ccc304048f849413ee32a40551eb388ae1c2fe31e4632084ffa5dcefba052a14

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe
Size

168KB
MD5

fe225f3ee7275d70b4bdf364f18a7049
SHA1

a8ba1573ca0cf1775ad719b2cfdb93fef0a8ddd5
SHA256

ccc304048f849413ee32a40551eb388ae1c2fe31e4632084ffa5dcefba052a14
SHA512

367cd0e99d69904515dcd568cf09521d2de4e1478519fc9f26283c4b5c650e6e27c66dd98cb9c7d435e2c84eb886e7c39227937d13a3b92d53b7e66ae210e2cd
SSDEEP

1536:1EGh0oMlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oMlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000600000002313c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023153-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002313c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002314c-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002313c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}\stubpath = "C:\\Windows\\{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe"	{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80875812-3412-4f6a-B391-A2F163ABBAB9}	{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB0FA605-7AA8-4c1f-B243-2982BDE57275}	{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB0FA605-7AA8-4c1f-B243-2982BDE57275}\stubpath = "C:\\Windows\\{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe"	{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8CB63F6-7765-486f-8EA0-1E3D252D1325}	{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7795CD6-3E41-4fab-8420-3FFDC79259C8}	{C7402980-4CAD-4309-A466-DE1784E32628}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7795CD6-3E41-4fab-8420-3FFDC79259C8}\stubpath = "C:\\Windows\\{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe"	{C7402980-4CAD-4309-A466-DE1784E32628}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCB3311A-1B9A-44b8-8100-09717FCD5C93}\stubpath = "C:\\Windows\\{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe"	{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7402980-4CAD-4309-A466-DE1784E32628}\stubpath = "C:\\Windows\\{C7402980-4CAD-4309-A466-DE1784E32628}.exe"	{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCB3311A-1B9A-44b8-8100-09717FCD5C93}	{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80875812-3412-4f6a-B391-A2F163ABBAB9}\stubpath = "C:\\Windows\\{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe"	{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBA91191-5D36-4d28-8837-D5ECAAA4947F}\stubpath = "C:\\Windows\\{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe"	{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8CB63F6-7765-486f-8EA0-1E3D252D1325}\stubpath = "C:\\Windows\\{C8CB63F6-7765-486f-8EA0-1E3D252D1325}.exe"	{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}\stubpath = "C:\\Windows\\{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe"	{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}	{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7402980-4CAD-4309-A466-DE1784E32628}	{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}\stubpath = "C:\\Windows\\{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe"	{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}	{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBA91191-5D36-4d28-8837-D5ECAAA4947F}	{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}	2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}\stubpath = "C:\\Windows\\{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe"	2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}	{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe

Executes dropped EXE 11 IoCs

pid	Process
3804	{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe
2532	{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe
5088	{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe
4468	{C7402980-4CAD-4309-A466-DE1784E32628}.exe
4036	{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe
1180	{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe
5084	{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe
4404	{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe
3132	{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe
4424	{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe
3168	{C8CB63F6-7765-486f-8EA0-1E3D252D1325}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe	{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe
File created	C:\Windows\{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe	{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe
File created	C:\Windows\{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe	{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe
File created	C:\Windows\{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe	{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe
File created	C:\Windows\{C8CB63F6-7765-486f-8EA0-1E3D252D1325}.exe	{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe
File created	C:\Windows\{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe	2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe
File created	C:\Windows\{C7402980-4CAD-4309-A466-DE1784E32628}.exe	{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe
File created	C:\Windows\{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe	{C7402980-4CAD-4309-A466-DE1784E32628}.exe
File created	C:\Windows\{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe	{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe
File created	C:\Windows\{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe	{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe
File created	C:\Windows\{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe	{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4852	2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3804	{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe
Token: SeIncBasePriorityPrivilege	2532	{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe
Token: SeIncBasePriorityPrivilege	5088	{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe
Token: SeIncBasePriorityPrivilege	4468	{C7402980-4CAD-4309-A466-DE1784E32628}.exe
Token: SeIncBasePriorityPrivilege	4036	{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe
Token: SeIncBasePriorityPrivilege	1180	{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe
Token: SeIncBasePriorityPrivilege	5084	{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe
Token: SeIncBasePriorityPrivilege	4404	{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe
Token: SeIncBasePriorityPrivilege	3132	{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe
Token: SeIncBasePriorityPrivilege	4424	{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 3804	4852	2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe	87
PID 4852 wrote to memory of 3804	4852	2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe	87
PID 4852 wrote to memory of 3804	4852	2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe	87
PID 4852 wrote to memory of 1064	4852	2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe	88
PID 4852 wrote to memory of 1064	4852	2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe	88
PID 4852 wrote to memory of 1064	4852	2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe	88
PID 3804 wrote to memory of 2532	3804	{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe	93
PID 3804 wrote to memory of 2532	3804	{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe	93
PID 3804 wrote to memory of 2532	3804	{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe	93
PID 3804 wrote to memory of 4516	3804	{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe	94
PID 3804 wrote to memory of 4516	3804	{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe	94
PID 3804 wrote to memory of 4516	3804	{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe	94
PID 2532 wrote to memory of 5088	2532	{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe	95
PID 2532 wrote to memory of 5088	2532	{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe	95
PID 2532 wrote to memory of 5088	2532	{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe	95
PID 2532 wrote to memory of 3700	2532	{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe	96
PID 2532 wrote to memory of 3700	2532	{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe	96
PID 2532 wrote to memory of 3700	2532	{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe	96
PID 5088 wrote to memory of 4468	5088	{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe	97
PID 5088 wrote to memory of 4468	5088	{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe	97
PID 5088 wrote to memory of 4468	5088	{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe	97
PID 5088 wrote to memory of 3512	5088	{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe	98
PID 5088 wrote to memory of 3512	5088	{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe	98
PID 5088 wrote to memory of 3512	5088	{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe	98
PID 4468 wrote to memory of 4036	4468	{C7402980-4CAD-4309-A466-DE1784E32628}.exe	99
PID 4468 wrote to memory of 4036	4468	{C7402980-4CAD-4309-A466-DE1784E32628}.exe	99
PID 4468 wrote to memory of 4036	4468	{C7402980-4CAD-4309-A466-DE1784E32628}.exe	99
PID 4468 wrote to memory of 3516	4468	{C7402980-4CAD-4309-A466-DE1784E32628}.exe	100
PID 4468 wrote to memory of 3516	4468	{C7402980-4CAD-4309-A466-DE1784E32628}.exe	100
PID 4468 wrote to memory of 3516	4468	{C7402980-4CAD-4309-A466-DE1784E32628}.exe	100
PID 4036 wrote to memory of 1180	4036	{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe	102
PID 4036 wrote to memory of 1180	4036	{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe	102
PID 4036 wrote to memory of 1180	4036	{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe	102
PID 4036 wrote to memory of 1040	4036	{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe	101
PID 4036 wrote to memory of 1040	4036	{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe	101
PID 4036 wrote to memory of 1040	4036	{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe	101
PID 1180 wrote to memory of 5084	1180	{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe	103
PID 1180 wrote to memory of 5084	1180	{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe	103
PID 1180 wrote to memory of 5084	1180	{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe	103
PID 1180 wrote to memory of 560	1180	{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe	104
PID 1180 wrote to memory of 560	1180	{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe	104
PID 1180 wrote to memory of 560	1180	{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe	104
PID 5084 wrote to memory of 4404	5084	{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe	105
PID 5084 wrote to memory of 4404	5084	{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe	105
PID 5084 wrote to memory of 4404	5084	{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe	105
PID 5084 wrote to memory of 4520	5084	{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe	106
PID 5084 wrote to memory of 4520	5084	{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe	106
PID 5084 wrote to memory of 4520	5084	{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe	106
PID 4404 wrote to memory of 3132	4404	{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe	107
PID 4404 wrote to memory of 3132	4404	{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe	107
PID 4404 wrote to memory of 3132	4404	{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe	107
PID 4404 wrote to memory of 4848	4404	{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe	108
PID 4404 wrote to memory of 4848	4404	{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe	108
PID 4404 wrote to memory of 4848	4404	{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe	108
PID 3132 wrote to memory of 4424	3132	{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe	109
PID 3132 wrote to memory of 4424	3132	{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe	109
PID 3132 wrote to memory of 4424	3132	{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe	109
PID 3132 wrote to memory of 3740	3132	{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe	110
PID 3132 wrote to memory of 3740	3132	{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe	110
PID 3132 wrote to memory of 3740	3132	{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe	110
PID 4424 wrote to memory of 3168	4424	{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe	111
PID 4424 wrote to memory of 3168	4424	{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe	111
PID 4424 wrote to memory of 3168	4424	{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe	111
PID 4424 wrote to memory of 2312	4424	{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_fe225f3ee7275d70b4bdf364f18a7049_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe
  C:\Windows\{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe
    C:\Windows\{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe
      C:\Windows\{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Windows\{C7402980-4CAD-4309-A466-DE1784E32628}.exe
        
        C:\Windows\{C7402980-4CAD-4309-A466-DE1784E32628}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
      - C:\Windows\{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe
        
        C:\Windows\{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7795~1.EXE > nul
        7⤵
        
        PID:1040
        
        C:\Windows\{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe
        
        C:\Windows\{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe
        
        C:\Windows\{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe
        
        C:\Windows\{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe
        
        C:\Windows\{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe
        
        C:\Windows\{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\{C8CB63F6-7765-486f-8EA0-1E3D252D1325}.exe
        
        C:\Windows\{C8CB63F6-7765-486f-8EA0-1E3D252D1325}.exe
        12⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB0FA~1.EXE > nul
        12⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBA91~1.EXE > nul
        11⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80875~1.EXE > nul
        10⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1DFD~1.EXE > nul
        9⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCB33~1.EXE > nul
        8⤵
        
        PID:560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7402~1.EXE > nul
        6⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF7D9~1.EXE > nul
        5⤵
        
        PID:3512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D41B1~1.EXE > nul
      4⤵
      PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7057E~1.EXE > nul
    3⤵
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{7057E0AF-DD79-4d91-B2FC-4ED7B87C4928}.exe

Filesize
168KB

MD5
4ddb451c93d23969168c0271df8bb5ab

SHA1
2381d68ab4667873b7f7d67795877c5053e49823

SHA256
3e95ac52854e63357bfbd42ea6b4c5371f56489da46455a947b4966be32596bb

SHA512
4f1cc103992155dd008a6c2628c333048f564b1213f755bf2793d712e34b199b5e04a2f11cd6877c813455e0616917fb0b96da5dd98b53533875e04a16b64a73

Download Submit
C:\Windows\{80875812-3412-4f6a-B391-A2F163ABBAB9}.exe

Filesize
168KB

MD5
b2961586e0e2d0e97be41a16dec227cd

SHA1
d607736c72ed6b3122f72f0b677d8792bf254d55

SHA256
432e13bb5e89fee3f926d44ddd58d474ea05bfb7a2cc31bccbf397570b678418

SHA512
e123057fd911dbcdb1f0ba4f292d84ec926664addab17fd0dc26b7cf6a94331e0360f689cf514cbabecdb17db7d55df4b21b22c9f1942de24495be62188ddaab

Download Submit
C:\Windows\{A1DFDFD3-0308-4ae2-A835-31041B2DCEA5}.exe

Filesize
168KB

MD5
bd156b1ba4e9369fa5ea19bfd7ed0955

SHA1
742e968149d6177fa67e7f72db77199c0c1391b1

SHA256
fd97a8fc608fa79b255b566cbd2ec2d4b1aa65b80dc56904213d7346d9e30f17

SHA512
3c2e3520af47aa7821d0c110f54986918a86bf8a278f9455f01e278eddf798d9a0fe3d8dfb6a25729f89f66a4f6806b5f23647404782aac400da4eaf4d33c1a7

Download Submit
C:\Windows\{AB0FA605-7AA8-4c1f-B243-2982BDE57275}.exe

Filesize
168KB

MD5
d1176398cc6ddaf57a5c26d5f99fc37f

SHA1
eeac5fe81a3b99002d76cf7fcb7f0e9997be39e6

SHA256
e923143f65ccf26254311b4566784b5f86f5852c73d3dce2f05f3043691d8087

SHA512
b8acc3040a733aac9337a4bfce05457e6a251fd262fc4455603fe87124b464155213f5ddb7b31521a8987a5175fc4ca99e43629d98cff53273a0b2626a505698

Download Submit
C:\Windows\{B7795CD6-3E41-4fab-8420-3FFDC79259C8}.exe

Filesize
168KB

MD5
7680f46c8a627d07b153b5c59d542857

SHA1
2b6225cdec98c31fe6f76e3bf683e5d0b439248f

SHA256
fea62a00dc30c7b2368d03cf5acc9d1c79f03faf8cb3594ede1bf25a60c9e99e

SHA512
5417e7286512f92c7400f5da801c94434c28e7575125954b53c2943eccba3424f783ca2c54d5401d04bb13535cd2bc0c2d2653aca0d1092385c6549beafeb00b

Download Submit
C:\Windows\{BCB3311A-1B9A-44b8-8100-09717FCD5C93}.exe

Filesize
168KB

MD5
e73cbb7d9a16a84936774025fd8d7c1f

SHA1
0a828096027ee3a1266ae7c6c33ea4842df84525

SHA256
7ff52cca49a20deffe01ce1f02ead1e2f2e1433ba3cd2b477f98629b78000dba

SHA512
beb105c922f45f2473d783a121c5579aeac01f7058cf4345610f23919ddfd06765a15770d8c1bd60568dfaceb62b8780f522726fd9860a55f747d8b972dfaa6b

Download Submit
C:\Windows\{C7402980-4CAD-4309-A466-DE1784E32628}.exe

Filesize
168KB

MD5
7dc7c38fcb5b16265684d1faf7406992

SHA1
e5f83fdb1fcc78066c826eecb89b56d0e02b9367

SHA256
4297be296cc6b2fd430bb6154dc279f4eeee23301734493aa1643ef6e57f67d3

SHA512
a0a0cb878762e667e2b3c594c8f33897e646e335ef786032867e0cf0cc84a65f74ed7e5067280127a1d3a0d3f3facc255fe61570bb66524079f3e47090e6da54

Download Submit
C:\Windows\{C8CB63F6-7765-486f-8EA0-1E3D252D1325}.exe

Filesize
168KB

MD5
11ba6c60ccdfda4d05afce802955dd83

SHA1
ca867d203610785a5e972722352d5bba6a2bc185

SHA256
11d473670fa562b7f9c7e972ea1eb6c647a68383eb1ad0055ad641f430ca47ad

SHA512
ae02b84db1b931c72b870957ffff6b13759f79625df7a12732c2a5fa95c4f80938fa46b51c06e5ee0646e7b9af2c63c7bd0a2ba94470e990c32902d8c6b6a1e3

Download Submit
C:\Windows\{D41B1C72-DE6D-4517-B9FC-3ED9BC1EE28D}.exe

Filesize
168KB

MD5
e62a63126d57b92fa5dfa982564580fe

SHA1
da4743008f95aacba4568b34243c0eeffb012b2d

SHA256
c0bbac6a8523af6bbc62ab3072eb4740226d2fe52fdf91f705a9f97adfd8591c

SHA512
623b5e52a4be1e1cee87e60d4e737b986077845a4c24cad2a5c9f9138d2d8e52229d952bed6910f3dea4eddbf314204174f63506e57d52a5fb95531d7d534c7e

Download Submit
C:\Windows\{DBA91191-5D36-4d28-8837-D5ECAAA4947F}.exe

Filesize
168KB

MD5
aa30d5cde090b816b91d984f467fb2e2

SHA1
cafcd8359e524e256b858a1c68300e9decde06cf

SHA256
03850fac52165940c5fcb0ff74231f1a5d750afdfe582260ee17d8cbfdb1b342

SHA512
d7a0ad0f62f378b9402f78c7476c24527168eef26d7bec6e9bece5f2a43ddbd9f8fa6d183d1536826ad0ca93498aa3249fb48878bc3307847035826e16c6f368

Download Submit
C:\Windows\{EF7D9230-FE7A-4e62-969C-AA2B96A8C826}.exe

Filesize
168KB

MD5
b93c1d56e21dc08fa336e4940d43ceab

SHA1
9ec435a044584750ac0813182ebf21f9dfd4a926

SHA256
cea1e09b843ec9d02136d3f0343e726560e3ad4d89a368111257912e4c774856

SHA512
caf1a5b4bb212f7cd8a42c2b430b0f0b754a4f478d5c0b9be734b21e24e41681482da40c3c9441697d765d5b6c95d6e103566f96a06efe2caf3c4d5564a8416a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads