01976a193493c409aa40d65c3c3665c4a68b916b1ef437887f46909725d4324a

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe
Size

204KB
MD5

17affbb99b7adcb6152a9395497f0bf9
SHA1

0fb5b5585a2d6e3a64aae4f71a8c626e17b54d1c
SHA256

01976a193493c409aa40d65c3c3665c4a68b916b1ef437887f46909725d4324a
SHA512

4c88fa1a5fe8494a10a9bca813fa36de76ab89a6564c245d71295a7dd9eae5a70b60b530f71526c58738f32c58bfc97ae68ee699830a21076890ddbb087927e3
SSDEEP

1536:1EGh0oRcl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oKl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}	{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}	{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}	{B93215B0-FF5B-4725-9611-0A28424351D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E71860BA-EB37-4a76-8A41-F890D96B69EA}	{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E71860BA-EB37-4a76-8A41-F890D96B69EA}\stubpath = "C:\\Windows\\{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe"	{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}	2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{632BAC7B-9422-4e57-AE60-3F7C2F564060}\stubpath = "C:\\Windows\\{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe"	{8F104087-F04B-4df7-8A12-F026A60FE497}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}\stubpath = "C:\\Windows\\{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe"	{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}	{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F2D87E-7429-4fe0-80BB-09184AC2EB2E}\stubpath = "C:\\Windows\\{88F2D87E-7429-4fe0-80BB-09184AC2EB2E}.exe"	{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}	{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}\stubpath = "C:\\Windows\\{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe"	{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F104087-F04B-4df7-8A12-F026A60FE497}	{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}\stubpath = "C:\\Windows\\{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe"	{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B93215B0-FF5B-4725-9611-0A28424351D4}	{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B93215B0-FF5B-4725-9611-0A28424351D4}\stubpath = "C:\\Windows\\{B93215B0-FF5B-4725-9611-0A28424351D4}.exe"	{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}\stubpath = "C:\\Windows\\{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe"	{B93215B0-FF5B-4725-9611-0A28424351D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F2D87E-7429-4fe0-80BB-09184AC2EB2E}	{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}\stubpath = "C:\\Windows\\{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe"	2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F104087-F04B-4df7-8A12-F026A60FE497}\stubpath = "C:\\Windows\\{8F104087-F04B-4df7-8A12-F026A60FE497}.exe"	{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{632BAC7B-9422-4e57-AE60-3F7C2F564060}	{8F104087-F04B-4df7-8A12-F026A60FE497}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}\stubpath = "C:\\Windows\\{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe"	{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B60515FB-16C9-4926-A419-49AAA7462110}	{88F2D87E-7429-4fe0-80BB-09184AC2EB2E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B60515FB-16C9-4926-A419-49AAA7462110}\stubpath = "C:\\Windows\\{B60515FB-16C9-4926-A419-49AAA7462110}.exe"	{88F2D87E-7429-4fe0-80BB-09184AC2EB2E}.exe

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2824	{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe
4484	{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe
3160	{8F104087-F04B-4df7-8A12-F026A60FE497}.exe
5108	{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe
3792	{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe
4312	{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe
32	{B93215B0-FF5B-4725-9611-0A28424351D4}.exe
4708	{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe
2156	{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe
3952	{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe
2228	{88F2D87E-7429-4fe0-80BB-09184AC2EB2E}.exe
2996	{B60515FB-16C9-4926-A419-49AAA7462110}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe	2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe
File created	C:\Windows\{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe	{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe
File created	C:\Windows\{B93215B0-FF5B-4725-9611-0A28424351D4}.exe	{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe
File created	C:\Windows\{88F2D87E-7429-4fe0-80BB-09184AC2EB2E}.exe	{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe
File created	C:\Windows\{B60515FB-16C9-4926-A419-49AAA7462110}.exe	{88F2D87E-7429-4fe0-80BB-09184AC2EB2E}.exe
File created	C:\Windows\{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe	{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe
File created	C:\Windows\{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe	{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe
File created	C:\Windows\{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe	{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe
File created	C:\Windows\{8F104087-F04B-4df7-8A12-F026A60FE497}.exe	{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe
File created	C:\Windows\{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe	{8F104087-F04B-4df7-8A12-F026A60FE497}.exe
File created	C:\Windows\{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe	{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe
File created	C:\Windows\{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe	{B93215B0-FF5B-4725-9611-0A28424351D4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1388	2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2824	{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe
Token: SeIncBasePriorityPrivilege	4484	{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe
Token: SeIncBasePriorityPrivilege	3160	{8F104087-F04B-4df7-8A12-F026A60FE497}.exe
Token: SeIncBasePriorityPrivilege	5108	{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe
Token: SeIncBasePriorityPrivilege	3792	{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe
Token: SeIncBasePriorityPrivilege	4312	{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe
Token: SeIncBasePriorityPrivilege	32	{B93215B0-FF5B-4725-9611-0A28424351D4}.exe
Token: SeIncBasePriorityPrivilege	4708	{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe
Token: SeIncBasePriorityPrivilege	2156	{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe
Token: SeIncBasePriorityPrivilege	3952	{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe
Token: SeIncBasePriorityPrivilege	2228	{88F2D87E-7429-4fe0-80BB-09184AC2EB2E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2824	1388	2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe	93
PID 1388 wrote to memory of 2824	1388	2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe	93
PID 1388 wrote to memory of 2824	1388	2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe	93
PID 1388 wrote to memory of 2928	1388	2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe	94
PID 1388 wrote to memory of 2928	1388	2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe	94
PID 1388 wrote to memory of 2928	1388	2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe	94
PID 2824 wrote to memory of 4484	2824	{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe	96
PID 2824 wrote to memory of 4484	2824	{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe	96
PID 2824 wrote to memory of 4484	2824	{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe	96
PID 2824 wrote to memory of 4540	2824	{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe	97
PID 2824 wrote to memory of 4540	2824	{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe	97
PID 2824 wrote to memory of 4540	2824	{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe	97
PID 4484 wrote to memory of 3160	4484	{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe	101
PID 4484 wrote to memory of 3160	4484	{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe	101
PID 4484 wrote to memory of 3160	4484	{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe	101
PID 4484 wrote to memory of 4420	4484	{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe	102
PID 4484 wrote to memory of 4420	4484	{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe	102
PID 4484 wrote to memory of 4420	4484	{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe	102
PID 3160 wrote to memory of 5108	3160	{8F104087-F04B-4df7-8A12-F026A60FE497}.exe	103
PID 3160 wrote to memory of 5108	3160	{8F104087-F04B-4df7-8A12-F026A60FE497}.exe	103
PID 3160 wrote to memory of 5108	3160	{8F104087-F04B-4df7-8A12-F026A60FE497}.exe	103
PID 3160 wrote to memory of 3624	3160	{8F104087-F04B-4df7-8A12-F026A60FE497}.exe	104
PID 3160 wrote to memory of 3624	3160	{8F104087-F04B-4df7-8A12-F026A60FE497}.exe	104
PID 3160 wrote to memory of 3624	3160	{8F104087-F04B-4df7-8A12-F026A60FE497}.exe	104
PID 5108 wrote to memory of 3792	5108	{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe	105
PID 5108 wrote to memory of 3792	5108	{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe	105
PID 5108 wrote to memory of 3792	5108	{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe	105
PID 5108 wrote to memory of 3448	5108	{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe	106
PID 5108 wrote to memory of 3448	5108	{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe	106
PID 5108 wrote to memory of 3448	5108	{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe	106
PID 3792 wrote to memory of 4312	3792	{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe	108
PID 3792 wrote to memory of 4312	3792	{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe	108
PID 3792 wrote to memory of 4312	3792	{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe	108
PID 3792 wrote to memory of 1192	3792	{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe	109
PID 3792 wrote to memory of 1192	3792	{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe	109
PID 3792 wrote to memory of 1192	3792	{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe	109
PID 4312 wrote to memory of 32	4312	{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe	110
PID 4312 wrote to memory of 32	4312	{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe	110
PID 4312 wrote to memory of 32	4312	{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe	110
PID 4312 wrote to memory of 4412	4312	{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe	111
PID 4312 wrote to memory of 4412	4312	{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe	111
PID 4312 wrote to memory of 4412	4312	{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe	111
PID 32 wrote to memory of 4708	32	{B93215B0-FF5B-4725-9611-0A28424351D4}.exe	114
PID 32 wrote to memory of 4708	32	{B93215B0-FF5B-4725-9611-0A28424351D4}.exe	114
PID 32 wrote to memory of 4708	32	{B93215B0-FF5B-4725-9611-0A28424351D4}.exe	114
PID 32 wrote to memory of 3768	32	{B93215B0-FF5B-4725-9611-0A28424351D4}.exe	115
PID 32 wrote to memory of 3768	32	{B93215B0-FF5B-4725-9611-0A28424351D4}.exe	115
PID 32 wrote to memory of 3768	32	{B93215B0-FF5B-4725-9611-0A28424351D4}.exe	115
PID 4708 wrote to memory of 2156	4708	{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe	118
PID 4708 wrote to memory of 2156	4708	{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe	118
PID 4708 wrote to memory of 2156	4708	{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe	118
PID 4708 wrote to memory of 1684	4708	{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe	119
PID 4708 wrote to memory of 1684	4708	{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe	119
PID 4708 wrote to memory of 1684	4708	{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe	119
PID 2156 wrote to memory of 3952	2156	{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe	120
PID 2156 wrote to memory of 3952	2156	{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe	120
PID 2156 wrote to memory of 3952	2156	{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe	120
PID 2156 wrote to memory of 1772	2156	{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe	121
PID 2156 wrote to memory of 1772	2156	{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe	121
PID 2156 wrote to memory of 1772	2156	{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe	121
PID 3952 wrote to memory of 2228	3952	{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe	127
PID 3952 wrote to memory of 2228	3952	{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe	127
PID 3952 wrote to memory of 2228	3952	{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe	127
PID 3952 wrote to memory of 3436	3952	{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-23_17affbb99b7adcb6152a9395497f0bf9_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe
  C:\Windows\{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe
    C:\Windows\{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\{8F104087-F04B-4df7-8A12-F026A60FE497}.exe
      C:\Windows\{8F104087-F04B-4df7-8A12-F026A60FE497}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3160
    - - C:\Windows\{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe
        
        C:\Windows\{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Windows\{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe
        
        C:\Windows\{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe
        
        C:\Windows\{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{B93215B0-FF5B-4725-9611-0A28424351D4}.exe
        
        C:\Windows\{B93215B0-FF5B-4725-9611-0A28424351D4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe
        
        C:\Windows\{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe
        
        C:\Windows\{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe
        
        C:\Windows\{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\{88F2D87E-7429-4fe0-80BB-09184AC2EB2E}.exe
        
        C:\Windows\{88F2D87E-7429-4fe0-80BB-09184AC2EB2E}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\{B60515FB-16C9-4926-A419-49AAA7462110}.exe
        
        C:\Windows\{B60515FB-16C9-4926-A419-49AAA7462110}.exe
        13⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88F2D~1.EXE > nul
        13⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3561~1.EXE > nul
        12⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7186~1.EXE > nul
        11⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC68D~1.EXE > nul
        10⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9321~1.EXE > nul
        9⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF68A~1.EXE > nul
        8⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6D68~1.EXE > nul
        7⤵
        
        PID:1192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{632BA~1.EXE > nul
        6⤵
        
        PID:3448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F104~1.EXE > nul
        5⤵
        
        PID:3624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B6B6D~1.EXE > nul
      4⤵
      PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C2FDD~1.EXE > nul
    3⤵
    PID:4540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{632BAC7B-9422-4e57-AE60-3F7C2F564060}.exe

Filesize
204KB

MD5
fcd2acd17b60e6ed0719f92c98241bcc

SHA1
2bcb79e0a0f69f8695b88baf7a0e95e838a4157d

SHA256
dbf652b1da3f78895169d0d47d24c4bcf60c838a4103e1daadaa5185dc080de4

SHA512
6d466f6666d00b4eb9aa828e88f5c0292d52f62679a62d3885b822575e072c2d06c731fde2ca06980763b3c2ade29972ac92a446c5a05e4f00d0ccf2e52f6f14

Download Submit
C:\Windows\{88F2D87E-7429-4fe0-80BB-09184AC2EB2E}.exe

Filesize
204KB

MD5
b84cb16ca10ea88e6e652bee3cc1048d

SHA1
5a73f14faf807558e36e619e4b07755efe954214

SHA256
77eaf4bb9a2a73e8b5c3b7d29551e6285777a66eb38a4459d3417b3e5e123966

SHA512
0cf21d5746135c2e3cad1909484929a9c46fd5effc4b46a0541fea083046e30778112772adfe1809bb0e8a5044f3cd0a9edc9a4ea90a718ddc62ee599becfadc

Download Submit
C:\Windows\{8F104087-F04B-4df7-8A12-F026A60FE497}.exe

Filesize
204KB

MD5
d43d1fd59e446c1448d150e7e2566a85

SHA1
90bbe348c61f760d237ffa8f3e618d96a368c4e5

SHA256
1c409581341ead254ad6d7a6179edea53dfbfcb2ee063c51bf0aa52f34447302

SHA512
d3aecb50de66956c1b679e315304fa29f3a4f12fa7e6ad9e6447ce1d91bbd3cce62aa10804b174eb6f35c6fdd6182f6f46f3148e648dad4eff59a75c08cf4e18

Download Submit
C:\Windows\{A35612B9-12CC-49dd-8FC4-43787B0AF3AD}.exe

Filesize
204KB

MD5
0011bd33572e8ca2c11b9d5068b4b5ed

SHA1
2b88d60664cf9395dcd36f83d06f423bbcf01a31

SHA256
ccba2fcc52677033f00942e94451f037f9e594c1fec00f63224c7e2982cb4c61

SHA512
3a97bb6b5a5e29cc131f94356e9ff84651212194df88aef34e3d62ce00ea5c78dfc41e4aefbaff63fe870899037bf2f60ff1eace8950e7d148fff539635b855c

Download Submit
C:\Windows\{B60515FB-16C9-4926-A419-49AAA7462110}.exe

Filesize
204KB

MD5
0a7286ebee40d4df10fcbf32e6559768

SHA1
b5a0e11b99960a2f95f7c1fb4deb6ff3f29fe959

SHA256
eeef954c1724050aaff76a008e5f2a7b054178fbc588bee7bb5247ae621670cd

SHA512
d01d52c5de7422ee8194a32ab5460f00b600d3730db0c273c11b51508a53f37dd35facb3f9d5339878ae00763c5a2d46584fb9e055c281e4047e381d3e0218a3

Download Submit
C:\Windows\{B6B6D083-CA53-471d-AD40-5E82C60F2AB8}.exe

Filesize
204KB

MD5
12482622e9d65c7a814d4895a2045767

SHA1
9e6175c3f2975d0b9ec917d68d9b9aaf605f656e

SHA256
7058fbc5d5009c35fb4f1eb3095479583a1cbf7afd74294f8cfad7d14ec7a13f

SHA512
9fa066887fa3f6b46b4d6b5e43288981ea636e0899dafd0d942dae006b228a586d675063065eab01e192f1fc852becfb1c453992ca6913a6276ce6acdc470fe6

Download Submit
C:\Windows\{B93215B0-FF5B-4725-9611-0A28424351D4}.exe

Filesize
204KB

MD5
4f1505f8f0c5e761fdffbae34ef12089

SHA1
84b3a88d0a0beaea9d4160e82c05cd57c36953ed

SHA256
cb0053f6f5ef1744299fc96a0c61c270991e0ba07db1559d3dec41820c9526c7

SHA512
df0796a28066069408135faba4856531e93fe5091451e88d3fb0099a284487e1a201aa72f951e7d0fc9098b22fa5cf6607415561d6833e73c3f138b033db66b4

Download Submit
C:\Windows\{C2FDD6E1-8CBF-475b-BD21-AB957F6DB785}.exe

Filesize
204KB

MD5
feefc414c1bdab1df442a903fdf6e6f2

SHA1
0d14a261ce533450d8fd039f41ccc42ff36d7ba7

SHA256
39718696c26b97d7de8241e35212bf93572d83c100510d838cf7cce185650e8d

SHA512
a338aa08eadf21e6486b5d07e2f5a48d17f5e481b4456c7d35fac4cb23690e53026590b7adb19cf4f96102eb55e6fca8266b75711be3ec2f75b2f4c896f09166

Download Submit
C:\Windows\{CC68DA89-8EF2-4dc4-BAD6-D1A1E3106B8F}.exe

Filesize
204KB

MD5
1ce06701c76b6eebb486ddb0da98280d

SHA1
c576d3c15f977478bbf126d2633d7707feb637b5

SHA256
0b88aeb425f8471e3e90100fb6755ae27019998063bb101e15e6b86c6db21604

SHA512
a660201fa0a1dda1890604e491b6ee1514469068a0917dd442fbe567d661aa595d3604a9670142ffce87da534b72e137b3fc73af075144e00b55521167e70a3e

Download Submit
C:\Windows\{E71860BA-EB37-4a76-8A41-F890D96B69EA}.exe

Filesize
204KB

MD5
f8de9f5ca95be54a144e328e896e26cc

SHA1
992fbf61c8c04f2da9e41c9a6ae389384450105e

SHA256
327af8b6c3cc9d0f3a6780fc81ace49c0af4c02b3fc1e550ed30d5f7aa1fb953

SHA512
b5f665090a29a7e43f5976c8a4c77ae3c4ea55121ac4bb8b25574fe796236a02cbd7aca9440b5d2ac0fe733ca8ab21fb3f36b32b5a48db8b34eceeb8c4cf63fb

Download Submit
C:\Windows\{EF68AB12-0B79-4c29-AE44-26E3B2494FF2}.exe

Filesize
204KB

MD5
1d1738be18676e48b926945f55e4543d

SHA1
025b7d85b8a43ae35f4d3f87d73bbfc05d133769

SHA256
28c88cc14af3bfd946bfa5322e526e7acef03fc8ab85f42b7929f22662a252ac

SHA512
8c94c8123e46c2f0b2eb3ab618c2e7961e8e59e2c5ed7b53d1ec50ec87a586ad8b0130a4262fb46275d4219bd6864667bfcd81061d795d70f862845fdff0c720

Download Submit
C:\Windows\{F6D68FFC-5A9D-439b-8744-63049A5E3B7A}.exe

Filesize
204KB

MD5
0ca32f438d93ca590e3db72bb0d2272c

SHA1
29c641fa026b1424f3f1b5c57b52f6091a48d04c

SHA256
ffc24f54ad77fc097f12e29c2c27faede67c48e26ce0f4b23ee8b0f7eac0324d

SHA512
cb3138980725ca9c4dde8015ec48bff1b0a315d9b806e5244f579148705b9d07a1f73d3b472c6bb2cd60cd67905787bbe4a4e7a922b465b81a1b3d82708f2237

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads