4ac52bd5deb722c3d2a876cc097bf9e54bc99c7a8a071b609786b7374a1db2ac

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 11:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe
Size

344KB
MD5

995e06b3b30ac64e16eb56fad8edcfed
SHA1

fefbdd9cabd1022cab66a06c3b64b8138cb2af0c
SHA256

4ac52bd5deb722c3d2a876cc097bf9e54bc99c7a8a071b609786b7374a1db2ac
SHA512

f5a4abdc1105f01fdcdf70951775d0562fe26771764fd031c44e8889e5736825f03482e87a1a172f8a36b3464d3d34d8ab7cda3203fe409544154e0af51e70b4
SSDEEP

3072:mEGh0oqlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGwlqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E146CD6D-C5F4-4c0d-8480-33411370BC9F}\stubpath = "C:\\Windows\\{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe"	2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}\stubpath = "C:\\Windows\\{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe"	{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CEA991A-80ED-4539-99B2-0137D249D395}	{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97F6C309-595E-4110-8009-6AD40A46EB81}	{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}	{97F6C309-595E-4110-8009-6AD40A46EB81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}\stubpath = "C:\\Windows\\{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe"	{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B6047CD-F92C-4a93-8B0A-7F74B3889977}	{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}	{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}	{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B113D6CB-3023-4117-9F34-37D6CE0528F1}\stubpath = "C:\\Windows\\{B113D6CB-3023-4117-9F34-37D6CE0528F1}.exe"	{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C00BBA24-BF88-4d8d-8ADF-5C3F3CCB3B6F}	{B113D6CB-3023-4117-9F34-37D6CE0528F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C00BBA24-BF88-4d8d-8ADF-5C3F3CCB3B6F}\stubpath = "C:\\Windows\\{C00BBA24-BF88-4d8d-8ADF-5C3F3CCB3B6F}.exe"	{B113D6CB-3023-4117-9F34-37D6CE0528F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E146CD6D-C5F4-4c0d-8480-33411370BC9F}	2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}	{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}\stubpath = "C:\\Windows\\{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe"	{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}	{8CEA991A-80ED-4539-99B2-0137D249D395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}\stubpath = "C:\\Windows\\{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe"	{8CEA991A-80ED-4539-99B2-0137D249D395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{169ABF98-615C-49a4-8CF0-F17AEDBFA003}\stubpath = "C:\\Windows\\{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe"	{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CEA991A-80ED-4539-99B2-0137D249D395}\stubpath = "C:\\Windows\\{8CEA991A-80ED-4539-99B2-0137D249D395}.exe"	{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97F6C309-595E-4110-8009-6AD40A46EB81}\stubpath = "C:\\Windows\\{97F6C309-595E-4110-8009-6AD40A46EB81}.exe"	{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}\stubpath = "C:\\Windows\\{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe"	{97F6C309-595E-4110-8009-6AD40A46EB81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B6047CD-F92C-4a93-8B0A-7F74B3889977}\stubpath = "C:\\Windows\\{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe"	{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{169ABF98-615C-49a4-8CF0-F17AEDBFA003}	{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B113D6CB-3023-4117-9F34-37D6CE0528F1}	{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe

Executes dropped EXE 12 IoCs

pid	Process
4956	{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe
4828	{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe
1052	{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe
364	{8CEA991A-80ED-4539-99B2-0137D249D395}.exe
3352	{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe
4928	{97F6C309-595E-4110-8009-6AD40A46EB81}.exe
2396	{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe
884	{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe
2920	{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe
3824	{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe
4544	{B113D6CB-3023-4117-9F34-37D6CE0528F1}.exe
2748	{C00BBA24-BF88-4d8d-8ADF-5C3F3CCB3B6F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8CEA991A-80ED-4539-99B2-0137D249D395}.exe	{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe
File created	C:\Windows\{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe	{8CEA991A-80ED-4539-99B2-0137D249D395}.exe
File created	C:\Windows\{97F6C309-595E-4110-8009-6AD40A46EB81}.exe	{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe
File created	C:\Windows\{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe	{97F6C309-595E-4110-8009-6AD40A46EB81}.exe
File created	C:\Windows\{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe	{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe
File created	C:\Windows\{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe	{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe
File created	C:\Windows\{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe	{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe
File created	C:\Windows\{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe	2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe
File created	C:\Windows\{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe	{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe
File created	C:\Windows\{B113D6CB-3023-4117-9F34-37D6CE0528F1}.exe	{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe
File created	C:\Windows\{C00BBA24-BF88-4d8d-8ADF-5C3F3CCB3B6F}.exe	{B113D6CB-3023-4117-9F34-37D6CE0528F1}.exe
File created	C:\Windows\{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe	{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1976	2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4956	{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe
Token: SeIncBasePriorityPrivilege	4828	{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe
Token: SeIncBasePriorityPrivilege	1052	{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe
Token: SeIncBasePriorityPrivilege	364	{8CEA991A-80ED-4539-99B2-0137D249D395}.exe
Token: SeIncBasePriorityPrivilege	3352	{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe
Token: SeIncBasePriorityPrivilege	4928	{97F6C309-595E-4110-8009-6AD40A46EB81}.exe
Token: SeIncBasePriorityPrivilege	2396	{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe
Token: SeIncBasePriorityPrivilege	884	{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe
Token: SeIncBasePriorityPrivilege	2920	{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe
Token: SeIncBasePriorityPrivilege	3824	{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe
Token: SeIncBasePriorityPrivilege	4544	{B113D6CB-3023-4117-9F34-37D6CE0528F1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 4956	1976	2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe	85
PID 1976 wrote to memory of 4956	1976	2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe	85
PID 1976 wrote to memory of 4956	1976	2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe	85
PID 1976 wrote to memory of 1004	1976	2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe	86
PID 1976 wrote to memory of 1004	1976	2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe	86
PID 1976 wrote to memory of 1004	1976	2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe	86
PID 4956 wrote to memory of 4828	4956	{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe	87
PID 4956 wrote to memory of 4828	4956	{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe	87
PID 4956 wrote to memory of 4828	4956	{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe	87
PID 4956 wrote to memory of 1144	4956	{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe	88
PID 4956 wrote to memory of 1144	4956	{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe	88
PID 4956 wrote to memory of 1144	4956	{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe	88
PID 4828 wrote to memory of 1052	4828	{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe	92
PID 4828 wrote to memory of 1052	4828	{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe	92
PID 4828 wrote to memory of 1052	4828	{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe	92
PID 4828 wrote to memory of 464	4828	{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe	93
PID 4828 wrote to memory of 464	4828	{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe	93
PID 4828 wrote to memory of 464	4828	{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe	93
PID 1052 wrote to memory of 364	1052	{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe	94
PID 1052 wrote to memory of 364	1052	{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe	94
PID 1052 wrote to memory of 364	1052	{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe	94
PID 1052 wrote to memory of 3432	1052	{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe	95
PID 1052 wrote to memory of 3432	1052	{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe	95
PID 1052 wrote to memory of 3432	1052	{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe	95
PID 364 wrote to memory of 3352	364	{8CEA991A-80ED-4539-99B2-0137D249D395}.exe	96
PID 364 wrote to memory of 3352	364	{8CEA991A-80ED-4539-99B2-0137D249D395}.exe	96
PID 364 wrote to memory of 3352	364	{8CEA991A-80ED-4539-99B2-0137D249D395}.exe	96
PID 364 wrote to memory of 4292	364	{8CEA991A-80ED-4539-99B2-0137D249D395}.exe	97
PID 364 wrote to memory of 4292	364	{8CEA991A-80ED-4539-99B2-0137D249D395}.exe	97
PID 364 wrote to memory of 4292	364	{8CEA991A-80ED-4539-99B2-0137D249D395}.exe	97
PID 3352 wrote to memory of 4928	3352	{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe	98
PID 3352 wrote to memory of 4928	3352	{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe	98
PID 3352 wrote to memory of 4928	3352	{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe	98
PID 3352 wrote to memory of 5092	3352	{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe	99
PID 3352 wrote to memory of 5092	3352	{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe	99
PID 3352 wrote to memory of 5092	3352	{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe	99
PID 4928 wrote to memory of 2396	4928	{97F6C309-595E-4110-8009-6AD40A46EB81}.exe	100
PID 4928 wrote to memory of 2396	4928	{97F6C309-595E-4110-8009-6AD40A46EB81}.exe	100
PID 4928 wrote to memory of 2396	4928	{97F6C309-595E-4110-8009-6AD40A46EB81}.exe	100
PID 4928 wrote to memory of 3476	4928	{97F6C309-595E-4110-8009-6AD40A46EB81}.exe	101
PID 4928 wrote to memory of 3476	4928	{97F6C309-595E-4110-8009-6AD40A46EB81}.exe	101
PID 4928 wrote to memory of 3476	4928	{97F6C309-595E-4110-8009-6AD40A46EB81}.exe	101
PID 2396 wrote to memory of 884	2396	{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe	102
PID 2396 wrote to memory of 884	2396	{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe	102
PID 2396 wrote to memory of 884	2396	{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe	102
PID 2396 wrote to memory of 952	2396	{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe	103
PID 2396 wrote to memory of 952	2396	{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe	103
PID 2396 wrote to memory of 952	2396	{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe	103
PID 884 wrote to memory of 2920	884	{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe	104
PID 884 wrote to memory of 2920	884	{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe	104
PID 884 wrote to memory of 2920	884	{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe	104
PID 884 wrote to memory of 2940	884	{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe	105
PID 884 wrote to memory of 2940	884	{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe	105
PID 884 wrote to memory of 2940	884	{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe	105
PID 2920 wrote to memory of 3824	2920	{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe	106
PID 2920 wrote to memory of 3824	2920	{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe	106
PID 2920 wrote to memory of 3824	2920	{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe	106
PID 2920 wrote to memory of 3228	2920	{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe	107
PID 2920 wrote to memory of 3228	2920	{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe	107
PID 2920 wrote to memory of 3228	2920	{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe	107
PID 3824 wrote to memory of 4544	3824	{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe	108
PID 3824 wrote to memory of 4544	3824	{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe	108
PID 3824 wrote to memory of 4544	3824	{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe	108
PID 3824 wrote to memory of 1812	3824	{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_995e06b3b30ac64e16eb56fad8edcfed_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe
  C:\Windows\{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe
    C:\Windows\{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe
      C:\Windows\{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Windows\{8CEA991A-80ED-4539-99B2-0137D249D395}.exe
        
        C:\Windows\{8CEA991A-80ED-4539-99B2-0137D249D395}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:364
      - C:\Windows\{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe
        
        C:\Windows\{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\{97F6C309-595E-4110-8009-6AD40A46EB81}.exe
        
        C:\Windows\{97F6C309-595E-4110-8009-6AD40A46EB81}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe
        
        C:\Windows\{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe
        
        C:\Windows\{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe
        
        C:\Windows\{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe
        
        C:\Windows\{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\{B113D6CB-3023-4117-9F34-37D6CE0528F1}.exe
        
        C:\Windows\{B113D6CB-3023-4117-9F34-37D6CE0528F1}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
        
        C:\Windows\{C00BBA24-BF88-4d8d-8ADF-5C3F3CCB3B6F}.exe
        
        C:\Windows\{C00BBA24-BF88-4d8d-8ADF-5C3F3CCB3B6F}.exe
        13⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B113D~1.EXE > nul
        13⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{169AB~1.EXE > nul
        12⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B604~1.EXE > nul
        11⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7B16~1.EXE > nul
        10⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A24E7~1.EXE > nul
        9⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97F6C~1.EXE > nul
        8⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED357~1.EXE > nul
        7⤵
        
        PID:5092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CEA9~1.EXE > nul
        6⤵
        
        PID:4292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36AC1~1.EXE > nul
        5⤵
        
        PID:3432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{71F55~1.EXE > nul
      4⤵
      PID:464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E146C~1.EXE > nul
    3⤵
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{169ABF98-615C-49a4-8CF0-F17AEDBFA003}.exe

Filesize
344KB

MD5
53868b875b2b9985367f249be326417f

SHA1
ed55dcce778923d13d446862719e952ac49152c8

SHA256
626bc9a845b79e1d3c8c6eef235c71a3e4a6d518950cb56bff36e7b0f4ebe2ac

SHA512
0926549c549e2035d23670fb65fc4bab5f4ba2108abb8be4f0de6d32319fd3edd4811cdde6997e8513d0791446a68a1dde9e5569faa881e3e73cc27da509b289

Download Submit
C:\Windows\{36AC1A6A-9DFD-4631-8E24-F5F1D172FFD7}.exe

Filesize
344KB

MD5
5a870ccee1b5fcd4beadf7d53204b953

SHA1
cd2d59d528f20bff2ba792dde499d87f585260cb

SHA256
5923a0d5443959a0e83e900d595553783e332a21f1bb901649cd6d03cf44db89

SHA512
3d40af29704cc45325862eada2403cf3adb4af542d0ce6fe72f6d7e3cd02f5360e195244ed060f886472af6fd133a5b4c96f116fec0869d95ac22abad8bbf582

Download Submit
C:\Windows\{3B6047CD-F92C-4a93-8B0A-7F74B3889977}.exe

Filesize
344KB

MD5
6b2e7a3f980c1bcde0acf44bd113fbc9

SHA1
6421ce85552ceb8a87365118f75372a4230e3e9a

SHA256
a86afce160f8ff9dd4315e7d658574f6d57368ff1e06da8f47b1143524adf699

SHA512
812172ce625d1489c9a21546336ad052ba2fd4aee8d602dd4ca70c9adc87532944c6aa212908494e77856616f6947abb99dfd0d5bc4b5a14c6a3bebbd300285c

Download Submit
C:\Windows\{71F55B4E-14C8-416e-923C-A4D2F4D7EB2B}.exe

Filesize
344KB

MD5
347991cf119c11473b4c6d4ba0e9d880

SHA1
5bfc4a50f5655769f44d2b71dab9dc39d2cc0c7e

SHA256
a3d125fdcce96d0536369a1c8aaf8eea79af0052ac7c9e5906cd3f21767ac0ea

SHA512
313c45967cbf0bbd9443932e306d297d0d6a9ab81cae1804bc09fe384af960d6a808775deca621b10e97e12350869f383fe5e7b755d8f7d7106400e58926cf8b

Download Submit
C:\Windows\{8CEA991A-80ED-4539-99B2-0137D249D395}.exe

Filesize
344KB

MD5
7e3d70416241975eb2925cd98a8a770d

SHA1
508771e07c062915483a69a67e0c2dee3d4e263b

SHA256
3e752a2b6d9d350537578ef84bf48b6257a3c0b43f8cd36700e260ba876cec18

SHA512
503372147bd9057023cbcef27ca929b8786b3865304f5719ecb6c3b3112375f5e216932cb2ec38af59ef541fbf709f4746848711fe0226dab29bb4ec196dfb4c

Download Submit
C:\Windows\{97F6C309-595E-4110-8009-6AD40A46EB81}.exe

Filesize
344KB

MD5
0ca38a0b58c28f6817b891d1b50b453c

SHA1
93ade6b4f4658da5caea9d17e01ecf911459b2dc

SHA256
21fbd5299d8d95fad665282102f782db740cfa2b5560d8869317cc961e455a95

SHA512
1b76da0db9e404b26e1b4dfeed515710b725390ebc227235203d601315b7faee14404bbfa17942d7577579eedf312a09c607de052f9598485a497c50b7b274a4

Download Submit
C:\Windows\{A24E7E73-89A2-41b1-925D-EAD6B229E8D1}.exe

Filesize
344KB

MD5
a18b75d5a9e0bcc3e64318d73bbc0e89

SHA1
62364a69df0109a9c530ee93dc60f7ee0c434c3e

SHA256
7d6f91aaba60a41eb31e409f93ab371d4178fecef7da210a913c3050cdae29ca

SHA512
cd6436893de28e720b764fce5d60e3d5f29306b5e56f144092a32e44f7de99fbec950ef274b5751ecc90fbaded7d1c51d3a5cffab207e83fc660c5c82c776ca7

Download Submit
C:\Windows\{B113D6CB-3023-4117-9F34-37D6CE0528F1}.exe

Filesize
344KB

MD5
92b7bad5261134fb69555f46fa806b44

SHA1
74a25a87783265402086bb2916581b87bbf5ec4d

SHA256
915c9ff0230328379676e7556b16d2186754ebc193dd10318ba50de398afedf1

SHA512
21d37a335e346f4bf1f256db1b12fc330222680e178a50af0943bd511bb18b01eea60e1de8858f439674ea32c6d26990875d5f5de47e960443f2ab6f1920b428

Download Submit
C:\Windows\{C00BBA24-BF88-4d8d-8ADF-5C3F3CCB3B6F}.exe

Filesize
344KB

MD5
04bc51be5782e39c3ec5b026a8888d81

SHA1
bbf876aba73bdfecfb78a2f3b2a168718b24d0e1

SHA256
7d67238f2bc06e1a9895db682e70c341c50018224abc1efb469f4b5e21ef4a1f

SHA512
7b1b9122bdc0c25f7660b81c15a9cd5ff55659f8f2eb33f7bd8e55a068a65583013cca463895fb87ab01a5b71d6bbd28b8e51d89a224ce772a245619dfbae2e1

Download Submit
C:\Windows\{E146CD6D-C5F4-4c0d-8480-33411370BC9F}.exe

Filesize
344KB

MD5
da45c6b0b1a98755b9c9c787ead53315

SHA1
734e107c3d73c4a592587063937b70fac4709d84

SHA256
c10e108eea6ba908d7ca8056b4846d826c7780181b9bf573f653c704ef2e7cfa

SHA512
79746d11fbdae3ec53170a8eabc62fb2ad3e65d2db2f649df62dd2ddd8678eb53dea742518f48388798dd979b9f3531d9b3b6d1b28b9777e0d19b89041f73699

Download Submit
C:\Windows\{E7B16C73-0D88-48a3-8CDE-86AB3155CA9B}.exe

Filesize
344KB

MD5
7fdda015b62b3e0204ca1245bb9f5ad6

SHA1
153a0af9e563eb7a13dd1b4b05ce988fad236f0c

SHA256
8fa6f9c09a187e1c5c8e67a238b9b416097209f860fc22e9cae34337ca05d260

SHA512
ff9b27bbcbfc9ad10f1e3871453c55acf4aa3e011c1565ae1fc01ff25a08c9eaf48ae9b35740b18a3b8161fd54c0b5ff39f00b3af7f8529bf944a2adc8b3c99e

Download Submit
C:\Windows\{ED357FB7-DA83-4afe-9C1F-A56E8EB74EA9}.exe

Filesize
344KB

MD5
9078074e507e732d2353b7c8cf244113

SHA1
606df98936252d0dc83bc17af79aeeb4ba5aa6c2

SHA256
485472d9176e2c6bd0b8469d76cc3e645fca6905fbe2955c4436fecd21bd0ff6

SHA512
ffcd29020a69c292ccd2eaf7bbef3d33e25ab49a6335c5ceb273a8d69fb6da75c35ed777e862df80911c89d3aa0a6d8e0dc7c07535944f3e2fcb822704b02922

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads