f469aae3afa83d0b2ead5d65490e4210d39039c968b8c9b33e778e591dfd2511

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 00:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe
Size

408KB
MD5

caa0c110bc432b15fbd194057333be0a
SHA1

db7c9be0b90925269ec3a78b1a0e7ed9ca8116a4
SHA256

f469aae3afa83d0b2ead5d65490e4210d39039c968b8c9b33e778e591dfd2511
SHA512

f0303895369e919db428ba8f7e3c56c94f14cef62dbbe406240153bb1fdf41e77715b36e648d6c9f78aa0d44dbd674e4b61d29e6fc0342e1e9f301d173dc41ec
SSDEEP

3072:CEGh0oxl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGrldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00100000000231ee-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231e8-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231f5-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006c5-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000006c5-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000006c5-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000006c5-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23007F8A-93CF-4650-85DB-6C49B75901A9}	2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23007F8A-93CF-4650-85DB-6C49B75901A9}\stubpath = "C:\\Windows\\{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe"	2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E909D997-755C-434a-9E55-939C5AD361FA}	{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B818C56B-A9C6-4f04-8AC1-870DD13100E2}\stubpath = "C:\\Windows\\{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe"	{B90AE000-9779-46dd-9751-223876DD2C52}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F767994-73E0-44c9-9808-1E4758C8AC53}	{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B90AE000-9779-46dd-9751-223876DD2C52}	{004AF795-8946-465f-987D-02627C7638AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F767994-73E0-44c9-9808-1E4758C8AC53}\stubpath = "C:\\Windows\\{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe"	{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5DF13C3-961B-4cc6-9805-C141C8EA6809}	{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5DF13C3-961B-4cc6-9805-C141C8EA6809}\stubpath = "C:\\Windows\\{D5DF13C3-961B-4cc6-9805-C141C8EA6809}.exe"	{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{864DB401-F4F5-4ffb-9727-9F545849BAAB}	{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F8214C5-9958-48ad-9746-6D02F90775BD}\stubpath = "C:\\Windows\\{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe"	{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}\stubpath = "C:\\Windows\\{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe"	{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{723330EC-65DA-4f20-9DD2-F90BA13A6755}	{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E909D997-755C-434a-9E55-939C5AD361FA}\stubpath = "C:\\Windows\\{E909D997-755C-434a-9E55-939C5AD361FA}.exe"	{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{004AF795-8946-465f-987D-02627C7638AF}	{E909D997-755C-434a-9E55-939C5AD361FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{004AF795-8946-465f-987D-02627C7638AF}\stubpath = "C:\\Windows\\{004AF795-8946-465f-987D-02627C7638AF}.exe"	{E909D997-755C-434a-9E55-939C5AD361FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B90AE000-9779-46dd-9751-223876DD2C52}\stubpath = "C:\\Windows\\{B90AE000-9779-46dd-9751-223876DD2C52}.exe"	{004AF795-8946-465f-987D-02627C7638AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81C23A86-BCF4-49b3-95E6-3D7377D2B04D}	{D5DF13C3-961B-4cc6-9805-C141C8EA6809}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81C23A86-BCF4-49b3-95E6-3D7377D2B04D}\stubpath = "C:\\Windows\\{81C23A86-BCF4-49b3-95E6-3D7377D2B04D}.exe"	{D5DF13C3-961B-4cc6-9805-C141C8EA6809}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{723330EC-65DA-4f20-9DD2-F90BA13A6755}\stubpath = "C:\\Windows\\{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe"	{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B818C56B-A9C6-4f04-8AC1-870DD13100E2}	{B90AE000-9779-46dd-9751-223876DD2C52}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{864DB401-F4F5-4ffb-9727-9F545849BAAB}\stubpath = "C:\\Windows\\{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe"	{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F8214C5-9958-48ad-9746-6D02F90775BD}	{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}	{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe

Executes dropped EXE 12 IoCs

pid	Process
3624	{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe
3008	{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe
4660	{E909D997-755C-434a-9E55-939C5AD361FA}.exe
4528	{004AF795-8946-465f-987D-02627C7638AF}.exe
4400	{B90AE000-9779-46dd-9751-223876DD2C52}.exe
4452	{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe
4516	{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe
1380	{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe
4372	{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe
2208	{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe
4348	{D5DF13C3-961B-4cc6-9805-C141C8EA6809}.exe
3484	{81C23A86-BCF4-49b3-95E6-3D7377D2B04D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe	{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe
File created	C:\Windows\{E909D997-755C-434a-9E55-939C5AD361FA}.exe	{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe
File created	C:\Windows\{D5DF13C3-961B-4cc6-9805-C141C8EA6809}.exe	{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe
File created	C:\Windows\{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe	2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe
File created	C:\Windows\{B90AE000-9779-46dd-9751-223876DD2C52}.exe	{004AF795-8946-465f-987D-02627C7638AF}.exe
File created	C:\Windows\{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe	{B90AE000-9779-46dd-9751-223876DD2C52}.exe
File created	C:\Windows\{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe	{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe
File created	C:\Windows\{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe	{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe
File created	C:\Windows\{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe	{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe
File created	C:\Windows\{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe	{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe
File created	C:\Windows\{81C23A86-BCF4-49b3-95E6-3D7377D2B04D}.exe	{D5DF13C3-961B-4cc6-9805-C141C8EA6809}.exe
File created	C:\Windows\{004AF795-8946-465f-987D-02627C7638AF}.exe	{E909D997-755C-434a-9E55-939C5AD361FA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4348	2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3624	{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe
Token: SeIncBasePriorityPrivilege	3008	{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe
Token: SeIncBasePriorityPrivilege	4660	{E909D997-755C-434a-9E55-939C5AD361FA}.exe
Token: SeIncBasePriorityPrivilege	4528	{004AF795-8946-465f-987D-02627C7638AF}.exe
Token: SeIncBasePriorityPrivilege	4400	{B90AE000-9779-46dd-9751-223876DD2C52}.exe
Token: SeIncBasePriorityPrivilege	4452	{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe
Token: SeIncBasePriorityPrivilege	4516	{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe
Token: SeIncBasePriorityPrivilege	1380	{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe
Token: SeIncBasePriorityPrivilege	4372	{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe
Token: SeIncBasePriorityPrivilege	2208	{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe
Token: SeIncBasePriorityPrivilege	4348	{D5DF13C3-961B-4cc6-9805-C141C8EA6809}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 3624	4348	2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe	97
PID 4348 wrote to memory of 3624	4348	2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe	97
PID 4348 wrote to memory of 3624	4348	2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe	97
PID 4348 wrote to memory of 2328	4348	2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe	98
PID 4348 wrote to memory of 2328	4348	2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe	98
PID 4348 wrote to memory of 2328	4348	2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe	98
PID 3624 wrote to memory of 3008	3624	{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe	99
PID 3624 wrote to memory of 3008	3624	{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe	99
PID 3624 wrote to memory of 3008	3624	{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe	99
PID 3624 wrote to memory of 4956	3624	{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe	100
PID 3624 wrote to memory of 4956	3624	{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe	100
PID 3624 wrote to memory of 4956	3624	{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe	100
PID 3008 wrote to memory of 4660	3008	{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe	102
PID 3008 wrote to memory of 4660	3008	{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe	102
PID 3008 wrote to memory of 4660	3008	{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe	102
PID 3008 wrote to memory of 3988	3008	{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe	103
PID 3008 wrote to memory of 3988	3008	{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe	103
PID 3008 wrote to memory of 3988	3008	{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe	103
PID 4660 wrote to memory of 4528	4660	{E909D997-755C-434a-9E55-939C5AD361FA}.exe	104
PID 4660 wrote to memory of 4528	4660	{E909D997-755C-434a-9E55-939C5AD361FA}.exe	104
PID 4660 wrote to memory of 4528	4660	{E909D997-755C-434a-9E55-939C5AD361FA}.exe	104
PID 4660 wrote to memory of 5020	4660	{E909D997-755C-434a-9E55-939C5AD361FA}.exe	105
PID 4660 wrote to memory of 5020	4660	{E909D997-755C-434a-9E55-939C5AD361FA}.exe	105
PID 4660 wrote to memory of 5020	4660	{E909D997-755C-434a-9E55-939C5AD361FA}.exe	105
PID 4528 wrote to memory of 4400	4528	{004AF795-8946-465f-987D-02627C7638AF}.exe	106
PID 4528 wrote to memory of 4400	4528	{004AF795-8946-465f-987D-02627C7638AF}.exe	106
PID 4528 wrote to memory of 4400	4528	{004AF795-8946-465f-987D-02627C7638AF}.exe	106
PID 4528 wrote to memory of 2508	4528	{004AF795-8946-465f-987D-02627C7638AF}.exe	107
PID 4528 wrote to memory of 2508	4528	{004AF795-8946-465f-987D-02627C7638AF}.exe	107
PID 4528 wrote to memory of 2508	4528	{004AF795-8946-465f-987D-02627C7638AF}.exe	107
PID 4400 wrote to memory of 4452	4400	{B90AE000-9779-46dd-9751-223876DD2C52}.exe	108
PID 4400 wrote to memory of 4452	4400	{B90AE000-9779-46dd-9751-223876DD2C52}.exe	108
PID 4400 wrote to memory of 4452	4400	{B90AE000-9779-46dd-9751-223876DD2C52}.exe	108
PID 4400 wrote to memory of 4448	4400	{B90AE000-9779-46dd-9751-223876DD2C52}.exe	109
PID 4400 wrote to memory of 4448	4400	{B90AE000-9779-46dd-9751-223876DD2C52}.exe	109
PID 4400 wrote to memory of 4448	4400	{B90AE000-9779-46dd-9751-223876DD2C52}.exe	109
PID 4452 wrote to memory of 4516	4452	{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe	110
PID 4452 wrote to memory of 4516	4452	{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe	110
PID 4452 wrote to memory of 4516	4452	{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe	110
PID 4452 wrote to memory of 4664	4452	{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe	111
PID 4452 wrote to memory of 4664	4452	{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe	111
PID 4452 wrote to memory of 4664	4452	{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe	111
PID 4516 wrote to memory of 1380	4516	{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe	113
PID 4516 wrote to memory of 1380	4516	{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe	113
PID 4516 wrote to memory of 1380	4516	{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe	113
PID 4516 wrote to memory of 3808	4516	{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe	112
PID 4516 wrote to memory of 3808	4516	{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe	112
PID 4516 wrote to memory of 3808	4516	{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe	112
PID 1380 wrote to memory of 4372	1380	{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe	114
PID 1380 wrote to memory of 4372	1380	{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe	114
PID 1380 wrote to memory of 4372	1380	{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe	114
PID 1380 wrote to memory of 4764	1380	{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe	115
PID 1380 wrote to memory of 4764	1380	{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe	115
PID 1380 wrote to memory of 4764	1380	{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe	115
PID 4372 wrote to memory of 2208	4372	{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe	116
PID 4372 wrote to memory of 2208	4372	{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe	116
PID 4372 wrote to memory of 2208	4372	{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe	116
PID 4372 wrote to memory of 1464	4372	{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe	117
PID 4372 wrote to memory of 1464	4372	{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe	117
PID 4372 wrote to memory of 1464	4372	{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe	117
PID 2208 wrote to memory of 4348	2208	{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe	118
PID 2208 wrote to memory of 4348	2208	{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe	118
PID 2208 wrote to memory of 4348	2208	{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe	118
PID 2208 wrote to memory of 4412	2208	{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_caa0c110bc432b15fbd194057333be0a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe
  C:\Windows\{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe
    C:\Windows\{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\{E909D997-755C-434a-9E55-939C5AD361FA}.exe
      C:\Windows\{E909D997-755C-434a-9E55-939C5AD361FA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\{004AF795-8946-465f-987D-02627C7638AF}.exe
        
        C:\Windows\{004AF795-8946-465f-987D-02627C7638AF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
      - C:\Windows\{B90AE000-9779-46dd-9751-223876DD2C52}.exe
        
        C:\Windows\{B90AE000-9779-46dd-9751-223876DD2C52}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe
        
        C:\Windows\{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe
        
        C:\Windows\{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{864DB~1.EXE > nul
        9⤵
        
        PID:3808
        
        C:\Windows\{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe
        
        C:\Windows\{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe
        
        C:\Windows\{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe
        
        C:\Windows\{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{D5DF13C3-961B-4cc6-9805-C141C8EA6809}.exe
        
        C:\Windows\{D5DF13C3-961B-4cc6-9805-C141C8EA6809}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Windows\{81C23A86-BCF4-49b3-95E6-3D7377D2B04D}.exe
        
        C:\Windows\{81C23A86-BCF4-49b3-95E6-3D7377D2B04D}.exe
        13⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5DF1~1.EXE > nul
        13⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F767~1.EXE > nul
        12⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6488E~1.EXE > nul
        11⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F821~1.EXE > nul
        10⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B818C~1.EXE > nul
        8⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B90AE~1.EXE > nul
        7⤵
        
        PID:4448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{004AF~1.EXE > nul
        6⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E909D~1.EXE > nul
        5⤵
        
        PID:5020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{72333~1.EXE > nul
      4⤵
      PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{23007~1.EXE > nul
    3⤵
    PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{004AF795-8946-465f-987D-02627C7638AF}.exe

Filesize
408KB

MD5
d4c6aac5705795a50c0da6ffad4eaa16

SHA1
6a636162ddf74c17ae82d8a370cdb60e5c9a8b04

SHA256
f6332d615c4cfe830c279f439ebdb70ef0730b359543eff6de8e8e06a47fac45

SHA512
30bc7e49b0c74dc7b1c585b605c62679e1f724d6dda68b9d0fdb689782cff799a35e77573d7714b063d69351ad340a5aa569b5b9e5044dac2ecc6e8025c5abd6

Download Submit
C:\Windows\{1F767994-73E0-44c9-9808-1E4758C8AC53}.exe

Filesize
408KB

MD5
5c749783111b06849626c35f92e48ae9

SHA1
2f3f2942e120562cf37d37da240bc17d2cd595d1

SHA256
ad9c87337e2bc5094d755258feda420819c1c0204159367b2feeb39a45566c3f

SHA512
4122d811c843563f847d723e7584e362e3b531cc2e9602c45c77ae20cb6f12341572a57c3730e63a999e0d28e3903c4b72ceb017c9361397a5334f56da084a94

Download Submit
C:\Windows\{23007F8A-93CF-4650-85DB-6C49B75901A9}.exe

Filesize
408KB

MD5
688dc2a0a0ade407c8905fd927c1407a

SHA1
55250827e7927220b4097ec73c05682e9a14ad03

SHA256
9cbf82e7da465557b0d71a832376a881327d230f006fd7bf5eac56c503145416

SHA512
9bf1e343465ed50e27900af203c415d4857ca9d03422729e48b17cb4a1e598ac1bd28a98f1f26a0d6e710910cb1a6809582c2df5f64ab89e85c5dd0e19b6df2b

Download Submit
C:\Windows\{6488E9C0-0E81-4ec3-BC8A-73BC3ACF42A3}.exe

Filesize
408KB

MD5
3fed54a885305a8bfc77f04cec08770d

SHA1
fbe0a6f6e0f5cb33638e779c78e0c21266aa45ac

SHA256
7984853d57ed667e2e24a54a2889da5c3af7481b62a27ee3382a3306872bbf24

SHA512
36745e628ff28f6ccde9c2f007375146e8bdd9cdd7e48a932632c0446aa3a038249b6a0166c9823084701cc1ce2234e46d227901dde33f2b41010f8855ee3a85

Download Submit
C:\Windows\{6F8214C5-9958-48ad-9746-6D02F90775BD}.exe

Filesize
408KB

MD5
3bc8c4b2d82632ff11d4a16bfab464fd

SHA1
38648c32794f7200f2a64120cae9e0030a4220dc

SHA256
521a6213b5236b87e99ff30c4f273aafa6c05d44b2973e8eec5ea0b1cdf0f510

SHA512
c9432eb8110ff0c351cba0a40deb2c45332b09bb18bef434812a41ff84acb6d58c4c8484e4304c13e5193098483859193c1192f3bdfcb9c05b894ce09194881e

Download Submit
C:\Windows\{723330EC-65DA-4f20-9DD2-F90BA13A6755}.exe

Filesize
408KB

MD5
d7fbad19403aef77178133fc119076de

SHA1
8c7b38c34e338f73d698460a1bf0c9e0ab390f4c

SHA256
a58cde1a3a0c8651461fed0b0ae33f741c99dacd5e30ca13ee96c8635d651aaa

SHA512
58b8adbcf9c9d2a2f12c992e3e40c702af1d7868c65cafce23c064f8c2228882f47cf9966e1908ae29ca8a179273f9ad383cb5d89d871cb7be1e82d3239ea2b1

Download Submit
C:\Windows\{81C23A86-BCF4-49b3-95E6-3D7377D2B04D}.exe

Filesize
408KB

MD5
7959917bf54a304a644d464b495501ba

SHA1
ca85d00a49c25edf0101c6eb12c331426ccdba92

SHA256
9946c662105e07f32a14c00f1c1c9ac3c9a4cc4b34dd284e8ba3194de4076bcb

SHA512
6c01408bdea38c3ec2b408d95210b4075010fff45073fe8bf6d8beaed0423bc4c44410bdcf8b46b9f38e14e622ff40525a6a47641d40d57a096175a6e897ed6f

Download Submit
C:\Windows\{864DB401-F4F5-4ffb-9727-9F545849BAAB}.exe

Filesize
408KB

MD5
ce6353b9cb3c5d13443cfc0b1b35e806

SHA1
66ba2b3d882ff94fd8edf8e5ae1484f64663655f

SHA256
3f7fb6eb6356f7ccc94babbf1c76d3fccb289fb52114a6bdd0596a243a7babff

SHA512
6795f73a5dd99daca4665f2939e64f9db302492b7f47fe0ede89579bbf5cfe7ed4015f737d7a06fe4cd53c148dc8b7deba1393f4c1f4cb83a6138de2dae09d4b

Download Submit
C:\Windows\{B818C56B-A9C6-4f04-8AC1-870DD13100E2}.exe

Filesize
408KB

MD5
c746d499da7a520971fc6e83c05b9f13

SHA1
9ed2692d3f2f8671597d0cfdbd15df15665eeb69

SHA256
4851cc40b241c31e704ce87b36e75b83f5062d859cb5725413b96aabbca009e3

SHA512
a5da288ac5c9416bb708b0c0a4de9390c0f33b0ec99f0744a8855d489484b0e6c6bb378f126aeb1377d667285064046294f4ad575edcd2c1d2417578f7f10ee5

Download Submit
C:\Windows\{B90AE000-9779-46dd-9751-223876DD2C52}.exe

Filesize
408KB

MD5
3adf2ad6398aa33dec9c4fc396232a29

SHA1
82ed4e4bb353f7ee04e0e18914fbf61567235767

SHA256
b244c73f8f08459020604985239bc12c6c0f620aa3a42336b8f29864a5641a7d

SHA512
2b85bdfc1f7deb5378ce85da5205db62b47392d7340a76d5ab93dae355926abbb93502b9c30b84ef1ca0ffed828e0c1266307077099b9b723e5407b3ddd63f1b

Download Submit
C:\Windows\{D5DF13C3-961B-4cc6-9805-C141C8EA6809}.exe

Filesize
408KB

MD5
5edb0f896bb56d3e8311e15a3fd55585

SHA1
92e6f41421e27f90384b8b9d24be27e01c1fed5e

SHA256
a33d2d36098ed9380fa08a903915caf965fc1077e30f66c426e4fe243fb9d54e

SHA512
0f68516c0dc879d81eaec8031b3a3c687bcd91a661c314976b21e55c0af165558ef8eaf8d1f9e9346055decdfeea45d3fcedf30625abf2dd6355ed8176592c13

Download Submit
C:\Windows\{E909D997-755C-434a-9E55-939C5AD361FA}.exe

Filesize
408KB

MD5
55cef8aa05c2d3ba80b3a5ddd38e35ba

SHA1
2dbf69bcdfbf7e8288f887b2a45d45d907f36b70

SHA256
cac3f48781c44391d25c58237cf6683758f1fa4a0432f4628c8f050d824f5b9a

SHA512
45b182a6ddae37a5791dfd0004990e12a0ae76446f8ed1d6ba462ae8ac464b08b7d7287ab0e7cf8db28efaf4b7407fd5587fdf75d90acd82e83b3b0a5cecd9c8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads