e80e615bc39b40f8c7ed568193c29893c7fa6fcf068541bfb40a768ca5130c39

Analysis

max time kernel
150s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe
Size

168KB
MD5

802d9acdcfaa66254239bdb94226ed94
SHA1

902c9091efda132c9008aa30978a50eb6000e840
SHA256

e80e615bc39b40f8c7ed568193c29893c7fa6fcf068541bfb40a768ca5130c39
SHA512

4b7f6785223821ee2681850ca43694ec71466e256a9117bbb791e2d6e958ae5bc38b0a1ea31b3d0db58878680556317a76333561ba87a9f32034ef098c4c7f32
SSDEEP

1536:1EGh0o8lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022718-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023135-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023135-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023224-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023228-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023224-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000223fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023228-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000739-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}	{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C88F6708-6C22-4349-A940-CE183D22104D}\stubpath = "C:\\Windows\\{C88F6708-6C22-4349-A940-CE183D22104D}.exe"	{F5B7756A-E699-4099-85F4-1203DD32B072}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}	{C88F6708-6C22-4349-A940-CE183D22104D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21889BB1-6383-4fb2-ABD1-580F2532FA03}	{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0B27E0-5527-43c5-9332-6EFF5403A66F}	{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21889BB1-6383-4fb2-ABD1-580F2532FA03}\stubpath = "C:\\Windows\\{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe"	{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0B27E0-5527-43c5-9332-6EFF5403A66F}\stubpath = "C:\\Windows\\{DA0B27E0-5527-43c5-9332-6EFF5403A66F}.exe"	{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7895060B-2C40-435e-A4AC-14E13D7C4BC9}	{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7895060B-2C40-435e-A4AC-14E13D7C4BC9}\stubpath = "C:\\Windows\\{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe"	{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75B3F48A-12DD-41e1-81AF-59C18AC1F264}	{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5B7756A-E699-4099-85F4-1203DD32B072}\stubpath = "C:\\Windows\\{F5B7756A-E699-4099-85F4-1203DD32B072}.exe"	{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF400845-AB1A-4f45-A2F5-40F20FAD1374}	{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF400845-AB1A-4f45-A2F5-40F20FAD1374}\stubpath = "C:\\Windows\\{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe"	{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B960FB2-3DDB-483b-A165-A5AABBCD322B}	{DA0B27E0-5527-43c5-9332-6EFF5403A66F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2964558-A1BB-4651-9D31-28AEBAC413AD}	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2964558-A1BB-4651-9D31-28AEBAC413AD}\stubpath = "C:\\Windows\\{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe"	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75B3F48A-12DD-41e1-81AF-59C18AC1F264}\stubpath = "C:\\Windows\\{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe"	{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C88F6708-6C22-4349-A940-CE183D22104D}	{F5B7756A-E699-4099-85F4-1203DD32B072}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}\stubpath = "C:\\Windows\\{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe"	{C88F6708-6C22-4349-A940-CE183D22104D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}\stubpath = "C:\\Windows\\{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe"	{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5B7756A-E699-4099-85F4-1203DD32B072}	{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B960FB2-3DDB-483b-A165-A5AABBCD322B}\stubpath = "C:\\Windows\\{8B960FB2-3DDB-483b-A165-A5AABBCD322B}.exe"	{DA0B27E0-5527-43c5-9332-6EFF5403A66F}.exe

Executes dropped EXE 10 IoCs

pid	Process
772	{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe
5060	{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe
1380	{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe
2868	{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe
4964	{F5B7756A-E699-4099-85F4-1203DD32B072}.exe
4324	{C88F6708-6C22-4349-A940-CE183D22104D}.exe
2904	{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe
484	{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe
4436	{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe
2296	{DA0B27E0-5527-43c5-9332-6EFF5403A66F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe	{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe
File created	C:\Windows\{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe	{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe
File created	C:\Windows\{C88F6708-6C22-4349-A940-CE183D22104D}.exe	{F5B7756A-E699-4099-85F4-1203DD32B072}.exe
File created	C:\Windows\{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe	{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe
File created	C:\Windows\{DA0B27E0-5527-43c5-9332-6EFF5403A66F}.exe	{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe
File created	C:\Windows\{8B960FB2-3DDB-483b-A165-A5AABBCD322B}.exe	{DA0B27E0-5527-43c5-9332-6EFF5403A66F}.exe
File created	C:\Windows\{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe
File created	C:\Windows\{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe	{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe
File created	C:\Windows\{F5B7756A-E699-4099-85F4-1203DD32B072}.exe	{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe
File created	C:\Windows\{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe	{C88F6708-6C22-4349-A940-CE183D22104D}.exe
File created	C:\Windows\{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe	{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4776	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe
Token: SeIncBasePriorityPrivilege	772	{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe
Token: SeIncBasePriorityPrivilege	5060	{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe
Token: SeIncBasePriorityPrivilege	1380	{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe
Token: SeIncBasePriorityPrivilege	2868	{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe
Token: SeIncBasePriorityPrivilege	4964	{F5B7756A-E699-4099-85F4-1203DD32B072}.exe
Token: SeIncBasePriorityPrivilege	4324	{C88F6708-6C22-4349-A940-CE183D22104D}.exe
Token: SeIncBasePriorityPrivilege	2904	{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe
Token: SeIncBasePriorityPrivilege	484	{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe
Token: SeIncBasePriorityPrivilege	4436	{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 772	4776	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	89
PID 4776 wrote to memory of 772	4776	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	89
PID 4776 wrote to memory of 772	4776	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	89
PID 4776 wrote to memory of 3256	4776	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	90
PID 4776 wrote to memory of 3256	4776	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	90
PID 4776 wrote to memory of 3256	4776	2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe	90
PID 772 wrote to memory of 5060	772	{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe	94
PID 772 wrote to memory of 5060	772	{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe	94
PID 772 wrote to memory of 5060	772	{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe	94
PID 772 wrote to memory of 228	772	{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe	93
PID 772 wrote to memory of 228	772	{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe	93
PID 772 wrote to memory of 228	772	{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe	93
PID 5060 wrote to memory of 1380	5060	{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe	99
PID 5060 wrote to memory of 1380	5060	{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe	99
PID 5060 wrote to memory of 1380	5060	{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe	99
PID 5060 wrote to memory of 2756	5060	{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe	98
PID 5060 wrote to memory of 2756	5060	{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe	98
PID 5060 wrote to memory of 2756	5060	{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe	98
PID 1380 wrote to memory of 2868	1380	{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe	104
PID 1380 wrote to memory of 2868	1380	{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe	104
PID 1380 wrote to memory of 2868	1380	{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe	104
PID 1380 wrote to memory of 3656	1380	{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe	105
PID 1380 wrote to memory of 3656	1380	{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe	105
PID 1380 wrote to memory of 3656	1380	{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe	105
PID 2868 wrote to memory of 4964	2868	{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe	106
PID 2868 wrote to memory of 4964	2868	{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe	106
PID 2868 wrote to memory of 4964	2868	{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe	106
PID 2868 wrote to memory of 4936	2868	{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe	107
PID 2868 wrote to memory of 4936	2868	{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe	107
PID 2868 wrote to memory of 4936	2868	{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe	107
PID 4964 wrote to memory of 4324	4964	{F5B7756A-E699-4099-85F4-1203DD32B072}.exe	108
PID 4964 wrote to memory of 4324	4964	{F5B7756A-E699-4099-85F4-1203DD32B072}.exe	108
PID 4964 wrote to memory of 4324	4964	{F5B7756A-E699-4099-85F4-1203DD32B072}.exe	108
PID 4964 wrote to memory of 1300	4964	{F5B7756A-E699-4099-85F4-1203DD32B072}.exe	109
PID 4964 wrote to memory of 1300	4964	{F5B7756A-E699-4099-85F4-1203DD32B072}.exe	109
PID 4964 wrote to memory of 1300	4964	{F5B7756A-E699-4099-85F4-1203DD32B072}.exe	109
PID 4324 wrote to memory of 2904	4324	{C88F6708-6C22-4349-A940-CE183D22104D}.exe	110
PID 4324 wrote to memory of 2904	4324	{C88F6708-6C22-4349-A940-CE183D22104D}.exe	110
PID 4324 wrote to memory of 2904	4324	{C88F6708-6C22-4349-A940-CE183D22104D}.exe	110
PID 4324 wrote to memory of 1804	4324	{C88F6708-6C22-4349-A940-CE183D22104D}.exe	111
PID 4324 wrote to memory of 1804	4324	{C88F6708-6C22-4349-A940-CE183D22104D}.exe	111
PID 4324 wrote to memory of 1804	4324	{C88F6708-6C22-4349-A940-CE183D22104D}.exe	111
PID 2904 wrote to memory of 484	2904	{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe	112
PID 2904 wrote to memory of 484	2904	{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe	112
PID 2904 wrote to memory of 484	2904	{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe	112
PID 2904 wrote to memory of 4652	2904	{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe	113
PID 2904 wrote to memory of 4652	2904	{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe	113
PID 2904 wrote to memory of 4652	2904	{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe	113
PID 484 wrote to memory of 4436	484	{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe	114
PID 484 wrote to memory of 4436	484	{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe	114
PID 484 wrote to memory of 4436	484	{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe	114
PID 484 wrote to memory of 208	484	{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe	115
PID 484 wrote to memory of 208	484	{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe	115
PID 484 wrote to memory of 208	484	{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe	115
PID 4436 wrote to memory of 2296	4436	{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe	116
PID 4436 wrote to memory of 2296	4436	{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe	116
PID 4436 wrote to memory of 2296	4436	{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe	116
PID 4436 wrote to memory of 4012	4436	{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe	117
PID 4436 wrote to memory of 4012	4436	{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe	117
PID 4436 wrote to memory of 4012	4436	{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_802d9acdcfaa66254239bdb94226ed94_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe
  C:\Windows\{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D2964~1.EXE > nul
    3⤵
    PID:228
- - C:\Windows\{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe
    C:\Windows\{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{88689~1.EXE > nul
      4⤵
      PID:2756
  - - C:\Windows\{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe
      C:\Windows\{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Windows\{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe
        
        C:\Windows\{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\{F5B7756A-E699-4099-85F4-1203DD32B072}.exe
        
        C:\Windows\{F5B7756A-E699-4099-85F4-1203DD32B072}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\{C88F6708-6C22-4349-A940-CE183D22104D}.exe
        
        C:\Windows\{C88F6708-6C22-4349-A940-CE183D22104D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe
        
        C:\Windows\{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe
        
        C:\Windows\{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe
        
        C:\Windows\{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{DA0B27E0-5527-43c5-9332-6EFF5403A66F}.exe
        
        C:\Windows\{DA0B27E0-5527-43c5-9332-6EFF5403A66F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21889~1.EXE > nul
        11⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF400~1.EXE > nul
        10⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C59DE~1.EXE > nul
        9⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C88F6~1.EXE > nul
        8⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5B77~1.EXE > nul
        7⤵
        
        PID:1300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75B3F~1.EXE > nul
        6⤵
        
        PID:4936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78950~1.EXE > nul
        5⤵
        
        PID:3656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21889BB1-6383-4fb2-ABD1-580F2532FA03}.exe

Filesize
168KB

MD5
6b7873397b4541e74facdcd8d56ce11d

SHA1
8a23976971f1d05a79caaf71d501a42ab0c8f54e

SHA256
1a17a7c098e1527e430b5c923306efdd383b6162c61b7635d15aaf213897d23f

SHA512
3bdafcda10e93411fe2171c0a9c71a62d763832d84b515568062b9f0fbabe698eb70ff2fc2e2f952ed723722b50573badecccc8021d5e830b1998d80eaf9ebb9

Download Submit
C:\Windows\{75B3F48A-12DD-41e1-81AF-59C18AC1F264}.exe

Filesize
168KB

MD5
1ad378339743323aa8f4eef474c53199

SHA1
88cc5aa75ac4f12da845a47e737de9967eb4b727

SHA256
1179d3090274476107b63f7ea188e68be4e8521774aa9690dd5b2614a2a6d4be

SHA512
257dde4afdef70b9b654b0ab4c775ac6e7bdd9a571716a528bfedfdca469121fd00ba641f1050dc0ec7e37f27571ef5d4f9bcb36019fab15be702d4abd1595e6

Download Submit
C:\Windows\{7895060B-2C40-435e-A4AC-14E13D7C4BC9}.exe

Filesize
168KB

MD5
a46899340eefee137b9940461826b513

SHA1
41febef4e7d715ced8d4dc6323ba7518e6b28b2a

SHA256
04087e4064f7507fa4cff4e83a28f9ea2f3737aa07b5a80c64503a233a1e51d3

SHA512
5babef78e7f16e33009dcecb1a75e3de37ceef0ba17d76a0635610ebacde76193c389aa147555d1518cad0ce02c01dc3deeab1d2912a6539700092fcb02f7b2b

Download Submit
C:\Windows\{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe

Filesize
168KB

MD5
4ff92f552a93b80b0dc6c48c3fbd2241

SHA1
93db1052575d9819c1205b97ca80cab77d8f502d

SHA256
907778cdde3a92d9b76bc7ac3b8e7a3a89aaea21ea883ff4121a214b5055d493

SHA512
f6c72a8e40f7aefc0677776fa5287aceddaf516513aebe610767e5bddd0e095f9a9caaec6ba9a48caa6b369357e68792100445fd6b72a8a4dab79e1521b2c14b

Download Submit
C:\Windows\{88689CC6-14B5-4a09-8B48-4D4BA1A63FEE}.exe

Filesize
120KB

MD5
493461e05d2a6b7e4bf34656cdd3e317

SHA1
69d08ebec28a3fe762f29332366d967095731aae

SHA256
635f2100a42d25fec194677320d990ed545718679950e56fdbf5b5fe9da3f8e5

SHA512
069d14f1208f21b0a8b4c528dd8539b46cd4069a2735f8d682a9e48a1cef2449ca1a31d07cb487befc166fc67ec941fb3ba3cd6810717f8be898c32f21c00eb1

Download Submit
C:\Windows\{AF400845-AB1A-4f45-A2F5-40F20FAD1374}.exe

Filesize
168KB

MD5
31abfc4532fba94d25af8ecccd47934e

SHA1
412f9e1bc444496fda131247f914af5365a21358

SHA256
186792dc667abc924b4e220deefceb6f32b7275e7d237b82c40e66500b9b03f5

SHA512
585c85bdbd033beac8bae81fae9c5faf64ccc67e8d7cbe608250377fd4e149c3f533f2a69e29a9100635a1f152bf899ac4d5e985ed374b425fde92d558f05dfa

Download Submit
C:\Windows\{C59DE170-848B-4fb9-8B42-A1D2B4595FBD}.exe

Filesize
168KB

MD5
eddd59177e6fe141d0c24e18a6cb66ca

SHA1
81f1e2b09d0b611015d330b8f9e2a8b39dcbe391

SHA256
ee479f2659584f7837aa8bc2c924d442f294974a719cb6e4c37cf610f7291f00

SHA512
e2abd3b4622b4fd82184dead7a59df667dd181809e123dfdc8436507dc436d93bf0285ac929ce2fb7b3a927068fa9f18749e864973206e0c13a521e58eb9b594

Download Submit
C:\Windows\{C88F6708-6C22-4349-A940-CE183D22104D}.exe

Filesize
168KB

MD5
754d521c80f4a0df3d428389e0115f5b

SHA1
3b66c477181e642c9a774c0ffe6ef127409df077

SHA256
93ba01192a6997701c722951b6e524a6d5c32cf30093a1b521ceb476a6f300c4

SHA512
897430183f82b42e411a114d6e2cac8c91488b1fe26b9a27b8279ee373318336fd77e5947b0292df6d5555f0ad630ed943affe66fb0489f7094204541096d5cd

Download Submit
C:\Windows\{D2964558-A1BB-4651-9D31-28AEBAC413AD}.exe

Filesize
168KB

MD5
a5e2ee3f5157ce84c8e4c8c7d97a9ae6

SHA1
e8a7de22d7ab60d60afb441705b08a1cd6fa5f5f

SHA256
778a564770deb43737cf137c1d0059353e50e513751636a2bfaa209d08e41732

SHA512
0d1ca16a20efa7171f6e621254fddf901cdb4edf20591cdd38f7fd20533fabae7081ee532be598d4135c846ede9aecbaf0cb3b6303c144e65f14b898c4ee687c

Download Submit
C:\Windows\{DA0B27E0-5527-43c5-9332-6EFF5403A66F}.exe

Filesize
168KB

MD5
694492e23f21f86a30a89f35075a9c5f

SHA1
752d037945accb5abe810dcb5c7819c95176e3f5

SHA256
0d0278f7801e435e8cbca45c742e624f38c58ae55c3da72ee873559b63938840

SHA512
bf8de73e11c235d865438cf37d2ef2cab291e9933e0b7f675b3c1255d0b32278a14d0f1a199486e8fb916b8d32cec1898ce26848ad1520c9b9830bb74f08c0e7

Download Submit
C:\Windows\{F5B7756A-E699-4099-85F4-1203DD32B072}.exe

Filesize
168KB

MD5
cb57dd62fc01cfa0408f27be0834c012

SHA1
6d58379bc1c5795ec41620bd95a46bf79933c539

SHA256
fe423a09074317a3d05e3c960dc9c8e0bb96b55d469dafb38ccac65f1af4c28e

SHA512
a8fe28ea690faa61562d6afdb2701d23c8db4cdc412570b2709197742d73d0c40eb6680b79e929bff99b940fbf9872a7d3d339ed3e68000c1217de358aaaa868

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads