528aa1cc45a89453bfec8d57db79ede87e79076cf39afc57483d4ab9f9a20173

Analysis

max time kernel
156s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe
Size

197KB
MD5

1faf6f5e5f2eac0a4eff6232863c7f22
SHA1

e022b8e0892bb0ae22c200cc0e373aee883de077
SHA256

528aa1cc45a89453bfec8d57db79ede87e79076cf39afc57483d4ab9f9a20173
SHA512

cc1b7517e1d123e4aae54371a41354c48926e374ebd9df8db3fd7c9f91af9f307227660d77f5916c844e6da5981aec355d115207e509bfc9fe91304caf6e975a
SSDEEP

3072:jEGh0okl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGalEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231e0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00060000000231f3-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001600000001e33a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231e0-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001700000001e33a-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002177b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00150000000006c1-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00160000000006c1-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e1-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09A4033B-378F-482c-B000-EBB8085FB065}\stubpath = "C:\\Windows\\{09A4033B-378F-482c-B000-EBB8085FB065}.exe"	{B729A844-5593-4de4-B2A8-2032820955DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98AF222E-8F86-48cd-B55D-126CD9AAABED}	{09A4033B-378F-482c-B000-EBB8085FB065}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7707364-CA3B-4146-B434-160EBEAC114E}\stubpath = "C:\\Windows\\{B7707364-CA3B-4146-B434-160EBEAC114E}.exe"	{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}	{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{538BEA34-A239-4bb3-BC75-DEDE76B292AA}\stubpath = "C:\\Windows\\{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe"	{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87AA7C5D-9645-4a0a-A99C-444FB3DE8EEC}	{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7707364-CA3B-4146-B434-160EBEAC114E}	{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B729A844-5593-4de4-B2A8-2032820955DD}	{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09A4033B-378F-482c-B000-EBB8085FB065}	{B729A844-5593-4de4-B2A8-2032820955DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}\stubpath = "C:\\Windows\\{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe"	{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98AF222E-8F86-48cd-B55D-126CD9AAABED}\stubpath = "C:\\Windows\\{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe"	{09A4033B-378F-482c-B000-EBB8085FB065}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}	{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}\stubpath = "C:\\Windows\\{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe"	{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCB96A41-A833-41b4-8E33-B9E991274259}	{B7707364-CA3B-4146-B434-160EBEAC114E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCB96A41-A833-41b4-8E33-B9E991274259}\stubpath = "C:\\Windows\\{CCB96A41-A833-41b4-8E33-B9E991274259}.exe"	{B7707364-CA3B-4146-B434-160EBEAC114E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48C1516D-93E4-44d5-AB18-15BEC2F6A566}	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48C1516D-93E4-44d5-AB18-15BEC2F6A566}\stubpath = "C:\\Windows\\{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe"	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B729A844-5593-4de4-B2A8-2032820955DD}\stubpath = "C:\\Windows\\{B729A844-5593-4de4-B2A8-2032820955DD}.exe"	{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87AA7C5D-9645-4a0a-A99C-444FB3DE8EEC}\stubpath = "C:\\Windows\\{87AA7C5D-9645-4a0a-A99C-444FB3DE8EEC}.exe"	{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}	{CCB96A41-A833-41b4-8E33-B9E991274259}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}\stubpath = "C:\\Windows\\{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe"	{CCB96A41-A833-41b4-8E33-B9E991274259}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{538BEA34-A239-4bb3-BC75-DEDE76B292AA}	{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe

Executes dropped EXE 11 IoCs

pid	Process
2540	{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe
3048	{B729A844-5593-4de4-B2A8-2032820955DD}.exe
2592	{09A4033B-378F-482c-B000-EBB8085FB065}.exe
1628	{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe
1636	{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe
1200	{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe
4044	{B7707364-CA3B-4146-B434-160EBEAC114E}.exe
1128	{CCB96A41-A833-41b4-8E33-B9E991274259}.exe
3592	{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe
116	{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe
4092	{87AA7C5D-9645-4a0a-A99C-444FB3DE8EEC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{87AA7C5D-9645-4a0a-A99C-444FB3DE8EEC}.exe	{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe
File created	C:\Windows\{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe
File created	C:\Windows\{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe	{09A4033B-378F-482c-B000-EBB8085FB065}.exe
File created	C:\Windows\{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe	{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe
File created	C:\Windows\{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe	{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe
File created	C:\Windows\{B7707364-CA3B-4146-B434-160EBEAC114E}.exe	{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe
File created	C:\Windows\{B729A844-5593-4de4-B2A8-2032820955DD}.exe	{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe
File created	C:\Windows\{09A4033B-378F-482c-B000-EBB8085FB065}.exe	{B729A844-5593-4de4-B2A8-2032820955DD}.exe
File created	C:\Windows\{CCB96A41-A833-41b4-8E33-B9E991274259}.exe	{B7707364-CA3B-4146-B434-160EBEAC114E}.exe
File created	C:\Windows\{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe	{CCB96A41-A833-41b4-8E33-B9E991274259}.exe
File created	C:\Windows\{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe	{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4172	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2540	{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe
Token: SeIncBasePriorityPrivilege	3048	{B729A844-5593-4de4-B2A8-2032820955DD}.exe
Token: SeIncBasePriorityPrivilege	2592	{09A4033B-378F-482c-B000-EBB8085FB065}.exe
Token: SeIncBasePriorityPrivilege	1628	{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe
Token: SeIncBasePriorityPrivilege	1636	{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe
Token: SeIncBasePriorityPrivilege	1200	{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe
Token: SeIncBasePriorityPrivilege	4044	{B7707364-CA3B-4146-B434-160EBEAC114E}.exe
Token: SeIncBasePriorityPrivilege	1128	{CCB96A41-A833-41b4-8E33-B9E991274259}.exe
Token: SeIncBasePriorityPrivilege	3592	{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe
Token: SeIncBasePriorityPrivilege	116	{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 2540	4172	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	86
PID 4172 wrote to memory of 2540	4172	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	86
PID 4172 wrote to memory of 2540	4172	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	86
PID 4172 wrote to memory of 2620	4172	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	87
PID 4172 wrote to memory of 2620	4172	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	87
PID 4172 wrote to memory of 2620	4172	2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe	87
PID 2540 wrote to memory of 3048	2540	{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe	94
PID 2540 wrote to memory of 3048	2540	{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe	94
PID 2540 wrote to memory of 3048	2540	{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe	94
PID 2540 wrote to memory of 572	2540	{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe	95
PID 2540 wrote to memory of 572	2540	{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe	95
PID 2540 wrote to memory of 572	2540	{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe	95
PID 3048 wrote to memory of 2592	3048	{B729A844-5593-4de4-B2A8-2032820955DD}.exe	97
PID 3048 wrote to memory of 2592	3048	{B729A844-5593-4de4-B2A8-2032820955DD}.exe	97
PID 3048 wrote to memory of 2592	3048	{B729A844-5593-4de4-B2A8-2032820955DD}.exe	97
PID 3048 wrote to memory of 1664	3048	{B729A844-5593-4de4-B2A8-2032820955DD}.exe	96
PID 3048 wrote to memory of 1664	3048	{B729A844-5593-4de4-B2A8-2032820955DD}.exe	96
PID 3048 wrote to memory of 1664	3048	{B729A844-5593-4de4-B2A8-2032820955DD}.exe	96
PID 2592 wrote to memory of 1628	2592	{09A4033B-378F-482c-B000-EBB8085FB065}.exe	98
PID 2592 wrote to memory of 1628	2592	{09A4033B-378F-482c-B000-EBB8085FB065}.exe	98
PID 2592 wrote to memory of 1628	2592	{09A4033B-378F-482c-B000-EBB8085FB065}.exe	98
PID 2592 wrote to memory of 4776	2592	{09A4033B-378F-482c-B000-EBB8085FB065}.exe	99
PID 2592 wrote to memory of 4776	2592	{09A4033B-378F-482c-B000-EBB8085FB065}.exe	99
PID 2592 wrote to memory of 4776	2592	{09A4033B-378F-482c-B000-EBB8085FB065}.exe	99
PID 1628 wrote to memory of 1636	1628	{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe	100
PID 1628 wrote to memory of 1636	1628	{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe	100
PID 1628 wrote to memory of 1636	1628	{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe	100
PID 1628 wrote to memory of 4240	1628	{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe	101
PID 1628 wrote to memory of 4240	1628	{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe	101
PID 1628 wrote to memory of 4240	1628	{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe	101
PID 1636 wrote to memory of 1200	1636	{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe	102
PID 1636 wrote to memory of 1200	1636	{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe	102
PID 1636 wrote to memory of 1200	1636	{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe	102
PID 1636 wrote to memory of 400	1636	{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe	103
PID 1636 wrote to memory of 400	1636	{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe	103
PID 1636 wrote to memory of 400	1636	{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe	103
PID 1200 wrote to memory of 4044	1200	{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe	104
PID 1200 wrote to memory of 4044	1200	{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe	104
PID 1200 wrote to memory of 4044	1200	{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe	104
PID 1200 wrote to memory of 4420	1200	{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe	105
PID 1200 wrote to memory of 4420	1200	{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe	105
PID 1200 wrote to memory of 4420	1200	{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe	105
PID 4044 wrote to memory of 1128	4044	{B7707364-CA3B-4146-B434-160EBEAC114E}.exe	106
PID 4044 wrote to memory of 1128	4044	{B7707364-CA3B-4146-B434-160EBEAC114E}.exe	106
PID 4044 wrote to memory of 1128	4044	{B7707364-CA3B-4146-B434-160EBEAC114E}.exe	106
PID 4044 wrote to memory of 2820	4044	{B7707364-CA3B-4146-B434-160EBEAC114E}.exe	107
PID 4044 wrote to memory of 2820	4044	{B7707364-CA3B-4146-B434-160EBEAC114E}.exe	107
PID 4044 wrote to memory of 2820	4044	{B7707364-CA3B-4146-B434-160EBEAC114E}.exe	107
PID 1128 wrote to memory of 3592	1128	{CCB96A41-A833-41b4-8E33-B9E991274259}.exe	108
PID 1128 wrote to memory of 3592	1128	{CCB96A41-A833-41b4-8E33-B9E991274259}.exe	108
PID 1128 wrote to memory of 3592	1128	{CCB96A41-A833-41b4-8E33-B9E991274259}.exe	108
PID 1128 wrote to memory of 4540	1128	{CCB96A41-A833-41b4-8E33-B9E991274259}.exe	109
PID 1128 wrote to memory of 4540	1128	{CCB96A41-A833-41b4-8E33-B9E991274259}.exe	109
PID 1128 wrote to memory of 4540	1128	{CCB96A41-A833-41b4-8E33-B9E991274259}.exe	109
PID 3592 wrote to memory of 116	3592	{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe	110
PID 3592 wrote to memory of 116	3592	{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe	110
PID 3592 wrote to memory of 116	3592	{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe	110
PID 3592 wrote to memory of 1824	3592	{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe	111
PID 3592 wrote to memory of 1824	3592	{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe	111
PID 3592 wrote to memory of 1824	3592	{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe	111
PID 116 wrote to memory of 4092	116	{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe	112
PID 116 wrote to memory of 4092	116	{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe	112
PID 116 wrote to memory of 4092	116	{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe	112
PID 116 wrote to memory of 3704	116	{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_1faf6f5e5f2eac0a4eff6232863c7f22_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Windows\{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe
  C:\Windows\{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\{B729A844-5593-4de4-B2A8-2032820955DD}.exe
    C:\Windows\{B729A844-5593-4de4-B2A8-2032820955DD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B729A~1.EXE > nul
      4⤵
      PID:1664
  - - C:\Windows\{09A4033B-378F-482c-B000-EBB8085FB065}.exe
      C:\Windows\{09A4033B-378F-482c-B000-EBB8085FB065}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe
        
        C:\Windows\{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe
        
        C:\Windows\{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe
        
        C:\Windows\{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{B7707364-CA3B-4146-B434-160EBEAC114E}.exe
        
        C:\Windows\{B7707364-CA3B-4146-B434-160EBEAC114E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\{CCB96A41-A833-41b4-8E33-B9E991274259}.exe
        
        C:\Windows\{CCB96A41-A833-41b4-8E33-B9E991274259}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe
        
        C:\Windows\{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe
        
        C:\Windows\{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{87AA7C5D-9645-4a0a-A99C-444FB3DE8EEC}.exe
        
        C:\Windows\{87AA7C5D-9645-4a0a-A99C-444FB3DE8EEC}.exe
        12⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{538BE~1.EXE > nul
        12⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D203E~1.EXE > nul
        11⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCB96~1.EXE > nul
        10⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7707~1.EXE > nul
        9⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A4AE~1.EXE > nul
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57D2B~1.EXE > nul
        7⤵
        
        PID:400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98AF2~1.EXE > nul
        6⤵
        
        PID:4240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09A40~1.EXE > nul
        5⤵
        
        PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{48C15~1.EXE > nul
    3⤵
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09A4033B-378F-482c-B000-EBB8085FB065}.exe

Filesize
197KB

MD5
d85fb08666bfe33b317444bbe6b0a6ec

SHA1
94bb4c46b11c0c666dfba2053aa332ea63b452c5

SHA256
4cf78eb17df2d21b8e49362d1c4e1aaacace5354e45f27936f15f8983554202c

SHA512
f3d4ee3fadb1679b93b754101801bcc12fd1c1a4e724e28a0affc0e1b5e0cfb76f69f75626194722a8c43929db9b747701e2e6a5cfede7f6ccab91c494e03484

Download Submit
C:\Windows\{48C1516D-93E4-44d5-AB18-15BEC2F6A566}.exe

Filesize
197KB

MD5
1af05ef0b39a5e33ebf365ff46479d4e

SHA1
379f5226126628ef4e24d2520ad2945027a2536a

SHA256
4475627978696125ea2db63451da5230d81341f073ea902b73872807278e8270

SHA512
a9b51b31f9d20938d4990000f6ea6220baa524bdbb9030c2a9fadd599a189eecc3e6a1049e54f918a9b0a9e6e7b0e13290e92cad7f6d24e15f3b801ffb0d93dd

Download Submit
C:\Windows\{538BEA34-A239-4bb3-BC75-DEDE76B292AA}.exe

Filesize
197KB

MD5
3400e2edf2ea8af338f3c3bfde0aa6d8

SHA1
52c1e39080e43d940952f2ea3d75a232eb3f11b2

SHA256
e8f091d746ab0d2be0998270257c6dc406401afd4612c21e13aae6774d05f2fe

SHA512
cd305e872bff3e77934c9ccd1d2f9e4cacfb8bda63e835137a2f283c88f9ea8c268a263b8dd7fefc0b049d3f965523bd28a615df70f7547d0731687fccc6627f

Download Submit
C:\Windows\{57D2B3D2-8807-46c3-85AC-909A0F6B0D99}.exe

Filesize
197KB

MD5
7fb8c6f256d44ced022a019a4e0fccc2

SHA1
3c5f616ff54e8956df95d5354dbd6e778a959361

SHA256
a79f7005a514cbd21539b0508f6a09877d0c2faaa46765f3dc56298a6f063b89

SHA512
d73f87e2a172f8a08c8086692c0e8aaacb0be44dac05d4550c69480ae5fdc5a9ef2ee1ad77d29038c699727496386077cec06a0a288b502a7fc848a1d58ff66b

Download Submit
C:\Windows\{5A4AEEFB-1E7E-45d6-AAAE-E6C5A1A4F5BB}.exe

Filesize
197KB

MD5
67b9e5a7a284475f84c575436cbcd5d6

SHA1
fce6f793ec9271d914c1054466e4acfa5b8eb0bf

SHA256
5214926fa78b455e9838aa364a418139cc207a759bcaab8a64c24c9582a3c799

SHA512
30ab06932f7c0c9ed0f85ec0d57888a96d571b4b9c47bfecbf3f18ad3131522c44dfc1413629036b5267bdd8a5ba401b84179fd04fbeb68ca8c7ab8112a7ee21

Download Submit
C:\Windows\{87AA7C5D-9645-4a0a-A99C-444FB3DE8EEC}.exe

Filesize
197KB

MD5
104daa192adc5167a14fe68614ac77eb

SHA1
aa1117e9d1148874b912fde7d188bdf574eb2cb4

SHA256
5465ffa9e0ef91c3384909ea49809ca6bcd346192f47797abe37f2b0ea35415e

SHA512
6271eba179f1514cd502d005886bd673cd7e687dfb4e925b9a6cf0ca324c47d18bdf58c3cae11ea279ce46976ffc57659f6950f08c1187fc09142bc5f0179741

Download Submit
C:\Windows\{98AF222E-8F86-48cd-B55D-126CD9AAABED}.exe

Filesize
197KB

MD5
2e4b9c04a06a5aa3387ba1561dc3b3ee

SHA1
a20646b45cc8cfc85d7a5be46fa0be11abe6b652

SHA256
286e497a83f1cd37ea7a804308d717a6690e48b3776e4d177626a1a57adcc26e

SHA512
056792404a9cc954a9bea503a9e1bb3ed2959b926108285b100602a644121ca550164d32ec019b750e90085978d9e57c84a4c1c77a35efd099fa59001e00a42f

Download Submit
C:\Windows\{B729A844-5593-4de4-B2A8-2032820955DD}.exe

Filesize
197KB

MD5
6b8673acce23ce90fd2d21691d937f69

SHA1
104c9ee4d37d056ae5e6ad6f2862f500e5ca6a1e

SHA256
f7fd2f4d4c3519ba1b2504a3fe4d21d2c8940b80f2b1544b4c6a7e24c14efd10

SHA512
3592996e98d5e3217b3a0324905dc8c19d2dd3de265af0c51bba51add4cf0a6412721652a2e5d753dc44eb69a9ab68a9a0ab14002533ca75eeac169b0a7320a8

Download Submit
C:\Windows\{B7707364-CA3B-4146-B434-160EBEAC114E}.exe

Filesize
197KB

MD5
25282f5db7d790366fdaa3d65b13124a

SHA1
b14f194f60d60a1daf48428a08754b0980c817a4

SHA256
d3c25db7c0698ad8339e5365bcad4f2510f117dfcbed00d07d09a409d3ed23db

SHA512
0042f2e94be4e5950a3f4d71954d72d0dcd891fe2345593322b66ac7fa4f800a4350effd7c53325e1341bfa8c8aa467bf07b05c61cefd6612a394f5c3621e3cc

Download Submit
C:\Windows\{CCB96A41-A833-41b4-8E33-B9E991274259}.exe

Filesize
197KB

MD5
a386d1448b6e70bc5f74ca2bc7d680cd

SHA1
43ee0d71064ec67af56a8a603b7c70c4b9494c10

SHA256
899cee4791b4b08e0f55109d8fc03fdfbd6b078bab12c3f2c5e53d30fccfc518

SHA512
0f101192dcc0c5684c3c5c76e3fea4ed550edabcfc74c3eded75d78e389e13864684be3a22ff640cc11c447acb8dc8a4d4888ebd885721bc081b75843c68706c

Download Submit
C:\Windows\{D203E46F-CFBE-4a00-89F7-D7DDD8FB088A}.exe

Filesize
197KB

MD5
afa99575819ffde546992d53510bde5e

SHA1
1ec8cbfaf1d9feb789c7f3c0f5a4fdf9b2dca852

SHA256
a5c41c2ca71288c3cf7a1ae2bd28cabfd0ce6a17237bcc8382c816cb607e13b1

SHA512
78c8627a8ece15eac2e32c9de9e98768689504fb0402a0d1bb86d0e2efaead516ab819785bce556e18ed490f96e6e4aacc6fa468d2e9273943317f9be391999d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads