3b7fe1a1741bb0a552792ca843a2163837ddb85efd1fa696ac55573465d8efa8

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 21:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe
Size

168KB
MD5

68f6c8a3298d159d4c69229b9734330c
SHA1

6ef316ac15274219ee6268eb628309bf45be0f5c
SHA256

3b7fe1a1741bb0a552792ca843a2163837ddb85efd1fa696ac55573465d8efa8
SHA512

dd86f8cba90beaf1abbf3a06ea737779ad495a0b4f85d874ee348cd29594325ec3486a13ae61b19d6338dc9b284ab23cef99e40d17c3362332b9a49b3425cff2
SSDEEP

1536:1EGh0oIlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oIlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023020-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023139-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002313c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023139-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002313c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E710364-B061-4446-977A-80B3F51FD927}\stubpath = "C:\\Windows\\{0E710364-B061-4446-977A-80B3F51FD927}.exe"	{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19072492-D670-4f4e-8D4A-00FFD249F63B}	{0E710364-B061-4446-977A-80B3F51FD927}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8301C4A-489D-4355-91E6-06D78A0DA7F1}	{8F055C54-F599-4ccd-9148-2C69A8928710}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}\stubpath = "C:\\Windows\\{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe"	{99E96886-94A6-4f16-A0CE-E618345E8149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4BEC9B3-0799-41dc-83F3-1B83775353E7}	{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99E96886-94A6-4f16-A0CE-E618345E8149}\stubpath = "C:\\Windows\\{99E96886-94A6-4f16-A0CE-E618345E8149}.exe"	{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4BEC9B3-0799-41dc-83F3-1B83775353E7}\stubpath = "C:\\Windows\\{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe"	{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8613706F-6DC0-49f3-B00B-AADDCDD72765}	{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E710364-B061-4446-977A-80B3F51FD927}	{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F055C54-F599-4ccd-9148-2C69A8928710}\stubpath = "C:\\Windows\\{8F055C54-F599-4ccd-9148-2C69A8928710}.exe"	{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8301C4A-489D-4355-91E6-06D78A0DA7F1}\stubpath = "C:\\Windows\\{D8301C4A-489D-4355-91E6-06D78A0DA7F1}.exe"	{8F055C54-F599-4ccd-9148-2C69A8928710}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}\stubpath = "C:\\Windows\\{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe"	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99E96886-94A6-4f16-A0CE-E618345E8149}	{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8613706F-6DC0-49f3-B00B-AADDCDD72765}\stubpath = "C:\\Windows\\{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe"	{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F236B066-6FBF-4e13-BC91-5E7F28EFA602}\stubpath = "C:\\Windows\\{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe"	{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19072492-D670-4f4e-8D4A-00FFD249F63B}\stubpath = "C:\\Windows\\{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe"	{0E710364-B061-4446-977A-80B3F51FD927}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DF02A58-6C3E-44da-8330-A9A4A361EE35}	{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DF02A58-6C3E-44da-8330-A9A4A361EE35}\stubpath = "C:\\Windows\\{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe"	{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F055C54-F599-4ccd-9148-2C69A8928710}	{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}	{99E96886-94A6-4f16-A0CE-E618345E8149}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F236B066-6FBF-4e13-BC91-5E7F28EFA602}	{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe

Executes dropped EXE 11 IoCs

pid	Process
3748	{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe
1232	{99E96886-94A6-4f16-A0CE-E618345E8149}.exe
1064	{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe
4900	{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe
3712	{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe
1056	{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe
4468	{0E710364-B061-4446-977A-80B3F51FD927}.exe
2256	{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe
1996	{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe
4840	{8F055C54-F599-4ccd-9148-2C69A8928710}.exe
2092	{D8301C4A-489D-4355-91E6-06D78A0DA7F1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{99E96886-94A6-4f16-A0CE-E618345E8149}.exe	{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe
File created	C:\Windows\{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe	{99E96886-94A6-4f16-A0CE-E618345E8149}.exe
File created	C:\Windows\{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe	{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe
File created	C:\Windows\{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe	{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe
File created	C:\Windows\{0E710364-B061-4446-977A-80B3F51FD927}.exe	{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe
File created	C:\Windows\{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe	{0E710364-B061-4446-977A-80B3F51FD927}.exe
File created	C:\Windows\{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe	{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe
File created	C:\Windows\{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe
File created	C:\Windows\{D8301C4A-489D-4355-91E6-06D78A0DA7F1}.exe	{8F055C54-F599-4ccd-9148-2C69A8928710}.exe
File created	C:\Windows\{8F055C54-F599-4ccd-9148-2C69A8928710}.exe	{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe
File created	C:\Windows\{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe	{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	760	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3748	{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe
Token: SeIncBasePriorityPrivilege	1232	{99E96886-94A6-4f16-A0CE-E618345E8149}.exe
Token: SeIncBasePriorityPrivilege	1064	{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe
Token: SeIncBasePriorityPrivilege	4900	{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe
Token: SeIncBasePriorityPrivilege	3712	{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe
Token: SeIncBasePriorityPrivilege	1056	{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe
Token: SeIncBasePriorityPrivilege	4468	{0E710364-B061-4446-977A-80B3F51FD927}.exe
Token: SeIncBasePriorityPrivilege	2256	{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe
Token: SeIncBasePriorityPrivilege	1996	{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe
Token: SeIncBasePriorityPrivilege	4840	{8F055C54-F599-4ccd-9148-2C69A8928710}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 3748	760	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	90
PID 760 wrote to memory of 3748	760	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	90
PID 760 wrote to memory of 3748	760	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	90
PID 760 wrote to memory of 4220	760	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	92
PID 760 wrote to memory of 4220	760	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	92
PID 760 wrote to memory of 4220	760	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	92
PID 3748 wrote to memory of 1232	3748	{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe	98
PID 3748 wrote to memory of 1232	3748	{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe	98
PID 3748 wrote to memory of 1232	3748	{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe	98
PID 3748 wrote to memory of 1068	3748	{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe	99
PID 3748 wrote to memory of 1068	3748	{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe	99
PID 3748 wrote to memory of 1068	3748	{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe	99
PID 1232 wrote to memory of 1064	1232	{99E96886-94A6-4f16-A0CE-E618345E8149}.exe	101
PID 1232 wrote to memory of 1064	1232	{99E96886-94A6-4f16-A0CE-E618345E8149}.exe	101
PID 1232 wrote to memory of 1064	1232	{99E96886-94A6-4f16-A0CE-E618345E8149}.exe	101
PID 1232 wrote to memory of 4092	1232	{99E96886-94A6-4f16-A0CE-E618345E8149}.exe	100
PID 1232 wrote to memory of 4092	1232	{99E96886-94A6-4f16-A0CE-E618345E8149}.exe	100
PID 1232 wrote to memory of 4092	1232	{99E96886-94A6-4f16-A0CE-E618345E8149}.exe	100
PID 1064 wrote to memory of 4900	1064	{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe	102
PID 1064 wrote to memory of 4900	1064	{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe	102
PID 1064 wrote to memory of 4900	1064	{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe	102
PID 1064 wrote to memory of 3960	1064	{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe	103
PID 1064 wrote to memory of 3960	1064	{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe	103
PID 1064 wrote to memory of 3960	1064	{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe	103
PID 4900 wrote to memory of 3712	4900	{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe	104
PID 4900 wrote to memory of 3712	4900	{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe	104
PID 4900 wrote to memory of 3712	4900	{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe	104
PID 4900 wrote to memory of 4696	4900	{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe	105
PID 4900 wrote to memory of 4696	4900	{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe	105
PID 4900 wrote to memory of 4696	4900	{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe	105
PID 3712 wrote to memory of 1056	3712	{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe	106
PID 3712 wrote to memory of 1056	3712	{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe	106
PID 3712 wrote to memory of 1056	3712	{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe	106
PID 3712 wrote to memory of 4908	3712	{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe	107
PID 3712 wrote to memory of 4908	3712	{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe	107
PID 3712 wrote to memory of 4908	3712	{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe	107
PID 1056 wrote to memory of 4468	1056	{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe	108
PID 1056 wrote to memory of 4468	1056	{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe	108
PID 1056 wrote to memory of 4468	1056	{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe	108
PID 1056 wrote to memory of 4348	1056	{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe	109
PID 1056 wrote to memory of 4348	1056	{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe	109
PID 1056 wrote to memory of 4348	1056	{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe	109
PID 4468 wrote to memory of 2256	4468	{0E710364-B061-4446-977A-80B3F51FD927}.exe	110
PID 4468 wrote to memory of 2256	4468	{0E710364-B061-4446-977A-80B3F51FD927}.exe	110
PID 4468 wrote to memory of 2256	4468	{0E710364-B061-4446-977A-80B3F51FD927}.exe	110
PID 4468 wrote to memory of 1568	4468	{0E710364-B061-4446-977A-80B3F51FD927}.exe	111
PID 4468 wrote to memory of 1568	4468	{0E710364-B061-4446-977A-80B3F51FD927}.exe	111
PID 4468 wrote to memory of 1568	4468	{0E710364-B061-4446-977A-80B3F51FD927}.exe	111
PID 2256 wrote to memory of 1996	2256	{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe	112
PID 2256 wrote to memory of 1996	2256	{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe	112
PID 2256 wrote to memory of 1996	2256	{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe	112
PID 2256 wrote to memory of 2872	2256	{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe	113
PID 2256 wrote to memory of 2872	2256	{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe	113
PID 2256 wrote to memory of 2872	2256	{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe	113
PID 1996 wrote to memory of 4840	1996	{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe	114
PID 1996 wrote to memory of 4840	1996	{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe	114
PID 1996 wrote to memory of 4840	1996	{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe	114
PID 1996 wrote to memory of 1340	1996	{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe	115
PID 1996 wrote to memory of 1340	1996	{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe	115
PID 1996 wrote to memory of 1340	1996	{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe	115
PID 4840 wrote to memory of 2092	4840	{8F055C54-F599-4ccd-9148-2C69A8928710}.exe	116
PID 4840 wrote to memory of 2092	4840	{8F055C54-F599-4ccd-9148-2C69A8928710}.exe	116
PID 4840 wrote to memory of 2092	4840	{8F055C54-F599-4ccd-9148-2C69A8928710}.exe	116
PID 4840 wrote to memory of 4460	4840	{8F055C54-F599-4ccd-9148-2C69A8928710}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe
  C:\Windows\{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\{99E96886-94A6-4f16-A0CE-E618345E8149}.exe
    C:\Windows\{99E96886-94A6-4f16-A0CE-E618345E8149}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{99E96~1.EXE > nul
      4⤵
      PID:4092
  - - C:\Windows\{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe
      C:\Windows\{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe
        
        C:\Windows\{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe
        
        C:\Windows\{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe
        
        C:\Windows\{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\{0E710364-B061-4446-977A-80B3F51FD927}.exe
        
        C:\Windows\{0E710364-B061-4446-977A-80B3F51FD927}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe
        
        C:\Windows\{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe
        
        C:\Windows\{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{8F055C54-F599-4ccd-9148-2C69A8928710}.exe
        
        C:\Windows\{8F055C54-F599-4ccd-9148-2C69A8928710}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\{D8301C4A-489D-4355-91E6-06D78A0DA7F1}.exe
        
        C:\Windows\{D8301C4A-489D-4355-91E6-06D78A0DA7F1}.exe
        12⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F055~1.EXE > nul
        12⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DF02~1.EXE > nul
        11⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19072~1.EXE > nul
        10⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E710~1.EXE > nul
        9⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86137~1.EXE > nul
        8⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F236B~1.EXE > nul
        7⤵
        
        PID:4908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4BEC~1.EXE > nul
        6⤵
        
        PID:4696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8EB5~1.EXE > nul
        5⤵
        
        PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6B05A~1.EXE > nul
    3⤵
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E710364-B061-4446-977A-80B3F51FD927}.exe

Filesize
168KB

MD5
460e079d09a122ee42b4af5fd9dcf114

SHA1
19c6065a89de0647d42b41c4ee7aaa599be09b17

SHA256
785dcb1fa89607eb00341a88302890202f474431d07b807fbb50222bc0efeefb

SHA512
a5cf6b5ff343e45d715b4a648315437ff83d8e2a2e3ed3b4453e284e99eddfee681ea06c9c1a7fc2ce5926ee8e306fa9fd4a869d13ee549ec616219fbabf4055

Download Submit
C:\Windows\{19072492-D670-4f4e-8D4A-00FFD249F63B}.exe

Filesize
168KB

MD5
50ff136337fe0d7551ce5d20b98bccf4

SHA1
460207f3f884fd3137dc79effd888bfd8aed0527

SHA256
ba437dc4b95ca6e63d9fd8d5aaae24d9bf4b2ab00bd58358b3edfbd33829fef7

SHA512
18a396f4f533343474c25fe61c8fa02ffec8f5e17e5cf09570257f2ce4585966a08c04c3bc0d59297ecd52e1a94dd1932b296b88f45e0d6d28f44d0887bc33e4

Download Submit
C:\Windows\{5DF02A58-6C3E-44da-8330-A9A4A361EE35}.exe

Filesize
168KB

MD5
f7acf2a42aa20b320f3ac3b0db6929ce

SHA1
c99a99cdea886e3ec8e469aa6869c328dd191489

SHA256
04579f26e7e2c1576151385261d1324aab524c937276351a5de39e0443ee8bc1

SHA512
96dc66b115c1f5f415f584feca44eaed7cc8224ed4c6090dba4cb3277c62fc9ba7869e2fbcf7043decec9b99124c7d8e96bf90ed4724abd132602c7ec2473bb2

Download Submit
C:\Windows\{6B05AA6B-675C-4e32-A9EE-4F8CD3055666}.exe

Filesize
168KB

MD5
63f236523e6f09fc66f62998dea9d1c6

SHA1
d543d587bb81b4b20d04f5d0489cd58fbf97a321

SHA256
a32a270ea465ba516aab96c68c145e86992501f9e25e749195b39089b8fa0c8c

SHA512
330a895c360f5f85267856c6881acfcb435542169ee4124052e2f8be31698d2fae09b6405b9262dfcba8c8445ffd88688d6e9e183808dbc284b3e4383d0f039b

Download Submit
C:\Windows\{8613706F-6DC0-49f3-B00B-AADDCDD72765}.exe

Filesize
168KB

MD5
85cadd5c0170158b86b6e675101e21f1

SHA1
aa326b51ad8c860bab094222cbf60637a716ebd1

SHA256
dc3bc1f03d154622fe607ca04d837c938888ae5e2e6999abe19d6d7aa6f2f8ce

SHA512
96d647de75cf2b862ba599c84495fe571fc394d9ed06fcfa1c132e8115525f37db3d213b3b8b47ece4c90a5b149b88499b372e0b7d8016a4bf8c2056445f9860

Download Submit
C:\Windows\{8F055C54-F599-4ccd-9148-2C69A8928710}.exe

Filesize
168KB

MD5
ceca2df7d756c6e5591ea9877aebdff5

SHA1
52eeb438512f6275a9a0c7eafb2e4d5231db087c

SHA256
88f99670d3e1dfc865438aa58ae1bbe0e5013fa0c379ae27feb1ea5037dc146f

SHA512
d4c34b67ecfc28b6ffee77a90e9a8c951941ee3d6e91dd58f74e51dfb10c9e820b399f389bb57ed071259b33985be41721e507f5227274300781fa3c6f24733f

Download Submit
C:\Windows\{99E96886-94A6-4f16-A0CE-E618345E8149}.exe

Filesize
168KB

MD5
8f0dc21f98a1fb85c5b23b638e3aa90a

SHA1
fc2d4280b07f940b2e1732583683094e9f18dde9

SHA256
402ad8879e9584c3a58fa58cb6334ad3f2bbcf55a2ac9b6637dcd8c92d4b18fa

SHA512
90ec0f5891311420949e104f8d013d69bc4e18a54728d83938d8523209f3a02e5a31a6adb47b6b6ae90a36241fba8348d87bb95e33380d3fc6878902023e2df1

Download Submit
C:\Windows\{B4BEC9B3-0799-41dc-83F3-1B83775353E7}.exe

Filesize
168KB

MD5
b9978df5430f558af679d0372f710b74

SHA1
3a9403cad2ce30b5a44cec72b19ffc0748cfbe94

SHA256
3bd8aebe52fc75529db11c8bbaf58265ae407c1d4320c56c9825236c410bf445

SHA512
efba8c5a0c8eb0aa4506a6f369f567a285db1c65ddb1fd758d7af7a4a9fb72f003565ba5bd1261333f3f46d6164997eec49a765fbee01e2ade0beae01f8b2d0e

Download Submit
C:\Windows\{D8301C4A-489D-4355-91E6-06D78A0DA7F1}.exe

Filesize
168KB

MD5
5677f88d0c16274f61e6fe02220259b5

SHA1
eadb987382ece10a274fde544be95dbe228e4bfc

SHA256
bce1a9f4fae20c27dce368a0515c889abde913865bff1f9ecb6a73e7c9458829

SHA512
0eaf1aa764481f100fd79c39993aa166f151ee6923cb9469c2498a17d9142219eb8ee24bdd4fa1c04cd6916e9235107b43c02bcd6fd23608bda94b034a431fa8

Download Submit
C:\Windows\{D8EB5559-DFA2-4ca2-9D13-EB65BF3B9AA5}.exe

Filesize
168KB

MD5
72c37d6178bd3517322a6ba1cbbb9a9e

SHA1
444b558d862dfa9960100d7b68f6afca9a6d2c5d

SHA256
d2161f9be2e001c5f47c8aa477520eb4bd1accc5080b1b311bb2f6abf67d7fa6

SHA512
7d23779e63bfb599da14f74c480c11876dd82649861f151b3ca7aabf502a9f697e404fb49abc5bc3faee36b59fc4191b524b1bf0154ce2d8236ca79c95bdc4df

Download Submit
C:\Windows\{F236B066-6FBF-4e13-BC91-5E7F28EFA602}.exe

Filesize
168KB

MD5
e7833e58a77955af2d23fb5d23e9b4e8

SHA1
28f71902f8b866ac7e3e10c2c98968cdc8b00681

SHA256
baa2843c0efa0891a59e248ceb333f9792a76d668ea1a1edd2bf68c87a1488c0

SHA512
e6cf1b8e13e9ba33d9179c613c2297386c3c14bac2c7f79e31cad90c1a2ec1244bacc1f268657b6a7ce24e35e75e22fdb40ab9b6a86e46563a3ff2162fc94e2b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads