d3011b475b91aaaf3d13879c7aa0a03b6a4e52d8d05b636d43016f8fbdaf8894

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe
Size

180KB
MD5

9c62d91d0ea75c6ec352e67d8712afd0
SHA1

a325e2b640d503bf0f8190850b64eea6db385ef9
SHA256

d3011b475b91aaaf3d13879c7aa0a03b6a4e52d8d05b636d43016f8fbdaf8894
SHA512

f0083971ab0db3227ad795f5812644e8d5ffca472ff55f3d8c16d260f9bdaa627520c31dd23a49dcecea57220ee61d095a2c2b5bf4ff99ff5265274c7bd009a0
SSDEEP

3072:jEGh0o8lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG2l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231b9-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231d1-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000231f0-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000232e9-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000232e9-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000230e8-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002334f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023350-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000009dc5-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023355-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023485-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023355-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}	{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}\stubpath = "C:\\Windows\\{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe"	{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}\stubpath = "C:\\Windows\\{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe"	{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B40AA9F-33E1-4586-95AE-C488E47A672D}	{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}\stubpath = "C:\\Windows\\{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe"	{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}	{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D200E1F9-858C-4e36-8B7C-6B356DAA6218}	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2570837-CACB-4d20-895C-ADDC4B47BC95}	{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A43E24E-0E85-4802-A5D6-9B577BBCE006}	{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A43E24E-0E85-4802-A5D6-9B577BBCE006}\stubpath = "C:\\Windows\\{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe"	{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}	{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2570837-CACB-4d20-895C-ADDC4B47BC95}\stubpath = "C:\\Windows\\{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe"	{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87E8F46C-D15F-421a-8E1B-3D3A45979344}	{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}	{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}\stubpath = "C:\\Windows\\{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe"	{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6382C65-CEE4-4343-8C52-47FB7478C011}\stubpath = "C:\\Windows\\{F6382C65-CEE4-4343-8C52-47FB7478C011}.exe"	{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}	{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}\stubpath = "C:\\Windows\\{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe"	{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B40AA9F-33E1-4586-95AE-C488E47A672D}\stubpath = "C:\\Windows\\{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe"	{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6382C65-CEE4-4343-8C52-47FB7478C011}	{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D200E1F9-858C-4e36-8B7C-6B356DAA6218}\stubpath = "C:\\Windows\\{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe"	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87E8F46C-D15F-421a-8E1B-3D3A45979344}\stubpath = "C:\\Windows\\{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe"	{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe

Executes dropped EXE 11 IoCs

pid	Process
4688	{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe
3268	{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe
4720	{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe
5080	{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe
208	{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe
4288	{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe
4776	{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe
3676	{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe
5056	{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe
1440	{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe
4300	{F6382C65-CEE4-4343-8C52-47FB7478C011}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe	{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe
File created	C:\Windows\{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe	{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe
File created	C:\Windows\{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe	{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe
File created	C:\Windows\{F6382C65-CEE4-4343-8C52-47FB7478C011}.exe	{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe
File created	C:\Windows\{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe	{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe
File created	C:\Windows\{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe	{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe
File created	C:\Windows\{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe	{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe
File created	C:\Windows\{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe	{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe
File created	C:\Windows\{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe	{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe
File created	C:\Windows\{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe	{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe
File created	C:\Windows\{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4360	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4688	{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe
Token: SeIncBasePriorityPrivilege	3268	{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe
Token: SeIncBasePriorityPrivilege	4720	{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe
Token: SeIncBasePriorityPrivilege	5080	{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe
Token: SeIncBasePriorityPrivilege	208	{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe
Token: SeIncBasePriorityPrivilege	4288	{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe
Token: SeIncBasePriorityPrivilege	4776	{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe
Token: SeIncBasePriorityPrivilege	3676	{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe
Token: SeIncBasePriorityPrivilege	5056	{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe
Token: SeIncBasePriorityPrivilege	1440	{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 4688	4360	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	99
PID 4360 wrote to memory of 4688	4360	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	99
PID 4360 wrote to memory of 4688	4360	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	99
PID 4360 wrote to memory of 2292	4360	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	98
PID 4360 wrote to memory of 2292	4360	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	98
PID 4360 wrote to memory of 2292	4360	2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe	98
PID 4688 wrote to memory of 3268	4688	{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe	100
PID 4688 wrote to memory of 3268	4688	{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe	100
PID 4688 wrote to memory of 3268	4688	{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe	100
PID 4688 wrote to memory of 2008	4688	{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe	101
PID 4688 wrote to memory of 2008	4688	{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe	101
PID 4688 wrote to memory of 2008	4688	{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe	101
PID 3268 wrote to memory of 4720	3268	{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe	106
PID 3268 wrote to memory of 4720	3268	{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe	106
PID 3268 wrote to memory of 4720	3268	{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe	106
PID 3268 wrote to memory of 316	3268	{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe	105
PID 3268 wrote to memory of 316	3268	{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe	105
PID 3268 wrote to memory of 316	3268	{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe	105
PID 4720 wrote to memory of 5080	4720	{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe	107
PID 4720 wrote to memory of 5080	4720	{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe	107
PID 4720 wrote to memory of 5080	4720	{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe	107
PID 4720 wrote to memory of 1456	4720	{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe	108
PID 4720 wrote to memory of 1456	4720	{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe	108
PID 4720 wrote to memory of 1456	4720	{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe	108
PID 5080 wrote to memory of 208	5080	{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe	110
PID 5080 wrote to memory of 208	5080	{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe	110
PID 5080 wrote to memory of 208	5080	{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe	110
PID 5080 wrote to memory of 3648	5080	{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe	109
PID 5080 wrote to memory of 3648	5080	{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe	109
PID 5080 wrote to memory of 3648	5080	{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe	109
PID 208 wrote to memory of 4288	208	{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe	112
PID 208 wrote to memory of 4288	208	{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe	112
PID 208 wrote to memory of 4288	208	{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe	112
PID 208 wrote to memory of 2300	208	{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe	113
PID 208 wrote to memory of 2300	208	{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe	113
PID 208 wrote to memory of 2300	208	{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe	113
PID 4288 wrote to memory of 4776	4288	{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe	115
PID 4288 wrote to memory of 4776	4288	{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe	115
PID 4288 wrote to memory of 4776	4288	{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe	115
PID 4288 wrote to memory of 4832	4288	{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe	114
PID 4288 wrote to memory of 4832	4288	{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe	114
PID 4288 wrote to memory of 4832	4288	{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe	114
PID 4776 wrote to memory of 3676	4776	{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe	117
PID 4776 wrote to memory of 3676	4776	{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe	117
PID 4776 wrote to memory of 3676	4776	{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe	117
PID 4776 wrote to memory of 1436	4776	{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe	116
PID 4776 wrote to memory of 1436	4776	{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe	116
PID 4776 wrote to memory of 1436	4776	{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe	116
PID 3676 wrote to memory of 5056	3676	{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe	126
PID 3676 wrote to memory of 5056	3676	{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe	126
PID 3676 wrote to memory of 5056	3676	{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe	126
PID 3676 wrote to memory of 4496	3676	{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe	125
PID 3676 wrote to memory of 4496	3676	{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe	125
PID 3676 wrote to memory of 4496	3676	{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe	125
PID 5056 wrote to memory of 1440	5056	{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe	128
PID 5056 wrote to memory of 1440	5056	{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe	128
PID 5056 wrote to memory of 1440	5056	{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe	128
PID 5056 wrote to memory of 3768	5056	{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe	127
PID 5056 wrote to memory of 3768	5056	{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe	127
PID 5056 wrote to memory of 3768	5056	{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe	127
PID 1440 wrote to memory of 4300	1440	{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe	129
PID 1440 wrote to memory of 4300	1440	{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe	129
PID 1440 wrote to memory of 4300	1440	{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe	129
PID 1440 wrote to memory of 5064	1440	{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_9c62d91d0ea75c6ec352e67d8712afd0_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2292
- C:\Windows\{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe
  C:\Windows\{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe
    C:\Windows\{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B2570~1.EXE > nul
      4⤵
      PID:316
  - - C:\Windows\{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe
      C:\Windows\{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Windows\{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe
        
        C:\Windows\{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5775C~1.EXE > nul
        6⤵
        
        PID:3648
      - C:\Windows\{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe
        
        C:\Windows\{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe
        
        C:\Windows\{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B40A~1.EXE > nul
        8⤵
        
        PID:4832
        
        C:\Windows\{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe
        
        C:\Windows\{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFFBC~1.EXE > nul
        9⤵
        
        PID:1436
        
        C:\Windows\{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe
        
        C:\Windows\{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2B1C~1.EXE > nul
        10⤵
        
        PID:4496
        
        C:\Windows\{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe
        
        C:\Windows\{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70FCF~1.EXE > nul
        11⤵
        
        PID:3768
        
        C:\Windows\{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe
        
        C:\Windows\{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\{F6382C65-CEE4-4343-8C52-47FB7478C011}.exe
        
        C:\Windows\{F6382C65-CEE4-4343-8C52-47FB7478C011}.exe
        12⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A43E~1.EXE > nul
        12⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87E8F~1.EXE > nul
        7⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E98CC~1.EXE > nul
        5⤵
        
        PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D200E~1.EXE > nul
    3⤵
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A43E24E-0E85-4802-A5D6-9B577BBCE006}.exe

Filesize
180KB

MD5
9981e2162d795a1ee91133e5108e1069

SHA1
7a02401abac3dc600f6a12edfa9bbf343b0ca2df

SHA256
fd563c17baee4a39033e67c9dba2d4c098aa1cbcc64ebc6db6931ef469b3343b

SHA512
06327b3b29ecc6eddce8cc78751fc502ca679c619270cc0a5ec06c1aa845eb42400a3b09eebbf6eaa94bd02fdeb6449caaeb1ee0c6b95be71d854c9114d0dc58

Download Submit
C:\Windows\{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe

Filesize
180KB

MD5
56dce29b1abbe11b5b21f7231e397ddd

SHA1
2e8752c7326fa2d993af63732489d58593d9209b

SHA256
46c72fee4f57773ec4bb8c685798f9b1b5d679d32a1fab9a4b5f916f5d358951

SHA512
8f8c10de0cbc7fc2e4286860200048d942044856c7763537e12ceb519cba53bab545cdcfc1762fd3e4689406c795e1ce065fd82b398f270253b67ca64ca32bbe

Download Submit
C:\Windows\{5775CCB8-07BB-4d9d-A38A-6FE43A38D285}.exe

Filesize
100KB

MD5
2e395fee0dfdddb178d331cad07fa6d8

SHA1
c2e4435700b3788247b6a18f5293e06b8d6c98ed

SHA256
b1b8710cc87d1813d6e64b9e4e3e4c3452733270fb749f71835ab56db9e7d13c

SHA512
8987b0b5b2c2c2cb662a161456b09869344375bba46747d9787a6e47650165beda0eb36979f5ee14321dace282dfd4e73ebe85a525c0da92a9149d6584b7e8a7

Download Submit
C:\Windows\{6B40AA9F-33E1-4586-95AE-C488E47A672D}.exe

Filesize
180KB

MD5
ef8d460e3f421b5b7af835baf8109cf2

SHA1
362621b83b530bc5074424106e6a5eb7be93d0ae

SHA256
47e2cf536e650b2e14d8502c5f2b681fc968bbccf668b697b980d429eaa474af

SHA512
a4cb1dc11f83ae500ff0b4c56a23dd63932d02d740a8b69fb49e479979bb19f53b968c0da9e0ed3277275202c17cd1642ca8e342da70322889451b7494e50641

Download Submit
C:\Windows\{70FCF92C-1205-48b1-BAF8-E6E3F63D7C8D}.exe

Filesize
180KB

MD5
57036d0722af304680b11fda1b660f76

SHA1
58085152c2b67f700b40b6f05c544aac332d1460

SHA256
5f2bf41994517fbcb61b6f14a50ac832fffde7c6b34568de791a78200176f83a

SHA512
2aef2e5674d9c5f93e7d66e508c1ed40bac29b12eb55cbe70e78c547362ed4383e1182b49dec2e197ccaf5ec765ce7a93c2349b7bdcb123c27ebf6d3ebbd18f1

Download Submit
C:\Windows\{87E8F46C-D15F-421a-8E1B-3D3A45979344}.exe

Filesize
180KB

MD5
876c4a5373bde0e472a00cf9c5eda389

SHA1
7bc4a6fbe816fe074b4e70d2f76acd15aba62306

SHA256
f631a81bcfa133c48affb759f28f9063273a13c6e1c781b8f67f9b8fdeeddde3

SHA512
7f53e11de39fc582c964604c24d7d68f7c889f6bea6bc61a472d5ee5b651254e96a1c0829a8afc9e87f30963e4db2973652de02f7b05c47b74cefd32738ca0ff

Download Submit
C:\Windows\{B2570837-CACB-4d20-895C-ADDC4B47BC95}.exe

Filesize
180KB

MD5
664043de08bfa0d836f68d7d681929e5

SHA1
de8695a6bfb9a50a9d405eafb545f93fe5290f12

SHA256
d5667d26373eb2d7e707d81311548df8bae9e13b7a57751991b8d01de8cd57f5

SHA512
a0a69882426ce41514f2ec5d7be13e45d1e7895fa739872744d0a0d0c5a1f62603d23f93302a8f7f1dee7ca5573b3546a4dc8c480cac6f641c93d5a28862f795

Download Submit
C:\Windows\{D200E1F9-858C-4e36-8B7C-6B356DAA6218}.exe

Filesize
180KB

MD5
966e56f9e5e1e68c984e66869c064838

SHA1
cbbbd6ab19a4f0e0393d6f091f68e5670d9115ba

SHA256
02e202ad67826539726d7c86ba0a9de939c13758066ca865a46a7b36f06b7c36

SHA512
9748af6b5a33de0bea519baace77e8831542e26a0e5b0ca2d5b670e2ea8f3f4b42cea89a370a5939d9ab9a77b15d356a526aebc726e6d165b3e8b639c08ec347

Download Submit
C:\Windows\{DFFBC6AC-F3DD-4001-987E-E9CCFE076330}.exe

Filesize
180KB

MD5
734af0fe758a96d0f206a6701b18ded4

SHA1
953a62fcd2e81110761a0559806f066feb399b85

SHA256
251b55222b5702bc19bfbd3880fe4278a8055b674ebadd4d34caeb7316877ac8

SHA512
62f0bce77535f6f70fe2404a72465588be22ac6a3aebcf5798150ddbd3c8a95b32b0b9f673d0224fb25e76f6c613b10e80da59d20753c0b5eb1896335f34b578

Download Submit
C:\Windows\{E98CC60F-113E-4eb7-9155-5EB5484A7FC0}.exe

Filesize
180KB

MD5
666deb60a2fd864ff78a9dbf8fb2a544

SHA1
a238c93f71672b610469c5dd725115cd76025ba6

SHA256
4e0b2bf5179899d748bb219f1c9d55422f7cb427eb2992b1c12b257c17ef90a4

SHA512
1d593f289c440b64494f6e1edd129efd292c80b6f4cc32b0045be55a718591cc960eedd33f0997b79ce71ff47ebc791507da5896f579664eee6a4e910ae616a6

Download Submit
C:\Windows\{F2B1C9C9-B21D-4588-8A9A-E509D31C7910}.exe

Filesize
180KB

MD5
d6acdfae17019e3ce0e2e4adf29b0524

SHA1
0fc482f57eca944daec3de45be48f39f9ef2acc4

SHA256
5a75c0e7168afbb6f4f331425a8463da497d0b63a8f47288c8aba0fd69a90b1c

SHA512
4c03d5bb5eb7eba4f103ae0f3ef27793d6a7bbc3f78b46f2f598a5ee12b8ac6213f8956a901f8e176e2b04109e5eafea72d99198af4a1134f23caf8962777ebb

Download Submit
C:\Windows\{F6382C65-CEE4-4343-8C52-47FB7478C011}.exe

Filesize
180KB

MD5
9e53a63e172eb3eaf9f510b32f3d56a5

SHA1
ecf70b1ce2dfb630380effd17c06ac8e847b88f3

SHA256
d2e70d3e670fc211bde00401d4107e7ddfd335046e122f9d54d3cc7b7d7d3965

SHA512
a46c62877a87c51fdc32c5eb9763c74861f0662ddc08a2ed9ff962c95b45063285d2ea90df2bfc1af2bed72935f41fae864dae3a5508b0392a293d58929fb58c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads