f90c597f8ade60d134d57eff5ce1a4c7a78e1a09373031da29fb64520880f30f

Analysis

max time kernel
149s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 04:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe
Size

192KB
MD5

ef45d5fa96f0c68102c991f1ea7afa15
SHA1

98533540fa2a74fefd400244ea643a28ef29c522
SHA256

f90c597f8ade60d134d57eff5ce1a4c7a78e1a09373031da29fb64520880f30f
SHA512

4a5fd67c44c8358726494d09d1398268d67d92bbd2bdcdf80b7172cdfafe0fac9840e5f6290f9e018dd183e16525e1538fdb413b63f7150291ba6e3ef86bcc2c
SSDEEP

1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oxl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x001800000001e590-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000001e5cf-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001ea38-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000001e5cf-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e50e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e50f-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e50e-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15979193-C696-4fba-86B2-FDDDAC31761F}\stubpath = "C:\\Windows\\{15979193-C696-4fba-86B2-FDDDAC31761F}.exe"	{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{390075A5-71FC-467c-907F-535874258729}	{15979193-C696-4fba-86B2-FDDDAC31761F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50A4FC00-E389-4c19-9050-DAD541B764EB}	{390075A5-71FC-467c-907F-535874258729}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAC5197E-15D6-472c-B1D1-DFB5D7BA19C7}	{C795F5A1-D073-4f53-882C-D5E58A4D21D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}\stubpath = "C:\\Windows\\{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe"	{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B492FFA-07EA-4092-B263-E0EE592CE415}	{FFF23800-99FC-4637-A842-2AD52C34D441}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}	{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1977436-7F97-4fb4-9593-E944F925B889}	{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C795F5A1-D073-4f53-882C-D5E58A4D21D2}	{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B040E036-F1A3-4c08-8F1D-71050D1113AB}\stubpath = "C:\\Windows\\{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe"	2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFF23800-99FC-4637-A842-2AD52C34D441}\stubpath = "C:\\Windows\\{FFF23800-99FC-4637-A842-2AD52C34D441}.exe"	{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}\stubpath = "C:\\Windows\\{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe"	{B1977436-7F97-4fb4-9593-E944F925B889}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{390075A5-71FC-467c-907F-535874258729}\stubpath = "C:\\Windows\\{390075A5-71FC-467c-907F-535874258729}.exe"	{15979193-C696-4fba-86B2-FDDDAC31761F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1977436-7F97-4fb4-9593-E944F925B889}\stubpath = "C:\\Windows\\{B1977436-7F97-4fb4-9593-E944F925B889}.exe"	{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50A4FC00-E389-4c19-9050-DAD541B764EB}\stubpath = "C:\\Windows\\{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe"	{390075A5-71FC-467c-907F-535874258729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAC5197E-15D6-472c-B1D1-DFB5D7BA19C7}\stubpath = "C:\\Windows\\{CAC5197E-15D6-472c-B1D1-DFB5D7BA19C7}.exe"	{C795F5A1-D073-4f53-882C-D5E58A4D21D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B040E036-F1A3-4c08-8F1D-71050D1113AB}	2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}	{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFF23800-99FC-4637-A842-2AD52C34D441}	{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B492FFA-07EA-4092-B263-E0EE592CE415}\stubpath = "C:\\Windows\\{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe"	{FFF23800-99FC-4637-A842-2AD52C34D441}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}\stubpath = "C:\\Windows\\{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe"	{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}	{B1977436-7F97-4fb4-9593-E944F925B889}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15979193-C696-4fba-86B2-FDDDAC31761F}	{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C795F5A1-D073-4f53-882C-D5E58A4D21D2}\stubpath = "C:\\Windows\\{C795F5A1-D073-4f53-882C-D5E58A4D21D2}.exe"	{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe

Executes dropped EXE 11 IoCs

pid	Process
1704	{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe
4712	{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe
2788	{FFF23800-99FC-4637-A842-2AD52C34D441}.exe
1804	{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe
544	{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe
2184	{B1977436-7F97-4fb4-9593-E944F925B889}.exe
3676	{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe
3056	{15979193-C696-4fba-86B2-FDDDAC31761F}.exe
4920	{390075A5-71FC-467c-907F-535874258729}.exe
2672	{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe
2972	{C795F5A1-D073-4f53-882C-D5E58A4D21D2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FFF23800-99FC-4637-A842-2AD52C34D441}.exe	{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe
File created	C:\Windows\{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe	{FFF23800-99FC-4637-A842-2AD52C34D441}.exe
File created	C:\Windows\{B1977436-7F97-4fb4-9593-E944F925B889}.exe	{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe
File created	C:\Windows\{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe	{B1977436-7F97-4fb4-9593-E944F925B889}.exe
File created	C:\Windows\{390075A5-71FC-467c-907F-535874258729}.exe	{15979193-C696-4fba-86B2-FDDDAC31761F}.exe
File created	C:\Windows\{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe	{390075A5-71FC-467c-907F-535874258729}.exe
File created	C:\Windows\{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe	2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe
File created	C:\Windows\{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe	{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe
File created	C:\Windows\{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe	{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe
File created	C:\Windows\{15979193-C696-4fba-86B2-FDDDAC31761F}.exe	{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe
File created	C:\Windows\{C795F5A1-D073-4f53-882C-D5E58A4D21D2}.exe	{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3544	2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1704	{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe
Token: SeIncBasePriorityPrivilege	4712	{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe
Token: SeIncBasePriorityPrivilege	2788	{FFF23800-99FC-4637-A842-2AD52C34D441}.exe
Token: SeIncBasePriorityPrivilege	1804	{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe
Token: SeIncBasePriorityPrivilege	544	{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe
Token: SeIncBasePriorityPrivilege	2184	{B1977436-7F97-4fb4-9593-E944F925B889}.exe
Token: SeIncBasePriorityPrivilege	3676	{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe
Token: SeIncBasePriorityPrivilege	3056	{15979193-C696-4fba-86B2-FDDDAC31761F}.exe
Token: SeIncBasePriorityPrivilege	4920	{390075A5-71FC-467c-907F-535874258729}.exe
Token: SeIncBasePriorityPrivilege	2672	{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 1704	3544	2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe	100
PID 3544 wrote to memory of 1704	3544	2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe	100
PID 3544 wrote to memory of 1704	3544	2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe	100
PID 3544 wrote to memory of 4220	3544	2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe	101
PID 3544 wrote to memory of 4220	3544	2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe	101
PID 3544 wrote to memory of 4220	3544	2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe	101
PID 1704 wrote to memory of 4712	1704	{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe	102
PID 1704 wrote to memory of 4712	1704	{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe	102
PID 1704 wrote to memory of 4712	1704	{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe	102
PID 1704 wrote to memory of 764	1704	{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe	103
PID 1704 wrote to memory of 764	1704	{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe	103
PID 1704 wrote to memory of 764	1704	{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe	103
PID 4712 wrote to memory of 2788	4712	{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe	107
PID 4712 wrote to memory of 2788	4712	{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe	107
PID 4712 wrote to memory of 2788	4712	{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe	107
PID 4712 wrote to memory of 4780	4712	{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe	106
PID 4712 wrote to memory of 4780	4712	{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe	106
PID 4712 wrote to memory of 4780	4712	{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe	106
PID 2788 wrote to memory of 1804	2788	{FFF23800-99FC-4637-A842-2AD52C34D441}.exe	108
PID 2788 wrote to memory of 1804	2788	{FFF23800-99FC-4637-A842-2AD52C34D441}.exe	108
PID 2788 wrote to memory of 1804	2788	{FFF23800-99FC-4637-A842-2AD52C34D441}.exe	108
PID 2788 wrote to memory of 1684	2788	{FFF23800-99FC-4637-A842-2AD52C34D441}.exe	109
PID 2788 wrote to memory of 1684	2788	{FFF23800-99FC-4637-A842-2AD52C34D441}.exe	109
PID 2788 wrote to memory of 1684	2788	{FFF23800-99FC-4637-A842-2AD52C34D441}.exe	109
PID 1804 wrote to memory of 544	1804	{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe	110
PID 1804 wrote to memory of 544	1804	{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe	110
PID 1804 wrote to memory of 544	1804	{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe	110
PID 1804 wrote to memory of 4320	1804	{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe	111
PID 1804 wrote to memory of 4320	1804	{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe	111
PID 1804 wrote to memory of 4320	1804	{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe	111
PID 544 wrote to memory of 2184	544	{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe	113
PID 544 wrote to memory of 2184	544	{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe	113
PID 544 wrote to memory of 2184	544	{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe	113
PID 544 wrote to memory of 3572	544	{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe	112
PID 544 wrote to memory of 3572	544	{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe	112
PID 544 wrote to memory of 3572	544	{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe	112
PID 2184 wrote to memory of 3676	2184	{B1977436-7F97-4fb4-9593-E944F925B889}.exe	114
PID 2184 wrote to memory of 3676	2184	{B1977436-7F97-4fb4-9593-E944F925B889}.exe	114
PID 2184 wrote to memory of 3676	2184	{B1977436-7F97-4fb4-9593-E944F925B889}.exe	114
PID 2184 wrote to memory of 1500	2184	{B1977436-7F97-4fb4-9593-E944F925B889}.exe	115
PID 2184 wrote to memory of 1500	2184	{B1977436-7F97-4fb4-9593-E944F925B889}.exe	115
PID 2184 wrote to memory of 1500	2184	{B1977436-7F97-4fb4-9593-E944F925B889}.exe	115
PID 3676 wrote to memory of 3056	3676	{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe	116
PID 3676 wrote to memory of 3056	3676	{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe	116
PID 3676 wrote to memory of 3056	3676	{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe	116
PID 3676 wrote to memory of 836	3676	{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe	117
PID 3676 wrote to memory of 836	3676	{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe	117
PID 3676 wrote to memory of 836	3676	{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe	117
PID 3056 wrote to memory of 4920	3056	{15979193-C696-4fba-86B2-FDDDAC31761F}.exe	118
PID 3056 wrote to memory of 4920	3056	{15979193-C696-4fba-86B2-FDDDAC31761F}.exe	118
PID 3056 wrote to memory of 4920	3056	{15979193-C696-4fba-86B2-FDDDAC31761F}.exe	118
PID 3056 wrote to memory of 4668	3056	{15979193-C696-4fba-86B2-FDDDAC31761F}.exe	119
PID 3056 wrote to memory of 4668	3056	{15979193-C696-4fba-86B2-FDDDAC31761F}.exe	119
PID 3056 wrote to memory of 4668	3056	{15979193-C696-4fba-86B2-FDDDAC31761F}.exe	119
PID 4920 wrote to memory of 2672	4920	{390075A5-71FC-467c-907F-535874258729}.exe	120
PID 4920 wrote to memory of 2672	4920	{390075A5-71FC-467c-907F-535874258729}.exe	120
PID 4920 wrote to memory of 2672	4920	{390075A5-71FC-467c-907F-535874258729}.exe	120
PID 4920 wrote to memory of 4260	4920	{390075A5-71FC-467c-907F-535874258729}.exe	121
PID 4920 wrote to memory of 4260	4920	{390075A5-71FC-467c-907F-535874258729}.exe	121
PID 4920 wrote to memory of 4260	4920	{390075A5-71FC-467c-907F-535874258729}.exe	121
PID 2672 wrote to memory of 2972	2672	{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe	122
PID 2672 wrote to memory of 2972	2672	{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe	122
PID 2672 wrote to memory of 2972	2672	{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe	122
PID 2672 wrote to memory of 1432	2672	{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe	123

C:\Users\Admin\AppData\Local\Temp\2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_ef45d5fa96f0c68102c991f1ea7afa15_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe
  C:\Windows\{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe
    C:\Windows\{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8CF3E~1.EXE > nul
      4⤵
      PID:4780
  - - C:\Windows\{FFF23800-99FC-4637-A842-2AD52C34D441}.exe
      C:\Windows\{FFF23800-99FC-4637-A842-2AD52C34D441}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe
        
        C:\Windows\{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Windows\{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe
        
        C:\Windows\{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CD19~1.EXE > nul
        7⤵
        
        PID:3572
        
        C:\Windows\{B1977436-7F97-4fb4-9593-E944F925B889}.exe
        
        C:\Windows\{B1977436-7F97-4fb4-9593-E944F925B889}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe
        
        C:\Windows\{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\{15979193-C696-4fba-86B2-FDDDAC31761F}.exe
        
        C:\Windows\{15979193-C696-4fba-86B2-FDDDAC31761F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\{390075A5-71FC-467c-907F-535874258729}.exe
        
        C:\Windows\{390075A5-71FC-467c-907F-535874258729}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe
        
        C:\Windows\{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\{C795F5A1-D073-4f53-882C-D5E58A4D21D2}.exe
        
        C:\Windows\{C795F5A1-D073-4f53-882C-D5E58A4D21D2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C795F~1.EXE > nul
        13⤵
        
        PID:4396
        
        C:\Windows\{CAC5197E-15D6-472c-B1D1-DFB5D7BA19C7}.exe
        
        C:\Windows\{CAC5197E-15D6-472c-B1D1-DFB5D7BA19C7}.exe
        13⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50A4F~1.EXE > nul
        12⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39007~1.EXE > nul
        11⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15979~1.EXE > nul
        10⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FA9A~1.EXE > nul
        9⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1977~1.EXE > nul
        8⤵
        
        PID:1500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B492~1.EXE > nul
        6⤵
        
        PID:4320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFF23~1.EXE > nul
        5⤵
        
        PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B040E~1.EXE > nul
    3⤵
    PID:764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15979193-C696-4fba-86B2-FDDDAC31761F}.exe

Filesize
192KB

MD5
0246dd8d06dc0edf38ba64bd3f23f693

SHA1
199d95d8b1d73fe2ba0a180789ec555b2c9225ca

SHA256
b18b9fb3495ffaf353dc1dd2f3a87df2e27edb32d240275b41e6c4f73f146e24

SHA512
86211a3f2504e609bac36bdd71084f131997b036b9a498092d64d4addf522119dcfd80d887dcf54ab6123fd6f1e8fe49b205e3bf7f43bfa4d73a8fe7f9e8255f

Download Submit
C:\Windows\{2B492FFA-07EA-4092-B263-E0EE592CE415}.exe

Filesize
192KB

MD5
725788c46baf5853b19175fbb64d79ae

SHA1
31c4b0da3034368e7be06f968bf15169370a634a

SHA256
d712986fb75355c8794861f19b3b62c80a04cfd7129af0070be20c5f12fe8256

SHA512
a0393aea02b223112a2aa862a407b4814b4cc078ce8b9ce89bf7bd12099e9947b6295f0c09fd656ffbede22aa626a1064acba5ee21f2ad7ba9368b366b479c34

Download Submit
C:\Windows\{390075A5-71FC-467c-907F-535874258729}.exe

Filesize
192KB

MD5
b5aa7053694a25d1db69a7d306fd338b

SHA1
cff67387e10793433a88bfdeebfe7efb5da63039

SHA256
73ad916848c44a671a1212ede0e98c5f7e69a5a33cb6943f89d84029db727f51

SHA512
5b7d5074067c3124f01954f5ff8cea655269a393cf6aec270730b2fc3748f564de99a405c9fff8e67ca169eed0c0004e36f160c229bc9fad036c0e82831223b9

Download Submit
C:\Windows\{3CD1981A-4FD2-4033-BBC1-2D9A2AECFF7B}.exe

Filesize
192KB

MD5
a6108882687a4e6e7be366051353f758

SHA1
85967467b30bf6821fd4099d45e7c9250228ea1e

SHA256
d4d03e9c8718d852c1978860e82ad208287b8dc99dea9eadb2b894c54ba45184

SHA512
f947229e8c880a078bef730faa3e47bbdb5485860de75eda92100ba0db8bf4f2bda774e8afc033b97fb65d1271a07077523cad0da2d78fbf1355755795425867

Download Submit
C:\Windows\{50A4FC00-E389-4c19-9050-DAD541B764EB}.exe

Filesize
192KB

MD5
860bfeba7dd898d24293f0e942bc06d7

SHA1
5ba55e0e6707b5f5889197c9e022a8c25895dbee

SHA256
3957f8f1530255e45459631bf4d5320bd1863455dc50391c872401e008c2e006

SHA512
877ecb8d42f2454d38bc0d0e6db8ad8cea5fd808807fc858a6ba7029ac5efe934c978d8f0cf8a96014b07f7f605000fdcf671e75b8c19726b88b6eff4a582d79

Download Submit
C:\Windows\{8CF3E85C-142C-4987-BF0A-FF7EB92A2A6B}.exe

Filesize
192KB

MD5
1725aaac37cc496e0efe0f577945c82e

SHA1
28ee00a302070b3f706f2c23d06dad5f3a0441b9

SHA256
0c4c0012cabe96d6cc9207fb00583f6b18439bd77926720425e35f93473bb4e2

SHA512
b20609a1d3b100dfb425028d7a98d9ff6bf86338708b6419fc9ac2379cb85df362990370174c9bdf5e434c420b5f27265d2d2d1da778250830411d08f99d9b69

Download Submit
C:\Windows\{8FA9A81C-CB24-4bf1-8D51-44D200AF2928}.exe

Filesize
192KB

MD5
8dc282a37d2ff1957785c3416cfe7e1f

SHA1
4fec6a40080197f4284c2125c2b87b929f7851c8

SHA256
4aeb265af62df2dd52ef0d48ccd1820d395c6894d6d0f28418cc9695d36c4f13

SHA512
6e2dfb7121384e59961cd2bcc0b2ec2139bd3ed77f11b8ccc3d1d3c0e11dac2d50e244abae54695c27333b315eb56ee07a5d459de5df324f5202f0d839d2d8ee

Download Submit
C:\Windows\{B040E036-F1A3-4c08-8F1D-71050D1113AB}.exe

Filesize
192KB

MD5
131a51554644fbbf44f62e2bd1462734

SHA1
bf597c3b00fb8fd7c6ea742f3c812d1a203aa8b9

SHA256
ce95015a984c42f9e9d76cd3f089249ff130ce07e74bd92c2b5003856318ac96

SHA512
017dc0ba9f5efffe4681471fcdd7b186086b801daee2553f70484ec3e805c3baafce7d9fe47df83c2fd87e13e9c891e75882f5147766fc692704fea4251f9400

Download Submit
C:\Windows\{B1977436-7F97-4fb4-9593-E944F925B889}.exe

Filesize
192KB

MD5
93dce364ed466a809b60865f1dbc08dc

SHA1
dbbc671088a932a3024b9dde2c7e218d3b2e0694

SHA256
1969948140701736a55a4b012bd831a1fbcae92d4d7f2cd0bd7755479cf38eaf

SHA512
dfc2c7f8f7ad7335393b8afce78abd4f45214f43c3c7dc9515394c43d01bf6b34086b9654514bed969e96470086a5f4266fc28d7c94ba6a1fd1041b86f226494

Download Submit
C:\Windows\{C795F5A1-D073-4f53-882C-D5E58A4D21D2}.exe

Filesize
192KB

MD5
61abcb564740e3601588a55ae760cca1

SHA1
5e88a748b5a253858a5f8bdabed7e44472754ebb

SHA256
254613e47b978b93c08dbc42ccbec4cef140033f9c4a26a449181c971da283c8

SHA512
4e85323b6e4fe1a3e16cdd8a6020fcb1ff0b8fc80007b34e048ad8e6141b10851d232fd4fa23431df6f00d14b49afff1ca643ab1e96e96ab46573e7849635284

Download Submit
C:\Windows\{CAC5197E-15D6-472c-B1D1-DFB5D7BA19C7}.exe

Filesize
144KB

MD5
ceac083a62067292476fb16f471fd81c

SHA1
3431cc348f45f4c611c8e66581b6ed7ee2659133

SHA256
126ae747c6134c2b1ad0e5c98f493c871f21fe4a708bfe975be8bffddd2039c0

SHA512
094940fa389a6bacaa9ceb2c2021e256da38b303c5f1a2ce13466510257902da22062893a7f6c757e5ee54044939b100f53581b11fb67d9a3d57538c9033ccfe

Download Submit
C:\Windows\{CAC5197E-15D6-472c-B1D1-DFB5D7BA19C7}.exe

Filesize
67KB

MD5
65d3e566973b9dcec4402462cab3e8de

SHA1
1ada056e1fbab3f11996b86889a179c1885e3a5c

SHA256
4a220506984f8244234620ff981fb84dd6c63eca435595c00d28f02ef7cd59f6

SHA512
783db616222510eac3b9168db3f1cd9cd4cb31ef55655dcb6446faf7a2f9f344bbc1e3ff20edfebf6fe6c5b705f9b915c4da891226f48b3ee7c4f27ec7f70a50

Download Submit
C:\Windows\{FFF23800-99FC-4637-A842-2AD52C34D441}.exe

Filesize
192KB

MD5
4bf270a5fdbc5a72590f7e55d24d2f6b

SHA1
d795fe652f2f536a89e5f49e384743e53f588a7f

SHA256
65573eb5429024efd7cfb358dcec6b61ed43c7956361ab38ff4845e86f6e598c

SHA512
c9e56b484d9def69defbf65e38279cb8723a407bb1b4af8a7434c47f473dfe5e6b72ca2ca7df48aa2256e55d38628e8ff277fcf6f8a5748d02bbb4833aa6482a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads