221cbb00a218cdd563bf25595de47b32dfc39f8bec183d299c1e2e1cd4e46112

Analysis

max time kernel
157s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe
Size

380KB
MD5

8771833d4d5db9a5d508adb8d86836c7
SHA1

e449e4dcad8fb623db6cb632380c6bec17f58351
SHA256

221cbb00a218cdd563bf25595de47b32dfc39f8bec183d299c1e2e1cd4e46112
SHA512

26ac72a41e6956df6526b87ee2d4c064f9e23bfcfcbdeb61c713d600b9edab1c39c18080bfa576b3b510a8d2b02beac35daa17986ed64ac2fb35fd01d3006031
SSDEEP

3072:mEGh0oOlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGkl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000300000002276d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002313c-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023143-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002313c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023143-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}\stubpath = "C:\\Windows\\{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe"	{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}\stubpath = "C:\\Windows\\{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe"	{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}\stubpath = "C:\\Windows\\{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe"	{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD08570E-C971-497b-BA89-E227736D8933}	{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD08570E-C971-497b-BA89-E227736D8933}\stubpath = "C:\\Windows\\{FD08570E-C971-497b-BA89-E227736D8933}.exe"	{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{830C23F8-E875-432d-BE57-402098B77121}	2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{830C23F8-E875-432d-BE57-402098B77121}\stubpath = "C:\\Windows\\{830C23F8-E875-432d-BE57-402098B77121}.exe"	2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}	{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E02E8492-D1C5-41ac-9E56-851129C97905}\stubpath = "C:\\Windows\\{E02E8492-D1C5-41ac-9E56-851129C97905}.exe"	{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}\stubpath = "C:\\Windows\\{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe"	{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{948C8663-4F2F-4271-82A2-636F198BF1D8}\stubpath = "C:\\Windows\\{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe"	{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E02E8492-D1C5-41ac-9E56-851129C97905}	{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}	{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7C4FBED-C811-4088-8795-C54BA57C2CC9}	{830C23F8-E875-432d-BE57-402098B77121}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7C4FBED-C811-4088-8795-C54BA57C2CC9}\stubpath = "C:\\Windows\\{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe"	{830C23F8-E875-432d-BE57-402098B77121}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}	{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}	{FD08570E-C971-497b-BA89-E227736D8933}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}\stubpath = "C:\\Windows\\{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe"	{FD08570E-C971-497b-BA89-E227736D8933}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}\stubpath = "C:\\Windows\\{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe"	{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}	{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}	{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{948C8663-4F2F-4271-82A2-636F198BF1D8}	{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe

Executes dropped EXE 11 IoCs

pid	Process
3796	{830C23F8-E875-432d-BE57-402098B77121}.exe
1224	{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe
3356	{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe
1728	{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe
3820	{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe
3292	{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe
3740	{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe
4352	{FD08570E-C971-497b-BA89-E227736D8933}.exe
2960	{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe
4672	{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe
4592	{E02E8492-D1C5-41ac-9E56-851129C97905}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe	{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe
File created	C:\Windows\{FD08570E-C971-497b-BA89-E227736D8933}.exe	{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe
File created	C:\Windows\{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe	{FD08570E-C971-497b-BA89-E227736D8933}.exe
File created	C:\Windows\{E02E8492-D1C5-41ac-9E56-851129C97905}.exe	{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe
File created	C:\Windows\{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe	{830C23F8-E875-432d-BE57-402098B77121}.exe
File created	C:\Windows\{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe	{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe
File created	C:\Windows\{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe	{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe
File created	C:\Windows\{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe	{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe
File created	C:\Windows\{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe	{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe
File created	C:\Windows\{830C23F8-E875-432d-BE57-402098B77121}.exe	2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe
File created	C:\Windows\{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe	{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3688	2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3796	{830C23F8-E875-432d-BE57-402098B77121}.exe
Token: SeIncBasePriorityPrivilege	1224	{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe
Token: SeIncBasePriorityPrivilege	3356	{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe
Token: SeIncBasePriorityPrivilege	1728	{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe
Token: SeIncBasePriorityPrivilege	3820	{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe
Token: SeIncBasePriorityPrivilege	3292	{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe
Token: SeIncBasePriorityPrivilege	3740	{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe
Token: SeIncBasePriorityPrivilege	4352	{FD08570E-C971-497b-BA89-E227736D8933}.exe
Token: SeIncBasePriorityPrivilege	2960	{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe
Token: SeIncBasePriorityPrivilege	4672	{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 3796	3688	2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe	88
PID 3688 wrote to memory of 3796	3688	2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe	88
PID 3688 wrote to memory of 3796	3688	2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe	88
PID 3688 wrote to memory of 2924	3688	2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe	89
PID 3688 wrote to memory of 2924	3688	2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe	89
PID 3688 wrote to memory of 2924	3688	2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe	89
PID 3796 wrote to memory of 1224	3796	{830C23F8-E875-432d-BE57-402098B77121}.exe	96
PID 3796 wrote to memory of 1224	3796	{830C23F8-E875-432d-BE57-402098B77121}.exe	96
PID 3796 wrote to memory of 1224	3796	{830C23F8-E875-432d-BE57-402098B77121}.exe	96
PID 3796 wrote to memory of 4528	3796	{830C23F8-E875-432d-BE57-402098B77121}.exe	97
PID 3796 wrote to memory of 4528	3796	{830C23F8-E875-432d-BE57-402098B77121}.exe	97
PID 3796 wrote to memory of 4528	3796	{830C23F8-E875-432d-BE57-402098B77121}.exe	97
PID 1224 wrote to memory of 3356	1224	{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe	101
PID 1224 wrote to memory of 3356	1224	{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe	101
PID 1224 wrote to memory of 3356	1224	{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe	101
PID 1224 wrote to memory of 3624	1224	{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe	102
PID 1224 wrote to memory of 3624	1224	{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe	102
PID 1224 wrote to memory of 3624	1224	{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe	102
PID 3356 wrote to memory of 1728	3356	{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe	103
PID 3356 wrote to memory of 1728	3356	{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe	103
PID 3356 wrote to memory of 1728	3356	{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe	103
PID 3356 wrote to memory of 4840	3356	{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe	104
PID 3356 wrote to memory of 4840	3356	{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe	104
PID 3356 wrote to memory of 4840	3356	{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe	104
PID 1728 wrote to memory of 3820	1728	{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe	106
PID 1728 wrote to memory of 3820	1728	{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe	106
PID 1728 wrote to memory of 3820	1728	{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe	106
PID 1728 wrote to memory of 484	1728	{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe	105
PID 1728 wrote to memory of 484	1728	{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe	105
PID 1728 wrote to memory of 484	1728	{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe	105
PID 3820 wrote to memory of 3292	3820	{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe	107
PID 3820 wrote to memory of 3292	3820	{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe	107
PID 3820 wrote to memory of 3292	3820	{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe	107
PID 3820 wrote to memory of 4604	3820	{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe	108
PID 3820 wrote to memory of 4604	3820	{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe	108
PID 3820 wrote to memory of 4604	3820	{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe	108
PID 3292 wrote to memory of 3740	3292	{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe	109
PID 3292 wrote to memory of 3740	3292	{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe	109
PID 3292 wrote to memory of 3740	3292	{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe	109
PID 3292 wrote to memory of 1988	3292	{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe	110
PID 3292 wrote to memory of 1988	3292	{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe	110
PID 3292 wrote to memory of 1988	3292	{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe	110
PID 3740 wrote to memory of 4352	3740	{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe	111
PID 3740 wrote to memory of 4352	3740	{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe	111
PID 3740 wrote to memory of 4352	3740	{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe	111
PID 3740 wrote to memory of 2096	3740	{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe	112
PID 3740 wrote to memory of 2096	3740	{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe	112
PID 3740 wrote to memory of 2096	3740	{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe	112
PID 4352 wrote to memory of 2960	4352	{FD08570E-C971-497b-BA89-E227736D8933}.exe	113
PID 4352 wrote to memory of 2960	4352	{FD08570E-C971-497b-BA89-E227736D8933}.exe	113
PID 4352 wrote to memory of 2960	4352	{FD08570E-C971-497b-BA89-E227736D8933}.exe	113
PID 4352 wrote to memory of 4448	4352	{FD08570E-C971-497b-BA89-E227736D8933}.exe	114
PID 4352 wrote to memory of 4448	4352	{FD08570E-C971-497b-BA89-E227736D8933}.exe	114
PID 4352 wrote to memory of 4448	4352	{FD08570E-C971-497b-BA89-E227736D8933}.exe	114
PID 2960 wrote to memory of 4672	2960	{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe	115
PID 2960 wrote to memory of 4672	2960	{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe	115
PID 2960 wrote to memory of 4672	2960	{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe	115
PID 2960 wrote to memory of 1816	2960	{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe	116
PID 2960 wrote to memory of 1816	2960	{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe	116
PID 2960 wrote to memory of 1816	2960	{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe	116
PID 4672 wrote to memory of 4592	4672	{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe	117
PID 4672 wrote to memory of 4592	4672	{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe	117
PID 4672 wrote to memory of 4592	4672	{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe	117
PID 4672 wrote to memory of 2264	4672	{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_8771833d4d5db9a5d508adb8d86836c7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\{830C23F8-E875-432d-BE57-402098B77121}.exe
  C:\Windows\{830C23F8-E875-432d-BE57-402098B77121}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe
    C:\Windows\{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe
      C:\Windows\{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Windows\{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe
        
        C:\Windows\{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AFB8~1.EXE > nul
        6⤵
        
        PID:484
      - C:\Windows\{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe
        
        C:\Windows\{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe
        
        C:\Windows\{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe
        
        C:\Windows\{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\{FD08570E-C971-497b-BA89-E227736D8933}.exe
        
        C:\Windows\{FD08570E-C971-497b-BA89-E227736D8933}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe
        
        C:\Windows\{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe
        
        C:\Windows\{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\{E02E8492-D1C5-41ac-9E56-851129C97905}.exe
        
        C:\Windows\{E02E8492-D1C5-41ac-9E56-851129C97905}.exe
        12⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2334~1.EXE > nul
        12⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BBC2~1.EXE > nul
        11⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD085~1.EXE > nul
        10⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CC77~1.EXE > nul
        9⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{948C8~1.EXE > nul
        8⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92473~1.EXE > nul
        7⤵
        
        PID:4604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B5CA~1.EXE > nul
        5⤵
        
        PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E7C4F~1.EXE > nul
      4⤵
      PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{830C2~1.EXE > nul
    3⤵
    PID:4528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4AFB8CA7-54A7-47fa-B97F-C3E219E55724}.exe

Filesize
380KB

MD5
ea90c7b742656b8fb5e32295d50c8807

SHA1
7fc4d71121e8efea8c6810c4bfd0b158eea5219b

SHA256
9fa6413334673cc054be3c2c5577204a5c7f43408dc46ad5acb208a96975d1a5

SHA512
127917b9c45a51d42c16b763e4ff09083dc18c58118aa1419a1e17025ae510b1aedfcb7071c398dc26139e28d97901261ce8f782b814537874397972a0d0dde3

Download Submit
C:\Windows\{5CC77FFA-7DFC-492b-BD9F-B3302EA4548E}.exe

Filesize
380KB

MD5
f74969fed343007af12faedbed381081

SHA1
d4b74548bb884ede7e0eb963ef48319c23f2dcc3

SHA256
620b139d88331433860c8e5e1fd2b7659e9d92454947915ca38a1fc689136002

SHA512
98def31b1313f1c460e3d7d13d5917cd324fef989e3fbe1a3ddb1bdb90a4d74f244b105577e855a5448fba9573c43139dad427295818d096ce5246b96315694d

Download Submit
C:\Windows\{7B5CAFEC-58D0-4f2d-ADF2-8CC9BD6FAB66}.exe

Filesize
380KB

MD5
f26d59826782239e7baa9544ec066889

SHA1
f375178cd18449e3034d473605700662343e668a

SHA256
45514ed71fccc53511b9696bdc19a4421f820dfd5b5b70cd2d884de2d17c45b8

SHA512
aab49bd642fe76f07aa858e8d7713822aad0ae18e2d09072f2ec119870f567be31e308ae69e83c7bef53d4c645e229c8badb005520e7843594c11f9d8236bedf

Download Submit
C:\Windows\{830C23F8-E875-432d-BE57-402098B77121}.exe

Filesize
380KB

MD5
6061bf6bd06a60b815a3d4144b79049e

SHA1
97ef2b46cd623f3f1460ea0b2d0842f862244c9c

SHA256
b941fa4e83b03b7c5dc9b53d19554c5b1a60dae298b96aebfec2ad8e18cdbee7

SHA512
8566bd0f9012edca7de9f21e84ff12ea1a2008d6754884b21b9ceff28aa617a3282d3f583a63ddf885a735f574d65068c7508c98516c74ad6cbdb2e87d0009c1

Download Submit
C:\Windows\{9247367C-79CE-47d6-9DDB-25A09E5BAEB8}.exe

Filesize
380KB

MD5
3a8d015f2d34fe7859ff38914dfdbd31

SHA1
2fd855fed0006b5b2aa17b8d73a9514461409ff8

SHA256
ab7cc9891928d0ec7c0bc3758d8f48620e1b76b2dea9b6d082205df41ace5a2f

SHA512
5cb916512928d73adcd5fb96502ef17382b5588eec05e24f02a65d0cc7613097bcc4633f7a63e70c59682f2a16c3739bde7128bb7e33c5e8babb2600bab8a374

Download Submit
C:\Windows\{948C8663-4F2F-4271-82A2-636F198BF1D8}.exe

Filesize
380KB

MD5
6aa86b488440ac50c807cc702bbb9d16

SHA1
fc9a0af36469403bbecf490eff5ca1d5a9aab350

SHA256
67883f0fbf2158bf465ff26729be38d61f14c42d0d21888229ba7558f8aeb74f

SHA512
f813b60b88151bddbc5854320d90fa18e6f1a0f8682a19c85a97d9f333cfbffa47f68199c18a87b51d3e52a2d69053f6f0cf9ce9caebe2ee9c3d809c7ed6a653

Download Submit
C:\Windows\{9BBC2C96-8A1D-4eb9-A4DC-82AABC19CE6E}.exe

Filesize
380KB

MD5
74af4caa7cc1168ebce908e17cfee475

SHA1
64aa16105b925875895845e5625fce9856ef7560

SHA256
891b23bed8010b667601a376fb0e81d2bc8ed806e5bb492a5370f1b690968341

SHA512
be095f04b8a7166dcf702833a8da1f627b2560e8a1becf0f37da9890c625d31e2550c6f8041ca76af15ae2a01ba471627c5fdc2f33a9992d5c9472b27ff9dda0

Download Submit
C:\Windows\{B2334B7A-5CCF-4b05-8303-54E2C2B70ACB}.exe

Filesize
380KB

MD5
7eba19fa35df422c1c4cb79c1093c618

SHA1
373a849e93629a0c7faf4a845d94e6decfa91c80

SHA256
85581e7dab7e89bd3c77d949730a66ef8761e6c92e3e36241959819db49064a9

SHA512
99ea328f9dc2875d3f06c119e9eaa160a5e8c490249116bb3d65454f0cd4b2f870b44da247caa6a27abdf934926c75e2a541aee8ef8c1c3dd47fd23e2bdae1cc

Download Submit
C:\Windows\{E02E8492-D1C5-41ac-9E56-851129C97905}.exe

Filesize
380KB

MD5
0a97fb7f93ceb743c4d56d5a2ce216b2

SHA1
8a5dbe65bc91a2cdc576a2a36a582d6f3603f221

SHA256
0a31ab4600a069ae936cd58fb6aec0fbb25d8accc1fa8bfbc5dfa541e67fd6ed

SHA512
a4890211d410df5d9c9b8ccc0b1ea1189616c6e277f6807883ef9813d289b0daba70a9ce0847497d1f94a7ef300a0be75de73bbc1f17d473e2e3ff8a1d3f2b2b

Download Submit
C:\Windows\{E7C4FBED-C811-4088-8795-C54BA57C2CC9}.exe

Filesize
380KB

MD5
ceb2658b50c1a9115c132fedf02d86c8

SHA1
b6ee22f1dfc20fe5830cf7536112217795b76e1c

SHA256
4189ac65b1e14241e0f94492c9900b9d5b5d152e53b37ae73b3077cfa800c873

SHA512
01bde9077ea3a7498c0529391286c08f779015d7c07cd2388f9c80f481a2256d51bd1bf21872c2d17f99b367104a1c6fa651954268dfde1cdb92739d0986cdba

Download Submit
C:\Windows\{FD08570E-C971-497b-BA89-E227736D8933}.exe

Filesize
380KB

MD5
852e63426e17ea78d580fd87d837b59e

SHA1
6520172b0c6debbd57471cc1eccc34d5dae1623e

SHA256
8e596b59320480de73419444c25e6cd44fce6ab864ece5d06f4d2c79a9f646fa

SHA512
018a9be96e828f46bc6aeb937d353858b7a6b820e82a76ecff6147e40ecf7616f23decdd4a57f80a16f8d11b62c518509ae190ed1dc1e5e39fe491779d5f3605

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads