994b8381e9f77422abbc49a6fa73022218d50a81ca5b8e2ccd6bed9f27840949

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 11:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe
Size

180KB
MD5

0b5cd8b1034a22a5df6ce25df6733b6d
SHA1

e9470b725b5d94b66b442dc4332b3ac1cd9234bf
SHA256

994b8381e9f77422abbc49a6fa73022218d50a81ca5b8e2ccd6bed9f27840949
SHA512

c63426d002be8f879b109ce51aa85a85e34febb1bd6b4d9c767feff155886d257fbfd5d7069da2927f1d9088949808f5d364c35f04e1c59e6438fa7cf03b70dc
SSDEEP

3072:jEGh0oXlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023115-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002311e-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023125-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023126-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023125-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}	{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82938D71-E482-4a57-9120-1B9CC0AB35D8}	{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82938D71-E482-4a57-9120-1B9CC0AB35D8}\stubpath = "C:\\Windows\\{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe"	{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{893B9182-DB39-47f2-8D48-73E921DE52AB}	{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}\stubpath = "C:\\Windows\\{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe"	{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}\stubpath = "C:\\Windows\\{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe"	{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19881D3D-04EE-4c67-99A4-F17DE9DA554D}	2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD5B5803-7318-45ee-B313-0626D8125950}\stubpath = "C:\\Windows\\{BD5B5803-7318-45ee-B313-0626D8125950}.exe"	{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A67600C1-9344-4a40-AE1F-43C0500079E9}	{BD5B5803-7318-45ee-B313-0626D8125950}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A34009D-B8FF-4ce3-B9E8-2F1D72A7D667}	{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A34009D-B8FF-4ce3-B9E8-2F1D72A7D667}\stubpath = "C:\\Windows\\{5A34009D-B8FF-4ce3-B9E8-2F1D72A7D667}.exe"	{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{893B9182-DB39-47f2-8D48-73E921DE52AB}\stubpath = "C:\\Windows\\{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe"	{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{590DB96E-7512-4994-B79C-ABA4BDD8A500}	{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{590DB96E-7512-4994-B79C-ABA4BDD8A500}\stubpath = "C:\\Windows\\{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe"	{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}	{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD5B5803-7318-45ee-B313-0626D8125950}	{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A67600C1-9344-4a40-AE1F-43C0500079E9}\stubpath = "C:\\Windows\\{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe"	{BD5B5803-7318-45ee-B313-0626D8125950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19881D3D-04EE-4c67-99A4-F17DE9DA554D}\stubpath = "C:\\Windows\\{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe"	2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9600251B-E0D6-4488-8AC9-C728F1C333EB}	{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9600251B-E0D6-4488-8AC9-C728F1C333EB}\stubpath = "C:\\Windows\\{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe"	{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}	{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}\stubpath = "C:\\Windows\\{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe"	{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe

Executes dropped EXE 11 IoCs

pid	Process
820	{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe
4876	{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe
4312	{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe
3404	{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe
4888	{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe
2660	{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe
2988	{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe
1600	{BD5B5803-7318-45ee-B313-0626D8125950}.exe
4864	{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe
4336	{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe
1108	{5A34009D-B8FF-4ce3-B9E8-2F1D72A7D667}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe	{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe
File created	C:\Windows\{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe	{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe
File created	C:\Windows\{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe	{BD5B5803-7318-45ee-B313-0626D8125950}.exe
File created	C:\Windows\{5A34009D-B8FF-4ce3-B9E8-2F1D72A7D667}.exe	{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe
File created	C:\Windows\{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe	2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe
File created	C:\Windows\{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe	{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe
File created	C:\Windows\{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe	{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe
File created	C:\Windows\{BD5B5803-7318-45ee-B313-0626D8125950}.exe	{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe
File created	C:\Windows\{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe	{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe
File created	C:\Windows\{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe	{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe
File created	C:\Windows\{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe	{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	404	2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	820	{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe
Token: SeIncBasePriorityPrivilege	4876	{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe
Token: SeIncBasePriorityPrivilege	4312	{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe
Token: SeIncBasePriorityPrivilege	3404	{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe
Token: SeIncBasePriorityPrivilege	4888	{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe
Token: SeIncBasePriorityPrivilege	2660	{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe
Token: SeIncBasePriorityPrivilege	2988	{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe
Token: SeIncBasePriorityPrivilege	1600	{BD5B5803-7318-45ee-B313-0626D8125950}.exe
Token: SeIncBasePriorityPrivilege	4864	{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe
Token: SeIncBasePriorityPrivilege	4336	{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 820	404	2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe	88
PID 404 wrote to memory of 820	404	2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe	88
PID 404 wrote to memory of 820	404	2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe	88
PID 404 wrote to memory of 3752	404	2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe	89
PID 404 wrote to memory of 3752	404	2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe	89
PID 404 wrote to memory of 3752	404	2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe	89
PID 820 wrote to memory of 4876	820	{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe	92
PID 820 wrote to memory of 4876	820	{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe	92
PID 820 wrote to memory of 4876	820	{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe	92
PID 820 wrote to memory of 648	820	{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe	93
PID 820 wrote to memory of 648	820	{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe	93
PID 820 wrote to memory of 648	820	{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe	93
PID 4876 wrote to memory of 4312	4876	{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe	95
PID 4876 wrote to memory of 4312	4876	{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe	95
PID 4876 wrote to memory of 4312	4876	{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe	95
PID 4876 wrote to memory of 1272	4876	{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe	96
PID 4876 wrote to memory of 1272	4876	{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe	96
PID 4876 wrote to memory of 1272	4876	{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe	96
PID 4312 wrote to memory of 3404	4312	{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe	97
PID 4312 wrote to memory of 3404	4312	{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe	97
PID 4312 wrote to memory of 3404	4312	{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe	97
PID 4312 wrote to memory of 3216	4312	{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe	98
PID 4312 wrote to memory of 3216	4312	{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe	98
PID 4312 wrote to memory of 3216	4312	{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe	98
PID 3404 wrote to memory of 4888	3404	{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe	99
PID 3404 wrote to memory of 4888	3404	{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe	99
PID 3404 wrote to memory of 4888	3404	{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe	99
PID 3404 wrote to memory of 2584	3404	{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe	100
PID 3404 wrote to memory of 2584	3404	{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe	100
PID 3404 wrote to memory of 2584	3404	{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe	100
PID 4888 wrote to memory of 2660	4888	{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe	101
PID 4888 wrote to memory of 2660	4888	{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe	101
PID 4888 wrote to memory of 2660	4888	{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe	101
PID 4888 wrote to memory of 3680	4888	{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe	102
PID 4888 wrote to memory of 3680	4888	{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe	102
PID 4888 wrote to memory of 3680	4888	{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe	102
PID 2660 wrote to memory of 2988	2660	{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe	103
PID 2660 wrote to memory of 2988	2660	{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe	103
PID 2660 wrote to memory of 2988	2660	{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe	103
PID 2660 wrote to memory of 2372	2660	{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe	104
PID 2660 wrote to memory of 2372	2660	{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe	104
PID 2660 wrote to memory of 2372	2660	{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe	104
PID 2988 wrote to memory of 1600	2988	{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe	105
PID 2988 wrote to memory of 1600	2988	{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe	105
PID 2988 wrote to memory of 1600	2988	{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe	105
PID 2988 wrote to memory of 3640	2988	{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe	106
PID 2988 wrote to memory of 3640	2988	{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe	106
PID 2988 wrote to memory of 3640	2988	{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe	106
PID 1600 wrote to memory of 4864	1600	{BD5B5803-7318-45ee-B313-0626D8125950}.exe	107
PID 1600 wrote to memory of 4864	1600	{BD5B5803-7318-45ee-B313-0626D8125950}.exe	107
PID 1600 wrote to memory of 4864	1600	{BD5B5803-7318-45ee-B313-0626D8125950}.exe	107
PID 1600 wrote to memory of 4528	1600	{BD5B5803-7318-45ee-B313-0626D8125950}.exe	108
PID 1600 wrote to memory of 4528	1600	{BD5B5803-7318-45ee-B313-0626D8125950}.exe	108
PID 1600 wrote to memory of 4528	1600	{BD5B5803-7318-45ee-B313-0626D8125950}.exe	108
PID 4864 wrote to memory of 4336	4864	{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe	109
PID 4864 wrote to memory of 4336	4864	{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe	109
PID 4864 wrote to memory of 4336	4864	{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe	109
PID 4864 wrote to memory of 4292	4864	{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe	110
PID 4864 wrote to memory of 4292	4864	{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe	110
PID 4864 wrote to memory of 4292	4864	{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe	110
PID 4336 wrote to memory of 1108	4336	{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe	112
PID 4336 wrote to memory of 1108	4336	{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe	112
PID 4336 wrote to memory of 1108	4336	{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe	112
PID 4336 wrote to memory of 3724	4336	{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_0b5cd8b1034a22a5df6ce25df6733b6d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe
  C:\Windows\{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe
    C:\Windows\{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe
      C:\Windows\{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4312
    - - C:\Windows\{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe
        
        C:\Windows\{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
      - C:\Windows\{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe
        
        C:\Windows\{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe
        
        C:\Windows\{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe
        
        C:\Windows\{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{BD5B5803-7318-45ee-B313-0626D8125950}.exe
        
        C:\Windows\{BD5B5803-7318-45ee-B313-0626D8125950}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe
        
        C:\Windows\{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe
        
        C:\Windows\{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9B40~1.EXE > nul
        12⤵
        
        PID:3724
        
        C:\Windows\{5A34009D-B8FF-4ce3-B9E8-2F1D72A7D667}.exe
        
        C:\Windows\{5A34009D-B8FF-4ce3-B9E8-2F1D72A7D667}.exe
        12⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6760~1.EXE > nul
        11⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD5B5~1.EXE > nul
        10⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81C99~1.EXE > nul
        9⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{590DB~1.EXE > nul
        8⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{893B9~1.EXE > nul
        7⤵
        
        PID:3680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96002~1.EXE > nul
        6⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82938~1.EXE > nul
        5⤵
        
        PID:3216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FA92C~1.EXE > nul
      4⤵
      PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{19881~1.EXE > nul
    3⤵
    PID:648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19881D3D-04EE-4c67-99A4-F17DE9DA554D}.exe

Filesize
180KB

MD5
1e40403dfca561b15b8f0cc602766af5

SHA1
50de3624e932b6ef39003c0bbf4a2af102d036eb

SHA256
e86dc1c169b4d065cd89d8b592018458efca916fd2f3bd67341165f6f20211a6

SHA512
557cae0a5420f84db1a831ebd1a7d8d3223ccf56e30b53668549feb0ccd008401ecba4d21c95eefbcdeaa858fc804edb0f9449812c4d1fecdd4f8c2c2d0da92e

Download Submit
C:\Windows\{590DB96E-7512-4994-B79C-ABA4BDD8A500}.exe

Filesize
180KB

MD5
ac5ae1324f09a2f8b841c2878c244cfe

SHA1
5b0f06c2aa591fad56c329f52df504cff2c5ada9

SHA256
f1d51066c0ba57ede3b6b6951657591551f6b4723447f7b5b6c74ce084c7da2d

SHA512
c9688146a413f46b5bd032a795040738594a52d84fdb77c9432545351b165d409e2b728550f2862bf408f06f2359cf27a5c928e45e00af86117167387b6033b6

Download Submit
C:\Windows\{5A34009D-B8FF-4ce3-B9E8-2F1D72A7D667}.exe

Filesize
180KB

MD5
513e03179acb62df8ff654427b76f79d

SHA1
7a16e2e7bca2d995dc2fb2fa4bd10041a4837f0d

SHA256
e75a7f89fa95887b570ad96083bacd5c319430b331c147ba40fb442e4753f993

SHA512
1128706327a136f9999a71dfa9be7e9660eadb9df1af8ddcb6ebced9941ac9693c33b34a8507026535d7b4a5fb08c0f5e37d19e66ae2c9f342af8539fda7e6f0

Download Submit
C:\Windows\{81C99FDC-56EC-43d3-9924-A3F5B0C7B93A}.exe

Filesize
180KB

MD5
58a9a20f3e370778f571d102ea231c19

SHA1
01643ac8cd99c151e144106e7a882b5336c94c55

SHA256
b3a897700709de989720ea53ce9cd2087563321c6a1e9144d4d890cfadfa0510

SHA512
9ca50f0e7f6210d70d835af1a9764c713a21e787fc9a74fb7c9e94b5a843e6da9bd7d43d2535cda60689afc34db2bad4927a549369c6e5ed6312b117c7e3d0fa

Download Submit
C:\Windows\{82938D71-E482-4a57-9120-1B9CC0AB35D8}.exe

Filesize
180KB

MD5
6a257fad0f87d7527b504e4b554547b1

SHA1
445b600d92ac27e48b43cce09ce27ab4d693fced

SHA256
e1b84c8a07f3abf8e99eb24efa87ead979003a9a0c77af87e590f7d5ed2ea2ee

SHA512
bfe5201fa95bd0402a8b98b3b977eea7a358cd726f17af2175a7f19aeb4700cc5a65f0a9fcfcf320808f0e14fbe1fbb864198b421009eae69cfe44dba8540b44

Download Submit
C:\Windows\{893B9182-DB39-47f2-8D48-73E921DE52AB}.exe

Filesize
180KB

MD5
2351f08e0532b8186beb66c7abaf9f94

SHA1
f92582f5ccb24ebbdeafb129c4064aa845464408

SHA256
4d74b134906259c951435cfe36f25c96d09b01d610f41e48fce72abb3c385361

SHA512
afbc9f08b00ba200d9a020258c23acb65a5f398ad05acedd5c81ecde9474e4d1b35ff2b7dab55dd9d2ff853b801db03e1d47e1d705ed165412e13c79119f7c93

Download Submit
C:\Windows\{9600251B-E0D6-4488-8AC9-C728F1C333EB}.exe

Filesize
180KB

MD5
0fa7fc55c1da0b46e279c219dd45b7f8

SHA1
e436dbe07122c7eafd3fa1e4743f291fefb53adc

SHA256
29febf83d92bfb7ac76205e9e3ed5e821cd549993249b4078964ab8cbe087d75

SHA512
2817d0f7bb8711ef0fe0624e9386b295be9de8373636e1c5a1c947a72bd6eab288f0daf7a46ce955b57102a9b8dd616355dd3b37e756e3721403d39c56235eac

Download Submit
C:\Windows\{A67600C1-9344-4a40-AE1F-43C0500079E9}.exe

Filesize
180KB

MD5
99e8344b7142fe41ddd0ca4bd30868cc

SHA1
79ba005e89b8da17ed8784b004e73e45af3e7750

SHA256
70458e3bb91e84fa740bab92c09b7d5a5b66a0f80f8a29bfa9c0ddb6c94a1221

SHA512
07fd99c48cd0b31a171fc7b6952b0ac97480549d7b5094a272c6fdb271c1a6ab1a0d51345db73a600bca993cdf4b935e252a5cdf7e0c833a267e13c233f611ab

Download Submit
C:\Windows\{BD5B5803-7318-45ee-B313-0626D8125950}.exe

Filesize
180KB

MD5
83689eb2e0d7a935719804420467b9cf

SHA1
b5299f4746d8a9bafa24842698b9e0e063c69724

SHA256
fa5252fdd1ea741dd226e69338092cc22bd1be36118939cb9261aef434f3300c

SHA512
f5b71cbb051e6735c3356dc6e1328b1a23fc7006f943846b0781e56d55c4cf291ec94e0c69bc0606c422ddc521ad22a7cb416956a0ddbe46b8e0e34b781f536f

Download Submit
C:\Windows\{E9B40D74-4F6E-4aba-9A49-624A07EC5D18}.exe

Filesize
180KB

MD5
f6a7a87ef89cd758d1c0f1e74bc3c74d

SHA1
7176bec9cc54bb492f70153b7f3146366add133c

SHA256
7d055648d9d5d2852ebec800f2d675101ef8b01072cf28ec77ed2e1dc1281e4d

SHA512
d571cefc5433e0c7faf228c2b743e5594b782b0872e8b6812b569f6fc5c74d5c5cdc42bea355805b3c3e71bcedeac8c7754b79aaebeb9fdbbdc6562d3b7e3013

Download Submit
C:\Windows\{FA92CE2C-2867-4b6d-8871-3BDA396BE7AA}.exe

Filesize
180KB

MD5
a4b11be37bf84413d15d7c14abb93544

SHA1
4fdd2f801a8183ee9df7fa6f265a10ce876a0cde

SHA256
592a390c78ca5a0ce980c21167c3e522b90f24725ad7e7110e63a08e618f867f

SHA512
a3a41ca19cb8ac31c0854a9d10378d81da4546a874c0b37e4f54349cf9d866028fb773825997fd83376ba8c8cd049920e637ee9a30c7dad2bcecfd560efe1eb3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads