File created	C:\Windows\{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe	{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe
File created	C:\Windows\{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe	{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4652	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4348	{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe
Token: SeIncBasePriorityPrivilege	4064	{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe
Token: SeIncBasePriorityPrivilege	3304	{68688389-1C13-45eb-B540-7A9615075BC8}.exe
Token: SeIncBasePriorityPrivilege	3132	{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe
Token: SeIncBasePriorityPrivilege	668	{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe
Token: SeIncBasePriorityPrivilege	3476	{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe
Token: SeIncBasePriorityPrivilege	4908	{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe
Token: SeIncBasePriorityPrivilege	2564	{6E2C8405-415D-448a-8127-498102EC0FDE}.exe
Token: SeIncBasePriorityPrivilege	4572	{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe
Token: SeIncBasePriorityPrivilege	3968	{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 4348	4652	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	83
PID 4652 wrote to memory of 4348	4652	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	83
PID 4652 wrote to memory of 4348	4652	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	83
PID 4652 wrote to memory of 2928	4652	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	84
PID 4652 wrote to memory of 2928	4652	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	84
PID 4652 wrote to memory of 2928	4652	2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe	84
PID 4348 wrote to memory of 4064	4348	{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe	85
PID 4348 wrote to memory of 4064	4348	{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe	85
PID 4348 wrote to memory of 4064	4348	{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe	85
PID 4348 wrote to memory of 2444	4348	{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe	86
PID 4348 wrote to memory of 2444	4348	{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe	86
PID 4348 wrote to memory of 2444	4348	{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe	86
PID 4064 wrote to memory of 3304	4064	{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe	88
PID 4064 wrote to memory of 3304	4064	{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe	88
PID 4064 wrote to memory of 3304	4064	{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe	88
PID 4064 wrote to memory of 2720	4064	{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe	89
PID 4064 wrote to memory of 2720	4064	{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe	89
PID 4064 wrote to memory of 2720	4064	{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe	89
PID 3304 wrote to memory of 3132	3304	{68688389-1C13-45eb-B540-7A9615075BC8}.exe	90
PID 3304 wrote to memory of 3132	3304	{68688389-1C13-45eb-B540-7A9615075BC8}.exe	90
PID 3304 wrote to memory of 3132	3304	{68688389-1C13-45eb-B540-7A9615075BC8}.exe	90
PID 3304 wrote to memory of 920	3304	{68688389-1C13-45eb-B540-7A9615075BC8}.exe	91
PID 3304 wrote to memory of 920	3304	{68688389-1C13-45eb-B540-7A9615075BC8}.exe	91
PID 3304 wrote to memory of 920	3304	{68688389-1C13-45eb-B540-7A9615075BC8}.exe	91
PID 3132 wrote to memory of 668	3132	{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe	92
PID 3132 wrote to memory of 668	3132	{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe	92
PID 3132 wrote to memory of 668	3132	{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe	92
PID 3132 wrote to memory of 3064	3132	{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe	93
PID 3132 wrote to memory of 3064	3132	{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe	93
PID 3132 wrote to memory of 3064	3132	{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe	93
PID 668 wrote to memory of 3476	668	{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe	94
PID 668 wrote to memory of 3476	668	{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe	94
PID 668 wrote to memory of 3476	668	{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe	94
PID 668 wrote to memory of 4000	668	{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe	95
PID 668 wrote to memory of 4000	668	{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe	95
PID 668 wrote to memory of 4000	668	{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe	95
PID 3476 wrote to memory of 4908	3476	{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe	96
PID 3476 wrote to memory of 4908	3476	{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe	96
PID 3476 wrote to memory of 4908	3476	{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe	96
PID 3476 wrote to memory of 3108	3476	{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe	97
PID 3476 wrote to memory of 3108	3476	{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe	97
PID 3476 wrote to memory of 3108	3476	{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe	97
PID 4908 wrote to memory of 2564	4908	{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe	98
PID 4908 wrote to memory of 2564	4908	{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe	98
PID 4908 wrote to memory of 2564	4908	{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe	98
PID 4908 wrote to memory of 208	4908	{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe	99
PID 4908 wrote to memory of 208	4908	{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe	99
PID 4908 wrote to memory of 208	4908	{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe	99
PID 2564 wrote to memory of 4572	2564	{6E2C8405-415D-448a-8127-498102EC0FDE}.exe	100
PID 2564 wrote to memory of 4572	2564	{6E2C8405-415D-448a-8127-498102EC0FDE}.exe	100
PID 2564 wrote to memory of 4572	2564	{6E2C8405-415D-448a-8127-498102EC0FDE}.exe	100
PID 2564 wrote to memory of 840	2564	{6E2C8405-415D-448a-8127-498102EC0FDE}.exe	101
PID 2564 wrote to memory of 840	2564	{6E2C8405-415D-448a-8127-498102EC0FDE}.exe	101
PID 2564 wrote to memory of 840	2564	{6E2C8405-415D-448a-8127-498102EC0FDE}.exe	101
PID 4572 wrote to memory of 3968	4572	{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe	102
PID 4572 wrote to memory of 3968	4572	{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe	102
PID 4572 wrote to memory of 3968	4572	{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe	102
PID 4572 wrote to memory of 3920	4572	{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe	103
PID 4572 wrote to memory of 3920	4572	{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe	103
PID 4572 wrote to memory of 3920	4572	{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe	103
PID 3968 wrote to memory of 3864	3968	{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe	104
PID 3968 wrote to memory of 3864	3968	{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe	104
PID 3968 wrote to memory of 3864	3968	{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe	104
PID 3968 wrote to memory of 4504	3968	{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_55b36f32de2c5684d76a1ea16efae169_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe
  C:\Windows\{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe
    C:\Windows\{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\{68688389-1C13-45eb-B540-7A9615075BC8}.exe
      C:\Windows\{68688389-1C13-45eb-B540-7A9615075BC8}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Windows\{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe
        
        C:\Windows\{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3132
      - C:\Windows\{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe
        
        C:\Windows\{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe
        
        C:\Windows\{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe
        
        C:\Windows\{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{6E2C8405-415D-448a-8127-498102EC0FDE}.exe
        
        C:\Windows\{6E2C8405-415D-448a-8127-498102EC0FDE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe
        
        C:\Windows\{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe
        
        C:\Windows\{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\{EB924017-8615-406e-A4CB-C9E493465F40}.exe
        
        C:\Windows\{EB924017-8615-406e-A4CB-C9E493465F40}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\{FD1175C8-E556-49f6-878B-F0CAE30040A3}.exe
        
        C:\Windows\{FD1175C8-E556-49f6-878B-F0CAE30040A3}.exe
        13⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB924~1.EXE > nul
        13⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C13A~1.EXE > nul
        12⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{609E6~1.EXE > nul
        11⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E2C8~1.EXE > nul
        10⤵
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2BE8~1.EXE > nul
        9⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{854DF~1.EXE > nul
        8⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03454~1.EXE > nul
        7⤵
        
        PID:4000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C608~1.EXE > nul
        6⤵
        
        PID:3064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68688~1.EXE > nul
        5⤵
        
        PID:920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1B9A1~1.EXE > nul
      4⤵
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0F394~1.EXE > nul
    3⤵
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0345409A-047C-480a-AD00-985C4E8B0CFD}.exe

Filesize
372KB

MD5
24b0c5624c7cb260018d554ebd3a4850

SHA1
adcdd2a4d86f0d8f3587c27b918247fe9296b36f

SHA256
4f7bdc754bde99e7d5ab89156d413d98ea343672de453b73b844aeb4e529c02a

SHA512
8c5e9f0e7bf50621503f49b661c3b76fbe2f40f076cb8601622d4936134f531ca50e2b50226de7dae12dd19a0b86bb0a9b881ef514c01c6067fa5a79f952b2ea

Download Submit
C:\Windows\{0C13A75C-7F3E-4ea9-91AC-BB8C65C553B9}.exe

Filesize
372KB

MD5
67488cb73647cabf9c27a1edf40195e4

SHA1
ffbebe350e56c5fb557c33483d6bf56219a60152

SHA256
95b524bb79231592ec89f8699d36de20fdc9ebe83744b9d8b80bc8fe246610fc

SHA512
145373f0e98d8f1a698f8bd9d492e646a40aeb9f3ad613dfe3216e6afc129842c8cb30eca7371a10543e168bc3016be934c0101238ab6c091a7c05812432f1ac

Download Submit
C:\Windows\{0F3945BF-C798-49b7-8063-09B6AA0A4CF8}.exe

Filesize
372KB

MD5
e9fbee8f5bdc11de1ab97cd6ed1fb337

SHA1
aa76482ee9b1fbac95d21c2112e6a01b8139d8a4

SHA256
fc9427227bd73221306d599f279f3b571dd77a23122a7fc1cad444ccea3c583b

SHA512
b2cf1e61839ae6c1a47c1a8fc3aa409ac2057f93659a8fbaa89085ccc5c0cf71d386bc6bc33ae0a547d72fcec074d6353076ad66647646c07384bfa4a7862bad

Download Submit
C:\Windows\{1B9A1C5D-9AFF-4eea-87E6-05BAB6276C8A}.exe

Filesize
372KB

MD5
ff60095cc24e0e857e02ffed6b1feb17

SHA1
743d94094e2875e9d66946c686f5f62e6a225c97

SHA256
c79dcd142bf77f2c488b835b0bb7a6f7648922e1084cdfe647f0eb24fbfb884c

SHA512
06773be19a7fe52b2e1bc12f82f35423305631aec7400cbaed043ca27aa976f4589c5a78d95f9238bcc29bf470cb1c129f7494a46a6bc86b5ab199be2e32d131

Download Submit
C:\Windows\{4C608AF2-1EEE-49fe-8C0D-FD833AD34F7C}.exe

Filesize
372KB

MD5
1650020eb3f1459cd9f7f85af370fbc2

SHA1
3180339ccfcabaedced3f0aa750eaa00d98dfcc7

SHA256
484ba1773db51826c5a61cf98ef59d75f595bc87ba29bf5ac4aedd4813bf9c39

SHA512
7a44774e3f11622396d9ea3ff17fb2bbe94831b73a046af8e58ee4ac44e5f0d8eaecfefff3a6e24d269c80c011464b59117e095fe576f462ff1ec9dc00033fe2

Download Submit
C:\Windows\{609E67E7-FC5E-49c7-A2B1-26AFE73B2810}.exe

Filesize
372KB

MD5
02fa26258130ec0fd8a24dee3ce44c8d

SHA1
80249668d1e2c20113d43a7dadf1ac1947be45aa

SHA256
4d9eb7b12bbaaaca1a847a841eb021a2acf0f6831a5266d16074591e512afa1c

SHA512
0e384f928b1b2a690c7d1482b2806845688ca9624065cec2b58f8cd179e7df9fbb350eedcc976f4760386409b4c2c918216c6de85f6532fcbb9e0d9ce2ccbbaf

Download Submit
C:\Windows\{68688389-1C13-45eb-B540-7A9615075BC8}.exe

Filesize
372KB

MD5
78d684f5c06c6f693b8dac0e3682cff6

SHA1
aaf13862d9b3cb1868c16dd81581a03dc3aee836

SHA256
53f29970599ec1fbc27fad079cdaa82ed3640408003647b78eed5bd7f7136b72

SHA512
181c41cb8221c96647ccba0a7eff4716162ccc6f8dd6a1b1c8b9363a377b0092ad5985898aa88ca1a3ddf3f2ab131852869f0cb81db869173a22ca64f37a6565

Download Submit
C:\Windows\{6E2C8405-415D-448a-8127-498102EC0FDE}.exe

Filesize
372KB

MD5
9d0550a30c56fc48123e0237d48a0385

SHA1
9a9f89d1222d1bd8ac6d837632a656340f788416

SHA256
bed5c3ef291999e3831ce27857401b0da431be70f39e1cf143e8f24044595153

SHA512
6342e4de8859261b1749bfee42f164e47d14e527c4fa9b5909be05ae8f8d8beac69f8eb3b1d965744ab84eb0e60cbccc09e605bb855e9c047589de22e28fd604

Download Submit
C:\Windows\{854DFCAF-94C8-4929-9373-2B24FF4C9F17}.exe

Filesize
372KB

MD5
26a326bf216484dfb4b072d24534705b

SHA1
590b7ad017fdd097031709067ca2322d6606731b

SHA256
69bf8725b5a6b32b58ffc569ad7be6a535b8607d5113e7e5686b7dfdd078ef5f

SHA512
c0bf2f6acca83e6884e999725dc17978e86123ef2041c3920e6c8cceac28a81fd29d553374b273f9e14a8dbbe12ca7d99e447f88f68fd72ecf5f4d939fe71974

Download Submit
C:\Windows\{D2BE89D2-71C2-4ecf-B910-C6520B236F9E}.exe

Filesize
372KB

MD5
e563d904f71d7d1b8754a127b72f5714

SHA1
ffd43ffe361c5b2543c0ff31dfe2ec902b9fb597

SHA256
c67727fbc146bda78651ad5fbb5e8069d2370f824faa571b48a337b224d2c7a2

SHA512
6c9313348108bc683ac9feb4ac1afb89f1e10a9f48b6ef7c8670bf5e37d39a189b6db27a0d16efcb0cb4978a053f5874379277a467dd90c96c625e0343e3599a

Download Submit
C:\Windows\{EB924017-8615-406e-A4CB-C9E493465F40}.exe

Filesize
372KB

MD5
f3ff4535296d4c32b5e87d292e531db3

SHA1
489454b300d6a312b94efd243dc10becd9975c6f

SHA256
84ea1492a104b0564aeac6e2afa81c5eb64e03a2ba765fe7661c94629b02858c

SHA512
6a6c37ad4c0a327811a1ffc596760085e1d9d61f93fb2606f3f73e204a59943d5323bd6d47981c11161a0d8083423d4da6fc5f6d5f974555a454400f94226bc4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads