a60e41b03d814e431bf72b084bf0369775272ba0687086016b20856212fc91d4

Analysis

max time kernel
155s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
Size

372KB
MD5

66df83b4656869eefb369c65fabebc92
SHA1

c48f2936456db8e002839828bfbfcf321378a409
SHA256

a60e41b03d814e431bf72b084bf0369775272ba0687086016b20856212fc91d4
SHA512

5570cac2367d35143a3caab225e76c04a91b4f974b07c3cd248401f03d22cd10b75770c7b8eb33980d7ba46b8ae70196a648715e921d455f1976aeaee04f06d3
SSDEEP

3072:CEGh0ommlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG5l/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023001-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002310f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002311c-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002310f-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000002311c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8260C0C9-C0C7-4ca7-8442-B95187799896}	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}\stubpath = "C:\\Windows\\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe"	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAA78C05-16E1-4448-BCE5-B234F6A17025}	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}\stubpath = "C:\\Windows\\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe"	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{798F5A8B-E292-4bfc-8885-E512AA821F05}	{39A255E0-6052-422a-A9C4-22522840458D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{798F5A8B-E292-4bfc-8885-E512AA821F05}\stubpath = "C:\\Windows\\{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe"	{39A255E0-6052-422a-A9C4-22522840458D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}\stubpath = "C:\\Windows\\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe"	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8260C0C9-C0C7-4ca7-8442-B95187799896}\stubpath = "C:\\Windows\\{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe"	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DAB7A87-204E-4de4-87F1-197374D41EA5}\stubpath = "C:\\Windows\\{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe"	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69C73602-07BA-4375-B818-CE086149CAF8}\stubpath = "C:\\Windows\\{69C73602-07BA-4375-B818-CE086149CAF8}.exe"	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAA78C05-16E1-4448-BCE5-B234F6A17025}\stubpath = "C:\\Windows\\{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe"	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DAB7A87-204E-4de4-87F1-197374D41EA5}	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}\stubpath = "C:\\Windows\\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe"	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39A255E0-6052-422a-A9C4-22522840458D}	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6124B61D-1157-4e88-A184-23EF13D340FA}	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6124B61D-1157-4e88-A184-23EF13D340FA}\stubpath = "C:\\Windows\\{6124B61D-1157-4e88-A184-23EF13D340FA}.exe"	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69C73602-07BA-4375-B818-CE086149CAF8}	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39A255E0-6052-422a-A9C4-22522840458D}\stubpath = "C:\\Windows\\{39A255E0-6052-422a-A9C4-22522840458D}.exe"	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe

Executes dropped EXE 11 IoCs

pid	Process
1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe
2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe
4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe
4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
3596	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe
3384	{69C73602-07BA-4375-B818-CE086149CAF8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
File created	C:\Windows\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
File created	C:\Windows\{69C73602-07BA-4375-B818-CE086149CAF8}.exe	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe
File created	C:\Windows\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
File created	C:\Windows\{39A255E0-6052-422a-A9C4-22522840458D}.exe	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
File created	C:\Windows\{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	{39A255E0-6052-422a-A9C4-22522840458D}.exe
File created	C:\Windows\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe
File created	C:\Windows\{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
File created	C:\Windows\{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
File created	C:\Windows\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
File created	C:\Windows\{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
Token: SeIncBasePriorityPrivilege	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe
Token: SeIncBasePriorityPrivilege	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe
Token: SeIncBasePriorityPrivilege	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
Token: SeIncBasePriorityPrivilege	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
Token: SeIncBasePriorityPrivilege	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
Token: SeIncBasePriorityPrivilege	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
Token: SeIncBasePriorityPrivilege	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe
Token: SeIncBasePriorityPrivilege	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
Token: SeIncBasePriorityPrivilege	3596	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 1068	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	91
PID 4648 wrote to memory of 1068	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	91
PID 4648 wrote to memory of 1068	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	91
PID 4648 wrote to memory of 1732	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	92
PID 4648 wrote to memory of 1732	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	92
PID 4648 wrote to memory of 1732	4648	2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe	92
PID 1068 wrote to memory of 4248	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	96
PID 1068 wrote to memory of 4248	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	96
PID 1068 wrote to memory of 4248	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	96
PID 1068 wrote to memory of 3908	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	97
PID 1068 wrote to memory of 3908	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	97
PID 1068 wrote to memory of 3908	1068	{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe	97
PID 4248 wrote to memory of 2636	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe	102
PID 4248 wrote to memory of 2636	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe	102
PID 4248 wrote to memory of 2636	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe	102
PID 4248 wrote to memory of 1476	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe	103
PID 4248 wrote to memory of 1476	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe	103
PID 4248 wrote to memory of 1476	4248	{39A255E0-6052-422a-A9C4-22522840458D}.exe	103
PID 2636 wrote to memory of 4960	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	104
PID 2636 wrote to memory of 4960	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	104
PID 2636 wrote to memory of 4960	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	104
PID 2636 wrote to memory of 5116	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	105
PID 2636 wrote to memory of 5116	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	105
PID 2636 wrote to memory of 5116	2636	{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe	105
PID 4960 wrote to memory of 4676	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	106
PID 4960 wrote to memory of 4676	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	106
PID 4960 wrote to memory of 4676	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	106
PID 4960 wrote to memory of 3520	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	107
PID 4960 wrote to memory of 3520	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	107
PID 4960 wrote to memory of 3520	4960	{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe	107
PID 4676 wrote to memory of 2140	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	108
PID 4676 wrote to memory of 2140	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	108
PID 4676 wrote to memory of 2140	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	108
PID 4676 wrote to memory of 3320	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	109
PID 4676 wrote to memory of 3320	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	109
PID 4676 wrote to memory of 3320	4676	{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe	109
PID 2140 wrote to memory of 1512	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	110
PID 2140 wrote to memory of 1512	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	110
PID 2140 wrote to memory of 1512	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	110
PID 2140 wrote to memory of 1328	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	111
PID 2140 wrote to memory of 1328	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	111
PID 2140 wrote to memory of 1328	2140	{6124B61D-1157-4e88-A184-23EF13D340FA}.exe	111
PID 1512 wrote to memory of 4228	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	112
PID 1512 wrote to memory of 4228	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	112
PID 1512 wrote to memory of 4228	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	112
PID 1512 wrote to memory of 4480	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	113
PID 1512 wrote to memory of 4480	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	113
PID 1512 wrote to memory of 4480	1512	{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe	113
PID 4228 wrote to memory of 4144	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	114
PID 4228 wrote to memory of 4144	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	114
PID 4228 wrote to memory of 4144	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	114
PID 4228 wrote to memory of 4428	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	115
PID 4228 wrote to memory of 4428	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	115
PID 4228 wrote to memory of 4428	4228	{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe	115
PID 4144 wrote to memory of 3596	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	116
PID 4144 wrote to memory of 3596	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	116
PID 4144 wrote to memory of 3596	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	116
PID 4144 wrote to memory of 3164	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	117
PID 4144 wrote to memory of 3164	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	117
PID 4144 wrote to memory of 3164	4144	{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe	117
PID 3596 wrote to memory of 3384	3596	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe	118
PID 3596 wrote to memory of 3384	3596	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe	118
PID 3596 wrote to memory of 3384	3596	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe	118
PID 3596 wrote to memory of 4892	3596	{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_66df83b4656869eefb369c65fabebc92_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
  C:\Windows\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\{39A255E0-6052-422a-A9C4-22522840458D}.exe
    C:\Windows\{39A255E0-6052-422a-A9C4-22522840458D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe
      C:\Windows\{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
        
        C:\Windows\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
      - C:\Windows\{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
        
        C:\Windows\{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
        
        C:\Windows\{6124B61D-1157-4e88-A184-23EF13D340FA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
        
        C:\Windows\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe
        
        C:\Windows\{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
        
        C:\Windows\{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe
        
        C:\Windows\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\{69C73602-07BA-4375-B818-CE086149CAF8}.exe
        
        C:\Windows\{69C73602-07BA-4375-B818-CE086149CAF8}.exe
        12⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{699DD~1.EXE > nul
        12⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DAB7~1.EXE > nul
        11⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAA78~1.EXE > nul
        10⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44D6F~1.EXE > nul
        9⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6124B~1.EXE > nul
        8⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8260C~1.EXE > nul
        7⤵
        
        PID:3320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C168~1.EXE > nul
        6⤵
        
        PID:3520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{798F5~1.EXE > nul
        5⤵
        
        PID:5116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{39A25~1.EXE > nul
      4⤵
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5BC6B~1.EXE > nul
    3⤵
    PID:3908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2DAB7A87-204E-4de4-87F1-197374D41EA5}.exe

Filesize
372KB

MD5
0ce898710ba14bfec1eb58c415f40a45

SHA1
cbb003ffcfd0247f8832eb5f085c63227a2bba5d

SHA256
44ca6375bf24f1a7f9f8dc5a6993ed51239658ad7c135bf5f3a788a8b6d1f7ef

SHA512
5f42bdb2ffc09bbdf9a3e8842730965eead65f8923b6d014cef5366409822183811d6ec1f837ebd5a5ee9dfcddd8400ca8efe9f2ef33e3e8fdca8e20427e7551

Download Submit
C:\Windows\{39A255E0-6052-422a-A9C4-22522840458D}.exe

Filesize
372KB

MD5
b2b5be56df6d34317731565a5d78a68d

SHA1
c2bfb1c1e26c9fb0b556091a47950fe5aae539a5

SHA256
3a96543d8bd9ace265655c6809373da6627eb53361d44dd398d6f71cbb1fa66d

SHA512
ee6b08237174137b72c43cf12ad9601a5b2f04a4850bf9cead3f2ee8833e1cbf3924e82e12bdc1c8937202027fe79887477330dbf2fe4f789565dbb9c4aae17d

Download Submit
C:\Windows\{44D6FE23-8EED-4fce-95E4-98D17CA9625B}.exe

Filesize
372KB

MD5
eba808fc2cde011da5b997d85e11a2cc

SHA1
416c9dedb78818ac609999c0e17563ad51f6c6ad

SHA256
f3b76294c07b3e5e24951fe559bbbcc6416e9ea860b00ad50ca71975195366a4

SHA512
e593d9a88d881489da17a2d11cc260c314f9c201a3f6b6f28f8264b939edf385e608b30d3648ee5e6a7f8fc1ed07c600b47158cd4ac7643f0e2cbe3beb8be482

Download Submit
C:\Windows\{5BC6B50F-261E-4ce6-9BA3-7193D5A7CCC0}.exe

Filesize
372KB

MD5
d6f431c3ed3c15b53bba69840795ed2b

SHA1
e36e2887549159c75cb64f8cd0ee7fd97612921b

SHA256
1b644de365ad39766411e9e7d9c28ee2f30cd66dab8f115a0ed84c253fef23a0

SHA512
5ad9bc4006b82e748bca9a30ca66724d96cff02714b48f1688a40ac89718466352a1b53a0f1940301ee0b2d3e95d264706f6c3a98881c22a25448ceb277b7689

Download Submit
C:\Windows\{6124B61D-1157-4e88-A184-23EF13D340FA}.exe

Filesize
372KB

MD5
2c397c294e5e4a2bbcd2ea785a373868

SHA1
15adadb97a92072065ded96940726d1ea336a4bc

SHA256
983062767d1caa37c5fd0336fea73eae9ef27e67945b73e4b9b23c3ef8697b95

SHA512
7d96a2ae3b392d01781346641edc9a222e2f7f7dd582fa37406987d76305b109fee33eaf15419f28367ebe129ab7b6eaf14dd972ed48529394edc196cec623be

Download Submit
C:\Windows\{699DDEFC-A165-4fd5-AED6-82FF888F43E8}.exe

Filesize
372KB

MD5
f242e4fc839f0baa897d3c797b8fe32d

SHA1
c0e18f518ef4d7ab14fcb975cd7f0886aaecab4b

SHA256
73df5be888419529fa97a80d3c9756074f2fe5670a02bbd4d2d3f5919ec94aa4

SHA512
b7b3a09cf5993c9f368f050a0e7c6a44415a9c34c4d056b02c387e46e285a373962eabadf972600a6506db60d2f455164eeb38b8ba65951b8e9acd3f0c3b4cb6

Download Submit
C:\Windows\{69C73602-07BA-4375-B818-CE086149CAF8}.exe

Filesize
372KB

MD5
761332db0c7cffdfd87a657d97d0043b

SHA1
707dda524ee321544c67f52d746e18fc4d0bd901

SHA256
6149c4feb34dbc802d76d288b1995f39831d979224d3f2bc1c5b78f0d76d49d2

SHA512
0b858be199c81aa9b5bb00fe35400f555a88b4e199d10f6f6241bd0a643d8d69fe399900f3728e0a6a892ca57edb38edad75155c972c16b0d12eeda9a8949950

Download Submit
C:\Windows\{798F5A8B-E292-4bfc-8885-E512AA821F05}.exe

Filesize
372KB

MD5
94adaecb43fdb08b395a568c9d5396e7

SHA1
b73f40ccb9a0670919f79ca54d3e3d6c2d905ab9

SHA256
02ad9bcfb1015fb7ee3101b49902a53cc88c1a65e4f016623915a9b474df18ad

SHA512
f836761cad65b1c5dd15c9b41f2c6d2ff6e9da4bc665001c8223dd535207d3b9cf5118a224b8cbe9a793f503161cac62ff17e0648822690c64b7e00608061f7d

Download Submit
C:\Windows\{7C168ACD-3A82-4bc2-B051-BB07D52C92D7}.exe

Filesize
372KB

MD5
92c1c05491f57d2660fa9973d05377ed

SHA1
918be27dfb3166cc42c9cc4d2ad744112467d34a

SHA256
035a8aa3167586e8a882c5286ed92c0fd64540c976972f8099c175868527bb95

SHA512
54857fb836c9ceff22bdee77cb3a69ea90cfe894a9b1ed71e5b1edb2532174695a58d30f1a617a5667c3fd836f982c57be5ccd4d278ac42cdbab9090131d791e

Download Submit
C:\Windows\{8260C0C9-C0C7-4ca7-8442-B95187799896}.exe

Filesize
372KB

MD5
6c3b41cd9cc4a4852e58686ef9863ffb

SHA1
d2bcd7a708da08a1be74ece04cd9e08515c89459

SHA256
cabab38056b8ab9db5c14f166eca734955d3daac09b5f1eb67f5a60c8760c28c

SHA512
497348e46d4cd2347f8690d5485942b466c667da4b87b45bad89d70b85596c89d8003a908d270438ef5408af3a15b04ab5d147cb4be33382574c604f113c6292

Download Submit
C:\Windows\{DAA78C05-16E1-4448-BCE5-B234F6A17025}.exe

Filesize
372KB

MD5
c37963bee46dd9108102650ce167c8c6

SHA1
d05c0ba4aa701cabf8cdb0447176e56f40d4ad47

SHA256
b9455f1c963c56e830d29a2e1386ad332b9f18767d2451304c2bdcf8e0520dc2

SHA512
d6ba681fb3055c4ea37b01bd32d2edff7f68a8a558b66e714c48ca8379f66fec3ed32e6a98d9ee6da5d2d854f2ef581a26ef817a4b80754a83f6f3d33f522187

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads