c457486470c11b5b4217a9a031f8629ceee9cf17d41b7f32d81a4e8449ea5e32

Analysis

max time kernel
125s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe
Size

180KB
MD5

d2d197af32dcae541b18353dda396ce9
SHA1

c887f4f5a1f8547dcf3aaf15b761323a8d3d6ca2
SHA256

c457486470c11b5b4217a9a031f8629ceee9cf17d41b7f32d81a4e8449ea5e32
SHA512

20a33303a724537f8feb6b7830a0a466b6bc252ccbab3729568b191b91e9f5b817d93b7d88594c91d4fb732c4d47217ac4ff79989fd2bea5e5382d32aad628f6
SSDEEP

3072:jEGh0otlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGDl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 18 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023121-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002303c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002303c-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023122-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002303c-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023122-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002303c-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002303c-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023122-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023122-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023231-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023231-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023122-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023125-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023223-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023223-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023125-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023125-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65B5A335-CD9A-4803-9E8A-976021EDDAC1}\stubpath = "C:\\Windows\\{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe"	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}\stubpath = "C:\\Windows\\{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe"	{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}	{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A9E0886-CED9-46dc-9067-FAD30C496370}	{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFCD3145-EE28-4a5d-9B51-1554D11BF5C5}	{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65B5A335-CD9A-4803-9E8A-976021EDDAC1}	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}\stubpath = "C:\\Windows\\{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe"	{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}\stubpath = "C:\\Windows\\{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe"	{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}\stubpath = "C:\\Windows\\{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe"	{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFCD3145-EE28-4a5d-9B51-1554D11BF5C5}\stubpath = "C:\\Windows\\{BFCD3145-EE28-4a5d-9B51-1554D11BF5C5}.exe"	{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5755D7C-D1AD-4540-8795-BF3E068185AD}	{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5755D7C-D1AD-4540-8795-BF3E068185AD}\stubpath = "C:\\Windows\\{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe"	{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}	{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}\stubpath = "C:\\Windows\\{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe"	{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}	{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}	{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}	{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}	{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}\stubpath = "C:\\Windows\\{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe"	{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A9E0886-CED9-46dc-9067-FAD30C496370}\stubpath = "C:\\Windows\\{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe"	{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe

Executes dropped EXE 10 IoCs

pid	Process
4452	{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe
2472	{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe
2232	{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe
4408	{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe
3576	{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe
2348	{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe
3552	{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe
4728	{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe
1492	{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe
4364	{BFCD3145-EE28-4a5d-9B51-1554D11BF5C5}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe	{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe
File created	C:\Windows\{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe
File created	C:\Windows\{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe	{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe
File created	C:\Windows\{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe	{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe
File created	C:\Windows\{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe	{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe
File created	C:\Windows\{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe	{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe
File created	C:\Windows\{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe	{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe
File created	C:\Windows\{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe	{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe
File created	C:\Windows\{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe	{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe
File created	C:\Windows\{BFCD3145-EE28-4a5d-9B51-1554D11BF5C5}.exe	{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4056	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4452	{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe
Token: SeIncBasePriorityPrivilege	2472	{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe
Token: SeIncBasePriorityPrivilege	2232	{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe
Token: SeIncBasePriorityPrivilege	4408	{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe
Token: SeIncBasePriorityPrivilege	3576	{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe
Token: SeIncBasePriorityPrivilege	2348	{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe
Token: SeIncBasePriorityPrivilege	3552	{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe
Token: SeIncBasePriorityPrivilege	4728	{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe
Token: SeIncBasePriorityPrivilege	1492	{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4452	4056	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	100
PID 4056 wrote to memory of 4452	4056	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	100
PID 4056 wrote to memory of 4452	4056	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	100
PID 4056 wrote to memory of 3240	4056	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	99
PID 4056 wrote to memory of 3240	4056	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	99
PID 4056 wrote to memory of 3240	4056	2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe	99
PID 4452 wrote to memory of 2472	4452	{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe	102
PID 4452 wrote to memory of 2472	4452	{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe	102
PID 4452 wrote to memory of 2472	4452	{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe	102
PID 4452 wrote to memory of 4776	4452	{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe	101
PID 4452 wrote to memory of 4776	4452	{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe	101
PID 4452 wrote to memory of 4776	4452	{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe	101
PID 2472 wrote to memory of 2232	2472	{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe	107
PID 2472 wrote to memory of 2232	2472	{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe	107
PID 2472 wrote to memory of 2232	2472	{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe	107
PID 2472 wrote to memory of 872	2472	{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe	106
PID 2472 wrote to memory of 872	2472	{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe	106
PID 2472 wrote to memory of 872	2472	{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe	106
PID 2232 wrote to memory of 4408	2232	{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe	109
PID 2232 wrote to memory of 4408	2232	{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe	109
PID 2232 wrote to memory of 4408	2232	{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe	109
PID 2232 wrote to memory of 4920	2232	{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe	108
PID 2232 wrote to memory of 4920	2232	{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe	108
PID 2232 wrote to memory of 4920	2232	{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe	108
PID 4408 wrote to memory of 3576	4408	{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe	112
PID 4408 wrote to memory of 3576	4408	{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe	112
PID 4408 wrote to memory of 3576	4408	{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe	112
PID 4408 wrote to memory of 3660	4408	{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe	111
PID 4408 wrote to memory of 3660	4408	{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe	111
PID 4408 wrote to memory of 3660	4408	{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe	111
PID 3576 wrote to memory of 2348	3576	{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe	113
PID 3576 wrote to memory of 2348	3576	{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe	113
PID 3576 wrote to memory of 2348	3576	{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe	113
PID 3576 wrote to memory of 1792	3576	{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe	114
PID 3576 wrote to memory of 1792	3576	{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe	114
PID 3576 wrote to memory of 1792	3576	{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe	114
PID 2348 wrote to memory of 3552	2348	{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe	115
PID 2348 wrote to memory of 3552	2348	{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe	115
PID 2348 wrote to memory of 3552	2348	{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe	115
PID 2348 wrote to memory of 3644	2348	{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe	116
PID 2348 wrote to memory of 3644	2348	{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe	116
PID 2348 wrote to memory of 3644	2348	{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe	116
PID 3552 wrote to memory of 4728	3552	{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe	121
PID 3552 wrote to memory of 4728	3552	{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe	121
PID 3552 wrote to memory of 4728	3552	{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe	121
PID 3552 wrote to memory of 2980	3552	{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe	120
PID 3552 wrote to memory of 2980	3552	{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe	120
PID 3552 wrote to memory of 2980	3552	{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe	120
PID 4728 wrote to memory of 1492	4728	{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe	126
PID 4728 wrote to memory of 1492	4728	{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe	126
PID 4728 wrote to memory of 1492	4728	{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe	126
PID 4728 wrote to memory of 4968	4728	{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe	125
PID 4728 wrote to memory of 4968	4728	{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe	125
PID 4728 wrote to memory of 4968	4728	{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe	125
PID 1492 wrote to memory of 4364	1492	{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe	128
PID 1492 wrote to memory of 4364	1492	{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe	128
PID 1492 wrote to memory of 4364	1492	{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe	128
PID 1492 wrote to memory of 2556	1492	{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe	127
PID 1492 wrote to memory of 2556	1492	{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe	127
PID 1492 wrote to memory of 2556	1492	{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_d2d197af32dcae541b18353dda396ce9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3240
- C:\Windows\{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe
  C:\Windows\{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{65B5A~1.EXE > nul
    3⤵
    PID:4776
- - C:\Windows\{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe
    C:\Windows\{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{83FE6~1.EXE > nul
      4⤵
      PID:872
  - - C:\Windows\{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe
      C:\Windows\{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5755~1.EXE > nul
        5⤵
        
        PID:4920
    - - C:\Windows\{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe
        
        C:\Windows\{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DE05~1.EXE > nul
        6⤵
        
        PID:3660
      - C:\Windows\{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe
        
        C:\Windows\{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe
        
        C:\Windows\{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe
        
        C:\Windows\{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA944~1.EXE > nul
        9⤵
        
        PID:2980
        
        C:\Windows\{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe
        
        C:\Windows\{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A9E0~1.EXE > nul
        10⤵
        
        PID:4968
        
        C:\Windows\{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe
        
        C:\Windows\{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE86D~1.EXE > nul
        11⤵
        
        PID:2556
        
        C:\Windows\{BFCD3145-EE28-4a5d-9B51-1554D11BF5C5}.exe
        
        C:\Windows\{BFCD3145-EE28-4a5d-9B51-1554D11BF5C5}.exe
        11⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFCD3~1.EXE > nul
        12⤵
        
        PID:2136
        
        C:\Windows\{DCBA5A06-597D-4805-9AAC-69F39992E038}.exe
        
        C:\Windows\{DCBA5A06-597D-4805-9AAC-69F39992E038}.exe
        12⤵
        
        PID:2736
        
        C:\Windows\{F6DC8344-3E97-4415-AE9A-2437AD8C355E}.exe
        
        C:\Windows\{F6DC8344-3E97-4415-AE9A-2437AD8C355E}.exe
        13⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCBA5~1.EXE > nul
        13⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56BF5~1.EXE > nul
        8⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F77CD~1.EXE > nul
        7⤵
        
        PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2DE05FDA-782A-4d8d-B2D5-C2A78B0A3A53}.exe

Filesize
180KB

MD5
61c20ad72e8e29920cceac822b53ad75

SHA1
b28a5985b6fe831ee399255331eb2e54af0ce14f

SHA256
592d357515c65c4b1080a4b0e7034ca13393bded8d292a6b8755b353f9da0da8

SHA512
d4232a4c5ace756b804a4f864d344350db84992cd90f67d40962100f33ea6af5788229f8294251dc0a97704651328420ef33877bfd11a9bd549230b6d8431e21

Download Submit
C:\Windows\{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe

Filesize
176KB

MD5
3300ace6c3dc271f0ff1d9434ea027e1

SHA1
b9860b772be9fb9c50905b03f3cc720b690c71fe

SHA256
54dc793bdb4c6a06c6158772677f2c998593545e6c1076cdb3b55b4f98bca7b7

SHA512
13e84bb50e2d04d71035fffdc6815deea2febcfd928416ceeae2e536acecd5c42621655279ba452b0db5ffe52c2389fe431e999d002b7ca317a4f3afdd5631c7

Download Submit
C:\Windows\{56BF502C-A272-40ec-83D1-ACB3D0B26F1C}.exe

Filesize
27KB

MD5
edb79880136848054d6dbc8650c72310

SHA1
0c184c5ae703146d8e6d595e93b989e257fa5eb8

SHA256
1b6ab4524ec85cd5959976071ab580220aa2a4f78dcc4fb7b06b3eb9ce0e720b

SHA512
966fb10edc5067e9abd22bf8dcc8b077cb6ee7fa76f29e429b57452eb68652c9b914f6a2090633b7a998be87fdfff1a179be4bdea9e66271c1a9b5769f041950

Download Submit
C:\Windows\{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe

Filesize
149KB

MD5
63970b05aa0b8b5bb07e99b3c65e9052

SHA1
f3b92e08abb0e12f19fa387933b880f88e2645cc

SHA256
a9f460f33101147d6638a07a858a0427fd158f0290950864e3456b6f741c0d27

SHA512
5943f626ff7cf4131e31fbfbf2cd16717650f07d0faeaadc220eb091ea4dedb81e0a9b51894b8040141b99d74188d815f481885b566348d995736fc41c79549e

Download Submit
C:\Windows\{5A9E0886-CED9-46dc-9067-FAD30C496370}.exe

Filesize
170KB

MD5
8ff97b2858672d93c4ae97681892e935

SHA1
5a54eec6e4e8e4eb693c90639f60108ded0be8f1

SHA256
3257d3a322d1b2811ac71885cab6265565e8ec3879bbae792b45b64613b704cd

SHA512
c616ffe27222bc339d8c11eaa75dc2d5a74ee715795590cdaf0fa198e1110b3699c4fe2990b98d7a58192c94fb9ecec4c7ba8c95fe44c2fd783f85bb3ae6fdc1

Download Submit
C:\Windows\{65B5A335-CD9A-4803-9E8A-976021EDDAC1}.exe

Filesize
180KB

MD5
ec61db91765370bb9fb0d07dba36e24b

SHA1
d76c8b04f9e675307a5f61f3c75303ff487244aa

SHA256
9b749a3586ba5bcff02ed3fa1fedee65937d887dbe67f6a96e499247d005a757

SHA512
220cd139b8da361eef9cfdf67e1944c96c31e5b540448dee426d87393c1aad62880a2a29d05071d236e4cf5fae07d9e9761eedc69978714a9c8b8c52a232d0e8

Download Submit
C:\Windows\{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe

Filesize
143KB

MD5
ee1c2eef32973654fb818df8747da4dc

SHA1
992f92c205e2ee46741d7dbd6c301f28b6ce4269

SHA256
2a057560a2cee96b3debd1e8fd46ee6bc2b1acc51e2e362d5bbdc31d2137b65b

SHA512
ab25afc32eb5b33a31bfd865faa0e34034b69d355bc25a5cb30ccd0a72b980471159a3a767cd6d80dad6c1ae739f898d97c35e20e8fe491b668bc10e4acb7a7b

Download Submit
C:\Windows\{83FE6733-E0CF-48b2-A0F7-215D4C14C9E1}.exe

Filesize
180KB

MD5
c5bfeecfd44f6963d4689dbc3b723c43

SHA1
97f9ae422343ed9297c5a37dc2e916df44dc1e43

SHA256
c0766b2180feaa04ab9a837d42b1be4972459c8f35c3922b6af9dd41f85ddd7e

SHA512
553963b032c433940bbfa61371143bce550e9145ecc6476ab40a205e794172b1864789bde45549a7dfa2f93106097ddf2b03dfe9a14318d3d3e59955b85cd898

Download Submit
C:\Windows\{BFCD3145-EE28-4a5d-9B51-1554D11BF5C5}.exe

Filesize
180KB

MD5
0d4ea84152d500a9a24d493c90204b84

SHA1
550031169b71f37b5c3cc8f553c8e8fe20b69c68

SHA256
d70570d8dfe88bf23826a662000acc6b011e2b71127de3abcbaa941fade85a28

SHA512
9e95075994820b2dbb47312e6712a66d61644bc6bf2918e00129d3c2c7eadf8018fc7c6cff332a985184e117820d128429484735787618bb5bfbcc35f34c6817

Download Submit
C:\Windows\{C5755D7C-D1AD-4540-8795-BF3E068185AD}.exe

Filesize
180KB

MD5
e340748c0e71050e1b9c95820baa567e

SHA1
7af96193d752c4645691909691ca2a2109d9d5ee

SHA256
da8df5b3390d5cee88d52ce6815a5d9550154cf884e5d7dbb4c738b86711a6bd

SHA512
0b0c0f3e0d57317c167414cc203359ab6e2bc616865da587850dd7244f1db9fbdfd8cdfbc24cabbd77d471ba36aafca0a218fd99c9b37ee230be58471405d289

Download Submit
C:\Windows\{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe

Filesize
119KB

MD5
0b36bc0b584920f4a64e3e68ec690c27

SHA1
7413356a3d764a625caf03afbaa71b9be63aba02

SHA256
82d3e5cde9063c2029afdfeea08d906f63898c508d928d9aadeb8738ef1223a2

SHA512
72d976efdcb72fb83c2af12f35f2f57895e450eeadcb4b83e673929fa3c2ef910b3ff4840c65abdedf211f0ade49a9a97380f36f4aa9db94a434504c08afbab7

Download Submit
C:\Windows\{CA9442DB-E7D0-458d-9B20-5AA30902DCE0}.exe

Filesize
180KB

MD5
447c2dd4ef91f6dd4a16a351d9ea49b1

SHA1
d034196dee408c220b9c7244826194ea9a201988

SHA256
36423752e7398ec11dbae9421f04837ed4a26ccb46e708d1bc73b8ed5aefcc78

SHA512
3e5f03ea7aaed7e54bb418969f8333204d4c38834901e181d779433981bd996db220e32cab0ec4eb28c45fc49441040490386c8da36a254cfc77aa460ae1a9fd

Download Submit
C:\Windows\{DCBA5A06-597D-4805-9AAC-69F39992E038}.exe

Filesize
42KB

MD5
7161fdfc0c89431fa0fe18f3d913c388

SHA1
62796e9243b8b9bf9b62699aabfe0eb146f36d63

SHA256
4c14cdb4beb69c61461a8797aeb20f2dfaeeacd091ed1dc32a99e2fc2e1f8197

SHA512
5402a1661a9bab05d3eeb51d23c6f4f7d7b84794bdab6279c358110620fd8cd250b8ab63b9c47f9b8d220dc19933a8572b9f1e311495fd52fbece3f17f22468e

Download Submit
C:\Windows\{DCBA5A06-597D-4805-9AAC-69F39992E038}.exe

Filesize
50KB

MD5
bd162a4a52eaa5f15df60d8dc56d7845

SHA1
f97f9ef0e81d46cfd46b1628fb244bdbd667d01d

SHA256
a18b733afa63366761e23fa4905acd7a584e061b1dd646381bd136307ba91121

SHA512
e57c6bd788b94f3501671a71abb42d273d50ae929bc5885d943b82b9bedbeb2951d8731fe1d6a00d71176e2407f73bc0cc2547ab06c08f0081995285046a59c3

Download Submit
C:\Windows\{F6DC8344-3E97-4415-AE9A-2437AD8C355E}.exe

Filesize
111KB

MD5
d2ea75ea6fa610e25d535b22b23a2978

SHA1
627f44539d77661437436b0776aaa72c67134cbd

SHA256
369ef989e2ab0aa9a86e25e7134977de24d489f6d13e368f007152543e0d1f17

SHA512
c0b8da1635d807b1119c9c62ba76f736951cda5c6dcfa5fcd37c92d1e9b5456357d888e4fb0806c04fd5eb25bf467d366281ad732980e574b09fffcc3e3539ee

Download Submit
C:\Windows\{F6DC8344-3E97-4415-AE9A-2437AD8C355E}.exe

Filesize
149KB

MD5
eb0ff57317b90e180fca3979e26de4d2

SHA1
8c553e2b205501f01bfdd1bc79926305829d79c8

SHA256
48e8684b8bc1aadf336a1e7f4ed97f684731b3fc5fbb83ed8417dacee61bf96a

SHA512
ac73e23b0fad72800aeabe15adc8c0384638ffc3c163f61de6ada63142bbad220f46b1cbf28c6e6ed2ac14b0032a4a9fda38688f588fd720f486531bf785f25e

Download Submit
C:\Windows\{F77CD92D-AE9F-4c8b-A7A6-2DE2CE91685E}.exe

Filesize
180KB

MD5
a4b7ad4afc3a8c05359237849a7fa8d8

SHA1
bffd2ec5b6daf3a8f74c5baa7abf97af0a9ea9d2

SHA256
94a4aae4111834ec81a1dc5d7428cb7a26bc72bac87c70a802092c0a4c2450df

SHA512
21ed770af892d402b1d881cd104cc875b7a5db99150edd890ca2ff22eeeda889eaee9be221177524d265bb976bed311aa55a54788872f3216c3e262150ea2665

Download Submit
C:\Windows\{FE86D5F3-0C8B-4a82-85D9-A6CDF19B887D}.exe

Filesize
180KB

MD5
7dfa0b344beee96fe3a23bb760fe50ca

SHA1
4a3e3ccc4cfc99b31e8220ef48d10a9c3e525c7b

SHA256
86be5f36354e08fc5e88c81d8f495eba225ba634fa35b327855e10b521c26925

SHA512
f9d56fc691a2c5b1d39be8f3af0ac3f76343c7c7c37bbc05b07dcb4a3d753e654dfe9dce3ad140d941ff09dede957a1459883025e4c7ab969a66e72cdc282ffc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads