8402cf2d0ecde83317cb695ac39b7de10f8d8659e074df91aaf4f5a9acb2c465

Analysis

max time kernel
175s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe
Size

197KB
MD5

112b95a40e0f54f5a0a8e66f53b60516
SHA1

b7658fa8f9aa15fd582c53a41482d51d211295d5
SHA256

8402cf2d0ecde83317cb695ac39b7de10f8d8659e074df91aaf4f5a9acb2c465
SHA512

ac84bd59d28ba2916616f67667781436cc1f3586c968a4462f334bb8b10cf43ed16ed55a9802fcff7971a17257bab5bdbdaf3acd9bebc97a1b923279271a36d4
SSDEEP

3072:jEGh0ohl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGzlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002314d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002323a-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023240-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023245-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000000070f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000000070f-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006e5-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}	{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94285D76-AD77-47d4-82C9-069E793A2DFC}	{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BF155C7-7C5B-475c-9591-D93B210DFAD0}\stubpath = "C:\\Windows\\{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe"	{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022D2167-79E9-4e19-90B5-BDDF5567EA8D}	{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{022D2167-79E9-4e19-90B5-BDDF5567EA8D}\stubpath = "C:\\Windows\\{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe"	{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}	{16A50209-B1A9-469c-B40E-D351F7712241}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F73C708-6ADF-493f-846B-DA261CD5DBBA}\stubpath = "C:\\Windows\\{7F73C708-6ADF-493f-846B-DA261CD5DBBA}.exe"	{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BF155C7-7C5B-475c-9591-D93B210DFAD0}	{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}\stubpath = "C:\\Windows\\{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe"	{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08791EEB-D6E6-4304-8F50-ACB5BC84F955}	{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F73C708-6ADF-493f-846B-DA261CD5DBBA}	{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}\stubpath = "C:\\Windows\\{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe"	{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08791EEB-D6E6-4304-8F50-ACB5BC84F955}\stubpath = "C:\\Windows\\{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe"	{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A1FC81C-D631-4e46-821F-9B1E93CDA237}	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16A50209-B1A9-469c-B40E-D351F7712241}\stubpath = "C:\\Windows\\{16A50209-B1A9-469c-B40E-D351F7712241}.exe"	{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}	{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}	{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94285D76-AD77-47d4-82C9-069E793A2DFC}\stubpath = "C:\\Windows\\{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe"	{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A1FC81C-D631-4e46-821F-9B1E93CDA237}\stubpath = "C:\\Windows\\{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe"	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16A50209-B1A9-469c-B40E-D351F7712241}	{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}\stubpath = "C:\\Windows\\{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe"	{16A50209-B1A9-469c-B40E-D351F7712241}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}\stubpath = "C:\\Windows\\{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe"	{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe

Executes dropped EXE 11 IoCs

pid	Process
392	{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe
1528	{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe
3512	{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe
1504	{16A50209-B1A9-469c-B40E-D351F7712241}.exe
776	{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe
3588	{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe
1824	{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe
2496	{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe
2160	{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe
1832	{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe
1184	{7F73C708-6ADF-493f-846B-DA261CD5DBBA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe	{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe
File created	C:\Windows\{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe
File created	C:\Windows\{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe	{16A50209-B1A9-469c-B40E-D351F7712241}.exe
File created	C:\Windows\{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe	{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe
File created	C:\Windows\{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe	{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe
File created	C:\Windows\{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe	{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe
File created	C:\Windows\{7F73C708-6ADF-493f-846B-DA261CD5DBBA}.exe	{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe
File created	C:\Windows\{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe	{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe
File created	C:\Windows\{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe	{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe
File created	C:\Windows\{16A50209-B1A9-469c-B40E-D351F7712241}.exe	{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe
File created	C:\Windows\{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe	{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4076	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe
Token: SeIncBasePriorityPrivilege	392	{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe
Token: SeIncBasePriorityPrivilege	1528	{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe
Token: SeIncBasePriorityPrivilege	3512	{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe
Token: SeIncBasePriorityPrivilege	1504	{16A50209-B1A9-469c-B40E-D351F7712241}.exe
Token: SeIncBasePriorityPrivilege	776	{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe
Token: SeIncBasePriorityPrivilege	3588	{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe
Token: SeIncBasePriorityPrivilege	1824	{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe
Token: SeIncBasePriorityPrivilege	2496	{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe
Token: SeIncBasePriorityPrivilege	2160	{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe
Token: SeIncBasePriorityPrivilege	1832	{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 392	4076	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	91
PID 4076 wrote to memory of 392	4076	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	91
PID 4076 wrote to memory of 392	4076	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	91
PID 4076 wrote to memory of 792	4076	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	92
PID 4076 wrote to memory of 792	4076	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	92
PID 4076 wrote to memory of 792	4076	2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe	92
PID 392 wrote to memory of 1528	392	{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe	96
PID 392 wrote to memory of 1528	392	{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe	96
PID 392 wrote to memory of 1528	392	{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe	96
PID 392 wrote to memory of 1636	392	{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe	97
PID 392 wrote to memory of 1636	392	{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe	97
PID 392 wrote to memory of 1636	392	{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe	97
PID 1528 wrote to memory of 3512	1528	{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe	102
PID 1528 wrote to memory of 3512	1528	{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe	102
PID 1528 wrote to memory of 3512	1528	{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe	102
PID 1528 wrote to memory of 1920	1528	{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe	101
PID 1528 wrote to memory of 1920	1528	{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe	101
PID 1528 wrote to memory of 1920	1528	{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe	101
PID 3512 wrote to memory of 1504	3512	{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe	103
PID 3512 wrote to memory of 1504	3512	{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe	103
PID 3512 wrote to memory of 1504	3512	{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe	103
PID 3512 wrote to memory of 4088	3512	{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe	104
PID 3512 wrote to memory of 4088	3512	{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe	104
PID 3512 wrote to memory of 4088	3512	{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe	104
PID 1504 wrote to memory of 776	1504	{16A50209-B1A9-469c-B40E-D351F7712241}.exe	105
PID 1504 wrote to memory of 776	1504	{16A50209-B1A9-469c-B40E-D351F7712241}.exe	105
PID 1504 wrote to memory of 776	1504	{16A50209-B1A9-469c-B40E-D351F7712241}.exe	105
PID 1504 wrote to memory of 2832	1504	{16A50209-B1A9-469c-B40E-D351F7712241}.exe	106
PID 1504 wrote to memory of 2832	1504	{16A50209-B1A9-469c-B40E-D351F7712241}.exe	106
PID 1504 wrote to memory of 2832	1504	{16A50209-B1A9-469c-B40E-D351F7712241}.exe	106
PID 776 wrote to memory of 3588	776	{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe	107
PID 776 wrote to memory of 3588	776	{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe	107
PID 776 wrote to memory of 3588	776	{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe	107
PID 776 wrote to memory of 1340	776	{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe	108
PID 776 wrote to memory of 1340	776	{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe	108
PID 776 wrote to memory of 1340	776	{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe	108
PID 3588 wrote to memory of 1824	3588	{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe	109
PID 3588 wrote to memory of 1824	3588	{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe	109
PID 3588 wrote to memory of 1824	3588	{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe	109
PID 3588 wrote to memory of 4800	3588	{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe	110
PID 3588 wrote to memory of 4800	3588	{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe	110
PID 3588 wrote to memory of 4800	3588	{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe	110
PID 1824 wrote to memory of 2496	1824	{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe	111
PID 1824 wrote to memory of 2496	1824	{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe	111
PID 1824 wrote to memory of 2496	1824	{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe	111
PID 1824 wrote to memory of 3760	1824	{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe	112
PID 1824 wrote to memory of 3760	1824	{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe	112
PID 1824 wrote to memory of 3760	1824	{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe	112
PID 2496 wrote to memory of 2160	2496	{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe	113
PID 2496 wrote to memory of 2160	2496	{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe	113
PID 2496 wrote to memory of 2160	2496	{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe	113
PID 2496 wrote to memory of 976	2496	{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe	114
PID 2496 wrote to memory of 976	2496	{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe	114
PID 2496 wrote to memory of 976	2496	{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe	114
PID 2160 wrote to memory of 1832	2160	{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe	115
PID 2160 wrote to memory of 1832	2160	{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe	115
PID 2160 wrote to memory of 1832	2160	{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe	115
PID 2160 wrote to memory of 464	2160	{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe	116
PID 2160 wrote to memory of 464	2160	{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe	116
PID 2160 wrote to memory of 464	2160	{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe	116
PID 1832 wrote to memory of 1184	1832	{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe	117
PID 1832 wrote to memory of 1184	1832	{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe	117
PID 1832 wrote to memory of 1184	1832	{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe	117
PID 1832 wrote to memory of 2920	1832	{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_112b95a40e0f54f5a0a8e66f53b60516_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe
  C:\Windows\{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe
    C:\Windows\{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1BF15~1.EXE > nul
      4⤵
      PID:1920
  - - C:\Windows\{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe
      C:\Windows\{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\{16A50209-B1A9-469c-B40E-D351F7712241}.exe
        
        C:\Windows\{16A50209-B1A9-469c-B40E-D351F7712241}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe
        
        C:\Windows\{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe
        
        C:\Windows\{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe
        
        C:\Windows\{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe
        
        C:\Windows\{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe
        
        C:\Windows\{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe
        
        C:\Windows\{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\{7F73C708-6ADF-493f-846B-DA261CD5DBBA}.exe
        
        C:\Windows\{7F73C708-6ADF-493f-846B-DA261CD5DBBA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08791~1.EXE > nul
        12⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94285~1.EXE > nul
        11⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7118~1.EXE > nul
        10⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2D7B~1.EXE > nul
        9⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB4DF~1.EXE > nul
        8⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A953B~1.EXE > nul
        7⤵
        
        PID:1340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16A50~1.EXE > nul
        6⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{022D2~1.EXE > nul
        5⤵
        
        PID:4088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0A1FC~1.EXE > nul
    3⤵
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{022D2167-79E9-4e19-90B5-BDDF5567EA8D}.exe

Filesize
197KB

MD5
3577e1b52d5eba447ad12d2a2ea649b8

SHA1
4d49867a4b0e10d14d88303479e484c4eb1d65e7

SHA256
7a32172e652c7eb1b5a2feeb4148e5762e3553e73cf2c5b4ff52560432f65269

SHA512
77b2f5037bc2e7fafad379cd45a00785f1f616c79481f4457701946f3f37e53fcf1712f19de09f597a6d1a430405d4f26a9deaf73ee63863d6878b6061f777d5

Download Submit
C:\Windows\{08791EEB-D6E6-4304-8F50-ACB5BC84F955}.exe

Filesize
197KB

MD5
550fffbb81db2ea5e539b6e3c3b3b032

SHA1
b10124089d72a433d9830e264a82f8230bd35ed7

SHA256
23ccdb413e5a948fea4fda72ec3d2e3d19b8416ecc3b3cc1ee9a60f91dcaee33

SHA512
035286300428579e7aff9f52e72d9446c15d2b7d84e0e8d643aac6e95cead142cbac79e7b2dde6467aa15ecdf367a0ce69b2bc44372b25b2a87e3616f61afe04

Download Submit
C:\Windows\{0A1FC81C-D631-4e46-821F-9B1E93CDA237}.exe

Filesize
197KB

MD5
a624f015217f96dcbee5824549b70b3e

SHA1
7ddb9fe8ca53adc56ef4380cba582012505a62c7

SHA256
e991989280ce9388dd56ff2bc631b60b33879f3fe9538a718a92f7e8861e75f2

SHA512
cb9622727e6ea94a38e10b043e9a9ce835d1f388b85a01c8a7c6d8b69546243e99313a6c700b23fb4b8889b0d7e6bdb718846da5c1a32724179181afb25c441f

Download Submit
C:\Windows\{16A50209-B1A9-469c-B40E-D351F7712241}.exe

Filesize
197KB

MD5
a3f5e3b7185dc6fcce727296acff06f6

SHA1
e363898d8f5f24b5906e2532edcc9a169adde7fc

SHA256
2c5e9b65808f1477cf1424b71bf571b67b7831ccfd9da51d75b11425be56ecf7

SHA512
36c9b2fadaaa54fcff3993e6c23872d3487bff718fea8533128ec5205196a5b555c0ee0c3a1fe985ec648808f385ec597dc7655fa069238d3135bcfb6b14a69f

Download Submit
C:\Windows\{1BF155C7-7C5B-475c-9591-D93B210DFAD0}.exe

Filesize
197KB

MD5
5713e8218f85ea313b259d7b2934aa50

SHA1
d8fe44a0b2e7a6225da741264aee094c62980c58

SHA256
e7452b74cd80ba479b4cd83396deef837bf3e737035617d53ca4e8f4ba1da794

SHA512
9c16b12983e7779d5e0270dec11ce4477e96983a710d1b1a3fc6dfbc71fb2b279c6f37410c6b588984ef689604e05fc832abfe49d7e8a0a07a752b242538b9e3

Download Submit
C:\Windows\{7F73C708-6ADF-493f-846B-DA261CD5DBBA}.exe

Filesize
197KB

MD5
73a0987c2af335c86483b17b5112ea93

SHA1
cdc8eebe3520834b24dc98096da175c30225b337

SHA256
0302245f44f13ee29287133ccc093bbda2e7f2890719830d11afd2b8bcc77934

SHA512
dc4966b84faa6bff425467e10b8fa6f1af3ae8ffa944fa026c15b38bb19bd1ac2e8c0c411e240a5c66a07abdf730d99f4ea89a55d03a27c38ce49966bcda0ec1

Download Submit
C:\Windows\{94285D76-AD77-47d4-82C9-069E793A2DFC}.exe

Filesize
197KB

MD5
cc567a97634de3bbcbbf8fbb6884d919

SHA1
bd1a4deb4c5091fa22049b65f39372c16dbd8ab8

SHA256
3e20d536f2ae67703e45383427b7be74886d76616e584eafeea0fd5b3e942b6e

SHA512
d63f5dfb483424d67018e0e2504cf6d393212ea1aa2b02e9ce5d2c77bf170a373254cd42de2a35ff6120a1e6f67fd7d28528802d637b09d4a28ff7a4337f9cd6

Download Submit
C:\Windows\{A953B8A8-6520-4cc7-9C2A-256B9F39B20E}.exe

Filesize
197KB

MD5
637b8de7f0d9e129fe7f8f6eeb0ccd70

SHA1
777a4c1bfb759d568369fa6ea2fcf88ff4b8886a

SHA256
3adc73f1d3ec378c6b07c7b3f1a532b1d27fefe42692acc93e4f61b63c0d0594

SHA512
8978724fbb86f9390adc4d18e33b0407aff6cfe16c5748b45f6eb511c3205eea7ec466a4809e4da5d170ca0ed015dd3ca5cae9d943758e3961746f1b1b1c4965

Download Submit
C:\Windows\{B2D7B99A-EAF2-4f49-AF66-68D53EF704BB}.exe

Filesize
197KB

MD5
b98cde97d12b05dc4ea32b4e85043b13

SHA1
aee94c6177d012128ed3fd8ffe6d93a0b06c2076

SHA256
86d57b984dd1b4d3a09e463d0824c9a439a1d2617ff9cddfd3eb9b06e0c9dc49

SHA512
26c7b55f20fe341404273edacbfadf912bcb55ed0f2a4809047d24f81ecca80b08e5355ed90dd35504eea3315a162db7dacee434f0a8dc6e7a256253d0c51832

Download Submit
C:\Windows\{BB4DFAA6-EE84-4ee1-8934-59D4DBCBC7F1}.exe

Filesize
197KB

MD5
2dcd6178853e959f5c4957fcd105c24f

SHA1
a23e21715bfca90e8155acc54b4f0fa8166d15af

SHA256
d8144dc140899a2de95bcd622506b7e1a6a3724b7cd0d1db6c4bb7e1d5c4c667

SHA512
c1ce385d1a8111e9ea7ab1978ea5360dc764c0ba74b568831d44fb9150fe640c904369ee2528aeaed3c59c230a495791ee995af68d8309adfbd23c115605e304

Download Submit
C:\Windows\{E7118216-523A-4dd5-B910-DC8CF9FE9ADC}.exe

Filesize
197KB

MD5
2dda4f36776edc9ef2c1467fc8c81d06

SHA1
422e9b455e69a38372871ba59b9317695d95acbe

SHA256
1b409a4a5bab70577cb06ff92415501a127be010af1883e986e09d6641745103

SHA512
b007af08edbb1649945d89a12defb10c74747ecbad666b246a532b85eb62cae5ef1d2f5df31507c8f1eb6a901affa18262f163dd67ebb6796fe3642bee024544

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads