aa9a192ff5ffdb1a9c504e67f64f647e783fafefe4899e82b60a129410f26bcf

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe
Size

372KB
MD5

250ff0d53370c69fa32531f07061cc5c
SHA1

405c2112eafcc33e3cd1459bdde451475f115540
SHA256

aa9a192ff5ffdb1a9c504e67f64f647e783fafefe4899e82b60a129410f26bcf
SHA512

3debac4756bed5c2d337d51f3702ee186455d8492de3c1bfc7366e79ae05bddadc7607c4526f4a9514c74f31fdbfe0a46e3353f7128ce7b9d2b65e67ac0b1f7a
SSDEEP

3072:CEGh0ommlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGJl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002300b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023122-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023125-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023122-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023125-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93064BB2-7223-43a9-B883-F1D9023F52F9}	{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}\stubpath = "C:\\Windows\\{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe"	{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}	{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}	{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEB809A2-36F9-413a-9BAD-072B49F2A09D}	{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEB809A2-36F9-413a-9BAD-072B49F2A09D}\stubpath = "C:\\Windows\\{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe"	{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}\stubpath = "C:\\Windows\\{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe"	2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}	{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF9692DA-02CB-41e1-AE61-D9850DC79018}\stubpath = "C:\\Windows\\{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe"	{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}\stubpath = "C:\\Windows\\{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe"	{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF9692DA-02CB-41e1-AE61-D9850DC79018}	{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}	{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}\stubpath = "C:\\Windows\\{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe"	{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93064BB2-7223-43a9-B883-F1D9023F52F9}\stubpath = "C:\\Windows\\{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe"	{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}	2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}\stubpath = "C:\\Windows\\{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe"	{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}\stubpath = "C:\\Windows\\{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe"	{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}	{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90B460C8-569D-4fe0-94EC-50E3B06E549E}	{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90B460C8-569D-4fe0-94EC-50E3B06E549E}\stubpath = "C:\\Windows\\{90B460C8-569D-4fe0-94EC-50E3B06E549E}.exe"	{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}	{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}\stubpath = "C:\\Windows\\{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe"	{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe

Executes dropped EXE 11 IoCs

pid	Process
3292	{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe
5064	{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe
4300	{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe
3132	{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe
3776	{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe
1204	{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe
3676	{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe
1472	{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe
4776	{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe
1740	{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe
3964	{90B460C8-569D-4fe0-94EC-50E3B06E549E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe	{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe
File created	C:\Windows\{90B460C8-569D-4fe0-94EC-50E3B06E549E}.exe	{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe
File created	C:\Windows\{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe	2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe
File created	C:\Windows\{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe	{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe
File created	C:\Windows\{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe	{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe
File created	C:\Windows\{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe	{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe
File created	C:\Windows\{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe	{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe
File created	C:\Windows\{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe	{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe
File created	C:\Windows\{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe	{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe
File created	C:\Windows\{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe	{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe
File created	C:\Windows\{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe	{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3684	2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3292	{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe
Token: SeIncBasePriorityPrivilege	5064	{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe
Token: SeIncBasePriorityPrivilege	4300	{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe
Token: SeIncBasePriorityPrivilege	3132	{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe
Token: SeIncBasePriorityPrivilege	3776	{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe
Token: SeIncBasePriorityPrivilege	1204	{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe
Token: SeIncBasePriorityPrivilege	3676	{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe
Token: SeIncBasePriorityPrivilege	1472	{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe
Token: SeIncBasePriorityPrivilege	4776	{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe
Token: SeIncBasePriorityPrivilege	1740	{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 3292	3684	2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe	95
PID 3684 wrote to memory of 3292	3684	2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe	95
PID 3684 wrote to memory of 3292	3684	2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe	95
PID 3684 wrote to memory of 4176	3684	2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe	96
PID 3684 wrote to memory of 4176	3684	2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe	96
PID 3684 wrote to memory of 4176	3684	2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe	96
PID 3292 wrote to memory of 5064	3292	{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe	101
PID 3292 wrote to memory of 5064	3292	{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe	101
PID 3292 wrote to memory of 5064	3292	{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe	101
PID 3292 wrote to memory of 1260	3292	{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe	102
PID 3292 wrote to memory of 1260	3292	{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe	102
PID 3292 wrote to memory of 1260	3292	{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe	102
PID 5064 wrote to memory of 4300	5064	{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe	104
PID 5064 wrote to memory of 4300	5064	{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe	104
PID 5064 wrote to memory of 4300	5064	{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe	104
PID 5064 wrote to memory of 3472	5064	{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe	103
PID 5064 wrote to memory of 3472	5064	{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe	103
PID 5064 wrote to memory of 3472	5064	{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe	103
PID 4300 wrote to memory of 3132	4300	{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe	105
PID 4300 wrote to memory of 3132	4300	{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe	105
PID 4300 wrote to memory of 3132	4300	{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe	105
PID 4300 wrote to memory of 2292	4300	{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe	106
PID 4300 wrote to memory of 2292	4300	{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe	106
PID 4300 wrote to memory of 2292	4300	{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe	106
PID 3132 wrote to memory of 3776	3132	{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe	107
PID 3132 wrote to memory of 3776	3132	{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe	107
PID 3132 wrote to memory of 3776	3132	{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe	107
PID 3132 wrote to memory of 3728	3132	{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe	108
PID 3132 wrote to memory of 3728	3132	{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe	108
PID 3132 wrote to memory of 3728	3132	{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe	108
PID 3776 wrote to memory of 1204	3776	{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe	109
PID 3776 wrote to memory of 1204	3776	{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe	109
PID 3776 wrote to memory of 1204	3776	{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe	109
PID 3776 wrote to memory of 4324	3776	{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe	110
PID 3776 wrote to memory of 4324	3776	{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe	110
PID 3776 wrote to memory of 4324	3776	{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe	110
PID 1204 wrote to memory of 3676	1204	{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe	111
PID 1204 wrote to memory of 3676	1204	{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe	111
PID 1204 wrote to memory of 3676	1204	{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe	111
PID 1204 wrote to memory of 3116	1204	{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe	112
PID 1204 wrote to memory of 3116	1204	{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe	112
PID 1204 wrote to memory of 3116	1204	{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe	112
PID 3676 wrote to memory of 1472	3676	{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe	113
PID 3676 wrote to memory of 1472	3676	{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe	113
PID 3676 wrote to memory of 1472	3676	{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe	113
PID 3676 wrote to memory of 5076	3676	{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe	114
PID 3676 wrote to memory of 5076	3676	{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe	114
PID 3676 wrote to memory of 5076	3676	{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe	114
PID 1472 wrote to memory of 4776	1472	{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe	115
PID 1472 wrote to memory of 4776	1472	{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe	115
PID 1472 wrote to memory of 4776	1472	{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe	115
PID 1472 wrote to memory of 1144	1472	{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe	116
PID 1472 wrote to memory of 1144	1472	{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe	116
PID 1472 wrote to memory of 1144	1472	{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe	116
PID 4776 wrote to memory of 1740	4776	{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe	117
PID 4776 wrote to memory of 1740	4776	{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe	117
PID 4776 wrote to memory of 1740	4776	{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe	117
PID 4776 wrote to memory of 2236	4776	{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe	118
PID 4776 wrote to memory of 2236	4776	{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe	118
PID 4776 wrote to memory of 2236	4776	{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe	118
PID 1740 wrote to memory of 3964	1740	{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe	119
PID 1740 wrote to memory of 3964	1740	{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe	119
PID 1740 wrote to memory of 3964	1740	{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe	119
PID 1740 wrote to memory of 2320	1740	{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-24_250ff0d53370c69fa32531f07061cc5c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe
  C:\Windows\{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe
    C:\Windows\{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1A460~1.EXE > nul
      4⤵
      PID:3472
  - - C:\Windows\{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe
      C:\Windows\{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4300
    - - C:\Windows\{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe
        
        C:\Windows\{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3132
      - C:\Windows\{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe
        
        C:\Windows\{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe
        
        C:\Windows\{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe
        
        C:\Windows\{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe
        
        C:\Windows\{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe
        
        C:\Windows\{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe
        
        C:\Windows\{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\{90B460C8-569D-4fe0-94EC-50E3B06E549E}.exe
        
        C:\Windows\{90B460C8-569D-4fe0-94EC-50E3B06E549E}.exe
        12⤵
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D94E7~1.EXE > nul
        12⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93064~1.EXE > nul
        11⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C1E6~1.EXE > nul
        10⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4415~1.EXE > nul
        9⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEB80~1.EXE > nul
        8⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF969~1.EXE > nul
        7⤵
        
        PID:4324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{495C0~1.EXE > nul
        6⤵
        
        PID:3728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0347~1.EXE > nul
        5⤵
        
        PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A84D9~1.EXE > nul
    3⤵
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A460F7E-ED6D-4514-BF4D-A07A7768B72C}.exe

Filesize
372KB

MD5
550b8e25b2cf932e1c76305d0e5d6983

SHA1
19a4c1c1c7674a6062f57198262b795dcb22baed

SHA256
9c10815d9c2e797bb471614ee71fc437cf4ae2aa2c0add5d930cc68a352616cc

SHA512
7083d92116c7c8543430d0ee96b6d54d2474add80b751f029be433e822b0f65b432a93a1ae09dbef76acb40f0e597c5f14da09c8c640289fa725608f4e15c629

Download Submit
C:\Windows\{3C1E6C1B-15BC-4f1a-AF8F-F9D33837D973}.exe

Filesize
372KB

MD5
7e9f65db55134bc7d08df401a32fc7f2

SHA1
5a24a12601f74cf5a0a45889107d6b6fde490141

SHA256
9d7d03e0a8a5cd0105ee43020595fb012049c81e4b3f2fdc7dacb74eca6b1c75

SHA512
d82be12d7778ef5557449d9d670159388ee6e9a46c8934a51afb16525b5538b0589c1a210536ea716aca27efafe9d662591f0c6547c3c3d4767a063a7f8de572

Download Submit
C:\Windows\{495C0AD1-E7A0-4e01-A29F-D4FFBDC8ADA3}.exe

Filesize
372KB

MD5
db0b4c515e28447461d87d318f77c53e

SHA1
6e6e370140d118afa28ef00893e9bf9984ccd2c4

SHA256
24062a241ea22c06d4a5bbb604bcff7da5ec4529ff81782ca9fb098125b86798

SHA512
626efe526b55c65dc5691163649a2f7f1e914b44f33d5d2c575217b0ab0a76b20a69eade16ab53636f732f85c38cbbe8ccf9969dd26f69560aba7114bc9c4805

Download Submit
C:\Windows\{90B460C8-569D-4fe0-94EC-50E3B06E549E}.exe

Filesize
372KB

MD5
be948de3751df0dd63f506e21be1c29c

SHA1
3275afda0632ab7d77ac604a59d0d2b3e5d37c1c

SHA256
1a3af8e6eae345a1245e4625d95b273ad8a8f86a3c2dc97bd2dab61cf7301c9e

SHA512
85002f97b0bca25075dbedde940619869117d8f81085f56b7625ae8105bdc7d30fd5fdf4b937eb864e01e8e5c86e96fdae337352988bdfeeb75d282777193592

Download Submit
C:\Windows\{93064BB2-7223-43a9-B883-F1D9023F52F9}.exe

Filesize
372KB

MD5
12463b9913043690670aef52aa55d364

SHA1
8c0e47854c5ba3ddcf638e36a9c96663bc9cf69d

SHA256
4c082258c8e1ed976b31e725f4152c950280dac3ea3435670d2696240bd9a599

SHA512
4d19b0621170ab98fb06b36ecad21079619cbf3d0d0990e4a0130ba3243bb3d174e58050a25d39b9627a7341ad982580f541fcd533a9b068aae0cd87d91e000a

Download Submit
C:\Windows\{A84D9699-DC5E-4803-9DCE-E7496AFA25E5}.exe

Filesize
372KB

MD5
9b49e36eb2cd468a259cfe5e75610fe0

SHA1
d327f48dcc4330fa0fe68996776d26628bfdf4eb

SHA256
8709d3d19b13198e07705415e14f60c2b82284b85086404f0adcadeb61c42e52

SHA512
d82694747370c6986484e516bc4be527870125024ebe97f2ff54f38bf47a652e3a157f3d50d1cefe0579b8805902183c00b639e04babe70eb60111f8b81657e5

Download Submit
C:\Windows\{AF9692DA-02CB-41e1-AE61-D9850DC79018}.exe

Filesize
372KB

MD5
c529478f336170102beb9d88ae6eea12

SHA1
2b7c0de7b72539c041f8c8cc49ed26f93d10c54a

SHA256
68cbb1a30eef8cb9108265298adefb9206acb39e5c99ee32f1f1f576134b189e

SHA512
919726accc520da0a5df64b745b2e21879da60ca291b4d021f74fde0085838a56540a489026e31743eeb1fcd5252ca0b6fb4b07c2146ced71ccf23b773029a8d

Download Submit
C:\Windows\{B0347BF2-DF82-4fbd-88D9-4D4964C2D0D7}.exe

Filesize
372KB

MD5
fb819d014500b5d9a29b4517ae4aed1f

SHA1
23ea9c31fc443891379fca36fb9ef945fa0891d8

SHA256
cc45698e3749ee41276269be24632d13c0368e055fa1c272010e593cefd9eb72

SHA512
ba8698a18c2c9d9a2717c2af061de6578e9c742957f03d700dc575d3f2b87fb14a977904bb9e18d2e66a85453930e4dee6a8497658ce9d7420626cf6776ca098

Download Submit
C:\Windows\{D94E75BD-103D-4430-AD5E-A7A08F5A4A0F}.exe

Filesize
372KB

MD5
03645e9510e165e7c8aabbaa0b55fc83

SHA1
aab2fcc038faf8ced27216d2472588944a32eebd

SHA256
12b6169659f45ce0b340bd7a5b00f99915bc9c3e07a330c889ea9f4f597fcf57

SHA512
377648ad63fbe53f8ffefa6c233c32391132335c4dd78359692b299a6cdb49ddda0c972c90b1e97d0c16c58b78e851a4e438c64826222445cadb16049576548a

Download Submit
C:\Windows\{E4415BFB-A22D-4741-8EC7-DE8ED684EDC5}.exe

Filesize
372KB

MD5
e009554edcafc84ab3d93e4592d9c5b4

SHA1
f5906d107c3f054edb91a767b6b9671a0d1850e5

SHA256
36a950be027b405f22ced37debfa8c7b14d013ded94b025369f7d5f8abb459dd

SHA512
7bcd2e181f2e8364b4c27f233013a4c90cf62d127b1d2789eeb134f2cd2e61ad1e3637cdfc11a9b660e66b8637bced3bcd4dfbd3bfb5ed590e66758b3d23a468

Download Submit
C:\Windows\{FEB809A2-36F9-413a-9BAD-072B49F2A09D}.exe

Filesize
372KB

MD5
832735dfd4f1a23caa5328f593d3d0ac

SHA1
1e8ac71fcd2dc9517b283d4024b006abba94a202

SHA256
862a8df7dbf7cda84aa9d6a9fee04f18704134a23e14b98587f2113eacd970e3

SHA512
46f8f52816e48c18a59bef695fe6a6e7bad4319932c49fe2579124acb743b0ef3266d0d43f3ef1cded34f5d2aad1a820aa7c8da478c42e9a4b802347a553578f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads