c1aff3b06ec8161b2c3a39de925070a3dba8a7e02b02f5affd0918e2bd88434c

Analysis

max time kernel
112s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe
Size

197KB
MD5

fccceb2d47639ed83a2a01f7b8ec3a6d
SHA1

c5f43c141a2f1d75962f6a58ab89f9525322ccfc
SHA256

c1aff3b06ec8161b2c3a39de925070a3dba8a7e02b02f5affd0918e2bd88434c
SHA512

973b35449e57bc49bded826afd9a6703c6edbeea7ca0dc376bbe9fddfa70854264b6294b4a2e9ef1dd8e487b051d461ac1baff20c9a6b6833459572295f83959
SSDEEP

3072:jEGh0oTl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGxlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 17 IoCs

resource	yara_rule
behavioral2/files/0x001000000002323d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e5ea-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016928-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000233ca-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000234c9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233ca-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233ca-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234c9-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233ca-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233ca-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023131-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023133-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023133-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000234d1-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000234d1-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023133-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023133-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{376F8B60-CBE5-443f-8152-5068E2D440E4}\stubpath = "C:\\Windows\\{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe"	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}	{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}\stubpath = "C:\\Windows\\{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe"	{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AB82442-01D9-4e85-955E-4C11F3CAF17C}\stubpath = "C:\\Windows\\{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe"	{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D91452B-1FBB-4f7f-8E23-105E70644F47}	{86C63944-F340-4a10-BDD8-5254F33569CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{376F8B60-CBE5-443f-8152-5068E2D440E4}	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}\stubpath = "C:\\Windows\\{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe"	{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D12918DF-398F-4102-A08B-AEA173A049C4}\stubpath = "C:\\Windows\\{D12918DF-398F-4102-A08B-AEA173A049C4}.exe"	{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}\stubpath = "C:\\Windows\\{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe"	{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D12918DF-398F-4102-A08B-AEA173A049C4}	{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86C63944-F340-4a10-BDD8-5254F33569CB}	{D12918DF-398F-4102-A08B-AEA173A049C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D91452B-1FBB-4f7f-8E23-105E70644F47}\stubpath = "C:\\Windows\\{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe"	{86C63944-F340-4a10-BDD8-5254F33569CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9715EAFF-C89D-43cd-8B26-E21583A756CC}	{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}	{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AB82442-01D9-4e85-955E-4C11F3CAF17C}	{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}	{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86C63944-F340-4a10-BDD8-5254F33569CB}\stubpath = "C:\\Windows\\{86C63944-F340-4a10-BDD8-5254F33569CB}.exe"	{D12918DF-398F-4102-A08B-AEA173A049C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9715EAFF-C89D-43cd-8B26-E21583A756CC}\stubpath = "C:\\Windows\\{9715EAFF-C89D-43cd-8B26-E21583A756CC}.exe"	{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe

Executes dropped EXE 9 IoCs

pid	Process
2304	{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe
3388	{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe
4332	{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe
3436	{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe
2304	{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe
2068	{D12918DF-398F-4102-A08B-AEA173A049C4}.exe
3392	{86C63944-F340-4a10-BDD8-5254F33569CB}.exe
4912	{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe
2592	{9715EAFF-C89D-43cd-8B26-E21583A756CC}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{9715EAFF-C89D-43cd-8B26-E21583A756CC}.exe	{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe
File created	C:\Windows\{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe
File created	C:\Windows\{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe	{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe
File created	C:\Windows\{D12918DF-398F-4102-A08B-AEA173A049C4}.exe	{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe
File created	C:\Windows\{86C63944-F340-4a10-BDD8-5254F33569CB}.exe	{D12918DF-398F-4102-A08B-AEA173A049C4}.exe
File created	C:\Windows\{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe	{86C63944-F340-4a10-BDD8-5254F33569CB}.exe
File created	C:\Windows\{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe	{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe
File created	C:\Windows\{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe	{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe
File created	C:\Windows\{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe	{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1004	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2304	{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe
Token: SeIncBasePriorityPrivilege	3388	{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe
Token: SeIncBasePriorityPrivilege	4332	{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe
Token: SeIncBasePriorityPrivilege	3436	{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe
Token: SeIncBasePriorityPrivilege	2304	{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe
Token: SeIncBasePriorityPrivilege	2068	{D12918DF-398F-4102-A08B-AEA173A049C4}.exe
Token: SeIncBasePriorityPrivilege	3392	{86C63944-F340-4a10-BDD8-5254F33569CB}.exe
Token: SeIncBasePriorityPrivilege	4912	{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 2304	1004	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	99
PID 1004 wrote to memory of 2304	1004	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	99
PID 1004 wrote to memory of 2304	1004	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	99
PID 1004 wrote to memory of 3608	1004	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	100
PID 1004 wrote to memory of 3608	1004	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	100
PID 1004 wrote to memory of 3608	1004	2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe	100
PID 2304 wrote to memory of 3388	2304	{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe	102
PID 2304 wrote to memory of 3388	2304	{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe	102
PID 2304 wrote to memory of 3388	2304	{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe	102
PID 2304 wrote to memory of 4468	2304	{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe	103
PID 2304 wrote to memory of 4468	2304	{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe	103
PID 2304 wrote to memory of 4468	2304	{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe	103
PID 3388 wrote to memory of 4332	3388	{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe	106
PID 3388 wrote to memory of 4332	3388	{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe	106
PID 3388 wrote to memory of 4332	3388	{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe	106
PID 3388 wrote to memory of 4324	3388	{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe	107
PID 3388 wrote to memory of 4324	3388	{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe	107
PID 3388 wrote to memory of 4324	3388	{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe	107
PID 4332 wrote to memory of 3436	4332	{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe	108
PID 4332 wrote to memory of 3436	4332	{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe	108
PID 4332 wrote to memory of 3436	4332	{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe	108
PID 4332 wrote to memory of 4508	4332	{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe	109
PID 4332 wrote to memory of 4508	4332	{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe	109
PID 4332 wrote to memory of 4508	4332	{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe	109
PID 3436 wrote to memory of 2304	3436	{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe	111
PID 3436 wrote to memory of 2304	3436	{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe	111
PID 3436 wrote to memory of 2304	3436	{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe	111
PID 3436 wrote to memory of 3116	3436	{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe	110
PID 3436 wrote to memory of 3116	3436	{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe	110
PID 3436 wrote to memory of 3116	3436	{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe	110
PID 2304 wrote to memory of 2068	2304	{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe	114
PID 2304 wrote to memory of 2068	2304	{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe	114
PID 2304 wrote to memory of 2068	2304	{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe	114
PID 2304 wrote to memory of 2396	2304	{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe	113
PID 2304 wrote to memory of 2396	2304	{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe	113
PID 2304 wrote to memory of 2396	2304	{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe	113
PID 2068 wrote to memory of 3392	2068	{D12918DF-398F-4102-A08B-AEA173A049C4}.exe	116
PID 2068 wrote to memory of 3392	2068	{D12918DF-398F-4102-A08B-AEA173A049C4}.exe	116
PID 2068 wrote to memory of 3392	2068	{D12918DF-398F-4102-A08B-AEA173A049C4}.exe	116
PID 2068 wrote to memory of 4056	2068	{D12918DF-398F-4102-A08B-AEA173A049C4}.exe	115
PID 2068 wrote to memory of 4056	2068	{D12918DF-398F-4102-A08B-AEA173A049C4}.exe	115
PID 2068 wrote to memory of 4056	2068	{D12918DF-398F-4102-A08B-AEA173A049C4}.exe	115
PID 3392 wrote to memory of 4912	3392	{86C63944-F340-4a10-BDD8-5254F33569CB}.exe	118
PID 3392 wrote to memory of 4912	3392	{86C63944-F340-4a10-BDD8-5254F33569CB}.exe	118
PID 3392 wrote to memory of 4912	3392	{86C63944-F340-4a10-BDD8-5254F33569CB}.exe	118
PID 3392 wrote to memory of 4236	3392	{86C63944-F340-4a10-BDD8-5254F33569CB}.exe	119
PID 3392 wrote to memory of 4236	3392	{86C63944-F340-4a10-BDD8-5254F33569CB}.exe	119
PID 3392 wrote to memory of 4236	3392	{86C63944-F340-4a10-BDD8-5254F33569CB}.exe	119
PID 4912 wrote to memory of 2592	4912	{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe	128
PID 4912 wrote to memory of 2592	4912	{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe	128
PID 4912 wrote to memory of 2592	4912	{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe	128
PID 4912 wrote to memory of 1772	4912	{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe	127
PID 4912 wrote to memory of 1772	4912	{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe	127
PID 4912 wrote to memory of 1772	4912	{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-18_fccceb2d47639ed83a2a01f7b8ec3a6d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe
  C:\Windows\{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe
    C:\Windows\{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Windows\{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe
      C:\Windows\{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Windows\{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe
        
        C:\Windows\{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AB82~1.EXE > nul
        6⤵
        
        PID:3116
      - C:\Windows\{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe
        
        C:\Windows\{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF5EB~1.EXE > nul
        7⤵
        
        PID:2396
        
        C:\Windows\{D12918DF-398F-4102-A08B-AEA173A049C4}.exe
        
        C:\Windows\{D12918DF-398F-4102-A08B-AEA173A049C4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1291~1.EXE > nul
        8⤵
        
        PID:4056
        
        C:\Windows\{86C63944-F340-4a10-BDD8-5254F33569CB}.exe
        
        C:\Windows\{86C63944-F340-4a10-BDD8-5254F33569CB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe
        
        C:\Windows\{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D914~1.EXE > nul
        10⤵
        
        PID:1772
        
        C:\Windows\{9715EAFF-C89D-43cd-8B26-E21583A756CC}.exe
        
        C:\Windows\{9715EAFF-C89D-43cd-8B26-E21583A756CC}.exe
        10⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9715E~1.EXE > nul
        11⤵
        
        PID:2176
        
        C:\Windows\{E2D15923-4453-4be8-A9CE-D1CB454BF02D}.exe
        
        C:\Windows\{E2D15923-4453-4be8-A9CE-D1CB454BF02D}.exe
        11⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2D15~1.EXE > nul
        12⤵
        
        PID:448
        
        C:\Windows\{6003743A-1D76-447b-83FB-2C211E3FD721}.exe
        
        C:\Windows\{6003743A-1D76-447b-83FB-2C211E3FD721}.exe
        12⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60037~1.EXE > nul
        13⤵
        
        PID:4652
        
        C:\Windows\{746E1D9D-AE80-4563-9939-1024126C3254}.exe
        
        C:\Windows\{746E1D9D-AE80-4563-9939-1024126C3254}.exe
        13⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86C63~1.EXE > nul
        9⤵
        
        PID:4236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{581F6~1.EXE > nul
        5⤵
        
        PID:4508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CBDA2~1.EXE > nul
      4⤵
      PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{376F8~1.EXE > nul
    3⤵
    PID:4468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe

Filesize
140KB

MD5
d26e5a21db8f8e6a54bdccf6e1112f6d

SHA1
047e3ff4848653bbda8db151ff4c7b839d6f54ce

SHA256
4df42e8c8947ede718848207e72112737520a82fd9fc7fe04ceb384112632a85

SHA512
e0d9351b8108e4f48b677c0c09bff010b09994f46bcdc9611a3b7d07f1d23b5e2731e51286737a5bd182c19d0a3f59e67684df6a855263aaa7ec03aa53fa4c1a

Download Submit
C:\Windows\{0D91452B-1FBB-4f7f-8E23-105E70644F47}.exe

Filesize
197KB

MD5
b815c10f4f012abf212fa898378b449b

SHA1
5fb0644e622f4711ab343f0da2cf1e4799373ac5

SHA256
abadee0558244b19568f4404ca805cf1c06a29c53a32f113fd710d54458f5b4e

SHA512
4fe5ad1a2ba3bdde2c7674203783a9201518c63691b660fa3022c7a9c5dc063ffe97362e6dec1c882eee0db53e7fc1a63aeff084f4859503e55b3c28e102fd89

Download Submit
C:\Windows\{376F8B60-CBE5-443f-8152-5068E2D440E4}.exe

Filesize
197KB

MD5
165a7819387b65d4038c3820c72c8fa7

SHA1
422dd6b9c3b7dc995108a0361169a71e12e2344c

SHA256
74e52dda41919b517e7c86df7a85026faf8218249620f26f25fac7210f7a8ef3

SHA512
07dc81d90710ce1492ecc91dd8dd6d133d46e77a8f1d79430e3d1ad7d26aff3a4beda6ad72ee5c9a88b80fcbfef7d14c066d6ffef1d4acc0026705e8a8b9c4df

Download Submit
C:\Windows\{4AB82442-01D9-4e85-955E-4C11F3CAF17C}.exe

Filesize
197KB

MD5
ccd5548fee22afda20440a67450aad18

SHA1
255532b4553161034debbd9372d9c7168ec187d1

SHA256
3d19c23fa1051e80e9ccb2c52f8ac4507ef9af6bf0a46db694dbe911425d07fe

SHA512
9409516750ca475172f5019a5d1ebb0e49b951a3cab9d49d24a5f69d64d5910cb5c977b0552a0c2f009e5cd0b486b9d42fff5eb9fc2d0518b1022087a89d73e1

Download Submit
C:\Windows\{581F68E2-CBF7-4025-A7C1-F762FFC7F0D3}.exe

Filesize
197KB

MD5
2522eebbe7ae5540f46f74f3df7a9864

SHA1
fd0c579f73da0729c5e249de8128dcb819f8ddc2

SHA256
8cbeef0213bfcb1081dda69bce8c8a41237193dc54b9cc7a06572a9d4b3b3910

SHA512
b189063e0ef667377e478d711903b4d38802c6f6f7c5d6aed535d08ccd58453ce44ee2b4c55fc0fd9f625a327cb21384cdefcd4e9f354bddda053c5d2a29c467

Download Submit
C:\Windows\{6003743A-1D76-447b-83FB-2C211E3FD721}.exe

Filesize
92KB

MD5
e4c615b00683bd2346ecec84c0473ea8

SHA1
4815cf7d764581dd873776447392e46b263db2b8

SHA256
26182446a55e923403426c09dae0a8c6255ae00179f8cf79309918c3297f4c6f

SHA512
6c7799b123d14d7c58c0544ee2bf6d102e704fff0286d05ead7983f3d70d27c6ad5b1d7911585830d488f74af956a1f4481fe381ef6db1d62245634c2155a834

Download Submit
C:\Windows\{6003743A-1D76-447b-83FB-2C211E3FD721}.exe

Filesize
33KB

MD5
68a27b8ff60a3ebb92ed911b001a58b4

SHA1
6016299403f289576e461012a8a20727d04af947

SHA256
50f8228af148c9e43047946aa5aa4416e95fb43b073b514d99f0863b1cee5612

SHA512
36ca650c48dcdd44b217465ed49ea19494f2135cf56f4d89f84458eca32f4d61e9661c644ce0b11cc56b722274e685f97aaf0e68d9a10f5031985354127b7636

Download Submit
C:\Windows\{746E1D9D-AE80-4563-9939-1024126C3254}.exe

Filesize
50KB

MD5
b028ffbbfb91cfcd63a895da0caa0976

SHA1
4f9620450681afe5de5505322c033696dacfb131

SHA256
94428e1de4d9f6841e0738410f2698f7eb35e97fd46b39d6837d0697004c98b7

SHA512
a4678a5c2e2b534c737ddabfa2a39fef6070e897435066f0f94dc0598f84c39a824dfd564875e9f61dc31e7e68815a0aea436d09137fcacab4dd999891af6aa8

Download Submit
C:\Windows\{746E1D9D-AE80-4563-9939-1024126C3254}.exe

Filesize
87KB

MD5
ed534deed72eff7242f97e2f8e153306

SHA1
1491711dfd2a8b7c82186864b362d8257f15b56b

SHA256
66600c59367403da571b421fd03efe8d44af62ac902eea511548df36db0d7a72

SHA512
eaf68f67900dac0467cdcaa0230c77451350b8f0e9d2a114b482844388b427fdc202cd49eda74b8533ef82bacd527e59eb248d448907f921be820b3ce6e18a00

Download Submit
C:\Windows\{86C63944-F340-4a10-BDD8-5254F33569CB}.exe

Filesize
197KB

MD5
7c0d37a68fdcf770ab0e44e53c17f658

SHA1
680c78e4a30bfb62745abb3d08cf889cd54000f6

SHA256
4eceb7f8127bfeb941a0f47c699115e6b5a2df6125356376e116753192097ab9

SHA512
4730de5a57028b1d534d43964997488e253abc442391601e54a223e0210f5efe2288a607638461216881804453174d6023de996e9109c79c8491633b505f46c4

Download Submit
C:\Windows\{9715EAFF-C89D-43cd-8B26-E21583A756CC}.exe

Filesize
197KB

MD5
05416de6412a58a37ce1aed9a4e34710

SHA1
d3b52b1c790b37962a6ce828e0560139eb4a9103

SHA256
b17649ea9648cad4965bbfca41bdf6dacd2a9d51355c531839c760fa6a924448

SHA512
c73a11840fea4ac3c057c04a42db294bf46653b484b37a44790871ac810fb6eb6412f33009ed1f859dfdcc03faedcd5c73f1fbf52294c79a84506272f771389d

Download Submit
C:\Windows\{CBDA250B-A307-4ff9-8DE9-0F89322E97EF}.exe

Filesize
197KB

MD5
864dddbe8e280057963e9ecbe20e28f9

SHA1
057ba758d67fba6bd8f73173419f6b3733dacff9

SHA256
d88526e5cf020b1127651dd76297d285327786ba318beee05d1d259e39f1eb2e

SHA512
ecdc8d97c11b50a5e276ad5ca6d6705f43aba378459108f64c8992416377a5c26562795eb64874d3bd576e40fbdb227c892ed93fd8646b41224ad1b7306be06d

Download Submit
C:\Windows\{D12918DF-398F-4102-A08B-AEA173A049C4}.exe

Filesize
87KB

MD5
bfd54b613ce283469175a22202b8e4f4

SHA1
b3795e798671da9deac73d0a22432f167828ce5b

SHA256
a118cc6d59aac892f263c510f81f99d79469975b2ca1c5757dbf04288b506855

SHA512
0a6419c7ace0a7ac64a05f66595bc5095a0254b7bc937e1e754ea659439f35ffaaf4bcb90903aa80b8f300ae33ac82192e6de65313cb5b3453b3bbd7a42d0b37

Download Submit
C:\Windows\{D12918DF-398F-4102-A08B-AEA173A049C4}.exe

Filesize
98KB

MD5
5172553c16d3dc593970bef2fc815ee2

SHA1
78f21eea91ac8fb0178a5418dbfbac2fab3671ea

SHA256
d55d52e48a6df01b49fb8e45a0a92ea159466bb4350841176111eb222b83685d

SHA512
6063d17bf977100b2f77b74c49745f2c0255264acfe32c8f2a9724e1164ab4058acc715e37ef19a19ac4a0f5b50b744261de6a9c4014d00543369686f874425f

Download Submit
C:\Windows\{E2D15923-4453-4be8-A9CE-D1CB454BF02D}.exe

Filesize
197KB

MD5
5f6b34e00529064b8b9f3ceb5e5bfc26

SHA1
d78c02da19023419eabe51c66003ae9cc3c8a969

SHA256
5b6370b039bc92fd5f918cd66e8516e2399def4e45832b5f62b77bdff2778f37

SHA512
affc22c946c11c4b268d51a5c8461c841d82cce4cb2b32012e0c63c7a74bc28b90c905a1191651e64c17af496e6892061eed6c7bf4d670c938b24120027bc2bc

Download Submit
C:\Windows\{E2D15923-4453-4be8-A9CE-D1CB454BF02D}.exe

Filesize
93KB

MD5
47c08e1e5eb66490a6bfd180312e419f

SHA1
4076cc7794455ec51bee18688e63234cd78ac8ff

SHA256
1e36a6d744e12383c86aa05ff3cb0a16d0d13e5c3b177e73eaf495a51d8c0b4f

SHA512
01e66741793611e71c638009efbb0e47b7114bcb4e4a7ced33d6d4b885cab904074dd91eaa5461008abd53c2c8467128a39d4b0ecd589bf0f5fd7dba4b3ab536

Download Submit
C:\Windows\{EF5EB218-D207-4ac7-A2B4-F3700CEF76EB}.exe

Filesize
197KB

MD5
79510a28470dd58e4a507bbcb1393855

SHA1
a828fcdae0696425561bb536997f9fa9ce7b9378

SHA256
2cab9f92e5e11977423fe90d0f7c02165a281852919b94c383da7985765c7d80

SHA512
8bb16f2077912e52a411aa2762b6088d402508aa5af722d4867526946adf21cd0d74306e4ae7d082449d26afa3fee09061ce15886121efc8f9ba758da77bdb70

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads