6e2c4eeec4d859eeccaaaac5b14f818a82d80585bc2d0436093a36a62ab6ebe0

Analysis

max time kernel
157s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
Size

380KB
MD5

cda6422a7356a40ac2e60140dac6b5be
SHA1

61694d817e90b3fbe4a223f2e4487ec11d4c6d9a
SHA256

6e2c4eeec4d859eeccaaaac5b14f818a82d80585bc2d0436093a36a62ab6ebe0
SHA512

70e515599a8ca9c7ea5403059b689db00da0ca844102aabb0185a65fc4455551cd80a3d92b791c8c9b8706871995266ed1015e93c0596ae8425b7a0ab19411cb
SSDEEP

3072:mEGh0oXlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGpl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023100-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023105-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023107-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002310b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023114-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{311F411D-FCB7-4e9c-BE52-8855ECD024F2}	{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}\stubpath = "C:\\Windows\\{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe"	{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9B774CF-10EA-403e-BAE3-49199E329047}	{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13C98F1A-41C2-40ee-ABE4-06559184C8BF}\stubpath = "C:\\Windows\\{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe"	{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}\stubpath = "C:\\Windows\\{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe"	{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14F1AC24-C7F2-48e2-89B4-3CA7AA31B87B}	{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A223E1F5-5158-46e5-BD80-856EC9F794AF}\stubpath = "C:\\Windows\\{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe"	{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}	{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B315B9-72DA-416e-B650-46A65DF0CF53}	{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35B315B9-72DA-416e-B650-46A65DF0CF53}\stubpath = "C:\\Windows\\{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe"	{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13C98F1A-41C2-40ee-ABE4-06559184C8BF}	{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}	{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14F1AC24-C7F2-48e2-89B4-3CA7AA31B87B}\stubpath = "C:\\Windows\\{14F1AC24-C7F2-48e2-89B4-3CA7AA31B87B}.exe"	{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{311F411D-FCB7-4e9c-BE52-8855ECD024F2}\stubpath = "C:\\Windows\\{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe"	{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}\stubpath = "C:\\Windows\\{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe"	{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9B774CF-10EA-403e-BAE3-49199E329047}\stubpath = "C:\\Windows\\{F9B774CF-10EA-403e-BAE3-49199E329047}.exe"	{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9806BFA-3D28-4c8e-95A6-42460A9BA025}	{F9B774CF-10EA-403e-BAE3-49199E329047}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}\stubpath = "C:\\Windows\\{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe"	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A223E1F5-5158-46e5-BD80-856EC9F794AF}	{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9806BFA-3D28-4c8e-95A6-42460A9BA025}\stubpath = "C:\\Windows\\{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe"	{F9B774CF-10EA-403e-BAE3-49199E329047}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}	{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe

Executes dropped EXE 11 IoCs

pid	Process
1752	{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe
4564	{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe
4112	{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe
1540	{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe
3488	{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe
3176	{F9B774CF-10EA-403e-BAE3-49199E329047}.exe
624	{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe
668	{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe
1680	{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe
3880	{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe
3408	{14F1AC24-C7F2-48e2-89B4-3CA7AA31B87B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe	{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe
File created	C:\Windows\{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe	{F9B774CF-10EA-403e-BAE3-49199E329047}.exe
File created	C:\Windows\{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe	{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe
File created	C:\Windows\{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe	{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe
File created	C:\Windows\{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe	{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe
File created	C:\Windows\{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe	{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe
File created	C:\Windows\{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe	{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe
File created	C:\Windows\{F9B774CF-10EA-403e-BAE3-49199E329047}.exe	{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe
File created	C:\Windows\{14F1AC24-C7F2-48e2-89B4-3CA7AA31B87B}.exe	{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe
File created	C:\Windows\{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
File created	C:\Windows\{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe	{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1840	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1752	{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe
Token: SeIncBasePriorityPrivilege	4564	{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe
Token: SeIncBasePriorityPrivilege	4112	{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe
Token: SeIncBasePriorityPrivilege	1540	{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe
Token: SeIncBasePriorityPrivilege	3488	{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe
Token: SeIncBasePriorityPrivilege	3176	{F9B774CF-10EA-403e-BAE3-49199E329047}.exe
Token: SeIncBasePriorityPrivilege	624	{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe
Token: SeIncBasePriorityPrivilege	668	{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe
Token: SeIncBasePriorityPrivilege	1680	{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe
Token: SeIncBasePriorityPrivilege	3880	{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1752	1840	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	90
PID 1840 wrote to memory of 1752	1840	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	90
PID 1840 wrote to memory of 1752	1840	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	90
PID 1840 wrote to memory of 2536	1840	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	91
PID 1840 wrote to memory of 2536	1840	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	91
PID 1840 wrote to memory of 2536	1840	2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe	91
PID 1752 wrote to memory of 4564	1752	{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe	92
PID 1752 wrote to memory of 4564	1752	{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe	92
PID 1752 wrote to memory of 4564	1752	{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe	92
PID 1752 wrote to memory of 3924	1752	{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe	93
PID 1752 wrote to memory of 3924	1752	{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe	93
PID 1752 wrote to memory of 3924	1752	{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe	93
PID 4564 wrote to memory of 4112	4564	{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe	95
PID 4564 wrote to memory of 4112	4564	{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe	95
PID 4564 wrote to memory of 4112	4564	{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe	95
PID 4564 wrote to memory of 5040	4564	{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe	94
PID 4564 wrote to memory of 5040	4564	{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe	94
PID 4564 wrote to memory of 5040	4564	{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe	94
PID 4112 wrote to memory of 1540	4112	{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe	102
PID 4112 wrote to memory of 1540	4112	{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe	102
PID 4112 wrote to memory of 1540	4112	{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe	102
PID 4112 wrote to memory of 4736	4112	{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe	103
PID 4112 wrote to memory of 4736	4112	{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe	103
PID 4112 wrote to memory of 4736	4112	{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe	103
PID 1540 wrote to memory of 3488	1540	{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe	105
PID 1540 wrote to memory of 3488	1540	{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe	105
PID 1540 wrote to memory of 3488	1540	{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe	105
PID 1540 wrote to memory of 4116	1540	{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe	106
PID 1540 wrote to memory of 4116	1540	{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe	106
PID 1540 wrote to memory of 4116	1540	{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe	106
PID 3488 wrote to memory of 3176	3488	{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe	107
PID 3488 wrote to memory of 3176	3488	{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe	107
PID 3488 wrote to memory of 3176	3488	{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe	107
PID 3488 wrote to memory of 4756	3488	{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe	108
PID 3488 wrote to memory of 4756	3488	{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe	108
PID 3488 wrote to memory of 4756	3488	{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe	108
PID 3176 wrote to memory of 624	3176	{F9B774CF-10EA-403e-BAE3-49199E329047}.exe	109
PID 3176 wrote to memory of 624	3176	{F9B774CF-10EA-403e-BAE3-49199E329047}.exe	109
PID 3176 wrote to memory of 624	3176	{F9B774CF-10EA-403e-BAE3-49199E329047}.exe	109
PID 3176 wrote to memory of 1128	3176	{F9B774CF-10EA-403e-BAE3-49199E329047}.exe	110
PID 3176 wrote to memory of 1128	3176	{F9B774CF-10EA-403e-BAE3-49199E329047}.exe	110
PID 3176 wrote to memory of 1128	3176	{F9B774CF-10EA-403e-BAE3-49199E329047}.exe	110
PID 624 wrote to memory of 668	624	{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe	111
PID 624 wrote to memory of 668	624	{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe	111
PID 624 wrote to memory of 668	624	{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe	111
PID 624 wrote to memory of 4472	624	{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe	112
PID 624 wrote to memory of 4472	624	{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe	112
PID 624 wrote to memory of 4472	624	{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe	112
PID 668 wrote to memory of 1680	668	{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe	113
PID 668 wrote to memory of 1680	668	{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe	113
PID 668 wrote to memory of 1680	668	{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe	113
PID 668 wrote to memory of 1688	668	{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe	114
PID 668 wrote to memory of 1688	668	{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe	114
PID 668 wrote to memory of 1688	668	{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe	114
PID 1680 wrote to memory of 3880	1680	{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe	115
PID 1680 wrote to memory of 3880	1680	{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe	115
PID 1680 wrote to memory of 3880	1680	{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe	115
PID 1680 wrote to memory of 3388	1680	{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe	116
PID 1680 wrote to memory of 3388	1680	{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe	116
PID 1680 wrote to memory of 3388	1680	{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe	116
PID 3880 wrote to memory of 3408	3880	{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe	117
PID 3880 wrote to memory of 3408	3880	{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe	117
PID 3880 wrote to memory of 3408	3880	{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe	117
PID 3880 wrote to memory of 4748	3880	{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_cda6422a7356a40ac2e60140dac6b5be_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe
  C:\Windows\{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe
    C:\Windows\{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A223E~1.EXE > nul
      4⤵
      PID:5040
  - - C:\Windows\{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe
      C:\Windows\{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe
        
        C:\Windows\{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe
        
        C:\Windows\{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\{F9B774CF-10EA-403e-BAE3-49199E329047}.exe
        
        C:\Windows\{F9B774CF-10EA-403e-BAE3-49199E329047}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe
        
        C:\Windows\{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe
        
        C:\Windows\{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe
        
        C:\Windows\{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe
        
        C:\Windows\{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\{14F1AC24-C7F2-48e2-89B4-3CA7AA31B87B}.exe
        
        C:\Windows\{14F1AC24-C7F2-48e2-89B4-3CA7AA31B87B}.exe
        12⤵
        Executes dropped EXE
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F28B1~1.EXE > nul
        12⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D2B0~1.EXE > nul
        11⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13C98~1.EXE > nul
        10⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9806~1.EXE > nul
        9⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9B77~1.EXE > nul
        8⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35B31~1.EXE > nul
        7⤵
        
        PID:4756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1CAA~1.EXE > nul
        6⤵
        
        PID:4116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{311F4~1.EXE > nul
        5⤵
        
        PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{93FCD~1.EXE > nul
    3⤵
    PID:3924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13C98F1A-41C2-40ee-ABE4-06559184C8BF}.exe

Filesize
380KB

MD5
0b3c4e46c85877339e03a119b0e00f7a

SHA1
66d4364e4aaa925decc707f48145742ba650f432

SHA256
7eff44c74f7fc872bedd4d35ceee047450ff2ade104c6c717c26e48b162241d1

SHA512
320ac9adf6c8878346f9922027aff5d420ee4e2460272f22fec436ca156eb3957b6429ab01acd75397b220a48b7eb0b46e4bde58038c7768795af2389fd73333

Download Submit
C:\Windows\{14F1AC24-C7F2-48e2-89B4-3CA7AA31B87B}.exe

Filesize
380KB

MD5
56d0d02cec5969ceb2cece2f8a2d6473

SHA1
b7b5d53fff46ce5f5ff10ca7772fa884bc49e44d

SHA256
d45f7bb4b49d89ee7d76b9a582aae5192a0338d1de8b7b760ad96e17ee3a9e3a

SHA512
e44e61a0554290a756003c2ae25b93618cb86eeab9e2681043cc91aa3ce72534ac89928a4cdfe3f9a3cedc930073e0693922b781bfcde3f6962b0af3c4c4e39c

Download Submit
C:\Windows\{311F411D-FCB7-4e9c-BE52-8855ECD024F2}.exe

Filesize
380KB

MD5
9410524ff37f34273cc71bb053e5ca2f

SHA1
eefe1e945bec3a64443d3aa53317dc4a0f564f79

SHA256
8685fecefd3537ccfe126664d3b54006d0e6a824865f39649843b3a657006144

SHA512
1179b0dab877fefd1be39639044e8e5ceae69a6d250b14c0735db8f08eab15cd37fbeffa2dc04ef16681d25514bf5fff5172e439a78af776c42619c1329d5c9d

Download Submit
C:\Windows\{35B315B9-72DA-416e-B650-46A65DF0CF53}.exe

Filesize
380KB

MD5
81107e9b95325410c801aba85ef046b6

SHA1
4518d5214b11def2a33592e7418299c9fef061a8

SHA256
a3447728c9111113c74d98340f832cb657903959e3281db669509c830a4db8ac

SHA512
1cb0e9126856b3a0ed6a6494ce2ced8447d5c116fc5c57c890972802f9295ef515a0b7d9b54c72c71614378019d5b252f98a3da0449c175689add7d9c500c157

Download Submit
C:\Windows\{7D2B0F04-F33C-4567-ADAA-7BAEA817F010}.exe

Filesize
380KB

MD5
e404c6ac4cd9c332f1ddd283d06d16ed

SHA1
337e2cda5767ccd276a262505f44d0f188583f5c

SHA256
783c79a2690e5b2f9db352e996a255cb141d56bc7c2812e942e7cb8da526b7ef

SHA512
30c567c43395c5d6a0ff61daf20064208cfa8e2b37204cdd36aee5f3a5941a6447ff6362179e9c660fd8cbce4faa6b2d7820815646334bc8de6c81fbdf8e023a

Download Submit
C:\Windows\{93FCD70C-D8F8-44e0-9FC9-D68FD1FA74ED}.exe

Filesize
380KB

MD5
895f02cfaeb0fa5f55b42ca9562f4e1f

SHA1
c3f46d6b67dc7c70f5eb90eee21a1c3816eafab7

SHA256
86a876f6dfd742b333e86d4b091e358c642c004f04f7b29a43d9e67efc116846

SHA512
95075ac230477ec7f24a09809bcf37a68f97505db22ed526b97804208640c6f155e7ce9121c92e6c12cd2e302a1d8b1a64e0d36c5b3acbfe4ac16d3b4c2fca1f

Download Submit
C:\Windows\{A223E1F5-5158-46e5-BD80-856EC9F794AF}.exe

Filesize
380KB

MD5
bc8647254137bff1afd981be6f45466b

SHA1
510c3659a0b4dfad99f1cf8dce1e73c3713d7202

SHA256
4cc125f06129749a020658199e86cb3fcaf744091ee530669e506588005db076

SHA512
979eba274c4fb50febca9f4c62fd930051dfa92e467f91b564796ebc01365e7c3416d663964eef6d506b37af3cb3fa721abfe6f4238beff0890a01562e43fa81

Download Submit
C:\Windows\{B9806BFA-3D28-4c8e-95A6-42460A9BA025}.exe

Filesize
380KB

MD5
2c1f258a9089ddd02d5fe14cd6832f86

SHA1
728d1020cebd8ba2da7fb7984816786527abbbba

SHA256
fb2aa43fa9b4845e5e10f67d5acee47dd53b6e1c5e21263be368c9863dca85ef

SHA512
840733820d785e911a750a48af859dbfcf9e38d071dee3911822c943a7aabe0bf933895944bf9f1c09dfcf7fa38c7605675d3cd7bad3c61af04fb428d77e631d

Download Submit
C:\Windows\{C1CAAF36-FFE6-4c4b-9810-2526393FB8F3}.exe

Filesize
380KB

MD5
88d0d0a377b52dfd56b04e747072881f

SHA1
07ddebcc056b8fb65e0b24aea71e19de473b03c8

SHA256
e56a077311acadaa208b24fa04e7f44aab9852531568c9f007f4b130a07f4860

SHA512
be91d6e3934199b9ee5747326fee66828c2a68e8b9dfc6478e7cfd30c590055a5d531ba00bb148fdff5905864b45d47f10442c8df766c749d52051da22756ada

Download Submit
C:\Windows\{F28B12FE-B9F5-4b15-A1EF-B4EF2C22A76E}.exe

Filesize
380KB

MD5
4f3352ba9250804bbe09fa973d062520

SHA1
0ecb8e8e8a1cd4a25d27ffb11b6cd4eecf383f36

SHA256
394f8ad7c997bca339f8b8d6bb78d3e5cc492a0c2fdc80577546370b7a9380eb

SHA512
40938569876594713fe9873757b448de3f17d84bed027f5ed4895ecf0c39183ab3b0f8906dd847e5aaded82cd64ad2fd888bd508540500c225012419ba891839

Download Submit
C:\Windows\{F9B774CF-10EA-403e-BAE3-49199E329047}.exe

Filesize
380KB

MD5
868111f0ca53401acbee77e16d00ddc5

SHA1
dbc9dae93f107c50da4f64da7201c4a4d6a3e9c7

SHA256
d45c342ca72a7eca8399fddafc46a3b6ddd5274e6b9b021c4b3011a5478f03c2

SHA512
4dc56434d481bfe25f3d50290b53eda5b451bd8cf39117905b658ee2ea34d5dcae2f9cbbedaba75560ea4a0fbd87ac587daeb97dabbc3b97c142ea38bb82a465

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads