b9a0182ec522a022f2ee1f7804ef8cf540503a1a7d6604c523bf1acfbfa71f53

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe
Size

216KB
MD5

30e235408f0e1c206818a933d1aea018
SHA1

c71844a25df9178589092f746065fab8e6fd2b6b
SHA256

b9a0182ec522a022f2ee1f7804ef8cf540503a1a7d6604c523bf1acfbfa71f53
SHA512

601e1de8887db9debcfc13c245707b52c0050b81224fbc6a841b44e23ddc3fd30f61504ce22ac5b456337ec7fa4dba6d5cae0a27ac873713e88a430866c90fe6
SSDEEP

3072:jEGh0oTl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG1lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231fc-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e804-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e804-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e804-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62FE0FF5-C89B-48f2-882E-0FFA1E7BF693}	{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40184EFD-E929-420a-9AA1-26957E227395}	{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40184EFD-E929-420a-9AA1-26957E227395}\stubpath = "C:\\Windows\\{40184EFD-E929-420a-9AA1-26957E227395}.exe"	{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{643B179E-EBD0-48ae-847E-0D8CF14068BE}\stubpath = "C:\\Windows\\{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe"	{40184EFD-E929-420a-9AA1-26957E227395}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1027FA74-A23A-4b7e-A1B6-66FE276373F1}	{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B15C44A7-5DD6-4478-970E-15E9B30CC448}	{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1695BA1F-60F1-4c96-B9FE-C5C240264D71}	{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1695BA1F-60F1-4c96-B9FE-C5C240264D71}\stubpath = "C:\\Windows\\{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe"	{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA8F404D-6272-4b6e-8AB0-30EED4EE9078}	{62FE0FF5-C89B-48f2-882E-0FFA1E7BF693}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1027FA74-A23A-4b7e-A1B6-66FE276373F1}\stubpath = "C:\\Windows\\{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe"	{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C79395F-0525-4caa-B8E4-A264DB6BC120}	{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}	{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}\stubpath = "C:\\Windows\\{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe"	{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}\stubpath = "C:\\Windows\\{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe"	{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62FE0FF5-C89B-48f2-882E-0FFA1E7BF693}\stubpath = "C:\\Windows\\{62FE0FF5-C89B-48f2-882E-0FFA1E7BF693}.exe"	{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA8F404D-6272-4b6e-8AB0-30EED4EE9078}\stubpath = "C:\\Windows\\{BA8F404D-6272-4b6e-8AB0-30EED4EE9078}.exe"	{62FE0FF5-C89B-48f2-882E-0FFA1E7BF693}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{140D86B2-F1C1-433f-AC54-947DB5DCB73C}\stubpath = "C:\\Windows\\{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe"	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{140D86B2-F1C1-433f-AC54-947DB5DCB73C}	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{643B179E-EBD0-48ae-847E-0D8CF14068BE}	{40184EFD-E929-420a-9AA1-26957E227395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C79395F-0525-4caa-B8E4-A264DB6BC120}\stubpath = "C:\\Windows\\{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe"	{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B15C44A7-5DD6-4478-970E-15E9B30CC448}\stubpath = "C:\\Windows\\{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe"	{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AF0F262-244A-44af-BA9A-43CFA9CE403C}	{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AF0F262-244A-44af-BA9A-43CFA9CE403C}\stubpath = "C:\\Windows\\{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe"	{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}	{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe

Executes dropped EXE 11 IoCs

pid	Process
4568	{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe
2156	{40184EFD-E929-420a-9AA1-26957E227395}.exe
2280	{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe
3876	{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe
428	{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe
1600	{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe
4704	{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe
1944	{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe
2612	{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe
4708	{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe
3592	{62FE0FF5-C89B-48f2-882E-0FFA1E7BF693}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe	{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe
File created	C:\Windows\{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe	{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe
File created	C:\Windows\{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe	{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe
File created	C:\Windows\{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe	{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe
File created	C:\Windows\{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe
File created	C:\Windows\{40184EFD-E929-420a-9AA1-26957E227395}.exe	{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe
File created	C:\Windows\{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe	{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe
File created	C:\Windows\{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe	{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe
File created	C:\Windows\{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe	{40184EFD-E929-420a-9AA1-26957E227395}.exe
File created	C:\Windows\{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe	{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe
File created	C:\Windows\{62FE0FF5-C89B-48f2-882E-0FFA1E7BF693}.exe	{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3880	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4568	{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe
Token: SeIncBasePriorityPrivilege	2156	{40184EFD-E929-420a-9AA1-26957E227395}.exe
Token: SeIncBasePriorityPrivilege	2280	{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe
Token: SeIncBasePriorityPrivilege	3876	{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe
Token: SeIncBasePriorityPrivilege	428	{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe
Token: SeIncBasePriorityPrivilege	1600	{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe
Token: SeIncBasePriorityPrivilege	4704	{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe
Token: SeIncBasePriorityPrivilege	1944	{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe
Token: SeIncBasePriorityPrivilege	2612	{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe
Token: SeIncBasePriorityPrivilege	4708	{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 4568	3880	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	88
PID 3880 wrote to memory of 4568	3880	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	88
PID 3880 wrote to memory of 4568	3880	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	88
PID 3880 wrote to memory of 2272	3880	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	89
PID 3880 wrote to memory of 2272	3880	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	89
PID 3880 wrote to memory of 2272	3880	2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe	89
PID 4568 wrote to memory of 2156	4568	{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe	92
PID 4568 wrote to memory of 2156	4568	{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe	92
PID 4568 wrote to memory of 2156	4568	{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe	92
PID 4568 wrote to memory of 4164	4568	{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe	93
PID 4568 wrote to memory of 4164	4568	{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe	93
PID 4568 wrote to memory of 4164	4568	{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe	93
PID 2156 wrote to memory of 2280	2156	{40184EFD-E929-420a-9AA1-26957E227395}.exe	96
PID 2156 wrote to memory of 2280	2156	{40184EFD-E929-420a-9AA1-26957E227395}.exe	96
PID 2156 wrote to memory of 2280	2156	{40184EFD-E929-420a-9AA1-26957E227395}.exe	96
PID 2156 wrote to memory of 4424	2156	{40184EFD-E929-420a-9AA1-26957E227395}.exe	95
PID 2156 wrote to memory of 4424	2156	{40184EFD-E929-420a-9AA1-26957E227395}.exe	95
PID 2156 wrote to memory of 4424	2156	{40184EFD-E929-420a-9AA1-26957E227395}.exe	95
PID 2280 wrote to memory of 3876	2280	{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe	97
PID 2280 wrote to memory of 3876	2280	{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe	97
PID 2280 wrote to memory of 3876	2280	{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe	97
PID 2280 wrote to memory of 2956	2280	{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe	98
PID 2280 wrote to memory of 2956	2280	{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe	98
PID 2280 wrote to memory of 2956	2280	{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe	98
PID 3876 wrote to memory of 428	3876	{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe	99
PID 3876 wrote to memory of 428	3876	{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe	99
PID 3876 wrote to memory of 428	3876	{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe	99
PID 3876 wrote to memory of 1044	3876	{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe	100
PID 3876 wrote to memory of 1044	3876	{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe	100
PID 3876 wrote to memory of 1044	3876	{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe	100
PID 428 wrote to memory of 1600	428	{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe	101
PID 428 wrote to memory of 1600	428	{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe	101
PID 428 wrote to memory of 1600	428	{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe	101
PID 428 wrote to memory of 5060	428	{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe	102
PID 428 wrote to memory of 5060	428	{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe	102
PID 428 wrote to memory of 5060	428	{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe	102
PID 1600 wrote to memory of 4704	1600	{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe	103
PID 1600 wrote to memory of 4704	1600	{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe	103
PID 1600 wrote to memory of 4704	1600	{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe	103
PID 1600 wrote to memory of 1580	1600	{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe	104
PID 1600 wrote to memory of 1580	1600	{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe	104
PID 1600 wrote to memory of 1580	1600	{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe	104
PID 4704 wrote to memory of 1944	4704	{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe	105
PID 4704 wrote to memory of 1944	4704	{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe	105
PID 4704 wrote to memory of 1944	4704	{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe	105
PID 4704 wrote to memory of 3536	4704	{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe	106
PID 4704 wrote to memory of 3536	4704	{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe	106
PID 4704 wrote to memory of 3536	4704	{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe	106
PID 1944 wrote to memory of 2612	1944	{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe	107
PID 1944 wrote to memory of 2612	1944	{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe	107
PID 1944 wrote to memory of 2612	1944	{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe	107
PID 1944 wrote to memory of 3664	1944	{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe	108
PID 1944 wrote to memory of 3664	1944	{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe	108
PID 1944 wrote to memory of 3664	1944	{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe	108
PID 2612 wrote to memory of 4708	2612	{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe	109
PID 2612 wrote to memory of 4708	2612	{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe	109
PID 2612 wrote to memory of 4708	2612	{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe	109
PID 2612 wrote to memory of 1448	2612	{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe	110
PID 2612 wrote to memory of 1448	2612	{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe	110
PID 2612 wrote to memory of 1448	2612	{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe	110
PID 4708 wrote to memory of 3592	4708	{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe	111
PID 4708 wrote to memory of 3592	4708	{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe	111
PID 4708 wrote to memory of 3592	4708	{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe	111
PID 4708 wrote to memory of 4356	4708	{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_30e235408f0e1c206818a933d1aea018_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe
  C:\Windows\{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\{40184EFD-E929-420a-9AA1-26957E227395}.exe
    C:\Windows\{40184EFD-E929-420a-9AA1-26957E227395}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{40184~1.EXE > nul
      4⤵
      PID:4424
  - - C:\Windows\{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe
      C:\Windows\{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe
        
        C:\Windows\{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
      - C:\Windows\{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe
        
        C:\Windows\{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe
        
        C:\Windows\{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe
        
        C:\Windows\{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe
        
        C:\Windows\{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe
        
        C:\Windows\{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe
        
        C:\Windows\{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\{62FE0FF5-C89B-48f2-882E-0FFA1E7BF693}.exe
        
        C:\Windows\{62FE0FF5-C89B-48f2-882E-0FFA1E7BF693}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\{BA8F404D-6272-4b6e-8AB0-30EED4EE9078}.exe
        
        C:\Windows\{BA8F404D-6272-4b6e-8AB0-30EED4EE9078}.exe
        13⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62FE0~1.EXE > nul
        13⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1695B~1.EXE > nul
        12⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC94D~1.EXE > nul
        11⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AF0F~1.EXE > nul
        10⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05E3B~1.EXE > nul
        9⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B15C4~1.EXE > nul
        8⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C793~1.EXE > nul
        7⤵
        
        PID:5060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1027F~1.EXE > nul
        6⤵
        
        PID:1044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{643B1~1.EXE > nul
        5⤵
        
        PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{140D8~1.EXE > nul
    3⤵
    PID:4164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05E3B5B6-356B-46fb-A4CA-8AB4E99140F1}.exe

Filesize
216KB

MD5
6444da26156a0c44a2a8f7f58cc56de1

SHA1
615075d055a9fb516eb380b390fb359280286fb2

SHA256
ad20a13b24844afd94479b599ed31215ce5d738056d085c70893811c9fb3bd58

SHA512
4e53fc88d7afcec57126b5bf0f376949678797e25468f7f52f9f14c34bdcc445380d0d6f131e9cc8e27c101e6f3f430bfac38bb6ac03b598a42adfd8b6428459

Download Submit
C:\Windows\{1027FA74-A23A-4b7e-A1B6-66FE276373F1}.exe

Filesize
216KB

MD5
b7d377221ad6adadc1b21484afd8cc1d

SHA1
0f3084877f15fcadc14746e968d41e3f24f174d7

SHA256
ea3a6a6cdf08e65ee5ccdbc95f315ef8b2b6171e13b79b8d92a30cf9e6239cbf

SHA512
001dbaa68ee878fb34cde85d8c3d81c1dbc3cb45f600142b7b12566252e9e93de7942e3a9d3f651749c616023bbd7a04ff5691aaf894c9dce00aa83a6502636f

Download Submit
C:\Windows\{140D86B2-F1C1-433f-AC54-947DB5DCB73C}.exe

Filesize
216KB

MD5
90d1fdbdca7d4435ccf2d5c793d98265

SHA1
ff025ff42685a4594f63876b9bfd1e168f778c72

SHA256
65a1cb01769f9494f7de3aac501821f774eb8d3c3e20acfceecfebed1d55084c

SHA512
527ef212a432c872b8660549422836785cda9dee8bbec112371043c4b71e02cb4ce8dd6b948d78d696d33adc493b69664cfce2a7434dab21810a03a5a9c79b07

Download Submit
C:\Windows\{1695BA1F-60F1-4c96-B9FE-C5C240264D71}.exe

Filesize
216KB

MD5
f4a9dfa367653ed55d7adec375ee8935

SHA1
64a0f42657645c8d35871837be63c1ebb93f9f30

SHA256
deca7329c9acd614616ae37c49a5cd48674cca276a0784b98f1e6f1e6ef50d45

SHA512
f198fccaa76a86f885dda4a8f4872bfb7527da377dedb5fa50f35a3dd6d06e14c84ef2502ce874c7b1ffaeceeb6a858d2046afbfe04e011d4a96f8b76a7d98f3

Download Submit
C:\Windows\{3C79395F-0525-4caa-B8E4-A264DB6BC120}.exe

Filesize
216KB

MD5
15e0f2a1fe26bb7834c252680cf81b07

SHA1
a96529727f9b233e526b74c333cd15a742c55dd5

SHA256
b2c79de2e7a32aefce60c2f77b0797c54d430451439962f03049900f4ca225e9

SHA512
7373d2e7c7da0138e094cab0f138e1cf6bd4b017a46f981dc6add485e459fc625d70d960b230280234fa2105370d69cc2b01993bb8cb05e3a9993cfc269c802d

Download Submit
C:\Windows\{40184EFD-E929-420a-9AA1-26957E227395}.exe

Filesize
216KB

MD5
523d7d69a01ad7b42741f96e3292d98a

SHA1
34614092517ad6061a736e2b2512c60e5499c26b

SHA256
89e6d631484e561f4f72576a75fceb7b04dd55a3e9b8e886b9c9627f9c666b39

SHA512
de2f4adad3e5e534be62d52d514f855c4cc768d17b5166f83864f9839dff406a93081591a3d24b5053435747bfd3d3ee6dbe66dfd6d186c90620788f5d9ef01f

Download Submit
C:\Windows\{5AF0F262-244A-44af-BA9A-43CFA9CE403C}.exe

Filesize
216KB

MD5
fec618d1336f17cdb12d39a23e6d43d5

SHA1
81019a3c0ec76a7f208dcf661261a6283053edfe

SHA256
4d0f0589bcd65bdc641517c0b2eeb9d960fc41d63d6942b56b8d9cc3a0c7ed64

SHA512
524db4a5e85f13f841f8622557d2e335b88384e34c1829498eb43343e4f0108141e0b81f768373515c8ff9e600a0f8dd7a3cbd96da6315774276e71bf8460e10

Download Submit
C:\Windows\{62FE0FF5-C89B-48f2-882E-0FFA1E7BF693}.exe

Filesize
216KB

MD5
5a5740b9680327d6f563f4002dcc192a

SHA1
8da01edfe8c6ba80aa46282e9f2ed89e673e896d

SHA256
c40f4042bcccc440bf55f4ecf52986d4cb3a3914e8c3d5842039c330cb5a41cd

SHA512
ad751e6d4ec7278b2dca893f7455c69eb63a6c8c5a2638cd055d823fce506de26100e4d8b52762221f8f39be3dc0804472479ff277e4bc818acc739d4a13bef8

Download Submit
C:\Windows\{643B179E-EBD0-48ae-847E-0D8CF14068BE}.exe

Filesize
216KB

MD5
a099b021d453c8ca38bd4a1683356c38

SHA1
b4c50574b80b5d545af67ce8d531c3b90bbaca3c

SHA256
e82afaffb6f71e12600e0aec926fbd150aea0636553f45288e3065410a22c91f

SHA512
594fb45a6be4291823d83364a754b3d4a59739cf817f625ad376b5cbdb84a7b3352bdc4a5a76242ede616fb3aca1659f28085d4c591303272a00359b3606774e

Download Submit
C:\Windows\{B15C44A7-5DD6-4478-970E-15E9B30CC448}.exe

Filesize
216KB

MD5
43369ede23a95c2841d8674df670abfc

SHA1
d10545669e3949d6a3a0efa57580c7fd23ead101

SHA256
c6496b821203f7d79b86ebddf41538b48bd7706d72c39d1962011f18f3968eb0

SHA512
38b9f4dd6af5dc64cd14312526ad933995d75968ae52154d651779cdd616f882ed884432a71151412a3fd51cad769634daa500c9ba0d9f0f9f215c263bca041b

Download Submit
C:\Windows\{DC94DBEC-199B-406f-8CD8-AA23C4774D3E}.exe

Filesize
216KB

MD5
99307eda8777f25f3d61003348bad77a

SHA1
ecf87be1cd1fe79d72b0f9c1d2b8ee855d4b61a4

SHA256
6b9fcd6307ee513b4aa02ebb5818fe2fa9f142f337fd05ee3c24377a5c228a61

SHA512
625b2e28876eb0d1c9674bea32e677fb23bfdd8fe0aa14ba1e1d72ac34ff4b106a02d631663b00170acb9a95d9a29d8a215d19f80573f56f708f7b31b32595e1

Download Submit
memory/3592-43-0x0000000003820000-0x00000000038FB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads