05e9b0861727d8ef30f7e9100ba4569ff91e0e663da24c4e91163fc68c8cd66e

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe
Size

180KB
MD5

fda2c50a74929567813e502b36efb32c
SHA1

bffc43787a67eb7b75339706b9e41b6e0237b8fc
SHA256

05e9b0861727d8ef30f7e9100ba4569ff91e0e663da24c4e91163fc68c8cd66e
SHA512

67d6143a8390fb51ed73b7fec9d4f0acdaca6da290f9aefd2295942cbd072d06e8beb9463be805bbec9d6440760566a7e75668169a40199ef5dfe3be81491cf7
SSDEEP

3072:jEGh0oBlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGTl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023213-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023219-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023213-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021569-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021570-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021569-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BD86185-14CA-482d-A532-CB5F7635F44E}\stubpath = "C:\\Windows\\{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe"	{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47675C31-8851-46e0-87DA-CDFE8F627F99}\stubpath = "C:\\Windows\\{47675C31-8851-46e0-87DA-CDFE8F627F99}.exe"	{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0BA8E2-24E2-429f-905E-1C3FC96DFE0B}\stubpath = "C:\\Windows\\{2B0BA8E2-24E2-429f-905E-1C3FC96DFE0B}.exe"	{47675C31-8851-46e0-87DA-CDFE8F627F99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{156578AD-DA25-45e7-BD04-141F6EB76D88}	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{501041A0-E9C3-474f-9198-ACA5C5ADCB71}\stubpath = "C:\\Windows\\{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe"	{7628037A-683E-4ee4-904B-58B0971881D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}	{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{039754A0-CBFA-463f-BBD6-6CB522F77E25}	{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{609E5C20-423F-4119-9473-CBA4405CB3DA}\stubpath = "C:\\Windows\\{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe"	{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47675C31-8851-46e0-87DA-CDFE8F627F99}	{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF0677D5-7638-4c62-8081-1493167BF7DA}	{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{501041A0-E9C3-474f-9198-ACA5C5ADCB71}	{7628037A-683E-4ee4-904B-58B0971881D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00A7880F-0F09-4c33-BD00-7AAA6E98159F}	{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00A7880F-0F09-4c33-BD00-7AAA6E98159F}\stubpath = "C:\\Windows\\{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe"	{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{724A1DC7-330E-4a72-B93A-A8F66E77807D}\stubpath = "C:\\Windows\\{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe"	{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}\stubpath = "C:\\Windows\\{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe"	{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{039754A0-CBFA-463f-BBD6-6CB522F77E25}\stubpath = "C:\\Windows\\{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe"	{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0BA8E2-24E2-429f-905E-1C3FC96DFE0B}	{47675C31-8851-46e0-87DA-CDFE8F627F99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{156578AD-DA25-45e7-BD04-141F6EB76D88}\stubpath = "C:\\Windows\\{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe"	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7628037A-683E-4ee4-904B-58B0971881D8}	{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7628037A-683E-4ee4-904B-58B0971881D8}\stubpath = "C:\\Windows\\{7628037A-683E-4ee4-904B-58B0971881D8}.exe"	{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{609E5C20-423F-4119-9473-CBA4405CB3DA}	{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF0677D5-7638-4c62-8081-1493167BF7DA}\stubpath = "C:\\Windows\\{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe"	{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{724A1DC7-330E-4a72-B93A-A8F66E77807D}	{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BD86185-14CA-482d-A532-CB5F7635F44E}	{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe

Executes dropped EXE 12 IoCs

pid	Process
5084	{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe
4324	{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe
2140	{7628037A-683E-4ee4-904B-58B0971881D8}.exe
4936	{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe
4176	{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe
1968	{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe
1828	{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe
3600	{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe
1664	{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe
496	{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe
3420	{47675C31-8851-46e0-87DA-CDFE8F627F99}.exe
3368	{2B0BA8E2-24E2-429f-905E-1C3FC96DFE0B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe	{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe
File created	C:\Windows\{7628037A-683E-4ee4-904B-58B0971881D8}.exe	{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe
File created	C:\Windows\{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe	{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe
File created	C:\Windows\{47675C31-8851-46e0-87DA-CDFE8F627F99}.exe	{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe
File created	C:\Windows\{2B0BA8E2-24E2-429f-905E-1C3FC96DFE0B}.exe	{47675C31-8851-46e0-87DA-CDFE8F627F99}.exe
File created	C:\Windows\{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe
File created	C:\Windows\{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe	{7628037A-683E-4ee4-904B-58B0971881D8}.exe
File created	C:\Windows\{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe	{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe
File created	C:\Windows\{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe	{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe
File created	C:\Windows\{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe	{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe
File created	C:\Windows\{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe	{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe
File created	C:\Windows\{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe	{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3768	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5084	{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe
Token: SeIncBasePriorityPrivilege	4324	{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe
Token: SeIncBasePriorityPrivilege	2140	{7628037A-683E-4ee4-904B-58B0971881D8}.exe
Token: SeIncBasePriorityPrivilege	4936	{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe
Token: SeIncBasePriorityPrivilege	4176	{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe
Token: SeIncBasePriorityPrivilege	1968	{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe
Token: SeIncBasePriorityPrivilege	1828	{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe
Token: SeIncBasePriorityPrivilege	3600	{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe
Token: SeIncBasePriorityPrivilege	1664	{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe
Token: SeIncBasePriorityPrivilege	496	{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe
Token: SeIncBasePriorityPrivilege	3420	{47675C31-8851-46e0-87DA-CDFE8F627F99}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 5084	3768	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	86
PID 3768 wrote to memory of 5084	3768	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	86
PID 3768 wrote to memory of 5084	3768	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	86
PID 3768 wrote to memory of 3424	3768	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	87
PID 3768 wrote to memory of 3424	3768	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	87
PID 3768 wrote to memory of 3424	3768	2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe	87
PID 5084 wrote to memory of 4324	5084	{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe	91
PID 5084 wrote to memory of 4324	5084	{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe	91
PID 5084 wrote to memory of 4324	5084	{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe	91
PID 5084 wrote to memory of 4892	5084	{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe	92
PID 5084 wrote to memory of 4892	5084	{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe	92
PID 5084 wrote to memory of 4892	5084	{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe	92
PID 4324 wrote to memory of 2140	4324	{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe	95
PID 4324 wrote to memory of 2140	4324	{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe	95
PID 4324 wrote to memory of 2140	4324	{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe	95
PID 4324 wrote to memory of 1840	4324	{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe	94
PID 4324 wrote to memory of 1840	4324	{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe	94
PID 4324 wrote to memory of 1840	4324	{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe	94
PID 2140 wrote to memory of 4936	2140	{7628037A-683E-4ee4-904B-58B0971881D8}.exe	96
PID 2140 wrote to memory of 4936	2140	{7628037A-683E-4ee4-904B-58B0971881D8}.exe	96
PID 2140 wrote to memory of 4936	2140	{7628037A-683E-4ee4-904B-58B0971881D8}.exe	96
PID 2140 wrote to memory of 1364	2140	{7628037A-683E-4ee4-904B-58B0971881D8}.exe	97
PID 2140 wrote to memory of 1364	2140	{7628037A-683E-4ee4-904B-58B0971881D8}.exe	97
PID 2140 wrote to memory of 1364	2140	{7628037A-683E-4ee4-904B-58B0971881D8}.exe	97
PID 4936 wrote to memory of 4176	4936	{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe	98
PID 4936 wrote to memory of 4176	4936	{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe	98
PID 4936 wrote to memory of 4176	4936	{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe	98
PID 4936 wrote to memory of 3032	4936	{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe	99
PID 4936 wrote to memory of 3032	4936	{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe	99
PID 4936 wrote to memory of 3032	4936	{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe	99
PID 4176 wrote to memory of 1968	4176	{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe	100
PID 4176 wrote to memory of 1968	4176	{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe	100
PID 4176 wrote to memory of 1968	4176	{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe	100
PID 4176 wrote to memory of 4740	4176	{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe	101
PID 4176 wrote to memory of 4740	4176	{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe	101
PID 4176 wrote to memory of 4740	4176	{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe	101
PID 1968 wrote to memory of 1828	1968	{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe	102
PID 1968 wrote to memory of 1828	1968	{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe	102
PID 1968 wrote to memory of 1828	1968	{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe	102
PID 1968 wrote to memory of 4512	1968	{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe	103
PID 1968 wrote to memory of 4512	1968	{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe	103
PID 1968 wrote to memory of 4512	1968	{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe	103
PID 1828 wrote to memory of 3600	1828	{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe	104
PID 1828 wrote to memory of 3600	1828	{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe	104
PID 1828 wrote to memory of 3600	1828	{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe	104
PID 1828 wrote to memory of 3524	1828	{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe	105
PID 1828 wrote to memory of 3524	1828	{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe	105
PID 1828 wrote to memory of 3524	1828	{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe	105
PID 3600 wrote to memory of 1664	3600	{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe	106
PID 3600 wrote to memory of 1664	3600	{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe	106
PID 3600 wrote to memory of 1664	3600	{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe	106
PID 3600 wrote to memory of 2036	3600	{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe	107
PID 3600 wrote to memory of 2036	3600	{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe	107
PID 3600 wrote to memory of 2036	3600	{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe	107
PID 1664 wrote to memory of 496	1664	{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe	108
PID 1664 wrote to memory of 496	1664	{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe	108
PID 1664 wrote to memory of 496	1664	{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe	108
PID 1664 wrote to memory of 388	1664	{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe	109
PID 1664 wrote to memory of 388	1664	{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe	109
PID 1664 wrote to memory of 388	1664	{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe	109
PID 496 wrote to memory of 3420	496	{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe	110
PID 496 wrote to memory of 3420	496	{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe	110
PID 496 wrote to memory of 3420	496	{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe	110
PID 496 wrote to memory of 3516	496	{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_fda2c50a74929567813e502b36efb32c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe
  C:\Windows\{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe
    C:\Windows\{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CF067~1.EXE > nul
      4⤵
      PID:1840
  - - C:\Windows\{7628037A-683E-4ee4-904B-58B0971881D8}.exe
      C:\Windows\{7628037A-683E-4ee4-904B-58B0971881D8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe
        
        C:\Windows\{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4936
      - C:\Windows\{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe
        
        C:\Windows\{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe
        
        C:\Windows\{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe
        
        C:\Windows\{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe
        
        C:\Windows\{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe
        
        C:\Windows\{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe
        
        C:\Windows\{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\{47675C31-8851-46e0-87DA-CDFE8F627F99}.exe
        
        C:\Windows\{47675C31-8851-46e0-87DA-CDFE8F627F99}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
        
        C:\Windows\{2B0BA8E2-24E2-429f-905E-1C3FC96DFE0B}.exe
        
        C:\Windows\{2B0BA8E2-24E2-429f-905E-1C3FC96DFE0B}.exe
        13⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47675~1.EXE > nul
        13⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BD86~1.EXE > nul
        12⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03975~1.EXE > nul
        11⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AFA2~1.EXE > nul
        10⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{724A1~1.EXE > nul
        9⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{609E5~1.EXE > nul
        8⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00A78~1.EXE > nul
        7⤵
        
        PID:4740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50104~1.EXE > nul
        6⤵
        
        PID:3032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76280~1.EXE > nul
        5⤵
        
        PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{15657~1.EXE > nul
    3⤵
    PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00A7880F-0F09-4c33-BD00-7AAA6E98159F}.exe

Filesize
180KB

MD5
f63dce6b038a186466aa524245c31618

SHA1
2033c36c34ac28aedc2f56f04c6a2586868434c1

SHA256
31f5db7a2916aae502f1e86aae1112ae790531519a9d691e532d3ee3314d2538

SHA512
7222c31a4ef5850cf2fae6963dcda45c51ec31217bef739b9540a7ffc8bfc40f17e6f4074cca350ec5dc198069db0cb3a250652909bad18816a2eec13c4083ef

Download Submit
C:\Windows\{039754A0-CBFA-463f-BBD6-6CB522F77E25}.exe

Filesize
180KB

MD5
c49c585d7f2c79bae36780cf119a93b7

SHA1
b922405c7f2de9afd3c3724eeb61eb85c728c9d2

SHA256
00cbdd7d9972a9417014cdc57e3fbbffa3c6a4df9de77ab4f29ae991243e7a52

SHA512
39caafd05b5b23c66140f49abfec96ee3de91f69a46b5fa1a701e5cf49a18869c4749fd0ea82fe8a79d57d9030fc175395bb8fb611b56625aaf25a8733346cd3

Download Submit
C:\Windows\{156578AD-DA25-45e7-BD04-141F6EB76D88}.exe

Filesize
180KB

MD5
44f932d106b7c4cbaadd1a15080b2637

SHA1
7824d4dc2f7397ab08b0718546320d07556fed84

SHA256
bca04f7833c6d9fa734539a7a909cfa43a3be7087f9851253030e1a6183dee99

SHA512
1364af9261981ef616e69d4333d711d7e316ff25fb901dca5f910de3625d25cabe6ae97660a73064a5e22bd90aa45cfd52d5dee3d996970af19832ef11ca5ea8

Download Submit
C:\Windows\{2AFA220A-7B6F-4e31-9C36-0D88ED5CA85C}.exe

Filesize
180KB

MD5
c9358d70387ddcec5bfad7ecdcbbcc7c

SHA1
86fa5015863b201bfd65e96b78f44032bc8993e6

SHA256
81f46bcc83ce538b0c256116b92f14b9c1a26cfef895f576073d7a19d1733a80

SHA512
ec01ee5f63b33d7df1a2b88a8628ef48161e3c0cc88cdf1501158edb52889ea93fa855eed6f4571c21d1d70e7594b986e524436647ba62bda6c4881dee0b1922

Download Submit
C:\Windows\{2B0BA8E2-24E2-429f-905E-1C3FC96DFE0B}.exe

Filesize
180KB

MD5
20f28e882d418d76ee22a13225c72dcc

SHA1
d848ce3b53f4332419fba48d249d3bdae589f318

SHA256
fc9b1aae083271998672ddae88a977f06c0bcdfc00965c98daf0d4474b391b11

SHA512
bec47fe52f0a4c3350e5875a8abeb83c9c4e54ee7578599cdb9c1cae85fc735a25172dd888f28b161e45ba1499d64c49bfec570169fed06c7748d3c520707ecb

Download Submit
C:\Windows\{47675C31-8851-46e0-87DA-CDFE8F627F99}.exe

Filesize
180KB

MD5
d7f128beb3f5c61ae03669c42bf09933

SHA1
9513d30e1ab63fd4471d8fbd7f2eb3500c6bec09

SHA256
948b873753a7dea854a8422c2bf7b08199c8e8d2a8ff89c6ed074facd3efc34e

SHA512
4623f6f03e0af4ad378ab8faa0471f2e71e6102d2206d7281b712ca4745cb7a7a9cd789ddedab895d209767275d94c8d02ae74d43e62d5be1582ec7f7214a96e

Download Submit
C:\Windows\{501041A0-E9C3-474f-9198-ACA5C5ADCB71}.exe

Filesize
180KB

MD5
60982db136d26c37a020f8a00f4e9eb8

SHA1
06270729e5a4b370f749bd59b38267924504ce53

SHA256
b99b22d0cfedad7582ba362b45684562c422bd48397bd2f0b3884f68aa87abab

SHA512
076d0ce2a6072bb5fc1aaefcc4a463e7dfb150dbdcd880aec3e512a4a2ad7933d50beaa29caecb21882ddf8969383eb04e3c8d0ac8181fa77ad556ad085c4ede

Download Submit
C:\Windows\{5BD86185-14CA-482d-A532-CB5F7635F44E}.exe

Filesize
180KB

MD5
135b360c7e5236c6c799878b471da09c

SHA1
6818c37371dfaebc84f0ee97103c6a0c87fd8601

SHA256
7477df2a7b43591aeeabf55c932f13aba35ba91b6250a6cb34780f01063f4103

SHA512
0760a6f99774e56b59aceb009b1d7dc12f1740bae40937b6ad7f4179d98a93779dd941e784b24a203c44c630eac8286e8ae92e5ac304ba38a94dc506ae34ede7

Download Submit
C:\Windows\{609E5C20-423F-4119-9473-CBA4405CB3DA}.exe

Filesize
180KB

MD5
3c3c33e882c4ef962e480bade7b6f8af

SHA1
725f8f564fe417e010ec0b80b60d1dca876df14f

SHA256
12120905cbfdd27b55a508490732cdf94f4ac4242a929fd5189a36ed5b7cf565

SHA512
be3c60efe3124eb8ad247a4037324af748d70cc7489081456121a9c5bad10b5909c56a6b6c89a512ccd0b00cc67fc7a412a8db75c2116b468d8746b2755e6fa0

Download Submit
C:\Windows\{724A1DC7-330E-4a72-B93A-A8F66E77807D}.exe

Filesize
180KB

MD5
8685ecec8c9333818a176b53e5739229

SHA1
0c84b19d396c392f3245df8ab533afd9d7910e1a

SHA256
231fb77453dafb6eb392fc03358b8305d47da1b0154569b44b23c5006720d352

SHA512
2f35a4120768d12948619ddb878df630fe146c8aab71595831ad21ba7826a772ef3ffba37e47c4b1691cf24a2f7eb8f3de79ca409c619999ea3126fb6a1a3283

Download Submit
C:\Windows\{7628037A-683E-4ee4-904B-58B0971881D8}.exe

Filesize
180KB

MD5
37002913f38359b52618b322f3e8e611

SHA1
08e7e420e1176b107a26dd4ccc4c6a2a95ddcd2a

SHA256
1afa12032ceb00a9e0004da2f87672667a68f7d8d9826209beb980e1d1fec5a0

SHA512
dd672876bd84650d592d63e63c3cd3a5d3548c2a327c7ff4ea655c7d92947182536f2311217e1bd6ee0c4e4a1878d8cdc7d16a690875fcf3f0d9596de47cbaeb

Download Submit
C:\Windows\{CF0677D5-7638-4c62-8081-1493167BF7DA}.exe

Filesize
180KB

MD5
6a63deee7eacbff827fe1ee16ca26bbf

SHA1
b0463020a8740b8f4b116ac3249f67e0a371af1c

SHA256
8c3e01b2932f78e18839ff815795c0143459a001d8ade5ff2ac0e178d6617201

SHA512
65dff576d3eb46cd5a8dbbf9872dca34f87e8d2055d68f69cc8579226187d624379eec44bd0ecde518c1a34f5f73390e4d12e80b899427a81e4a69a6146e4a4c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads