b32070931fb6dcb1a68dbdf756f473dbb19ea11621a0a96981015347ddbc9d96

Analysis

max time kernel
149s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe
Size

408KB
MD5

2ac8f98cf65f94bd698cdca803e6ea7c
SHA1

bb043d61d39ef15db486f5aef70d9f269604fcfe
SHA256

b32070931fb6dcb1a68dbdf756f473dbb19ea11621a0a96981015347ddbc9d96
SHA512

012d3c30cf0139413d60d8e17ebd935f771556a92cb9098b842d046f48231cc7fe274628c4e5de85e59f11bbb45c9066ddc307f1a2246d9188926b05a9078bad
SSDEEP

3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG4ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6D844C7-36FE-4fc5-9B9D-A15811748F54}\stubpath = "C:\\Windows\\{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe"	{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}	{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77BCEE9C-3B58-4148-8543-D15605EC709A}	{EE620395-DB74-4615-A07D-29260F31E28D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86304F50-D4EB-4e46-816C-84EDD20EBD98}	{B73267E4-3E69-427b-9211-CD2B31F0256C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86304F50-D4EB-4e46-816C-84EDD20EBD98}\stubpath = "C:\\Windows\\{86304F50-D4EB-4e46-816C-84EDD20EBD98}.exe"	{B73267E4-3E69-427b-9211-CD2B31F0256C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A57C5C70-1BC5-4982-8980-7A29081106E9}\stubpath = "C:\\Windows\\{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe"	{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B6105AB-2A7D-4f35-B656-60B0A271A42A}\stubpath = "C:\\Windows\\{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe"	2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{722733AC-5248-4ff2-991C-C24395903EDF}	{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{722733AC-5248-4ff2-991C-C24395903EDF}\stubpath = "C:\\Windows\\{722733AC-5248-4ff2-991C-C24395903EDF}.exe"	{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64223613-7D8B-4208-ACFE-052B1787FD13}	{722733AC-5248-4ff2-991C-C24395903EDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6D844C7-36FE-4fc5-9B9D-A15811748F54}	{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE620395-DB74-4615-A07D-29260F31E28D}	{0B3FF417-0EC7-4768-B030-386253B00E42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE620395-DB74-4615-A07D-29260F31E28D}\stubpath = "C:\\Windows\\{EE620395-DB74-4615-A07D-29260F31E28D}.exe"	{0B3FF417-0EC7-4768-B030-386253B00E42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77BCEE9C-3B58-4148-8543-D15605EC709A}\stubpath = "C:\\Windows\\{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe"	{EE620395-DB74-4615-A07D-29260F31E28D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B6105AB-2A7D-4f35-B656-60B0A271A42A}	2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64223613-7D8B-4208-ACFE-052B1787FD13}\stubpath = "C:\\Windows\\{64223613-7D8B-4208-ACFE-052B1787FD13}.exe"	{722733AC-5248-4ff2-991C-C24395903EDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{962C9FCB-99DF-420c-8EC9-A1A422A32282}\stubpath = "C:\\Windows\\{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe"	{64223613-7D8B-4208-ACFE-052B1787FD13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A57C5C70-1BC5-4982-8980-7A29081106E9}	{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B3FF417-0EC7-4768-B030-386253B00E42}	{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B73267E4-3E69-427b-9211-CD2B31F0256C}	{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B73267E4-3E69-427b-9211-CD2B31F0256C}\stubpath = "C:\\Windows\\{B73267E4-3E69-427b-9211-CD2B31F0256C}.exe"	{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{962C9FCB-99DF-420c-8EC9-A1A422A32282}	{64223613-7D8B-4208-ACFE-052B1787FD13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}\stubpath = "C:\\Windows\\{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe"	{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B3FF417-0EC7-4768-B030-386253B00E42}\stubpath = "C:\\Windows\\{0B3FF417-0EC7-4768-B030-386253B00E42}.exe"	{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe

Executes dropped EXE 12 IoCs

pid	Process
2032	{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe
4520	{722733AC-5248-4ff2-991C-C24395903EDF}.exe
2776	{64223613-7D8B-4208-ACFE-052B1787FD13}.exe
2612	{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe
4664	{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe
4724	{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe
3548	{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe
4488	{0B3FF417-0EC7-4768-B030-386253B00E42}.exe
1820	{EE620395-DB74-4615-A07D-29260F31E28D}.exe
216	{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe
4348	{B73267E4-3E69-427b-9211-CD2B31F0256C}.exe
3508	{86304F50-D4EB-4e46-816C-84EDD20EBD98}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe	2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe
File created	C:\Windows\{64223613-7D8B-4208-ACFE-052B1787FD13}.exe	{722733AC-5248-4ff2-991C-C24395903EDF}.exe
File created	C:\Windows\{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe	{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe
File created	C:\Windows\{EE620395-DB74-4615-A07D-29260F31E28D}.exe	{0B3FF417-0EC7-4768-B030-386253B00E42}.exe
File created	C:\Windows\{B73267E4-3E69-427b-9211-CD2B31F0256C}.exe	{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe
File created	C:\Windows\{86304F50-D4EB-4e46-816C-84EDD20EBD98}.exe	{B73267E4-3E69-427b-9211-CD2B31F0256C}.exe
File created	C:\Windows\{722733AC-5248-4ff2-991C-C24395903EDF}.exe	{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe
File created	C:\Windows\{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe	{64223613-7D8B-4208-ACFE-052B1787FD13}.exe
File created	C:\Windows\{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe	{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe
File created	C:\Windows\{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe	{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe
File created	C:\Windows\{0B3FF417-0EC7-4768-B030-386253B00E42}.exe	{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe
File created	C:\Windows\{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe	{EE620395-DB74-4615-A07D-29260F31E28D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3352	2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2032	{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe
Token: SeIncBasePriorityPrivilege	4520	{722733AC-5248-4ff2-991C-C24395903EDF}.exe
Token: SeIncBasePriorityPrivilege	2776	{64223613-7D8B-4208-ACFE-052B1787FD13}.exe
Token: SeIncBasePriorityPrivilege	2612	{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe
Token: SeIncBasePriorityPrivilege	4664	{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe
Token: SeIncBasePriorityPrivilege	4724	{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe
Token: SeIncBasePriorityPrivilege	3548	{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe
Token: SeIncBasePriorityPrivilege	4488	{0B3FF417-0EC7-4768-B030-386253B00E42}.exe
Token: SeIncBasePriorityPrivilege	1820	{EE620395-DB74-4615-A07D-29260F31E28D}.exe
Token: SeIncBasePriorityPrivilege	216	{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe
Token: SeIncBasePriorityPrivilege	4348	{B73267E4-3E69-427b-9211-CD2B31F0256C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 2032	3352	2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe	90
PID 3352 wrote to memory of 2032	3352	2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe	90
PID 3352 wrote to memory of 2032	3352	2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe	90
PID 3352 wrote to memory of 2580	3352	2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe	91
PID 3352 wrote to memory of 2580	3352	2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe	91
PID 3352 wrote to memory of 2580	3352	2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe	91
PID 2032 wrote to memory of 4520	2032	{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe	97
PID 2032 wrote to memory of 4520	2032	{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe	97
PID 2032 wrote to memory of 4520	2032	{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe	97
PID 2032 wrote to memory of 532	2032	{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe	98
PID 2032 wrote to memory of 532	2032	{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe	98
PID 2032 wrote to memory of 532	2032	{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe	98
PID 4520 wrote to memory of 2776	4520	{722733AC-5248-4ff2-991C-C24395903EDF}.exe	102
PID 4520 wrote to memory of 2776	4520	{722733AC-5248-4ff2-991C-C24395903EDF}.exe	102
PID 4520 wrote to memory of 2776	4520	{722733AC-5248-4ff2-991C-C24395903EDF}.exe	102
PID 4520 wrote to memory of 2064	4520	{722733AC-5248-4ff2-991C-C24395903EDF}.exe	103
PID 4520 wrote to memory of 2064	4520	{722733AC-5248-4ff2-991C-C24395903EDF}.exe	103
PID 4520 wrote to memory of 2064	4520	{722733AC-5248-4ff2-991C-C24395903EDF}.exe	103
PID 2776 wrote to memory of 2612	2776	{64223613-7D8B-4208-ACFE-052B1787FD13}.exe	104
PID 2776 wrote to memory of 2612	2776	{64223613-7D8B-4208-ACFE-052B1787FD13}.exe	104
PID 2776 wrote to memory of 2612	2776	{64223613-7D8B-4208-ACFE-052B1787FD13}.exe	104
PID 2776 wrote to memory of 1172	2776	{64223613-7D8B-4208-ACFE-052B1787FD13}.exe	105
PID 2776 wrote to memory of 1172	2776	{64223613-7D8B-4208-ACFE-052B1787FD13}.exe	105
PID 2776 wrote to memory of 1172	2776	{64223613-7D8B-4208-ACFE-052B1787FD13}.exe	105
PID 2612 wrote to memory of 4664	2612	{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe	107
PID 2612 wrote to memory of 4664	2612	{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe	107
PID 2612 wrote to memory of 4664	2612	{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe	107
PID 2612 wrote to memory of 696	2612	{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe	108
PID 2612 wrote to memory of 696	2612	{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe	108
PID 2612 wrote to memory of 696	2612	{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe	108
PID 4664 wrote to memory of 4724	4664	{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe	110
PID 4664 wrote to memory of 4724	4664	{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe	110
PID 4664 wrote to memory of 4724	4664	{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe	110
PID 4664 wrote to memory of 4688	4664	{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe	111
PID 4664 wrote to memory of 4688	4664	{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe	111
PID 4664 wrote to memory of 4688	4664	{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe	111
PID 4724 wrote to memory of 3548	4724	{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe	112
PID 4724 wrote to memory of 3548	4724	{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe	112
PID 4724 wrote to memory of 3548	4724	{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe	112
PID 4724 wrote to memory of 1052	4724	{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe	113
PID 4724 wrote to memory of 1052	4724	{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe	113
PID 4724 wrote to memory of 1052	4724	{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe	113
PID 3548 wrote to memory of 4488	3548	{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe	121
PID 3548 wrote to memory of 4488	3548	{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe	121
PID 3548 wrote to memory of 4488	3548	{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe	121
PID 3548 wrote to memory of 1072	3548	{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe	122
PID 3548 wrote to memory of 1072	3548	{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe	122
PID 3548 wrote to memory of 1072	3548	{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe	122
PID 4488 wrote to memory of 1820	4488	{0B3FF417-0EC7-4768-B030-386253B00E42}.exe	123
PID 4488 wrote to memory of 1820	4488	{0B3FF417-0EC7-4768-B030-386253B00E42}.exe	123
PID 4488 wrote to memory of 1820	4488	{0B3FF417-0EC7-4768-B030-386253B00E42}.exe	123
PID 4488 wrote to memory of 4756	4488	{0B3FF417-0EC7-4768-B030-386253B00E42}.exe	124
PID 4488 wrote to memory of 4756	4488	{0B3FF417-0EC7-4768-B030-386253B00E42}.exe	124
PID 4488 wrote to memory of 4756	4488	{0B3FF417-0EC7-4768-B030-386253B00E42}.exe	124
PID 1820 wrote to memory of 216	1820	{EE620395-DB74-4615-A07D-29260F31E28D}.exe	125
PID 1820 wrote to memory of 216	1820	{EE620395-DB74-4615-A07D-29260F31E28D}.exe	125
PID 1820 wrote to memory of 216	1820	{EE620395-DB74-4615-A07D-29260F31E28D}.exe	125
PID 1820 wrote to memory of 2940	1820	{EE620395-DB74-4615-A07D-29260F31E28D}.exe	126
PID 1820 wrote to memory of 2940	1820	{EE620395-DB74-4615-A07D-29260F31E28D}.exe	126
PID 1820 wrote to memory of 2940	1820	{EE620395-DB74-4615-A07D-29260F31E28D}.exe	126
PID 216 wrote to memory of 4348	216	{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe	130
PID 216 wrote to memory of 4348	216	{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe	130
PID 216 wrote to memory of 4348	216	{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe	130
PID 216 wrote to memory of 4896	216	{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-23_2ac8f98cf65f94bd698cdca803e6ea7c_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe
  C:\Windows\{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\{722733AC-5248-4ff2-991C-C24395903EDF}.exe
    C:\Windows\{722733AC-5248-4ff2-991C-C24395903EDF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\{64223613-7D8B-4208-ACFE-052B1787FD13}.exe
      C:\Windows\{64223613-7D8B-4208-ACFE-052B1787FD13}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe
        
        C:\Windows\{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe
        
        C:\Windows\{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe
        
        C:\Windows\{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe
        
        C:\Windows\{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\{0B3FF417-0EC7-4768-B030-386253B00E42}.exe
        
        C:\Windows\{0B3FF417-0EC7-4768-B030-386253B00E42}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\{EE620395-DB74-4615-A07D-29260F31E28D}.exe
        
        C:\Windows\{EE620395-DB74-4615-A07D-29260F31E28D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe
        
        C:\Windows\{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\{B73267E4-3E69-427b-9211-CD2B31F0256C}.exe
        
        C:\Windows\{B73267E4-3E69-427b-9211-CD2B31F0256C}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Windows\{86304F50-D4EB-4e46-816C-84EDD20EBD98}.exe
        
        C:\Windows\{86304F50-D4EB-4e46-816C-84EDD20EBD98}.exe
        13⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7326~1.EXE > nul
        13⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77BCE~1.EXE > nul
        12⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE620~1.EXE > nul
        11⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B3FF~1.EXE > nul
        10⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8FB5~1.EXE > nul
        9⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A57C5~1.EXE > nul
        8⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6D84~1.EXE > nul
        7⤵
        
        PID:4688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{962C9~1.EXE > nul
        6⤵
        
        PID:696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64223~1.EXE > nul
        5⤵
        
        PID:1172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{72273~1.EXE > nul
      4⤵
      PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4B610~1.EXE > nul
    3⤵
    PID:532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B3FF417-0EC7-4768-B030-386253B00E42}.exe

Filesize
408KB

MD5
3bef576b83b092fce2dc9b735f8d002e

SHA1
0ae638bd12ea18c182c84adadd72184a03a5824e

SHA256
bb448ebff33d4fbbcb2476e4c0169bf8e3c6d7accad912ca1285d9f63a256d48

SHA512
b24e868bd2a4b5b2b05090cb01d7baa369a103264d468638557c2a489571b4e61193f5c8606d8a3c2801fba1061742f4179ce6a49582ccb7c11488674e3d1fbd

Download Submit
C:\Windows\{4B6105AB-2A7D-4f35-B656-60B0A271A42A}.exe

Filesize
408KB

MD5
4a7fce95aa070f23315ed3fe1650f16c

SHA1
a6b2ae136cf5ed0d917748b6074db6ba5f01d9f8

SHA256
4d8efec3a3459dc5446facbd4bda1bd15d80de115a3c3bbdcc97847174c69b9b

SHA512
a01ed6cfb8a6ad73db2cc52976bfd6d8b32f473b893af697b60fa0f2e4e4b538a6eef58acde605fc0026778512a3ad403fc993badfec0c47c8b48748c8a37015

Download Submit
C:\Windows\{64223613-7D8B-4208-ACFE-052B1787FD13}.exe

Filesize
408KB

MD5
f1975be86bba15a9005c3fba2dc0ccf5

SHA1
7d351dc9f30f5cbe48dbf5553a9b5d08883902ad

SHA256
8cfb85c99f983914132e0eb237b58fbfc819016517d937564719a796d6c410d2

SHA512
1722243419945d2fd18461d96b166c623ad9c11f673cc102689262fb5cddaf75c6855ff6f788ce96c2418455afc4190d29d4f92c632aeeab819f938f9bf96cf0

Download Submit
C:\Windows\{722733AC-5248-4ff2-991C-C24395903EDF}.exe

Filesize
408KB

MD5
5619d3a7728129d5f494dc26a9e38822

SHA1
28bb3bc32d938dec5e1377c64b437bdacee832de

SHA256
efe7b4e21157d0a1d7458feb4f07a7e97813cfa66a6aace61e700470afabb453

SHA512
9993abb1ba93bc0172f49e6e9560b7940fb479d181bec46485f5edf275407a0eb9395bd46c39873d282c3ef046216a031b285f60d63cf7aac9e4c11cb2647f49

Download Submit
C:\Windows\{77BCEE9C-3B58-4148-8543-D15605EC709A}.exe

Filesize
408KB

MD5
64474288b2e40bbbd4403fa633e41d24

SHA1
a22304fcf9cbb6d15fb07d566f5eb5ac3ebe4505

SHA256
3cb3cb631e690be096b07d6f059d3d25da60447065bae179741932fbf4b90d81

SHA512
b1f15b933c7b7965e9e8a6d5ea10f06096a147e2337bc8e7462bae57d69d59560f1e96334ff84e35833bd2d8a2fca96aece0401ec9e644db45d086b75cea9042

Download Submit
C:\Windows\{86304F50-D4EB-4e46-816C-84EDD20EBD98}.exe

Filesize
408KB

MD5
303f35ba5c205b295d71038f85eb2c96

SHA1
e7d6d4d8dd25335eb3e2f06c3c1718fb492830b5

SHA256
92043db597dc6b67ed947e43193967c3765f69f825ecea122060d3d2c75984ac

SHA512
74fbb339482122c105bc5ddb2a67ddc20c9c86681a6e38c0962cdf399defe75d1582b30954ff690430d154a6e5818dfa7cd8a0b72999b455aa80b5e95d939e6d

Download Submit
C:\Windows\{962C9FCB-99DF-420c-8EC9-A1A422A32282}.exe

Filesize
408KB

MD5
f5d846603cc76fa2a56a2e6335f08c75

SHA1
7b4e8bc0a81c531a51e1e0d8b46d8baf2a0f35fb

SHA256
6d5639e7542e8532be6b43a96fb7171c2b0cba76ef4baa5f209c5f08faac3f8b

SHA512
94eec2f53669ace2f1b3319be00da342b432057a4efa0044d89f7296558d73ab3763d3a36c1b51cc3201e53f756ae687ab630c91bc7b0c7d9a9312f71ae34886

Download Submit
C:\Windows\{A57C5C70-1BC5-4982-8980-7A29081106E9}.exe

Filesize
408KB

MD5
b562eef932fb0a64960a83cef57e5f6a

SHA1
fb7e6761b71d4c292296e4d1ff8c0c274332380d

SHA256
5ac0129f7b7901fe84c4c3d25b7a12ff7fb90dae561a1061267bc7f7c0a76c4e

SHA512
a744eb04568d6a08e04fc8c5031df91646d12ae6a80dc6367ec7380e1cee0f7d87a0be6080d77c4d3b4402ce0723c7547201f026694fd0166b1b6a38df7a19e7

Download Submit
C:\Windows\{B73267E4-3E69-427b-9211-CD2B31F0256C}.exe

Filesize
408KB

MD5
6bcd955edd0e7a3e0d06ddad9c9fda78

SHA1
a328372f4acf15e4942950a5bbe40109c8e46d3f

SHA256
d4d68ceea1317f400955cbf84185cf2c72f792a314b20554ec0990bc58ccd718

SHA512
fcde5858370ad77314ef1f7648641292954142f30461eaec10fdc01e771316bea3268988ea83963c4b288165d898bffaaf1fa2d7db983f11c64b34904be7965b

Download Submit
C:\Windows\{B8FB59C3-52CC-4aa2-BF3B-540949B6394A}.exe

Filesize
408KB

MD5
940f1dfeb4e2fb54a245bb7d6d5a5fe5

SHA1
c9df003fd2adc022019241624e6472ec1bb0821e

SHA256
a531beca4ec6050d8da9cbe1d325f343de15bab77d6879e29f460c8b8d0a2374

SHA512
1be11288d4aef5c72aa179a33928c0fa4b77b24d0246c918b4487dbc375513c3578c7e5a219711fe02b1381028f5cde78f1dd603a610942228fe2e89c53afe41

Download Submit
C:\Windows\{EE620395-DB74-4615-A07D-29260F31E28D}.exe

Filesize
408KB

MD5
e8a0444bfe726c7c3b5b9f232ee20bf8

SHA1
5c340badbe104ad419e288ad43706eb8ffd1bb51

SHA256
f5980f77c18e7fabe3b2ca26437122ad5c7b1105fe2902da5b706e7e7cf4e1f5

SHA512
96c28a1b3d8f697881625ccd22a60cb962d64b6eb3f58755131cc5a414ba49969fb0146945758a8a64d21b357c16f286c3158686cb6262bb3ca778e2763485e2

Download Submit
C:\Windows\{F6D844C7-36FE-4fc5-9B9D-A15811748F54}.exe

Filesize
408KB

MD5
37c040b957d6284c3636c473c49fc296

SHA1
7fd29b049007652795917f8f28d23e82fc2c5caa

SHA256
233880fd4ac4554a50534f93684ba849aabf9493e9e1a841e55102cc32556297

SHA512
2ac6074599e8b91adca6453ee9a747215c6738cc4246a42025fb52a9cfcf285ef4f972901001e9b24bce5ef3141f4fb3d298d3b16654d94eafd366267444a4f2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads