eb32eac617c5f6cbcccef40435be6248c8fc0f37bcd88b4a469b2bd0aa950644

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe
Size

408KB
MD5

240b9b866b234c381a19d838845e09b4
SHA1

16a8b971fb1e2e77f5531343407a6f38093df330
SHA256

eb32eac617c5f6cbcccef40435be6248c8fc0f37bcd88b4a469b2bd0aa950644
SHA512

1a133f651c0deb212f4fe363cf988cec3f86cea579adce22a4592b78287b7d79bafd4350dceccb8b60d289853e724003e9b8c8323a12eee1b0a3419b4e19a79e
SSDEEP

3072:CEGh0oDl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGVldOe2MUVg3vTeKcAEciTBqr3jy9

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}	{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}	{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB990CBD-6756-486e-8891-332963737ACC}	{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}\stubpath = "C:\\Windows\\{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe"	2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C43C61DE-763D-45eb-8BCF-68F521B1DC22}	{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C43C61DE-763D-45eb-8BCF-68F521B1DC22}\stubpath = "C:\\Windows\\{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe"	{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE9CD352-F39E-48f7-811F-BE8D742443E2}	{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}\stubpath = "C:\\Windows\\{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe"	{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB990CBD-6756-486e-8891-332963737ACC}\stubpath = "C:\\Windows\\{AB990CBD-6756-486e-8891-332963737ACC}.exe"	{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46E91BB6-B8AA-4350-B92F-0FB83668F8E8}	{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F6B9414-6166-47e2-B5F8-94973E27F3AD}\stubpath = "C:\\Windows\\{0F6B9414-6166-47e2-B5F8-94973E27F3AD}.exe"	{46E91BB6-B8AA-4350-B92F-0FB83668F8E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}	2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F9A39BC-5961-4970-91C5-DD66D73F418F}	{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}	{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}	{AB990CBD-6756-486e-8891-332963737ACC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}\stubpath = "C:\\Windows\\{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe"	{AB990CBD-6756-486e-8891-332963737ACC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}\stubpath = "C:\\Windows\\{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe"	{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}	{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F9A39BC-5961-4970-91C5-DD66D73F418F}\stubpath = "C:\\Windows\\{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe"	{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE9CD352-F39E-48f7-811F-BE8D742443E2}\stubpath = "C:\\Windows\\{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe"	{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}\stubpath = "C:\\Windows\\{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe"	{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46E91BB6-B8AA-4350-B92F-0FB83668F8E8}\stubpath = "C:\\Windows\\{46E91BB6-B8AA-4350-B92F-0FB83668F8E8}.exe"	{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F6B9414-6166-47e2-B5F8-94973E27F3AD}	{46E91BB6-B8AA-4350-B92F-0FB83668F8E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}\stubpath = "C:\\Windows\\{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe"	{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe

Executes dropped EXE 12 IoCs

pid	Process
4172	{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe
2668	{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe
448	{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe
4184	{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe
3956	{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe
1180	{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe
1356	{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe
3616	{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe
4796	{AB990CBD-6756-486e-8891-332963737ACC}.exe
4332	{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe
2068	{46E91BB6-B8AA-4350-B92F-0FB83668F8E8}.exe
3784	{0F6B9414-6166-47e2-B5F8-94973E27F3AD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe	{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe
File created	C:\Windows\{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe	{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe
File created	C:\Windows\{AB990CBD-6756-486e-8891-332963737ACC}.exe	{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe
File created	C:\Windows\{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe	{AB990CBD-6756-486e-8891-332963737ACC}.exe
File created	C:\Windows\{46E91BB6-B8AA-4350-B92F-0FB83668F8E8}.exe	{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe
File created	C:\Windows\{0F6B9414-6166-47e2-B5F8-94973E27F3AD}.exe	{46E91BB6-B8AA-4350-B92F-0FB83668F8E8}.exe
File created	C:\Windows\{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe	2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe
File created	C:\Windows\{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe	{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe
File created	C:\Windows\{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe	{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe
File created	C:\Windows\{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe	{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe
File created	C:\Windows\{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe	{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe
File created	C:\Windows\{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe	{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4820	2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4172	{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe
Token: SeIncBasePriorityPrivilege	2668	{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe
Token: SeIncBasePriorityPrivilege	448	{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe
Token: SeIncBasePriorityPrivilege	4184	{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe
Token: SeIncBasePriorityPrivilege	3956	{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe
Token: SeIncBasePriorityPrivilege	1180	{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe
Token: SeIncBasePriorityPrivilege	1356	{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe
Token: SeIncBasePriorityPrivilege	3616	{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe
Token: SeIncBasePriorityPrivilege	4796	{AB990CBD-6756-486e-8891-332963737ACC}.exe
Token: SeIncBasePriorityPrivilege	4332	{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe
Token: SeIncBasePriorityPrivilege	2068	{46E91BB6-B8AA-4350-B92F-0FB83668F8E8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4172	4820	2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe	85
PID 4820 wrote to memory of 4172	4820	2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe	85
PID 4820 wrote to memory of 4172	4820	2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe	85
PID 4820 wrote to memory of 2572	4820	2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe	86
PID 4820 wrote to memory of 2572	4820	2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe	86
PID 4820 wrote to memory of 2572	4820	2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe	86
PID 4172 wrote to memory of 2668	4172	{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe	87
PID 4172 wrote to memory of 2668	4172	{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe	87
PID 4172 wrote to memory of 2668	4172	{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe	87
PID 4172 wrote to memory of 2144	4172	{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe	88
PID 4172 wrote to memory of 2144	4172	{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe	88
PID 4172 wrote to memory of 2144	4172	{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe	88
PID 2668 wrote to memory of 448	2668	{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe	92
PID 2668 wrote to memory of 448	2668	{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe	92
PID 2668 wrote to memory of 448	2668	{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe	92
PID 2668 wrote to memory of 3248	2668	{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe	93
PID 2668 wrote to memory of 3248	2668	{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe	93
PID 2668 wrote to memory of 3248	2668	{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe	93
PID 448 wrote to memory of 4184	448	{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe	94
PID 448 wrote to memory of 4184	448	{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe	94
PID 448 wrote to memory of 4184	448	{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe	94
PID 448 wrote to memory of 2936	448	{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe	95
PID 448 wrote to memory of 2936	448	{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe	95
PID 448 wrote to memory of 2936	448	{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe	95
PID 4184 wrote to memory of 3956	4184	{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe	96
PID 4184 wrote to memory of 3956	4184	{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe	96
PID 4184 wrote to memory of 3956	4184	{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe	96
PID 4184 wrote to memory of 4792	4184	{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe	97
PID 4184 wrote to memory of 4792	4184	{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe	97
PID 4184 wrote to memory of 4792	4184	{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe	97
PID 3956 wrote to memory of 1180	3956	{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe	98
PID 3956 wrote to memory of 1180	3956	{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe	98
PID 3956 wrote to memory of 1180	3956	{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe	98
PID 3956 wrote to memory of 4848	3956	{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe	99
PID 3956 wrote to memory of 4848	3956	{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe	99
PID 3956 wrote to memory of 4848	3956	{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe	99
PID 1180 wrote to memory of 1356	1180	{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe	100
PID 1180 wrote to memory of 1356	1180	{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe	100
PID 1180 wrote to memory of 1356	1180	{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe	100
PID 1180 wrote to memory of 992	1180	{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe	101
PID 1180 wrote to memory of 992	1180	{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe	101
PID 1180 wrote to memory of 992	1180	{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe	101
PID 1356 wrote to memory of 3616	1356	{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe	102
PID 1356 wrote to memory of 3616	1356	{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe	102
PID 1356 wrote to memory of 3616	1356	{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe	102
PID 1356 wrote to memory of 2688	1356	{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe	103
PID 1356 wrote to memory of 2688	1356	{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe	103
PID 1356 wrote to memory of 2688	1356	{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe	103
PID 3616 wrote to memory of 4796	3616	{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe	104
PID 3616 wrote to memory of 4796	3616	{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe	104
PID 3616 wrote to memory of 4796	3616	{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe	104
PID 3616 wrote to memory of 3032	3616	{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe	105
PID 3616 wrote to memory of 3032	3616	{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe	105
PID 3616 wrote to memory of 3032	3616	{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe	105
PID 4796 wrote to memory of 4332	4796	{AB990CBD-6756-486e-8891-332963737ACC}.exe	106
PID 4796 wrote to memory of 4332	4796	{AB990CBD-6756-486e-8891-332963737ACC}.exe	106
PID 4796 wrote to memory of 4332	4796	{AB990CBD-6756-486e-8891-332963737ACC}.exe	106
PID 4796 wrote to memory of 4456	4796	{AB990CBD-6756-486e-8891-332963737ACC}.exe	107
PID 4796 wrote to memory of 4456	4796	{AB990CBD-6756-486e-8891-332963737ACC}.exe	107
PID 4796 wrote to memory of 4456	4796	{AB990CBD-6756-486e-8891-332963737ACC}.exe	107
PID 4332 wrote to memory of 2068	4332	{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe	108
PID 4332 wrote to memory of 2068	4332	{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe	108
PID 4332 wrote to memory of 2068	4332	{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe	108
PID 4332 wrote to memory of 3380	4332	{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_240b9b866b234c381a19d838845e09b4_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe
  C:\Windows\{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe
    C:\Windows\{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe
      C:\Windows\{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\Windows\{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe
        
        C:\Windows\{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4184
      - C:\Windows\{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe
        
        C:\Windows\{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe
        
        C:\Windows\{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe
        
        C:\Windows\{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe
        
        C:\Windows\{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\{AB990CBD-6756-486e-8891-332963737ACC}.exe
        
        C:\Windows\{AB990CBD-6756-486e-8891-332963737ACC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe
        
        C:\Windows\{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\{46E91BB6-B8AA-4350-B92F-0FB83668F8E8}.exe
        
        C:\Windows\{46E91BB6-B8AA-4350-B92F-0FB83668F8E8}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{0F6B9414-6166-47e2-B5F8-94973E27F3AD}.exe
        
        C:\Windows\{0F6B9414-6166-47e2-B5F8-94973E27F3AD}.exe
        13⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46E91~1.EXE > nul
        13⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96749~1.EXE > nul
        12⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB990~1.EXE > nul
        11⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17C1A~1.EXE > nul
        10⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8321~1.EXE > nul
        9⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE9CD~1.EXE > nul
        8⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F9A3~1.EXE > nul
        7⤵
        
        PID:4848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C43C6~1.EXE > nul
        6⤵
        
        PID:4792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0595E~1.EXE > nul
        5⤵
        
        PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{46916~1.EXE > nul
      4⤵
      PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EB2EF~1.EXE > nul
    3⤵
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0595E90B-DD1B-47b3-8D39-EBB79986EE5D}.exe

Filesize
408KB

MD5
063551f7b52e8f5305d8e6bcc509175b

SHA1
088afe21342caecce37bbc9a3e6bd8ccf18b87a9

SHA256
f800b9e140bfae545ed50607daaaf910ba97a1d2e3397167ae683f4e1726c926

SHA512
ded5e7572efa4651ddc1bddc8408ccbbf371b8c07f19ce2d1822394ebb40fd5fb5828b9f80ef4ef61a03e1d626b2578c00ed6bc31cab4ffd664f647c6f30457c

Download Submit
C:\Windows\{0F6B9414-6166-47e2-B5F8-94973E27F3AD}.exe

Filesize
408KB

MD5
da39c9c3d2defc21812231560d95764e

SHA1
1f2b018305ddadcb26ab44156dab96fbe4a68fe8

SHA256
cfb0aa6e3ab1382bcc4e1846ad5b1e2ee8ba4b10aa47b15e4a775815ef6c1511

SHA512
86f796f09f85771a4606e63254022f5b7439915aaca014fefb1d72a6be4cafaf279c74ecfd552fc7cb32736147226a28f120761c80e46fff00be1750d53fde67

Download Submit
C:\Windows\{17C1A81C-4BEA-40d6-AB95-6E3A59001C51}.exe

Filesize
408KB

MD5
7aebe203e133283ee8ecbe4460cdfe96

SHA1
08f5927156d61c298379912a12380758d3273c09

SHA256
251661af5467fa1e87dfad1dd078922e600b012c65baff2ffa44b83badb275ca

SHA512
bd58a8aa7226a6f2d88424a3813549673c405b07d01876c21fcc2408da2fbab370959ca95961781387e753b623e8642de38a3dabc40952300c141fa8a6a22793

Download Submit
C:\Windows\{46916315-4FDD-4f4b-9BC8-6C1EF1237E9C}.exe

Filesize
408KB

MD5
67de7e582875a70ed8d6c1b20f71e03c

SHA1
1d42e2551850057fb61eebebc8ea0ef5e8702d04

SHA256
abde8f6e4cb2a2ae973cdb4de75c159e76a5768df75f8e109894fd40b26923b7

SHA512
5702c765b04006a352c9f7181470463b6c26cb9cf962c2054508efa53d58424675e61ced1aed9d2b7b67ceef82201203739033a619aa54213e8a298dd1fe686a

Download Submit
C:\Windows\{46E91BB6-B8AA-4350-B92F-0FB83668F8E8}.exe

Filesize
408KB

MD5
a169f4483fe6a6bb19d3369900bd5101

SHA1
ad912c19026d77d4cafd1768b10511ea1861e2e8

SHA256
692f958921d6498cd40ee46667cfa2d334c651ca8d535e2d83583b8c1e3cef9c

SHA512
a63d4c85248520de69dfcc0178dd0a21cae2ed297c0fdbc9d686415eae9e2e92fdcc4298f03295669c86a0e743f1beb5ee668b28bbb3aa46ed77bb8c562d4498

Download Submit
C:\Windows\{7F9A39BC-5961-4970-91C5-DD66D73F418F}.exe

Filesize
408KB

MD5
5c3d3caec7f7556c09c078da18238417

SHA1
0eb4a3e091dae9788c0c940e28124848455d408d

SHA256
547558497ff61138f39029de994443e50bcd6d946aded55f60d708471e98544b

SHA512
8fecbe903a893cae4aacb449d67442297b6ca88e7dc401cd5753f17a46ac62bb25b031bfe86a1fa4da1669ae759b54920425754343bf99d59e363e2f1134c8ce

Download Submit
C:\Windows\{96749B0C-6B7C-4ac5-8CFC-4CC0853A3598}.exe

Filesize
408KB

MD5
653af080cfb818b4a295595f68fd8b7b

SHA1
54e1d1126c3807ac8bec4d32fc64edd63d1c4aa2

SHA256
26ee9f09c09aa123f00d38146dfd6cb407b9279d67faddc08a47a990c62493d7

SHA512
a4af789f473ca3ac655581c0acc267ba8270b52129afe37e5429d1120583223800c37a345a11984ee5bbac92ffca33ce5fbd813f5da4b7cd3c9e6ea17bb36753

Download Submit
C:\Windows\{AB990CBD-6756-486e-8891-332963737ACC}.exe

Filesize
408KB

MD5
854d6512ccf1d1468a5b96a1fe7b2799

SHA1
c465ec91380ec65314b0f9c467e762e06e7a9894

SHA256
7a358a3466be7fe8e84b04a79a2436c5e4a5fb25db805df50a801033f18c9908

SHA512
e54fa637b185df6a89f4143c23a220339d921dd6cbab382d1f18452d5fcadb612408bb08c012c91d299d5e76f061f40a62e29c3b978a8b9fda9b7bb0139242a1

Download Submit
C:\Windows\{C43C61DE-763D-45eb-8BCF-68F521B1DC22}.exe

Filesize
408KB

MD5
fa8c5f616923a4a4a0e0ec0746a8688f

SHA1
6cbbffc3a915c49db2ffd61a39e2fe226a476fc9

SHA256
e78465c24ddee18c3062780e8fff0b5ea593c383a45560357dbaa972105a9cdf

SHA512
50e1b3fefa4b46c046da94e81f626b631ecdc16ba32f474cfa37ca4caa51e9fe2836ceba256a2674f1bb9e9dbec9a67a1d76b1749518b1f7ea4f496835cdfec9

Download Submit
C:\Windows\{DE9CD352-F39E-48f7-811F-BE8D742443E2}.exe

Filesize
408KB

MD5
f6bc4d24b586605cc2f4cd414f2ebdf3

SHA1
af39f6242670be1fe88c5ceef2b4c554ec473705

SHA256
6510fe5a528ff99d8d6e776cd2b116b85d9b9bf5e57550ae8cb092a3d2aa31eb

SHA512
3f231b8877896569b09146d0fc04d63927643158745236c86de3c076a828a6c210abcf9cfa6e0ef21df4a713f15444d0f510b25ab522c15245c24f97f75001dd

Download Submit
C:\Windows\{E83214BA-FA0A-4bfb-BDD6-A46C19C6A1C7}.exe

Filesize
408KB

MD5
a76d549ecea0df1e9eb7442b889f0f71

SHA1
1ed0ffd04f727ac05ce2ee7e0bbc87016311d70f

SHA256
06a0137f87e22ad929fbf9eed595226d8f389fb3de36c2c4c49a0dad484380f9

SHA512
6ebb72bfb8a932dfebf7339e3674b400581590d9c68974966f323d340cb9285d33ca4c0729810fd7e66ced1266ff554550fa0dc09a46d4da929fc25e4ace3bce

Download Submit
C:\Windows\{EB2EFC69-53A5-461f-B42D-BE0ED21299C8}.exe

Filesize
408KB

MD5
ade13ee5c5c8256ceef7094212970494

SHA1
610e69ed566662b19c3c358a127f1093e61ad4a8

SHA256
e1aae7970d7dae78b45af74333ccac35b0b0aae988386506aa6c51c79f009634

SHA512
8001c23c86acb7d337ce4cb3c28b9ca3294fbec8cbff990d6fdde07b2402571d360b4a26efe1b2c92052fb034f60175d0a4826dab66ad276e13cc61e6417a6f9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads