3cce5034ebe56924d3421eeeeaef7c3fdad0c3afab762615dbba122a240c5d82

Analysis

max time kernel
112s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 04:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe
Size

408KB
MD5

49b7951a5d4ee468686a26559570f749
SHA1

c914947bd2fe3c19f49ca11dd93c8c8dceda5435
SHA256

3cce5034ebe56924d3421eeeeaef7c3fdad0c3afab762615dbba122a240c5d82
SHA512

ef22ba3daadeea494d8c03467932b9300b9d271c653fac4c21e7402924b98b862abb6dd28236cfebfb22952691d571a4b0ca8ea6d599853bba2cc03c70da0b0a
SSDEEP

3072:CEGh0o84l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf:CEGdldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 20 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023217-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023220-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023226-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023220-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023220-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023226-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000217f9-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000217f9-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021805-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021805-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF5F5F5-7A92-4d42-8454-90A524AF7299}	{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D4D281F-928F-47d0-B1FF-B123BCBB242D}\stubpath = "C:\\Windows\\{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe"	{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85E5BA72-80D9-4eb9-A452-C24D65CD6771}	{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}	2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}\stubpath = "C:\\Windows\\{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe"	{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85E5BA72-80D9-4eb9-A452-C24D65CD6771}\stubpath = "C:\\Windows\\{85E5BA72-80D9-4eb9-A452-C24D65CD6771}.exe"	{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}	{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE83DBC4-E646-4592-88CC-5B0918768225}\stubpath = "C:\\Windows\\{AE83DBC4-E646-4592-88CC-5B0918768225}.exe"	{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29B460F2-BB45-44b0-B5F4-F1470978A5FC}\stubpath = "C:\\Windows\\{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe"	{AE83DBC4-E646-4592-88CC-5B0918768225}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6860E2C5-5AE6-4030-B0AC-451E89E734E6}\stubpath = "C:\\Windows\\{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe"	{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D4D281F-928F-47d0-B1FF-B123BCBB242D}	{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}	{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}\stubpath = "C:\\Windows\\{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe"	2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE83DBC4-E646-4592-88CC-5B0918768225}	{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29B460F2-BB45-44b0-B5F4-F1470978A5FC}	{AE83DBC4-E646-4592-88CC-5B0918768225}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CF5F5F5-7A92-4d42-8454-90A524AF7299}\stubpath = "C:\\Windows\\{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe"	{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6860E2C5-5AE6-4030-B0AC-451E89E734E6}	{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}\stubpath = "C:\\Windows\\{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe"	{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe

Executes dropped EXE 9 IoCs

pid	Process
3128	{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe
4744	{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe
4640	{AE83DBC4-E646-4592-88CC-5B0918768225}.exe
5068	{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe
3276	{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe
3940	{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe
1380	{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe
2316	{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe
4808	{85E5BA72-80D9-4eb9-A452-C24D65CD6771}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe	{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe
File created	C:\Windows\{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe	{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe
File created	C:\Windows\{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe	{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe
File created	C:\Windows\{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe	{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe
File created	C:\Windows\{AE83DBC4-E646-4592-88CC-5B0918768225}.exe	{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe
File created	C:\Windows\{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe	{AE83DBC4-E646-4592-88CC-5B0918768225}.exe
File created	C:\Windows\{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe	2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe
File created	C:\Windows\{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe	{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe
File created	C:\Windows\{85E5BA72-80D9-4eb9-A452-C24D65CD6771}.exe	{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2116	2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3128	{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe
Token: SeIncBasePriorityPrivilege	4744	{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe
Token: SeIncBasePriorityPrivilege	4640	{AE83DBC4-E646-4592-88CC-5B0918768225}.exe
Token: SeIncBasePriorityPrivilege	5068	{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe
Token: SeIncBasePriorityPrivilege	3276	{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe
Token: SeIncBasePriorityPrivilege	3940	{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe
Token: SeIncBasePriorityPrivilege	1380	{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe
Token: SeIncBasePriorityPrivilege	2316	{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3128	2116	2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe	89
PID 2116 wrote to memory of 3128	2116	2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe	89
PID 2116 wrote to memory of 3128	2116	2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe	89
PID 2116 wrote to memory of 2828	2116	2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe	90
PID 2116 wrote to memory of 2828	2116	2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe	90
PID 2116 wrote to memory of 2828	2116	2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe	90
PID 3128 wrote to memory of 4744	3128	{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe	93
PID 3128 wrote to memory of 4744	3128	{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe	93
PID 3128 wrote to memory of 4744	3128	{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe	93
PID 3128 wrote to memory of 2704	3128	{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe	94
PID 3128 wrote to memory of 2704	3128	{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe	94
PID 3128 wrote to memory of 2704	3128	{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe	94
PID 4744 wrote to memory of 4640	4744	{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe	97
PID 4744 wrote to memory of 4640	4744	{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe	97
PID 4744 wrote to memory of 4640	4744	{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe	97
PID 4744 wrote to memory of 2184	4744	{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe	96
PID 4744 wrote to memory of 2184	4744	{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe	96
PID 4744 wrote to memory of 2184	4744	{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe	96
PID 4640 wrote to memory of 5068	4640	{AE83DBC4-E646-4592-88CC-5B0918768225}.exe	98
PID 4640 wrote to memory of 5068	4640	{AE83DBC4-E646-4592-88CC-5B0918768225}.exe	98
PID 4640 wrote to memory of 5068	4640	{AE83DBC4-E646-4592-88CC-5B0918768225}.exe	98
PID 4640 wrote to memory of 4984	4640	{AE83DBC4-E646-4592-88CC-5B0918768225}.exe	99
PID 4640 wrote to memory of 4984	4640	{AE83DBC4-E646-4592-88CC-5B0918768225}.exe	99
PID 4640 wrote to memory of 4984	4640	{AE83DBC4-E646-4592-88CC-5B0918768225}.exe	99
PID 5068 wrote to memory of 3276	5068	{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe	101
PID 5068 wrote to memory of 3276	5068	{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe	101
PID 5068 wrote to memory of 3276	5068	{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe	101
PID 5068 wrote to memory of 2580	5068	{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe	100
PID 5068 wrote to memory of 2580	5068	{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe	100
PID 5068 wrote to memory of 2580	5068	{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe	100
PID 3276 wrote to memory of 3940	3276	{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe	103
PID 3276 wrote to memory of 3940	3276	{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe	103
PID 3276 wrote to memory of 3940	3276	{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe	103
PID 3276 wrote to memory of 1540	3276	{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe	102
PID 3276 wrote to memory of 1540	3276	{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe	102
PID 3276 wrote to memory of 1540	3276	{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe	102
PID 3940 wrote to memory of 1380	3940	{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe	105
PID 3940 wrote to memory of 1380	3940	{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe	105
PID 3940 wrote to memory of 1380	3940	{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe	105
PID 3940 wrote to memory of 1676	3940	{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe	104
PID 3940 wrote to memory of 1676	3940	{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe	104
PID 3940 wrote to memory of 1676	3940	{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe	104
PID 1380 wrote to memory of 2316	1380	{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe	106
PID 1380 wrote to memory of 2316	1380	{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe	106
PID 1380 wrote to memory of 2316	1380	{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe	106
PID 1380 wrote to memory of 60	1380	{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe	107
PID 1380 wrote to memory of 60	1380	{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe	107
PID 1380 wrote to memory of 60	1380	{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe	107
PID 2316 wrote to memory of 4808	2316	{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe	109
PID 2316 wrote to memory of 4808	2316	{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe	109
PID 2316 wrote to memory of 4808	2316	{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe	109
PID 2316 wrote to memory of 4552	2316	{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe	108
PID 2316 wrote to memory of 4552	2316	{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe	108
PID 2316 wrote to memory of 4552	2316	{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_49b7951a5d4ee468686a26559570f749_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe
  C:\Windows\{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe
    C:\Windows\{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{47A42~1.EXE > nul
      4⤵
      PID:2184
  - - C:\Windows\{AE83DBC4-E646-4592-88CC-5B0918768225}.exe
      C:\Windows\{AE83DBC4-E646-4592-88CC-5B0918768225}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Windows\{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe
        
        C:\Windows\{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29B46~1.EXE > nul
        6⤵
        
        PID:2580
      - C:\Windows\{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe
        
        C:\Windows\{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CF5F~1.EXE > nul
        7⤵
        
        PID:1540
        
        C:\Windows\{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe
        
        C:\Windows\{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6860E~1.EXE > nul
        8⤵
        
        PID:1676
        
        C:\Windows\{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe
        
        C:\Windows\{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe
        
        C:\Windows\{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCA05~1.EXE > nul
        10⤵
        
        PID:4552
        
        C:\Windows\{85E5BA72-80D9-4eb9-A452-C24D65CD6771}.exe
        
        C:\Windows\{85E5BA72-80D9-4eb9-A452-C24D65CD6771}.exe
        10⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85E5B~1.EXE > nul
        11⤵
        
        PID:1424
        
        C:\Windows\{0C2E1BCA-FCAE-44e7-A2DB-2ACD5D5FA336}.exe
        
        C:\Windows\{0C2E1BCA-FCAE-44e7-A2DB-2ACD5D5FA336}.exe
        11⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C2E1~1.EXE > nul
        12⤵
        
        PID:2692
        
        C:\Windows\{73BA6DED-F907-4a81-B5DD-7AB3FA83D495}.exe
        
        C:\Windows\{73BA6DED-F907-4a81-B5DD-7AB3FA83D495}.exe
        12⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73BA6~1.EXE > nul
        13⤵
        
        PID:4820
        
        C:\Windows\{423E01D1-2D64-4ada-B9B3-449EEBED7273}.exe
        
        C:\Windows\{423E01D1-2D64-4ada-B9B3-449EEBED7273}.exe
        13⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D4D2~1.EXE > nul
        9⤵
        
        PID:60
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE83D~1.EXE > nul
        5⤵
        
        PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{113F9~1.EXE > nul
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C2E1BCA-FCAE-44e7-A2DB-2ACD5D5FA336}.exe

Filesize
92KB

MD5
d7c62b4124824ed5f0d9226ae6b1245d

SHA1
112703a2cecea7fed6e10bf3bced325b9ddfd34c

SHA256
09ba707e8150db3526848011764a1775e131a4bd85637feb81bc9078615e965d

SHA512
a272d882298475acee12706e6f6a9607cff9db518ed460facd6929a387c36d12abb8900ae0a6c6f29c13f29f76a4fe11402c4b8448e570e4fec1a88243ec7846

Download Submit
C:\Windows\{0C2E1BCA-FCAE-44e7-A2DB-2ACD5D5FA336}.exe

Filesize
111KB

MD5
fff0b085d1a3ccf0da87429aa2a33181

SHA1
696dd6f270750d792301e8f658beb683b4880298

SHA256
bca6c6a3f5c3968be465c55f1ae0ca6dccb27f41a71e53762c22250c49ff2f11

SHA512
cfab1c626ad1834c37ec0f34f6a752633f79f8c28371272e074d50787470f3ac06e23cf14915281fe0f5d479dbfcbc0a0d3da8dde190d7e718ad6a70e0d7425a

Download Submit
C:\Windows\{113F9BF3-D0D7-464b-AB1F-F1030BE708FC}.exe

Filesize
408KB

MD5
c9fec5f6f5a99d6f5777fb7d15d1abec

SHA1
f53f2ae260f158d17d61f197413bbe1cac3e35fe

SHA256
474d508b3caa4d1357795fd80d32200068554b78a2a6a55b71e105d86c3cdce9

SHA512
10169349ed6bf6a9647c65ab8cd1ffc1dbfe835313178fed8e04f0f06c91608a87f2acace02233267d5b24ecc3cdba80a78ca6f383cf1ee2792a64de8b23c06c

Download Submit
C:\Windows\{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe

Filesize
175KB

MD5
847c5089c967089e9775d7e19df41d5f

SHA1
71670c266e159bf464a00c9e02b39316c5bad614

SHA256
15e4cd3d35fa055060a1e4a6ae9d6e669dd727672c17c63d96cef92324ca896b

SHA512
f96edeaf86d88504d0b802d09942c9c581982791c56f0ea66a893a0949a2b4f7c0f679db1c746e83197e76fe52ccb70d8959caa3511d1fa0abc6ba83ab7fb644

Download Submit
C:\Windows\{29B460F2-BB45-44b0-B5F4-F1470978A5FC}.exe

Filesize
153KB

MD5
6d085b8ccd2ce823af7e07394aadccb4

SHA1
b2e41dfc843da467c07437943a52a9997a6e3d0f

SHA256
6d79b437002c2f94644b05e9d7ceb8c721b728c8dc705c733a740a0eb4fa93e3

SHA512
755fd646b11b679bc58213e53bcd600b5921aa5d50d943cbf54c05ddd54a85254236c28dc5719ca5a4f286d978a22b3ba9138ed9128791e86f7fc27324b79b61

Download Submit
C:\Windows\{423E01D1-2D64-4ada-B9B3-449EEBED7273}.exe

Filesize
30KB

MD5
436520a1eca92e96feb15f1655c88d1f

SHA1
e46d0100b802c293c26d61a90f821a4a7e59a96e

SHA256
54a4515ef96feb9fc3c9133b76108bf326e2950646cf4dbe193f8b8cd15e764d

SHA512
bdd4f7ecd60a4387c246a35d41e1ae54db7436f47db1a5323e14333d68a462a75455f070e596522dcdad49007f92f45e881eb702499f57e45e0f21b4674b58be

Download Submit
C:\Windows\{423E01D1-2D64-4ada-B9B3-449EEBED7273}.exe

Filesize
1KB

MD5
e390d5e1c9a5f95b99521de37c76e69b

SHA1
37cde85109a08b3b0d68aef382e00b09f3768e2d

SHA256
80ca884b931bb88ac3c9c819bf370704a34239361066e032d31c01fe2e1ee4c6

SHA512
fad1ef08769adc38455e2b5a614e36854b41144719f164202398888d97d387dac4c98de29088b222fb2756fe416ef6deb4fdf88649aa55ea91de4927542f8e69

Download Submit
C:\Windows\{47A425D8-3DD5-4b62-8DFD-83BC2E14B5AB}.exe

Filesize
408KB

MD5
1a833d1d487c8c6c65b365db80229661

SHA1
bbde26649718b02ec6f5c281ac94dc545e5dc3b7

SHA256
df7cf34624655535bdafee0600c5f346b1a0a347ccf59d9ddb300ed1f479db5a

SHA512
15d8e38bbfb130dfe026b83015435aac474541fc04773d9bdf9245356a69a28924448d626ac41a9717537baa6a4eed85656f7bf20906d264adfeef0d48528666

Download Submit
C:\Windows\{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe

Filesize
37KB

MD5
63d587f9226f6c61797551b17fef9398

SHA1
fafe9a32b6f21bd63e77181b7a186f114088ccc9

SHA256
16999ec6b1747087bb7b0086b7536dbb20ab41957a02c4308bf311c83dc4dce8

SHA512
c08e3551a31ec9ba643801065e040dfcccfca1993eb825c58c95c9ca2a593d093b624b9dcfd540a83766234d61b23e198f9f1df12f8e2d2069caf32c195b06a0

Download Submit
C:\Windows\{6860E2C5-5AE6-4030-B0AC-451E89E734E6}.exe

Filesize
157KB

MD5
936cc42f7809b62b3b8444dd29b2eba6

SHA1
0f2a9d584a54e803535b553ac26c8dd7c31d0261

SHA256
14f8ffc11e284ce3db6438b1d60b8e036df487b473dc5981ec5b07a5c43b1619

SHA512
6afa4725b65b1c334a922325046fda128d00706e9149af5b0228b7b69809afa7e94b1813621e402a3549579a658bdb8374104e695a2dea78a978fe874c4af395

Download Submit
C:\Windows\{73BA6DED-F907-4a81-B5DD-7AB3FA83D495}.exe

Filesize
41KB

MD5
03eafb420323a8672dbbbb952188a1af

SHA1
5fe0603217a13bdb643c26c02c07b1ef263c0794

SHA256
41b14272188e3663f5cdb0d4a25d917ebdb7d1d03a9869f763e62c4cd0fb250e

SHA512
f94dd2cc55f3983262efe10214ad9888f22a91c990ce3830bd82a53c66068af7e8468bdc5b8a985be782dc3f82aa8bf2dbc7ced59ca92d6fa397a3eef8918c68

Download Submit
C:\Windows\{73BA6DED-F907-4a81-B5DD-7AB3FA83D495}.exe

Filesize
47KB

MD5
eb99838e0b75ccd2b6770e936b745dca

SHA1
1f23d74a6e23fcc2c3aa16e024af839cd941e382

SHA256
3253d085d7445fc0afee7be6e4e59035e91a8e95f48b0fd48302a20926bc7798

SHA512
e6712e7731255464be7c5fb2bad5f6c4a5f2accff308fc0ed74b10ed34427e00fdb2fe5810ed30a220aa133b2ef60c6cbfa2f9d83337bff5993e5599a9dd7348

Download Submit
C:\Windows\{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe

Filesize
124KB

MD5
a9c8f61a6441bbb4436d356f96f5d358

SHA1
3636e20e73f6df8228b8d2addd21fdccaef75322

SHA256
0d350ab78f57bdce998f3d9341745855326771b4e560f98c63ac231a0997969f

SHA512
b6a6d3f19ebb0cdce108be81af9899fe8668c662fdbea37033e6950371daa9b8e45a07a2578fc5d91861fe3c40ca36909e453c49a1d24bab4b380df240e8bf15

Download Submit
C:\Windows\{7D4D281F-928F-47d0-B1FF-B123BCBB242D}.exe

Filesize
133KB

MD5
8793cc0c8fee2e57c96725f6fe844688

SHA1
095a7718a1a08156ef82d2d84634ab854746c345

SHA256
46bb4193d5175a7634770ef9c7521e5f0d3f43e40d21f59072dde21bbf49cfdb

SHA512
ba11dd09f62a3c904dfb1fdb84bbb40ac2373800bfb528d9ef2ab68485a521150118d0932bd7c8dcef5411f4b4fe2fe6db04baa598ed866184be0fe5d36e8b34

Download Submit
C:\Windows\{85E5BA72-80D9-4eb9-A452-C24D65CD6771}.exe

Filesize
205KB

MD5
d3dd0ce0f0b1e244be2d97faa35e5ff8

SHA1
63e7c7d7c19d79f964e9cec09a65d15268165564

SHA256
872359d16630c90cba398b87b6bf2822f441024c044d16fc4c5190a41ec1aba1

SHA512
31fe2539e99a86ea2911ebf2989fa5d57afa15769e78853162fa3261654b4fb7705bd359e266ff770817a1661522723b892ab517a11a31733829fbfe64f8a166

Download Submit
C:\Windows\{85E5BA72-80D9-4eb9-A452-C24D65CD6771}.exe

Filesize
334KB

MD5
e0dace01233b7c21d3f9d055601364a3

SHA1
7c55cf326c24e0ddee97dab7de2fc09140dfcac5

SHA256
2b736a778dac5016daa7aeee3ce867b9082ff7e248184b32ba0f9f7c8b9c1495

SHA512
7a7dbd3f3237441bd010a297fd27a98c539f2c596021385f1d97f5dd6437201288e522ab57b4d6ddbdf4c2e8cc41201feb7bf530109c49647646fbf1d5cdd116

Download Submit
C:\Windows\{8CF5F5F5-7A92-4d42-8454-90A524AF7299}.exe

Filesize
408KB

MD5
19f479a58b8fbde292e2ab0717004afb

SHA1
b9aee8d59dc1d56af557db7ec845eaab26c9553b

SHA256
0e668e3c81420b3031ca50b80d52e9930416ffbe61efec0bece3a4cedefc5cc4

SHA512
0e2e6e9c653aaec83edb696bca678bc2cf60feedaeaf64de1dd20c3fa6bfaf93c14b8fad25ab790091ba79c3d6c55c5a3b0ec9a77361603cb43828a7947fb9be

Download Submit
C:\Windows\{AE83DBC4-E646-4592-88CC-5B0918768225}.exe

Filesize
408KB

MD5
d1254b473e31a1adb1b464738c4f4031

SHA1
f70462e3b5e81d950cfaf31b523374a71b551653

SHA256
f26c04c20554689ab24db8fd075c6b5f8c25a6e2f12d0764195ee2b78e16a312

SHA512
6e2edb12bebfd712509f716195feb19dc1f2e8c93b83f700375b2174f0d1a71d531428db0c9bafa49784dfa474ff12f898e09600951d2dd150d7c095142ccd5b

Download Submit
C:\Windows\{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe

Filesize
7KB

MD5
a76665cdbcbe7e3ada0c253809f8f261

SHA1
46a0f3593b27c6373784ece73fd0e286bdcbff74

SHA256
65931f6bfcbd53654594856e2519136b040b25e994517a135f27d82127ad00e0

SHA512
1d2191e3925f4026c30b037ccd32c405750c4e50533fc688ae62b2eeb992c825fcf318ac9f81f6c035d3755250a6bac7065d2d5e7805a9a03495c33682ba38d9

Download Submit
C:\Windows\{CCA05B14-5FFB-456e-8C81-9B87B50C1D3A}.exe

Filesize
96KB

MD5
12a2410f090e5573a73ccd000f27eed4

SHA1
92afd50792c48e7b1676c1ac8e9ce2953acabadf

SHA256
8f916d83b3acd6a736968faa6ad04f36b437ed1980dc8ea228f770c0ddecd0e5

SHA512
2750a7d10b0c283d5e39479a6f3c6f69161d8557be275e5544ad607301eab2a105eacccfce2c03ef849518e22a7a25a821aaa9a80b5b1b8d0282ef1bab1cca5f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads