7756327866767164207d0de6842e4f3f8bba7fc89c2e751a80f6555d51771a00

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2024 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe
Size

344KB
MD5

92af4398017eb96ce7e901dd19c17ee6
SHA1

5ec4be1895d66ff90ed99961b3456d364b1396c8
SHA256

7756327866767164207d0de6842e4f3f8bba7fc89c2e751a80f6555d51771a00
SHA512

1f65e66363b7c6fbc4f2c0a1aa6f0020b773d976ffed200c61cadcf3ed6c41138f348725fe15dac50bda316610d5d2be1472ee39d5527ea916296ca7be48fca9
SSDEEP

3072:mEGh0oPlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG1lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023228-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023131-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023237-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023131-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021550-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000070b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F92540E-A4A6-437a-9656-325CDC6AECFD}\stubpath = "C:\\Windows\\{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe"	{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FDF2497-A758-40df-B54E-FBDAF2290A60}\stubpath = "C:\\Windows\\{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe"	{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8C4F21A-6A66-4306-AA02-19443F6DD042}	{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C5289EA-583B-4ac8-B662-EC8737D70333}	{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8137DF09-FF21-4095-81C0-D09283751C02}	{82490983-7461-40b1-A261-04572D67D095}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}	{415CFF42-618A-4354-914A-90413D288D9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}	{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}\stubpath = "C:\\Windows\\{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe"	{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}\stubpath = "C:\\Windows\\{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe"	{415CFF42-618A-4354-914A-90413D288D9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FD938F8-924D-4fd0-934F-95A547F9D137}\stubpath = "C:\\Windows\\{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe"	{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C5289EA-583B-4ac8-B662-EC8737D70333}\stubpath = "C:\\Windows\\{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe"	{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82490983-7461-40b1-A261-04572D67D095}	{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8137DF09-FF21-4095-81C0-D09283751C02}\stubpath = "C:\\Windows\\{8137DF09-FF21-4095-81C0-D09283751C02}.exe"	{82490983-7461-40b1-A261-04572D67D095}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{762B78E1-B32A-41c4-A2EF-A449A90D959C}\stubpath = "C:\\Windows\\{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe"	2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00A3F715-9861-45cc-8701-38F4BE54CFF7}	{8137DF09-FF21-4095-81C0-D09283751C02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F92540E-A4A6-437a-9656-325CDC6AECFD}	{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FDF2497-A758-40df-B54E-FBDAF2290A60}	{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{415CFF42-618A-4354-914A-90413D288D9F}\stubpath = "C:\\Windows\\{415CFF42-618A-4354-914A-90413D288D9F}.exe"	{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{415CFF42-618A-4354-914A-90413D288D9F}	{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FD938F8-924D-4fd0-934F-95A547F9D137}	{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8C4F21A-6A66-4306-AA02-19443F6DD042}\stubpath = "C:\\Windows\\{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe"	{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82490983-7461-40b1-A261-04572D67D095}\stubpath = "C:\\Windows\\{82490983-7461-40b1-A261-04572D67D095}.exe"	{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00A3F715-9861-45cc-8701-38F4BE54CFF7}\stubpath = "C:\\Windows\\{00A3F715-9861-45cc-8701-38F4BE54CFF7}.exe"	{8137DF09-FF21-4095-81C0-D09283751C02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{762B78E1-B32A-41c4-A2EF-A449A90D959C}	2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
1256	{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe
988	{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe
1952	{415CFF42-618A-4354-914A-90413D288D9F}.exe
2216	{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe
1628	{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe
2364	{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe
3028	{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe
1824	{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe
2508	{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe
2028	{82490983-7461-40b1-A261-04572D67D095}.exe
4656	{8137DF09-FF21-4095-81C0-D09283751C02}.exe
4936	{00A3F715-9861-45cc-8701-38F4BE54CFF7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe	2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe
File created	C:\Windows\{415CFF42-618A-4354-914A-90413D288D9F}.exe	{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe
File created	C:\Windows\{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe	{415CFF42-618A-4354-914A-90413D288D9F}.exe
File created	C:\Windows\{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe	{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe
File created	C:\Windows\{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe	{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe
File created	C:\Windows\{82490983-7461-40b1-A261-04572D67D095}.exe	{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe
File created	C:\Windows\{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe	{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe
File created	C:\Windows\{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe	{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe
File created	C:\Windows\{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe	{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe
File created	C:\Windows\{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe	{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe
File created	C:\Windows\{8137DF09-FF21-4095-81C0-D09283751C02}.exe	{82490983-7461-40b1-A261-04572D67D095}.exe
File created	C:\Windows\{00A3F715-9861-45cc-8701-38F4BE54CFF7}.exe	{8137DF09-FF21-4095-81C0-D09283751C02}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	664	2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1256	{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe
Token: SeIncBasePriorityPrivilege	988	{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe
Token: SeIncBasePriorityPrivilege	1952	{415CFF42-618A-4354-914A-90413D288D9F}.exe
Token: SeIncBasePriorityPrivilege	2216	{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe
Token: SeIncBasePriorityPrivilege	1628	{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe
Token: SeIncBasePriorityPrivilege	2364	{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe
Token: SeIncBasePriorityPrivilege	3028	{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe
Token: SeIncBasePriorityPrivilege	1824	{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe
Token: SeIncBasePriorityPrivilege	2508	{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe
Token: SeIncBasePriorityPrivilege	2028	{82490983-7461-40b1-A261-04572D67D095}.exe
Token: SeIncBasePriorityPrivilege	4656	{8137DF09-FF21-4095-81C0-D09283751C02}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 1256	664	2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe	89
PID 664 wrote to memory of 1256	664	2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe	89
PID 664 wrote to memory of 1256	664	2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe	89
PID 664 wrote to memory of 4768	664	2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe	90
PID 664 wrote to memory of 4768	664	2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe	90
PID 664 wrote to memory of 4768	664	2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe	90
PID 1256 wrote to memory of 988	1256	{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe	93
PID 1256 wrote to memory of 988	1256	{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe	93
PID 1256 wrote to memory of 988	1256	{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe	93
PID 1256 wrote to memory of 4360	1256	{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe	94
PID 1256 wrote to memory of 4360	1256	{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe	94
PID 1256 wrote to memory of 4360	1256	{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe	94
PID 988 wrote to memory of 1952	988	{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe	96
PID 988 wrote to memory of 1952	988	{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe	96
PID 988 wrote to memory of 1952	988	{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe	96
PID 988 wrote to memory of 4160	988	{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe	97
PID 988 wrote to memory of 4160	988	{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe	97
PID 988 wrote to memory of 4160	988	{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe	97
PID 1952 wrote to memory of 2216	1952	{415CFF42-618A-4354-914A-90413D288D9F}.exe	98
PID 1952 wrote to memory of 2216	1952	{415CFF42-618A-4354-914A-90413D288D9F}.exe	98
PID 1952 wrote to memory of 2216	1952	{415CFF42-618A-4354-914A-90413D288D9F}.exe	98
PID 1952 wrote to memory of 2348	1952	{415CFF42-618A-4354-914A-90413D288D9F}.exe	99
PID 1952 wrote to memory of 2348	1952	{415CFF42-618A-4354-914A-90413D288D9F}.exe	99
PID 1952 wrote to memory of 2348	1952	{415CFF42-618A-4354-914A-90413D288D9F}.exe	99
PID 2216 wrote to memory of 1628	2216	{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe	100
PID 2216 wrote to memory of 1628	2216	{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe	100
PID 2216 wrote to memory of 1628	2216	{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe	100
PID 2216 wrote to memory of 1584	2216	{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe	101
PID 2216 wrote to memory of 1584	2216	{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe	101
PID 2216 wrote to memory of 1584	2216	{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe	101
PID 1628 wrote to memory of 2364	1628	{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe	103
PID 1628 wrote to memory of 2364	1628	{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe	103
PID 1628 wrote to memory of 2364	1628	{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe	103
PID 1628 wrote to memory of 1068	1628	{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe	102
PID 1628 wrote to memory of 1068	1628	{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe	102
PID 1628 wrote to memory of 1068	1628	{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe	102
PID 2364 wrote to memory of 3028	2364	{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe	105
PID 2364 wrote to memory of 3028	2364	{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe	105
PID 2364 wrote to memory of 3028	2364	{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe	105
PID 2364 wrote to memory of 1128	2364	{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe	104
PID 2364 wrote to memory of 1128	2364	{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe	104
PID 2364 wrote to memory of 1128	2364	{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe	104
PID 3028 wrote to memory of 1824	3028	{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe	106
PID 3028 wrote to memory of 1824	3028	{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe	106
PID 3028 wrote to memory of 1824	3028	{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe	106
PID 3028 wrote to memory of 2124	3028	{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe	107
PID 3028 wrote to memory of 2124	3028	{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe	107
PID 3028 wrote to memory of 2124	3028	{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe	107
PID 1824 wrote to memory of 2508	1824	{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe	108
PID 1824 wrote to memory of 2508	1824	{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe	108
PID 1824 wrote to memory of 2508	1824	{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe	108
PID 1824 wrote to memory of 1356	1824	{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe	109
PID 1824 wrote to memory of 1356	1824	{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe	109
PID 1824 wrote to memory of 1356	1824	{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe	109
PID 2508 wrote to memory of 2028	2508	{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe	110
PID 2508 wrote to memory of 2028	2508	{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe	110
PID 2508 wrote to memory of 2028	2508	{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe	110
PID 2508 wrote to memory of 1176	2508	{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe	111
PID 2508 wrote to memory of 1176	2508	{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe	111
PID 2508 wrote to memory of 1176	2508	{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe	111
PID 2028 wrote to memory of 4656	2028	{82490983-7461-40b1-A261-04572D67D095}.exe	112
PID 2028 wrote to memory of 4656	2028	{82490983-7461-40b1-A261-04572D67D095}.exe	112
PID 2028 wrote to memory of 4656	2028	{82490983-7461-40b1-A261-04572D67D095}.exe	112
PID 2028 wrote to memory of 4780	2028	{82490983-7461-40b1-A261-04572D67D095}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_92af4398017eb96ce7e901dd19c17ee6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe
  C:\Windows\{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe
    C:\Windows\{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\{415CFF42-618A-4354-914A-90413D288D9F}.exe
      C:\Windows\{415CFF42-618A-4354-914A-90413D288D9F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe
        
        C:\Windows\{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe
        
        C:\Windows\{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F925~1.EXE > nul
        7⤵
        
        PID:1068
        
        C:\Windows\{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe
        
        C:\Windows\{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FD93~1.EXE > nul
        8⤵
        
        PID:1128
        
        C:\Windows\{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe
        
        C:\Windows\{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe
        
        C:\Windows\{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe
        
        C:\Windows\{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\{82490983-7461-40b1-A261-04572D67D095}.exe
        
        C:\Windows\{82490983-7461-40b1-A261-04572D67D095}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{8137DF09-FF21-4095-81C0-D09283751C02}.exe
        
        C:\Windows\{8137DF09-FF21-4095-81C0-D09283751C02}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Windows\{00A3F715-9861-45cc-8701-38F4BE54CFF7}.exe
        
        C:\Windows\{00A3F715-9861-45cc-8701-38F4BE54CFF7}.exe
        13⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8137D~1.EXE > nul
        13⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82490~1.EXE > nul
        12⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C528~1.EXE > nul
        11⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8C4F~1.EXE > nul
        10⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FDF2~1.EXE > nul
        9⤵
        
        PID:2124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9C3C~1.EXE > nul
        6⤵
        
        PID:1584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{415CF~1.EXE > nul
        5⤵
        
        PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4CA93~1.EXE > nul
      4⤵
      PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{762B7~1.EXE > nul
    3⤵
    PID:4360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00A3F715-9861-45cc-8701-38F4BE54CFF7}.exe

Filesize
344KB

MD5
f21fd493ffa3e17197ebcf9407c1f92c

SHA1
650c1e62d9aa435549e02969db5df633f381def0

SHA256
38c7234a8b1f50edf711b9ec69f614415bab44db143f1f897a165ee5d8b57008

SHA512
4168bc9c89e00e40c24b65a3a0bb9c683f9abea75ae75cc0c1fc2fd3b7b0f4c21fa41a499f4e0d4ad13e229008166d04b6fbb0f43d4c56a30bb09c515cb1d50b

Download Submit
C:\Windows\{1FDF2497-A758-40df-B54E-FBDAF2290A60}.exe

Filesize
344KB

MD5
7d507d4027a7e49655ce1e4337aebf41

SHA1
c35462b8748289f1f852526dff531a2500a6202d

SHA256
b6f368c373754f9ab354923ad80e7420791ff752952ef33f827305841b6b1b27

SHA512
b42643fedb154104b6940efeb6ea65a361e8cbcc6658d7ed8b4cb14f6e761820f8c8484077e65a89ab632e4a3cef0343005747adfdb36fd16660227523d45ea0

Download Submit
C:\Windows\{415CFF42-618A-4354-914A-90413D288D9F}.exe

Filesize
344KB

MD5
11c688548e2d7b10c4baa10266653ec2

SHA1
bbe935986df5578a1756948c725a1be0a3143737

SHA256
2ec09317c5ca9545837772c34b13a2c5ce485291b3b8522f7191dfb0ade25488

SHA512
aabd4809903f1b7f18daedf4bc4095eaa5a5bc789601a52e4ecdae8bf2689dc468485afd47d89e81af1d65466cfc0690b574efb3cc9e15b5b8116d230a9627aa

Download Submit
C:\Windows\{4CA93D1B-AD7C-4309-A0C1-0506C7C0BC63}.exe

Filesize
344KB

MD5
115e6a17189a27637d33301392d5dea4

SHA1
24fed90f9d0a6a8e3ec5010c8ba9b491ffcc81b7

SHA256
c5993b2a527fb8ed37634ffb648bb437464eb0a65895e85161ee491c7ab060bc

SHA512
accb7c648bd2b72d972464eb985e9dd4b09c79edb7f861e39922548d4272211955fd7e551cd7e4ee1ebeb778a92c8970705e11675c15778e320f111c2f313ea6

Download Submit
C:\Windows\{6F92540E-A4A6-437a-9656-325CDC6AECFD}.exe

Filesize
344KB

MD5
63f99c45037f9e2de9f04746145f3e5d

SHA1
39cc512e9972726a4a54969a65e8410a61e067ef

SHA256
aed0be16f4de3ead32eaaa32b77be0e2fbdbb994b2a7a19627e8462a8a1e5fb7

SHA512
a56947568dd7eab7c5ebb53696856035b5e870b8525a1ac060cb312f69beaa490263b22dc9eda4f8ac8b18b9208bf5fd35e57acc95ec4af718f3d2092dd824d5

Download Submit
C:\Windows\{762B78E1-B32A-41c4-A2EF-A449A90D959C}.exe

Filesize
344KB

MD5
65f0e4151fa6624ee8d6e20819d419bf

SHA1
6e8fefb9dc1afa70e1c6cddd7ecbdb068060eb9a

SHA256
b02134a964ac3970499a2e6505ae470d04bbd0645dbb1467a1cd0d44ee90b5bb

SHA512
a8e3cdeceb1e2eab94aff7c6d72c3217025c8b3f199cd29a9f147e51a8f44567ff75a88c52f3bc2abc73fc08e3f3dfb6e5f2d07ee84c54a7e654a7bc069a265e

Download Submit
C:\Windows\{7C5289EA-583B-4ac8-B662-EC8737D70333}.exe

Filesize
344KB

MD5
851336dc327a529409e02e2fd966aa4e

SHA1
72a3f4f3e298711090cd5c59217d6382783dbe7b

SHA256
072962af4ca3d41d33ac84c77313edf6f49c21476064ede2d1628b2f224824f2

SHA512
31eab669f1e023b3e222acd908fce0cd6f7d3e1a84a2d4dada395b959baf0a11c74a7a74801f2959e84084d922143141e643305b3bc2027d2937b0dec15be803

Download Submit
C:\Windows\{8137DF09-FF21-4095-81C0-D09283751C02}.exe

Filesize
344KB

MD5
a6d2651380f3a94b54c368f246f0218a

SHA1
1d6eadff5e97f1e7def45b290c5aee7f13add7fd

SHA256
3b9816c37fe41ba5ff4fae874ae1956bf18110cd67dffea69eb21f6ed5183286

SHA512
832e278a5010fca6c7a58ba5072d360c4a2e71dc9ac4fce4b6063750031ac918cc4a3de07f7e8cecf86adcc0120766435eb51a20ccbbc0f9cb3f81df695e80b5

Download Submit
C:\Windows\{82490983-7461-40b1-A261-04572D67D095}.exe

Filesize
344KB

MD5
8f846f641a8dcdcb070417933fd823a5

SHA1
d7605268e0bc9590e95fc14171a2071b69081e9b

SHA256
588b9ee698f40e8c61e3946edc3a317ee7211e96bb942bd274208ca677bd78c2

SHA512
8be48c52e64cdc4a9989a99812df03975d93df3351da291a420497139e4ed8675934a2d2f3f38265f6c3a140fd2134795bf63be6197de12c1c3d93d03f9e36d2

Download Submit
C:\Windows\{8FD938F8-924D-4fd0-934F-95A547F9D137}.exe

Filesize
344KB

MD5
90df87587b93228f9c6baff3b4dc2485

SHA1
befa2e05f192177a660f919488886e8055a6f253

SHA256
5e1241ea103b00a6265cd76119277737523b59a5451af032be0e1980fb4f96ed

SHA512
5aade6add655d6a8b7285867bb72d014a3d088b3f3d3a99047ba24df447842e02567c72c13e146a797de41cc9c11d6f44b22dad7da663dc820e50c57602c797a

Download Submit
C:\Windows\{B8C4F21A-6A66-4306-AA02-19443F6DD042}.exe

Filesize
344KB

MD5
137211295e7aa91f7ead9d7b32d57ed2

SHA1
6a8d02c89f494a4518d580ff6f92634a14b3cbb3

SHA256
74920351726a4469c6f4cc5054c51ccd962e7c24c60a5d99ace00f391abcbfab

SHA512
445ccd545aaa1d6ebfec7a1e14a09ceed0712d31481df7743f6d6390d6215c6a004f89896691c7803ccfc79dc9e4b6938eaa49982c4c9145a6121e72bf325e6b

Download Submit
C:\Windows\{B9C3C96D-96CD-4560-AF9A-A49419F7A9C5}.exe

Filesize
344KB

MD5
bdd23b0973755db4002bada81ee56b67

SHA1
85d3b89e7ecbc86492ee86be423c6a25ead27e17

SHA256
7f7d66ef17e038a2002f4572ad37d78ea922f1965566b7e0a6a6445541f9bfd6

SHA512
6e9a4e4d6462d439404df4933c167a40a50f30bc77b9f64ea8e356f626718e0a8122222bc3e3ad57e63511b384a81ed78654fce87955224afc4403e789ff2238

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads