05f2dc9dee89dfb567407d5bf2981dddf38bc6edfa97f07083a009596bf73e7b

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe
Size

180KB
MD5

3c673abff1148d61f14b2c06f50c598a
SHA1

f76438cb13c2140271d4dcf17a7f0706a87419a9
SHA256

05f2dc9dee89dfb567407d5bf2981dddf38bc6edfa97f07083a009596bf73e7b
SHA512

4eef387db98f2d347f4e0591b57f6036bf4c4dcffb2464e8a0b71e17d7287594c7d3455a0cc810b939f92f2c9a2bbc4b30880f2e587b445955b7ef697285715d
SSDEEP

3072:jEGh0oUlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGSl5eKcAEc

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E240941C-03DC-4c7f-9694-F67E931B0D16}\stubpath = "C:\\Windows\\{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe"	{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}	{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}	{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8494C883-DD24-4d2f-B29E-47806CAF9B79}\stubpath = "C:\\Windows\\{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe"	{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77D5D156-A4D2-42d8-B192-72427A75A0B4}\stubpath = "C:\\Windows\\{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe"	{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E240941C-03DC-4c7f-9694-F67E931B0D16}	{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C436A0BB-401D-46c8-A6DB-C8955A19F231}	{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0958FCE-996D-4e6a-A030-E00E01BCD17B}\stubpath = "C:\\Windows\\{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe"	{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}\stubpath = "C:\\Windows\\{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe"	{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}	{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}\stubpath = "C:\\Windows\\{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe"	{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E63A322-BF65-40a3-B2D0-1218B1922792}	{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}\stubpath = "C:\\Windows\\{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe"	{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C436A0BB-401D-46c8-A6DB-C8955A19F231}\stubpath = "C:\\Windows\\{C436A0BB-401D-46c8-A6DB-C8955A19F231}.exe"	{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}\stubpath = "C:\\Windows\\{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe"	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}	{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD5F14B1-D1AE-4e98-9EA2-F7CC2EBF06F2}\stubpath = "C:\\Windows\\{AD5F14B1-D1AE-4e98-9EA2-F7CC2EBF06F2}.exe"	{C436A0BB-401D-46c8-A6DB-C8955A19F231}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}\stubpath = "C:\\Windows\\{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe"	{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77D5D156-A4D2-42d8-B192-72427A75A0B4}	{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E63A322-BF65-40a3-B2D0-1218B1922792}\stubpath = "C:\\Windows\\{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe"	{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD5F14B1-D1AE-4e98-9EA2-F7CC2EBF06F2}	{C436A0BB-401D-46c8-A6DB-C8955A19F231}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0958FCE-996D-4e6a-A030-E00E01BCD17B}	{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8494C883-DD24-4d2f-B29E-47806CAF9B79}	{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4476	{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe
3024	{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe
4848	{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe
2588	{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe
4204	{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe
1824	{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe
3104	{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe
3424	{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe
5108	{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe
2300	{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe
1572	{C436A0BB-401D-46c8-A6DB-C8955A19F231}.exe
1872	{AD5F14B1-D1AE-4e98-9EA2-F7CC2EBF06F2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe	{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe
File created	C:\Windows\{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe	{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe
File created	C:\Windows\{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe	{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe
File created	C:\Windows\{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe	{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe
File created	C:\Windows\{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe	{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe
File created	C:\Windows\{C436A0BB-401D-46c8-A6DB-C8955A19F231}.exe	{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe
File created	C:\Windows\{AD5F14B1-D1AE-4e98-9EA2-F7CC2EBF06F2}.exe	{C436A0BB-401D-46c8-A6DB-C8955A19F231}.exe
File created	C:\Windows\{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe
File created	C:\Windows\{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe	{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe
File created	C:\Windows\{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe	{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe
File created	C:\Windows\{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe	{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe
File created	C:\Windows\{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe	{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4292	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4476	{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe
Token: SeIncBasePriorityPrivilege	3024	{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe
Token: SeIncBasePriorityPrivilege	4848	{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe
Token: SeIncBasePriorityPrivilege	2588	{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe
Token: SeIncBasePriorityPrivilege	4204	{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe
Token: SeIncBasePriorityPrivilege	1824	{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe
Token: SeIncBasePriorityPrivilege	3104	{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe
Token: SeIncBasePriorityPrivilege	3424	{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe
Token: SeIncBasePriorityPrivilege	5108	{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe
Token: SeIncBasePriorityPrivilege	2300	{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe
Token: SeIncBasePriorityPrivilege	1572	{C436A0BB-401D-46c8-A6DB-C8955A19F231}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 4476	4292	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	85
PID 4292 wrote to memory of 4476	4292	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	85
PID 4292 wrote to memory of 4476	4292	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	85
PID 4292 wrote to memory of 208	4292	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	86
PID 4292 wrote to memory of 208	4292	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	86
PID 4292 wrote to memory of 208	4292	2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe	86
PID 4476 wrote to memory of 3024	4476	{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe	87
PID 4476 wrote to memory of 3024	4476	{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe	87
PID 4476 wrote to memory of 3024	4476	{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe	87
PID 4476 wrote to memory of 4996	4476	{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe	88
PID 4476 wrote to memory of 4996	4476	{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe	88
PID 4476 wrote to memory of 4996	4476	{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe	88
PID 3024 wrote to memory of 4848	3024	{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe	92
PID 3024 wrote to memory of 4848	3024	{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe	92
PID 3024 wrote to memory of 4848	3024	{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe	92
PID 3024 wrote to memory of 1936	3024	{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe	93
PID 3024 wrote to memory of 1936	3024	{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe	93
PID 3024 wrote to memory of 1936	3024	{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe	93
PID 4848 wrote to memory of 2588	4848	{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe	94
PID 4848 wrote to memory of 2588	4848	{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe	94
PID 4848 wrote to memory of 2588	4848	{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe	94
PID 4848 wrote to memory of 1476	4848	{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe	95
PID 4848 wrote to memory of 1476	4848	{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe	95
PID 4848 wrote to memory of 1476	4848	{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe	95
PID 2588 wrote to memory of 4204	2588	{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe	96
PID 2588 wrote to memory of 4204	2588	{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe	96
PID 2588 wrote to memory of 4204	2588	{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe	96
PID 2588 wrote to memory of 3848	2588	{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe	97
PID 2588 wrote to memory of 3848	2588	{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe	97
PID 2588 wrote to memory of 3848	2588	{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe	97
PID 4204 wrote to memory of 1824	4204	{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe	98
PID 4204 wrote to memory of 1824	4204	{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe	98
PID 4204 wrote to memory of 1824	4204	{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe	98
PID 4204 wrote to memory of 4324	4204	{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe	99
PID 4204 wrote to memory of 4324	4204	{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe	99
PID 4204 wrote to memory of 4324	4204	{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe	99
PID 1824 wrote to memory of 3104	1824	{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe	100
PID 1824 wrote to memory of 3104	1824	{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe	100
PID 1824 wrote to memory of 3104	1824	{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe	100
PID 1824 wrote to memory of 1912	1824	{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe	101
PID 1824 wrote to memory of 1912	1824	{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe	101
PID 1824 wrote to memory of 1912	1824	{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe	101
PID 3104 wrote to memory of 3424	3104	{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe	102
PID 3104 wrote to memory of 3424	3104	{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe	102
PID 3104 wrote to memory of 3424	3104	{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe	102
PID 3104 wrote to memory of 4320	3104	{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe	103
PID 3104 wrote to memory of 4320	3104	{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe	103
PID 3104 wrote to memory of 4320	3104	{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe	103
PID 3424 wrote to memory of 5108	3424	{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe	104
PID 3424 wrote to memory of 5108	3424	{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe	104
PID 3424 wrote to memory of 5108	3424	{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe	104
PID 3424 wrote to memory of 1020	3424	{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe	105
PID 3424 wrote to memory of 1020	3424	{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe	105
PID 3424 wrote to memory of 1020	3424	{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe	105
PID 5108 wrote to memory of 2300	5108	{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe	106
PID 5108 wrote to memory of 2300	5108	{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe	106
PID 5108 wrote to memory of 2300	5108	{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe	106
PID 5108 wrote to memory of 2436	5108	{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe	107
PID 5108 wrote to memory of 2436	5108	{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe	107
PID 5108 wrote to memory of 2436	5108	{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe	107
PID 2300 wrote to memory of 1572	2300	{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe	108
PID 2300 wrote to memory of 1572	2300	{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe	108
PID 2300 wrote to memory of 1572	2300	{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe	108
PID 2300 wrote to memory of 3908	2300	{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-10_3c673abff1148d61f14b2c06f50c598a_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe
  C:\Windows\{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe
    C:\Windows\{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe
      C:\Windows\{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Windows\{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe
        
        C:\Windows\{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Windows\{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe
        
        C:\Windows\{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe
        
        C:\Windows\{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe
        
        C:\Windows\{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe
        
        C:\Windows\{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe
        
        C:\Windows\{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe
        
        C:\Windows\{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{C436A0BB-401D-46c8-A6DB-C8955A19F231}.exe
        
        C:\Windows\{C436A0BB-401D-46c8-A6DB-C8955A19F231}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\{AD5F14B1-D1AE-4e98-9EA2-F7CC2EBF06F2}.exe
        
        C:\Windows\{AD5F14B1-D1AE-4e98-9EA2-F7CC2EBF06F2}.exe
        13⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C436A~1.EXE > nul
        13⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35CC8~1.EXE > nul
        12⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E63A~1.EXE > nul
        11⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6D21~1.EXE > nul
        10⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{728AF~1.EXE > nul
        9⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2409~1.EXE > nul
        8⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77D5D~1.EXE > nul
        7⤵
        
        PID:4324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CBCC~1.EXE > nul
        6⤵
        
        PID:3848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8494C~1.EXE > nul
        5⤵
        
        PID:1476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E0958~1.EXE > nul
      4⤵
      PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3A7E3~1.EXE > nul
    3⤵
    PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{35CC8C49-9B0A-4834-817B-62AACCE3B7DD}.exe

Filesize
180KB

MD5
8a9504c1af4bdde91bd4486b1c023f75

SHA1
ae7acabf24a7cd428efd05712fbf7bd72d963660

SHA256
166a8323cc513dfef17f852dc07bdc0238ffe2747f9aed2c8d3f821eda174468

SHA512
f7b7de86f04325a6cec87b234be92e8d27438908a217af3232c6b0c72bce452682117a4c0bab3be945ac12390ef45a12f1aa603aa2157be80c8406c22b1192f3

Download Submit
C:\Windows\{3A7E342D-2B56-43e3-9FB4-FDB69C5EAF2F}.exe

Filesize
180KB

MD5
f1d7fca74e8fa0e87300e1c2f174292a

SHA1
eeb6d352594e39363f738b4930b381e01acc2737

SHA256
bbc967c7902f4f59e21020510645583b7b9390642f73b32830f93509504f2f26

SHA512
c93e0eecf6059af8d17d167d238d61af47e61c73310417ac7cb5e4f703ef80719ea13b8d9fc5113d9f9d39a1bfbc8c6d92b89780bc914243c1fddcf9412bf41c

Download Submit
C:\Windows\{3CBCCEF6-87B1-4bca-91C6-680DEE803BA8}.exe

Filesize
180KB

MD5
b2ebf6d0db2b1db4ba4be17e835afcb7

SHA1
45296d78f6fee3ebf341bee88a356f0bacd2621a

SHA256
25b144f3d005871546ec809af92b0e1faa9d23a225768bd8befd0605142ae136

SHA512
e8d7eef4ab74ecedde14485bbc8e55eb5e71db1b14dd450fe1d582b5205c97a0e86a8e037654edba4a9018ec36ca5c449f9ba3ab26cf714c602967d335ae58e6

Download Submit
C:\Windows\{4E63A322-BF65-40a3-B2D0-1218B1922792}.exe

Filesize
180KB

MD5
9129b172e2ee05919c3917921cf8b9ae

SHA1
942d9063c7ff289295b8d01579e201d09370a991

SHA256
d74ef4ecc90b826824778c86309d6a09b88361a4f3f6eecbf0250abd51660d7c

SHA512
9aa622893d2e6b0d3e9ec38312e166797b19a787dae7bf7bccd36d879f9222e41d981316b38ab38d58f4d30d1a0ddf89e1822c11d31f0eb35cd159c74791da20

Download Submit
C:\Windows\{728AF9A4-7C40-4df8-8A65-AB6AE15AF709}.exe

Filesize
180KB

MD5
f8babda02091d7c0cc70c653c8df3d41

SHA1
2de8903075120c8eb4aa37d214f344e85c273e8d

SHA256
d13d6c20435b95974b60d23da09b125c69bcd9501c8acc7a7ec4ae49f8f53816

SHA512
4b7a1950d1a13a140d828fa7266dd656a9be815dbc175f7822ee25ce279739e19d58e4bb4e94a04f8268872152de70211e16734bcfdf26af1d94e619be218554

Download Submit
C:\Windows\{77D5D156-A4D2-42d8-B192-72427A75A0B4}.exe

Filesize
180KB

MD5
d2c730e56003ef8863bfed6681e9a19e

SHA1
c37db3238b1e26ce82fd19e0be8bc85b4e353004

SHA256
f26c149e1c274e93df9367cf5472c879485b22f7bfa72b3a34e3189738cda901

SHA512
3d019340c5fe0597a6905b745e6c51cdd33bc3a494c3710ceb6f3a49dd683ae59d1b4e2581161090b33ca87e2f2949f6a378e10f4a539bc3bcb85d55040e02b0

Download Submit
C:\Windows\{8494C883-DD24-4d2f-B29E-47806CAF9B79}.exe

Filesize
180KB

MD5
17c91b9490c81d7d2ca696337f8a2083

SHA1
a1e3a1c4b21f5bfc36a546db2a80fbf1229787d6

SHA256
84420d78b0ba010de7575443502b437c9aaadf1e9310917be3c5b4992e1a87d2

SHA512
cee8ccd45ba44610852171ada624ecdcdf109eb7531d43e3ffc06f11a970fe84f6a70e6ae1ba7ea5c1ccf67d423ce14b9fa5144566dd685cd9de570f792f86b0

Download Submit
C:\Windows\{AD5F14B1-D1AE-4e98-9EA2-F7CC2EBF06F2}.exe

Filesize
180KB

MD5
b3434e101280248533cc871cf67313f6

SHA1
5d2e9c38dac822cd6c5de016ef242651172ff404

SHA256
72202986d58b78c0d52e0b3fa13eb759947bdb9a98754253f1e85ad6d7ee0406

SHA512
3572878ad1be1e5ed4193ebd91b2bb4a1eff2d821ef0077cb0ee99d07b6421c4b174636effc90c9b06ed8f30314c079daae170c18231b3e50410c3a728be390c

Download Submit
C:\Windows\{C436A0BB-401D-46c8-A6DB-C8955A19F231}.exe

Filesize
180KB

MD5
5d5130aed604398e11f043e14b72327d

SHA1
bc29c112d282266a57d8203df9f2061a2044d674

SHA256
a78de7b8563e925d6d58a05f455de3dc8f3624b2bb41f05d471b3170172d310c

SHA512
b731ce891da85bc4dd8d652a21d3ff638502f2defa055131b42fa81abdc0963be2d80ee186ef02b01af0297b9e6cdded21542274af15146f1c76183f4dedbfa7

Download Submit
C:\Windows\{D6D21EB7-40F0-40b0-BFFF-3AF12C66E9E0}.exe

Filesize
180KB

MD5
4a2e21e9e88ea68e9425a86e37e16b5c

SHA1
b36b451574a10794cfc58d414d3b3af9e1c7fd98

SHA256
ec8a17e12491d669864bf65eab2ac574a748bf22b2e946aaae51d513052e2987

SHA512
e3272d9f692b86fc7153438b223607096cd5142f1e728509ae6764473251288ab522615733332d3b43490e20eb7de3129646752b732fa77c6862cea3bae584d2

Download Submit
C:\Windows\{E0958FCE-996D-4e6a-A030-E00E01BCD17B}.exe

Filesize
180KB

MD5
11d43575eb1671cb2427544e7aa59a55

SHA1
90a5d60bd621cfa1b93f29ddbd6fb06bd7a3c154

SHA256
05a9328be5bf80af20072a5a089fe17b2d28e29356a5b477822193ddcfb5062b

SHA512
0b7bbfa4b188a1b9be9c87d0646fa0570dbd6757348fb44a991f9b77d43a527e4bd0f61ae4a97d8f1e38b3f7944f2b1442976cae9bf9ee6b7a8b916654f1fb4b

Download Submit
C:\Windows\{E240941C-03DC-4c7f-9694-F67E931B0D16}.exe

Filesize
180KB

MD5
bafc9522e4025689ad1ec28c39933bc1

SHA1
77d1ad87fa0ec90b108bd67c67dbef99d2478c02

SHA256
250e2ef19d69c713fcd276ec495d09f4f95a0199f11c6512644042d127d1ad7b

SHA512
9faf2ae1560b89539f3ce8fe71ed49b19413b9f8a550d99254bef8d1e5aa8936960bfd885a7db54f8e65d6c0ece5e812df8353d6dd4349fb86345d69b74ab627

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads