0b1a9425274d717d5cd5029747cb31d414be5e1e73b25c397e6e63fa3c5899cd

Analysis

max time kernel
149s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe
Size

197KB
MD5

54b75c41945967a4351185745e053f43
SHA1

d0ee100ca1b87e7176c927891fa9f4a5835dd6eb
SHA256

0b1a9425274d717d5cd5029747cb31d414be5e1e73b25c397e6e63fa3c5899cd
SHA512

16be7bdd37b31fc7bb8d45e00922a7ae6d178b115f734c7b90be88ec886d138b5bddfa058440347f6df1071442117e1943cd7a465d28beb0548418e1f4c080f4
SSDEEP

3072:jEGh0oll+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGblEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e479-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001800000001e590-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e819-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001900000001e590-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e819-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001a00000001e590-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e819-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000735-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000737-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000735-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000737-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000735-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF88AF89-143D-42d0-B691-65EC90985558}\stubpath = "C:\\Windows\\{EF88AF89-143D-42d0-B691-65EC90985558}.exe"	{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}	{EF88AF89-143D-42d0-B691-65EC90985558}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{755AA7A9-A50F-4a6d-9813-F3A040F063C8}	{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94678770-59A0-4157-B883-23DE88933E88}	{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{388995B2-A108-48b2-89EA-C3408CDC58C0}	{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AE22681-0901-4d92-A488-64AAE55B705F}\stubpath = "C:\\Windows\\{1AE22681-0901-4d92-A488-64AAE55B705F}.exe"	{BF35F6BE-FD07-44cc-8AA9-74DD12BDB6E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF88AF89-143D-42d0-B691-65EC90985558}	{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}\stubpath = "C:\\Windows\\{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe"	{EF88AF89-143D-42d0-B691-65EC90985558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD76A1EF-03CA-4284-A109-30A3055078B3}\stubpath = "C:\\Windows\\{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe"	{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}	{94678770-59A0-4157-B883-23DE88933E88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF35F6BE-FD07-44cc-8AA9-74DD12BDB6E1}	{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AE22681-0901-4d92-A488-64AAE55B705F}	{BF35F6BE-FD07-44cc-8AA9-74DD12BDB6E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}	2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}\stubpath = "C:\\Windows\\{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe"	{94678770-59A0-4157-B883-23DE88933E88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{659864B1-3F7A-4920-A760-357AFBF562BC}	{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{659864B1-3F7A-4920-A760-357AFBF562BC}\stubpath = "C:\\Windows\\{659864B1-3F7A-4920-A760-357AFBF562BC}.exe"	{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D05DC3EF-80FA-4dd2-9413-843601C376F6}	{659864B1-3F7A-4920-A760-357AFBF562BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{388995B2-A108-48b2-89EA-C3408CDC58C0}\stubpath = "C:\\Windows\\{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe"	{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF35F6BE-FD07-44cc-8AA9-74DD12BDB6E1}\stubpath = "C:\\Windows\\{BF35F6BE-FD07-44cc-8AA9-74DD12BDB6E1}.exe"	{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD76A1EF-03CA-4284-A109-30A3055078B3}	{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{755AA7A9-A50F-4a6d-9813-F3A040F063C8}\stubpath = "C:\\Windows\\{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe"	{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94678770-59A0-4157-B883-23DE88933E88}\stubpath = "C:\\Windows\\{94678770-59A0-4157-B883-23DE88933E88}.exe"	{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D05DC3EF-80FA-4dd2-9413-843601C376F6}\stubpath = "C:\\Windows\\{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe"	{659864B1-3F7A-4920-A760-357AFBF562BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}\stubpath = "C:\\Windows\\{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe"	2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
2448	{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe
3900	{EF88AF89-143D-42d0-B691-65EC90985558}.exe
3512	{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe
1528	{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe
5084	{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe
4260	{94678770-59A0-4157-B883-23DE88933E88}.exe
628	{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe
4312	{659864B1-3F7A-4920-A760-357AFBF562BC}.exe
4512	{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe
2596	{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe
728	{BF35F6BE-FD07-44cc-8AA9-74DD12BDB6E1}.exe
2016	{1AE22681-0901-4d92-A488-64AAE55B705F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe	{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe
File created	C:\Windows\{1AE22681-0901-4d92-A488-64AAE55B705F}.exe	{BF35F6BE-FD07-44cc-8AA9-74DD12BDB6E1}.exe
File created	C:\Windows\{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe	2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe
File created	C:\Windows\{94678770-59A0-4157-B883-23DE88933E88}.exe	{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe
File created	C:\Windows\{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe	{659864B1-3F7A-4920-A760-357AFBF562BC}.exe
File created	C:\Windows\{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe	{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe
File created	C:\Windows\{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe	{94678770-59A0-4157-B883-23DE88933E88}.exe
File created	C:\Windows\{659864B1-3F7A-4920-A760-357AFBF562BC}.exe	{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe
File created	C:\Windows\{BF35F6BE-FD07-44cc-8AA9-74DD12BDB6E1}.exe	{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe
File created	C:\Windows\{EF88AF89-143D-42d0-B691-65EC90985558}.exe	{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe
File created	C:\Windows\{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe	{EF88AF89-143D-42d0-B691-65EC90985558}.exe
File created	C:\Windows\{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe	{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1040	2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2448	{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe
Token: SeIncBasePriorityPrivilege	3900	{EF88AF89-143D-42d0-B691-65EC90985558}.exe
Token: SeIncBasePriorityPrivilege	3512	{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe
Token: SeIncBasePriorityPrivilege	1528	{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe
Token: SeIncBasePriorityPrivilege	5084	{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe
Token: SeIncBasePriorityPrivilege	4260	{94678770-59A0-4157-B883-23DE88933E88}.exe
Token: SeIncBasePriorityPrivilege	628	{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe
Token: SeIncBasePriorityPrivilege	4312	{659864B1-3F7A-4920-A760-357AFBF562BC}.exe
Token: SeIncBasePriorityPrivilege	4512	{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe
Token: SeIncBasePriorityPrivilege	2596	{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe
Token: SeIncBasePriorityPrivilege	728	{BF35F6BE-FD07-44cc-8AA9-74DD12BDB6E1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2448	1040	2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe	100
PID 1040 wrote to memory of 2448	1040	2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe	100
PID 1040 wrote to memory of 2448	1040	2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe	100
PID 1040 wrote to memory of 1048	1040	2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe	99
PID 1040 wrote to memory of 1048	1040	2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe	99
PID 1040 wrote to memory of 1048	1040	2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe	99
PID 2448 wrote to memory of 3900	2448	{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe	101
PID 2448 wrote to memory of 3900	2448	{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe	101
PID 2448 wrote to memory of 3900	2448	{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe	101
PID 2448 wrote to memory of 4740	2448	{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe	102
PID 2448 wrote to memory of 4740	2448	{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe	102
PID 2448 wrote to memory of 4740	2448	{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe	102
PID 3900 wrote to memory of 3512	3900	{EF88AF89-143D-42d0-B691-65EC90985558}.exe	106
PID 3900 wrote to memory of 3512	3900	{EF88AF89-143D-42d0-B691-65EC90985558}.exe	106
PID 3900 wrote to memory of 3512	3900	{EF88AF89-143D-42d0-B691-65EC90985558}.exe	106
PID 3900 wrote to memory of 2524	3900	{EF88AF89-143D-42d0-B691-65EC90985558}.exe	105
PID 3900 wrote to memory of 2524	3900	{EF88AF89-143D-42d0-B691-65EC90985558}.exe	105
PID 3900 wrote to memory of 2524	3900	{EF88AF89-143D-42d0-B691-65EC90985558}.exe	105
PID 3512 wrote to memory of 1528	3512	{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe	107
PID 3512 wrote to memory of 1528	3512	{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe	107
PID 3512 wrote to memory of 1528	3512	{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe	107
PID 3512 wrote to memory of 3188	3512	{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe	108
PID 3512 wrote to memory of 3188	3512	{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe	108
PID 3512 wrote to memory of 3188	3512	{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe	108
PID 1528 wrote to memory of 5084	1528	{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe	110
PID 1528 wrote to memory of 5084	1528	{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe	110
PID 1528 wrote to memory of 5084	1528	{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe	110
PID 1528 wrote to memory of 2460	1528	{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe	109
PID 1528 wrote to memory of 2460	1528	{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe	109
PID 1528 wrote to memory of 2460	1528	{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe	109
PID 5084 wrote to memory of 4260	5084	{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe	111
PID 5084 wrote to memory of 4260	5084	{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe	111
PID 5084 wrote to memory of 4260	5084	{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe	111
PID 5084 wrote to memory of 4280	5084	{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe	112
PID 5084 wrote to memory of 4280	5084	{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe	112
PID 5084 wrote to memory of 4280	5084	{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe	112
PID 4260 wrote to memory of 628	4260	{94678770-59A0-4157-B883-23DE88933E88}.exe	113
PID 4260 wrote to memory of 628	4260	{94678770-59A0-4157-B883-23DE88933E88}.exe	113
PID 4260 wrote to memory of 628	4260	{94678770-59A0-4157-B883-23DE88933E88}.exe	113
PID 4260 wrote to memory of 4832	4260	{94678770-59A0-4157-B883-23DE88933E88}.exe	114
PID 4260 wrote to memory of 4832	4260	{94678770-59A0-4157-B883-23DE88933E88}.exe	114
PID 4260 wrote to memory of 4832	4260	{94678770-59A0-4157-B883-23DE88933E88}.exe	114
PID 628 wrote to memory of 4312	628	{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe	115
PID 628 wrote to memory of 4312	628	{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe	115
PID 628 wrote to memory of 4312	628	{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe	115
PID 628 wrote to memory of 4440	628	{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe	116
PID 628 wrote to memory of 4440	628	{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe	116
PID 628 wrote to memory of 4440	628	{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe	116
PID 4312 wrote to memory of 4512	4312	{659864B1-3F7A-4920-A760-357AFBF562BC}.exe	117
PID 4312 wrote to memory of 4512	4312	{659864B1-3F7A-4920-A760-357AFBF562BC}.exe	117
PID 4312 wrote to memory of 4512	4312	{659864B1-3F7A-4920-A760-357AFBF562BC}.exe	117
PID 4312 wrote to memory of 4752	4312	{659864B1-3F7A-4920-A760-357AFBF562BC}.exe	118
PID 4312 wrote to memory of 4752	4312	{659864B1-3F7A-4920-A760-357AFBF562BC}.exe	118
PID 4312 wrote to memory of 4752	4312	{659864B1-3F7A-4920-A760-357AFBF562BC}.exe	118
PID 4512 wrote to memory of 2596	4512	{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe	119
PID 4512 wrote to memory of 2596	4512	{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe	119
PID 4512 wrote to memory of 2596	4512	{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe	119
PID 4512 wrote to memory of 4272	4512	{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe	120
PID 4512 wrote to memory of 4272	4512	{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe	120
PID 4512 wrote to memory of 4272	4512	{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe	120
PID 2596 wrote to memory of 728	2596	{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe	121
PID 2596 wrote to memory of 728	2596	{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe	121
PID 2596 wrote to memory of 728	2596	{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe	121
PID 2596 wrote to memory of 1796	2596	{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe	122

C:\Users\Admin\AppData\Local\Temp\2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_54b75c41945967a4351185745e053f43_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1048
- C:\Windows\{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe
  C:\Windows\{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\{EF88AF89-143D-42d0-B691-65EC90985558}.exe
    C:\Windows\{EF88AF89-143D-42d0-B691-65EC90985558}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EF88A~1.EXE > nul
      4⤵
      PID:2524
  - - C:\Windows\{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe
      C:\Windows\{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe
        
        C:\Windows\{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD76A~1.EXE > nul
        6⤵
        
        PID:2460
      - C:\Windows\{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe
        
        C:\Windows\{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\{94678770-59A0-4157-B883-23DE88933E88}.exe
        
        C:\Windows\{94678770-59A0-4157-B883-23DE88933E88}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe
        
        C:\Windows\{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\{659864B1-3F7A-4920-A760-357AFBF562BC}.exe
        
        C:\Windows\{659864B1-3F7A-4920-A760-357AFBF562BC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe
        
        C:\Windows\{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe
        
        C:\Windows\{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{BF35F6BE-FD07-44cc-8AA9-74DD12BDB6E1}.exe
        
        C:\Windows\{BF35F6BE-FD07-44cc-8AA9-74DD12BDB6E1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
        
        C:\Windows\{1AE22681-0901-4d92-A488-64AAE55B705F}.exe
        
        C:\Windows\{1AE22681-0901-4d92-A488-64AAE55B705F}.exe
        13⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF35F~1.EXE > nul
        13⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38899~1.EXE > nul
        12⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D05DC~1.EXE > nul
        11⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65986~1.EXE > nul
        10⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F8EE~1.EXE > nul
        9⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94678~1.EXE > nul
        8⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{755AA~1.EXE > nul
        7⤵
        
        PID:4280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38DB8~1.EXE > nul
        5⤵
        
        PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BA6D0~1.EXE > nul
    3⤵
    PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1AE22681-0901-4d92-A488-64AAE55B705F}.exe

Filesize
197KB

MD5
74ee6f83bbb3238f0249520b3be10837

SHA1
8760739c19e10f0ed20699bf326318df5cea537a

SHA256
12f6fb018d6954bafc4de826dab36fcd2a158a030b549365998a66a310d1eca5

SHA512
4aae42d11ad67fc568b13b019713ff9ff9c094494c01f9dfc81c9810ce1caf6b958a009bf077c9dc7b6afbde52f10397b0d468f1c87868867d660ca96d091090

Download Submit
C:\Windows\{2F8EE81E-D83B-4523-8C84-91A56CDDD4A7}.exe

Filesize
197KB

MD5
c52c9879edb667dd3f1e013b2b95c796

SHA1
2b17770c19092fbfcc1a2269a5e39f9e29082439

SHA256
d26cb62a2e695c183af647ff543dced7a66e92610aec4edb287b18d8d3328eed

SHA512
db56a455b908d81f4088b5c47805dcc312ccda75760c2718f82749453857e352baebd2e97471836471464b5bf17970d379f90fd99175ef71ac4fd8957b9cb804

Download Submit
C:\Windows\{388995B2-A108-48b2-89EA-C3408CDC58C0}.exe

Filesize
197KB

MD5
8c66d507c87cdee11a841f0479209b01

SHA1
f918397902425b8a23c7bf6d316c12a41dafeaaa

SHA256
00bc3b0ff74964ba65dcd7d483312c57162da728a8f0fd5c68192400b3c83bc9

SHA512
4d1871a0f62d6296c30cd9cff0727491a3accf65a314c66878f4e1cac581e3f7b287c82a10ea880c8301b5906bf0b327e6b0af62924c29cd0c729dbadf04a6ed

Download Submit
C:\Windows\{38DB8CB2-4E9F-437d-9D21-DCFEA4966298}.exe

Filesize
197KB

MD5
fcfc794d829cba14a0bfbe938a7b553e

SHA1
e838557afa62ef290b81973f5008ae8989026c51

SHA256
c71855c2d3b0816570dcd10e50bf8a5098a885b9da7b9311d53edfab647fb81d

SHA512
be417764b2e5f29db19c157ab66295fcb3fea9416e228e733374465ea648e13400ed255c054fda2b7d0307fb5d811a99e51d4630452ea7e1f1f0d2b968ce1d7a

Download Submit
C:\Windows\{659864B1-3F7A-4920-A760-357AFBF562BC}.exe

Filesize
197KB

MD5
fdbf67c0711b3cacb53d007c970d6ee8

SHA1
1a395c5cab7bb13163b150bf6d6889ee83810f14

SHA256
d3715c13bcd8126b738db7f20bd3f387bd76f3591c5c2e3178e6c20658fffed1

SHA512
f9084ed350514223cdd6af4f4e9bcb05b26825dda976ebf71180e2f4f0a68c6afaafd8b905ac054e6f9fc6791363e1e4c5f53edbc16fdc2a10e711f55f2d4359

Download Submit
C:\Windows\{755AA7A9-A50F-4a6d-9813-F3A040F063C8}.exe

Filesize
197KB

MD5
dcfc5b31a69f8111126657bff8e49654

SHA1
7fc2277e918ebb01232bda526c6f7243ac7ce6e8

SHA256
03dd31895026e93cc219216b751e2af175cf05d4c6274afbb53452fd15889590

SHA512
b8c1d15b7b59743801f2f23bdad370d018707d6b5ccaa3278ff415556d3892f1eb15a283e08bef6abd8c8f81b89cd2c79615306e674490a905e8c31043bb7080

Download Submit
C:\Windows\{94678770-59A0-4157-B883-23DE88933E88}.exe

Filesize
197KB

MD5
9512d587ed4fcec5f147215a50af68bd

SHA1
dfe85944cd43251f194a2d4764ba0cd0bf650c23

SHA256
b38b3f33ac9e6e01bd13158d1f19193a1927a954d2128aaaf9545d3ab921ba13

SHA512
05b8d646629e9a3463592b5b4ccc3da3bed8b7f17574a66cd2bd5d02304b2b039e490efa364cb7416acb2fa71b64ee16e6bde775a14930fb267ffe5a821cd1de

Download Submit
C:\Windows\{BA6D0A86-B6D0-4a9d-B7FE-33D10565C793}.exe

Filesize
197KB

MD5
9f94c4672ac19be48fd7dfa7f1884b6b

SHA1
bf3a3e5ebab33a1ae12efedadb8e23f459dd7b1f

SHA256
b908d9871e028ad6ec1cd2e925ace24a15b9a5624c600576ef61b584ad686ce3

SHA512
7745a466f47095b58d8c6bc3d584b7a5147ede9bc117f72058d2b4e5d69f4df2a6abff497db6fc8bb68c6172cf7415c8098787771ee42372b9afd418a87116f9

Download Submit
C:\Windows\{BD76A1EF-03CA-4284-A109-30A3055078B3}.exe

Filesize
197KB

MD5
cb792984ad40072fab705de80d58357a

SHA1
f2cca2c71384c58adba59c917bcb73dcf1eddc42

SHA256
ae31e2431b5c51854c9478ece771b916bbad23fa2129bf90e64cc909eb2d9631

SHA512
da7046279e4540d04cad64e5360102e53c5af34eeb9aa095962843ab11291059a95e77be8ad6a3efede59ca7b2981ea1be28a607194cdde3fa0fa21215407704

Download Submit
C:\Windows\{BF35F6BE-FD07-44cc-8AA9-74DD12BDB6E1}.exe

Filesize
197KB

MD5
2e0fa0e7523c05cdad51151318babe11

SHA1
05b02ea4a6e6cb5694aef7844d38eb60d50618c6

SHA256
0b5ebb37c3d5bac5e7398edbcaf228c16f1c8839119daed6b65dad3a92e5154a

SHA512
4bfbe81aed4ceca193839b89e3dfda4585b138e7a22c1921ed711bcc93a064f816581bec17edc94ef40f57542075a747ae53fd37f7ff003cb9798c20f07d1194

Download Submit
C:\Windows\{D05DC3EF-80FA-4dd2-9413-843601C376F6}.exe

Filesize
197KB

MD5
13024bf812ea4d67cc713ebbaaa33cf2

SHA1
fd9378fe2734376843e84dca9d8c45a520293ff6

SHA256
53cc87d0fc8afd4c3fcf0dbb71d0d7cae018358aa2789efcd592a154b63ac421

SHA512
a463be172766c6f7119c6fc80b3829bceb7b209860360c3993db504ac0914dda9387e567031716b9329eb84762ff42e895bbae57fc64856d35ab309f35a92cf3

Download Submit
C:\Windows\{EF88AF89-143D-42d0-B691-65EC90985558}.exe

Filesize
197KB

MD5
208d84c784bf59702b98eda8c2653c8b

SHA1
bc26c87cefd0dbce83ef381ab0bf3befa9cb1ebd

SHA256
d7c4943bdcfeda414edbcbab8124403149d569c590f5b4e12d57bedc9ccec395

SHA512
facbf69f0114c1c50c57847323c6771b8bb5755a92122d3a854c6770c373bb63c801915b8fa9bede7634d6ab7edcd5d10fab31b9355f89eb5739337209db3312

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads