a23602583b1c9700f9dc098b4b8fa70a29b59356f3d92e1550b0e10a258e8fde

Analysis

max time kernel
156s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe
Size

168KB
MD5

f973b94b171c96235f2f3c538dfd151a
SHA1

34a84f2d123c99a963e4eb47496299d5d15c3c1b
SHA256

a23602583b1c9700f9dc098b4b8fa70a29b59356f3d92e1550b0e10a258e8fde
SHA512

56026005cb2c0630b3ecb06a328b6be142ec2ce83e3b8b55ba845e0a53f3c9493123636500f78344ef6ad5429829f000653d64a1a97bcd6bd169e34d0ee20d9b
SSDEEP

1536:1EGh0o7lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o7lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022775-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023121-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002312c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023121-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002312c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12AE5D6C-D079-4698-A973-342547A6CF24}	{99F02D0E-3341-4c36-B816-9020AAB34771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12AE5D6C-D079-4698-A973-342547A6CF24}\stubpath = "C:\\Windows\\{12AE5D6C-D079-4698-A973-342547A6CF24}.exe"	{99F02D0E-3341-4c36-B816-9020AAB34771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D55E36EE-B52B-4ae3-BDFB-211DA02CF4B1}\stubpath = "C:\\Windows\\{D55E36EE-B52B-4ae3-BDFB-211DA02CF4B1}.exe"	{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9881102-AAF9-4416-BFC4-28B73A2F61C4}	2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C653E19-2283-44ab-B579-A4A1157B665C}\stubpath = "C:\\Windows\\{9C653E19-2283-44ab-B579-A4A1157B665C}.exe"	{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}	{9C653E19-2283-44ab-B579-A4A1157B665C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}\stubpath = "C:\\Windows\\{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe"	{9C653E19-2283-44ab-B579-A4A1157B665C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{228EB0C6-5BF1-460c-A967-19CA526963D1}\stubpath = "C:\\Windows\\{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe"	{12AE5D6C-D079-4698-A973-342547A6CF24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}\stubpath = "C:\\Windows\\{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe"	{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C653E19-2283-44ab-B579-A4A1157B665C}	{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99F02D0E-3341-4c36-B816-9020AAB34771}	{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99F02D0E-3341-4c36-B816-9020AAB34771}\stubpath = "C:\\Windows\\{99F02D0E-3341-4c36-B816-9020AAB34771}.exe"	{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}	{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562F71CB-21AC-4331-B923-DFA02A133B3E}	{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{562F71CB-21AC-4331-B923-DFA02A133B3E}\stubpath = "C:\\Windows\\{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe"	{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D55E36EE-B52B-4ae3-BDFB-211DA02CF4B1}	{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}\stubpath = "C:\\Windows\\{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe"	{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}	{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}	{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}\stubpath = "C:\\Windows\\{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe"	{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{228EB0C6-5BF1-460c-A967-19CA526963D1}	{12AE5D6C-D079-4698-A973-342547A6CF24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9881102-AAF9-4416-BFC4-28B73A2F61C4}\stubpath = "C:\\Windows\\{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe"	2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe

Executes dropped EXE 11 IoCs

pid	Process
1896	{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe
4008	{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe
2276	{9C653E19-2283-44ab-B579-A4A1157B665C}.exe
3760	{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe
2852	{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe
1348	{99F02D0E-3341-4c36-B816-9020AAB34771}.exe
2076	{12AE5D6C-D079-4698-A973-342547A6CF24}.exe
1968	{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe
2720	{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe
1960	{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe
3928	{D55E36EE-B52B-4ae3-BDFB-211DA02CF4B1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe	2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe
File created	C:\Windows\{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe	{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe
File created	C:\Windows\{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe	{9C653E19-2283-44ab-B579-A4A1157B665C}.exe
File created	C:\Windows\{99F02D0E-3341-4c36-B816-9020AAB34771}.exe	{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe
File created	C:\Windows\{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe	{12AE5D6C-D079-4698-A973-342547A6CF24}.exe
File created	C:\Windows\{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe	{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe
File created	C:\Windows\{9C653E19-2283-44ab-B579-A4A1157B665C}.exe	{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe
File created	C:\Windows\{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe	{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe
File created	C:\Windows\{12AE5D6C-D079-4698-A973-342547A6CF24}.exe	{99F02D0E-3341-4c36-B816-9020AAB34771}.exe
File created	C:\Windows\{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe	{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe
File created	C:\Windows\{D55E36EE-B52B-4ae3-BDFB-211DA02CF4B1}.exe	{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1032	2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1896	{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe
Token: SeIncBasePriorityPrivilege	4008	{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe
Token: SeIncBasePriorityPrivilege	2276	{9C653E19-2283-44ab-B579-A4A1157B665C}.exe
Token: SeIncBasePriorityPrivilege	3760	{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe
Token: SeIncBasePriorityPrivilege	2852	{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe
Token: SeIncBasePriorityPrivilege	1348	{99F02D0E-3341-4c36-B816-9020AAB34771}.exe
Token: SeIncBasePriorityPrivilege	2076	{12AE5D6C-D079-4698-A973-342547A6CF24}.exe
Token: SeIncBasePriorityPrivilege	1968	{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe
Token: SeIncBasePriorityPrivilege	2720	{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe
Token: SeIncBasePriorityPrivilege	1960	{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1896	1032	2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe	89
PID 1032 wrote to memory of 1896	1032	2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe	89
PID 1032 wrote to memory of 1896	1032	2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe	89
PID 1032 wrote to memory of 4428	1032	2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe	90
PID 1032 wrote to memory of 4428	1032	2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe	90
PID 1032 wrote to memory of 4428	1032	2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe	90
PID 1896 wrote to memory of 4008	1896	{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe	97
PID 1896 wrote to memory of 4008	1896	{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe	97
PID 1896 wrote to memory of 4008	1896	{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe	97
PID 1896 wrote to memory of 1624	1896	{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe	98
PID 1896 wrote to memory of 1624	1896	{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe	98
PID 1896 wrote to memory of 1624	1896	{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe	98
PID 4008 wrote to memory of 2276	4008	{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe	101
PID 4008 wrote to memory of 2276	4008	{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe	101
PID 4008 wrote to memory of 2276	4008	{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe	101
PID 4008 wrote to memory of 808	4008	{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe	102
PID 4008 wrote to memory of 808	4008	{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe	102
PID 4008 wrote to memory of 808	4008	{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe	102
PID 2276 wrote to memory of 3760	2276	{9C653E19-2283-44ab-B579-A4A1157B665C}.exe	103
PID 2276 wrote to memory of 3760	2276	{9C653E19-2283-44ab-B579-A4A1157B665C}.exe	103
PID 2276 wrote to memory of 3760	2276	{9C653E19-2283-44ab-B579-A4A1157B665C}.exe	103
PID 2276 wrote to memory of 1500	2276	{9C653E19-2283-44ab-B579-A4A1157B665C}.exe	104
PID 2276 wrote to memory of 1500	2276	{9C653E19-2283-44ab-B579-A4A1157B665C}.exe	104
PID 2276 wrote to memory of 1500	2276	{9C653E19-2283-44ab-B579-A4A1157B665C}.exe	104
PID 3760 wrote to memory of 2852	3760	{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe	105
PID 3760 wrote to memory of 2852	3760	{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe	105
PID 3760 wrote to memory of 2852	3760	{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe	105
PID 3760 wrote to memory of 4452	3760	{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe	106
PID 3760 wrote to memory of 4452	3760	{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe	106
PID 3760 wrote to memory of 4452	3760	{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe	106
PID 2852 wrote to memory of 1348	2852	{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe	107
PID 2852 wrote to memory of 1348	2852	{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe	107
PID 2852 wrote to memory of 1348	2852	{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe	107
PID 2852 wrote to memory of 1132	2852	{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe	108
PID 2852 wrote to memory of 1132	2852	{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe	108
PID 2852 wrote to memory of 1132	2852	{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe	108
PID 1348 wrote to memory of 2076	1348	{99F02D0E-3341-4c36-B816-9020AAB34771}.exe	109
PID 1348 wrote to memory of 2076	1348	{99F02D0E-3341-4c36-B816-9020AAB34771}.exe	109
PID 1348 wrote to memory of 2076	1348	{99F02D0E-3341-4c36-B816-9020AAB34771}.exe	109
PID 1348 wrote to memory of 1716	1348	{99F02D0E-3341-4c36-B816-9020AAB34771}.exe	110
PID 1348 wrote to memory of 1716	1348	{99F02D0E-3341-4c36-B816-9020AAB34771}.exe	110
PID 1348 wrote to memory of 1716	1348	{99F02D0E-3341-4c36-B816-9020AAB34771}.exe	110
PID 2076 wrote to memory of 1968	2076	{12AE5D6C-D079-4698-A973-342547A6CF24}.exe	111
PID 2076 wrote to memory of 1968	2076	{12AE5D6C-D079-4698-A973-342547A6CF24}.exe	111
PID 2076 wrote to memory of 1968	2076	{12AE5D6C-D079-4698-A973-342547A6CF24}.exe	111
PID 2076 wrote to memory of 1072	2076	{12AE5D6C-D079-4698-A973-342547A6CF24}.exe	112
PID 2076 wrote to memory of 1072	2076	{12AE5D6C-D079-4698-A973-342547A6CF24}.exe	112
PID 2076 wrote to memory of 1072	2076	{12AE5D6C-D079-4698-A973-342547A6CF24}.exe	112
PID 1968 wrote to memory of 2720	1968	{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe	113
PID 1968 wrote to memory of 2720	1968	{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe	113
PID 1968 wrote to memory of 2720	1968	{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe	113
PID 1968 wrote to memory of 2844	1968	{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe	114
PID 1968 wrote to memory of 2844	1968	{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe	114
PID 1968 wrote to memory of 2844	1968	{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe	114
PID 2720 wrote to memory of 1960	2720	{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe	115
PID 2720 wrote to memory of 1960	2720	{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe	115
PID 2720 wrote to memory of 1960	2720	{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe	115
PID 2720 wrote to memory of 836	2720	{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe	116
PID 2720 wrote to memory of 836	2720	{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe	116
PID 2720 wrote to memory of 836	2720	{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe	116
PID 1960 wrote to memory of 3928	1960	{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe	117
PID 1960 wrote to memory of 3928	1960	{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe	117
PID 1960 wrote to memory of 3928	1960	{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe	117
PID 1960 wrote to memory of 1404	1960	{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-27_f973b94b171c96235f2f3c538dfd151a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe
  C:\Windows\{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe
    C:\Windows\{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\{9C653E19-2283-44ab-B579-A4A1157B665C}.exe
      C:\Windows\{9C653E19-2283-44ab-B579-A4A1157B665C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Windows\{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe
        
        C:\Windows\{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3760
      - C:\Windows\{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe
        
        C:\Windows\{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{99F02D0E-3341-4c36-B816-9020AAB34771}.exe
        
        C:\Windows\{99F02D0E-3341-4c36-B816-9020AAB34771}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\{12AE5D6C-D079-4698-A973-342547A6CF24}.exe
        
        C:\Windows\{12AE5D6C-D079-4698-A973-342547A6CF24}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe
        
        C:\Windows\{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe
        
        C:\Windows\{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe
        
        C:\Windows\{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\{D55E36EE-B52B-4ae3-BDFB-211DA02CF4B1}.exe
        
        C:\Windows\{D55E36EE-B52B-4ae3-BDFB-211DA02CF4B1}.exe
        12⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{562F7~1.EXE > nul
        12⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4A5F~1.EXE > nul
        11⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{228EB~1.EXE > nul
        10⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12AE5~1.EXE > nul
        9⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99F02~1.EXE > nul
        8⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB0CC~1.EXE > nul
        7⤵
        
        PID:1132
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84FBF~1.EXE > nul
        6⤵
        
        PID:4452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C653~1.EXE > nul
        5⤵
        
        PID:1500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CD3A9~1.EXE > nul
      4⤵
      PID:808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F9881~1.EXE > nul
    3⤵
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12AE5D6C-D079-4698-A973-342547A6CF24}.exe

Filesize
168KB

MD5
cb45e10841742c58409a8c6bc9c5e0e8

SHA1
b8797691ffb5cf43286a12f5303f2c0db44fc4cc

SHA256
10278967d3a440e1ec2400211c9f50bf68659fce0e5c414a3f4b804ac0eea15a

SHA512
988cea35c2b416bae05f6a933e1f7d5e4ac26004e555939303b08164c594293a0f7188418f570b1ff74bbdbf05c1dad523aa36415c8c7451f4dc59f0d8fe95fe

Download Submit
C:\Windows\{228EB0C6-5BF1-460c-A967-19CA526963D1}.exe

Filesize
168KB

MD5
d36d5c9c7d7eacced0e3089f5f20b647

SHA1
7a11a984e1c8d0a11ee89ca9febe27ae954cb02c

SHA256
96d49cee2fe65dcc4b48a635d3fecbfb17cff9c9a4f822d83e6f35b82f4a5c24

SHA512
c8d9c1117780acbcc99d14d554f0a47c3467defe1fffdedf11c1d5ede1dd04b5c7d408dc5c730791d4da452d4efbf42908a6056397a7fc81fb8b318d9e9401bd

Download Submit
C:\Windows\{562F71CB-21AC-4331-B923-DFA02A133B3E}.exe

Filesize
168KB

MD5
615ce153c896b430cdd1d81bfba48117

SHA1
2af91963ac5b92d59da9b1c567075249b5886144

SHA256
2c9a3884bc805c0ccdbe12c464eea883cd9ba0b0ef4b9a7f341caa33abe977e2

SHA512
6bc63433ff9b0986afd3ae38736199ac73b745f1a80eab8840358cd60e57e68118286074e2b1d09c4722fa8c47ef9d769b84be40f31bd0210acc16a5e4661be3

Download Submit
C:\Windows\{84FBF5D6-5DCF-4f37-AF2E-10A3C83484FD}.exe

Filesize
168KB

MD5
2e1e916031890b2b8e0764ac87069464

SHA1
08c488db9a4cd70c98ab35b9bfe9ca966b6b7231

SHA256
00e7804f474aa3c6cc6158148a3fb90e19744b0dde15290ca75dbe44cf54bb05

SHA512
6a9f13f922fdf053fe9ad421476e8dab8224ff02f0ff4a1255afbd96f3719e970bd59029734a2e1e075047c2b911f85d5f3cd1ec3bf6edd435b216763e459f58

Download Submit
C:\Windows\{99F02D0E-3341-4c36-B816-9020AAB34771}.exe

Filesize
168KB

MD5
25a6cd0b1559be0b7526bdc87aed4eda

SHA1
42b500b4c988562f9df6577bcb205125fdc160d9

SHA256
c17bc1da826bd208800deac3160fce6d94c30eaa5007ad9b55fd013d08ef0ae0

SHA512
d6c067886573d14eb8335702332861b44b58249c9188a5ebbcc898bc1ab82b0ccad22a400f4100c82b3d3fc0dd6b9140f81579df6695664884c2f6896e17e180

Download Submit
C:\Windows\{9C653E19-2283-44ab-B579-A4A1157B665C}.exe

Filesize
168KB

MD5
7035b3f17d593c927587bf0fcc0bf46a

SHA1
ece97cce1a343a5a0b72ee028eba2308efcdee6b

SHA256
219e9112732f750e8ed4c63c6cfbafb35bc56168d57b49a77a3247139fa59a6a

SHA512
7e9ab38257bc5821eeff49830a7c740c358337f4f0764fb1734fb3a1bbd08037b716019c5d1e141717431e4bfd2ffadb7f8507cd77a77696faaa8bf766846fb5

Download Submit
C:\Windows\{CD3A96C3-9F2E-433e-AC1E-FF09CA42B58A}.exe

Filesize
168KB

MD5
ac0a34266eb4827f68b927e516bb3cc2

SHA1
a28b4612dee182bbde26b1865275c236e1404cd1

SHA256
f92396016669f16c5cbcec7e498a37c45fa45223d12c9991fa9da67d5c77a5c5

SHA512
76e96aaee9f4b828566145acb23d1f48c27f54095d25da81d66a7745d1b9c76647e934e6978de9fd4f3f6e0f34b0a8f79800c15daeecbab05b072db2ef461a82

Download Submit
C:\Windows\{D55E36EE-B52B-4ae3-BDFB-211DA02CF4B1}.exe

Filesize
168KB

MD5
f214a036145d34cf945cf554a1f27072

SHA1
e5a9be735909f3b844e47250b2e3022cf96cea87

SHA256
f7e5a46c3f0467eccda588c6574a90e342ca3f126d39b370eaa9b7cfb79a8521

SHA512
bef2dbab84a26ff8400dad12961bfc8dc10ccd12cb190f4f50650afc0019318921bf3c66f3ffa7f2eb11cee8555f067d2ffddb1bdcae9f7471dcb7a51c203e4b

Download Submit
C:\Windows\{E4A5FA02-6263-40f8-B449-CCEE602B5E0E}.exe

Filesize
168KB

MD5
6faa65fa89d1fbc43af4f3450ceb1bd4

SHA1
14ecb12c6dfeb1f57cb3b926dab35e216c0f64fe

SHA256
c555f7c51e8dee26fdd7f40a2fe07e81f3a8e3892a99fc5c0e1bbc2b76c1c68f

SHA512
f44ff01ff01b53e60674773bdc2c672ce801489f4683288cfc2439aaa906b3c5b2612fabea9ddd1dd14ffa1460aead635f418901736fb806c691c6e900055b19

Download Submit
C:\Windows\{EB0CC80C-3B26-4b61-92E6-19B5B02FF2E2}.exe

Filesize
168KB

MD5
345c4f56dae55373ebb3147089c1efc4

SHA1
618f3d266d154adf37b6a76dee66c40642f4186d

SHA256
7f34ae8d8bd4816baf2f261ac0f4254020dbe71ac02796158bc1f687f5f8867b

SHA512
22302609b4e0d3c77cf744aea73ef490e64ccad90a9ce67af115732a1ac88d9318618bccc506612fd08d7632ca75c53a15f1acfefee9c14cfec128164ea394c2

Download Submit
C:\Windows\{F9881102-AAF9-4416-BFC4-28B73A2F61C4}.exe

Filesize
168KB

MD5
5165bd26356e1155681a64649e277b28

SHA1
8c9acf3ca842ce61074f5f103b77e56c3e5a9e07

SHA256
6337b5cee7936f49d138dd0d5a106926b88cf83b679f4daf58bedeec1ee717c6

SHA512
fb32df455a3fa46e014f7e7c1e626a9090fe84eabfdeaf06bee226fc3486c7ccba5c6448e3d4818ef8dca2a2bc4d617e8fbc73144b538906b5f985af9bc1b1f3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads