13ef50c601362da512b6be84919240368b082195929494ec15eb85f1870439d4

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe
Size

344KB
MD5

a0b0fe16a7d4404f3676eb609f677826
SHA1

a4763391011afd89dea3c0ecfb165d0681fd3c6d
SHA256

13ef50c601362da512b6be84919240368b082195929494ec15eb85f1870439d4
SHA512

54fe6fa537b7bae07e839d3fcab70f7d2b04dd949a607a57ddd628e51596e8f19adb12716fa59560ae849bf2f41b24b130f2d64a9368bbba1067245afc8b2b9e
SSDEEP

3072:mEGh0oXlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGNlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023207-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023117-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023215-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023117-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000215d0-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000000038-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0014000000000038-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000071b-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e7-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21CC0038-431B-4dff-B0D9-755A7E2B71EB}	{6CE96529-3020-4744-A42C-F206BF981FCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}\stubpath = "C:\\Windows\\{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe"	{3225A890-02F9-4005-87C4-12E28D00154B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACF4C274-33D0-4a91-80B4-A9F3EDFB71B6}	{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACF4C274-33D0-4a91-80B4-A9F3EDFB71B6}\stubpath = "C:\\Windows\\{ACF4C274-33D0-4a91-80B4-A9F3EDFB71B6}.exe"	{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}\stubpath = "C:\\Windows\\{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe"	{C75AD251-A019-447f-8F99-DF397A4B966E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EDF849F-34B0-4ca4-B486-914591A38EE6}\stubpath = "C:\\Windows\\{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe"	{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CE96529-3020-4744-A42C-F206BF981FCB}	{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01D4B464-620D-475b-8AC1-47D6F3F65FA4}\stubpath = "C:\\Windows\\{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe"	{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21CC0038-431B-4dff-B0D9-755A7E2B71EB}\stubpath = "C:\\Windows\\{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe"	{6CE96529-3020-4744-A42C-F206BF981FCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0457E547-3A1D-4958-8127-809165E1F990}	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C75AD251-A019-447f-8F99-DF397A4B966E}\stubpath = "C:\\Windows\\{C75AD251-A019-447f-8F99-DF397A4B966E}.exe"	{0457E547-3A1D-4958-8127-809165E1F990}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73BF06D5-C0C4-4b18-A52E-AE53A7279738}\stubpath = "C:\\Windows\\{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe"	{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CE96529-3020-4744-A42C-F206BF981FCB}\stubpath = "C:\\Windows\\{6CE96529-3020-4744-A42C-F206BF981FCB}.exe"	{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3225A890-02F9-4005-87C4-12E28D00154B}	{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5526FE8E-BA86-49bb-AAD4-228A05E2B355}	{ACF4C274-33D0-4a91-80B4-A9F3EDFB71B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5526FE8E-BA86-49bb-AAD4-228A05E2B355}\stubpath = "C:\\Windows\\{5526FE8E-BA86-49bb-AAD4-228A05E2B355}.exe"	{ACF4C274-33D0-4a91-80B4-A9F3EDFB71B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0457E547-3A1D-4958-8127-809165E1F990}\stubpath = "C:\\Windows\\{0457E547-3A1D-4958-8127-809165E1F990}.exe"	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01D4B464-620D-475b-8AC1-47D6F3F65FA4}	{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EDF849F-34B0-4ca4-B486-914591A38EE6}	{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3225A890-02F9-4005-87C4-12E28D00154B}\stubpath = "C:\\Windows\\{3225A890-02F9-4005-87C4-12E28D00154B}.exe"	{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}	{3225A890-02F9-4005-87C4-12E28D00154B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C75AD251-A019-447f-8F99-DF397A4B966E}	{0457E547-3A1D-4958-8127-809165E1F990}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}	{C75AD251-A019-447f-8F99-DF397A4B966E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73BF06D5-C0C4-4b18-A52E-AE53A7279738}	{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe

Executes dropped EXE 12 IoCs

pid	Process
1104	{0457E547-3A1D-4958-8127-809165E1F990}.exe
3876	{C75AD251-A019-447f-8F99-DF397A4B966E}.exe
4472	{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe
5076	{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe
3960	{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe
2180	{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe
1880	{6CE96529-3020-4744-A42C-F206BF981FCB}.exe
1208	{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe
4116	{3225A890-02F9-4005-87C4-12E28D00154B}.exe
2012	{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe
1140	{ACF4C274-33D0-4a91-80B4-A9F3EDFB71B6}.exe
3684	{5526FE8E-BA86-49bb-AAD4-228A05E2B355}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe	{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe
File created	C:\Windows\{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe	{6CE96529-3020-4744-A42C-F206BF981FCB}.exe
File created	C:\Windows\{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe	{3225A890-02F9-4005-87C4-12E28D00154B}.exe
File created	C:\Windows\{0457E547-3A1D-4958-8127-809165E1F990}.exe	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe
File created	C:\Windows\{C75AD251-A019-447f-8F99-DF397A4B966E}.exe	{0457E547-3A1D-4958-8127-809165E1F990}.exe
File created	C:\Windows\{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe	{C75AD251-A019-447f-8F99-DF397A4B966E}.exe
File created	C:\Windows\{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe	{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe
File created	C:\Windows\{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe	{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe
File created	C:\Windows\{6CE96529-3020-4744-A42C-F206BF981FCB}.exe	{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe
File created	C:\Windows\{3225A890-02F9-4005-87C4-12E28D00154B}.exe	{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe
File created	C:\Windows\{ACF4C274-33D0-4a91-80B4-A9F3EDFB71B6}.exe	{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe
File created	C:\Windows\{5526FE8E-BA86-49bb-AAD4-228A05E2B355}.exe	{ACF4C274-33D0-4a91-80B4-A9F3EDFB71B6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5016	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1104	{0457E547-3A1D-4958-8127-809165E1F990}.exe
Token: SeIncBasePriorityPrivilege	3876	{C75AD251-A019-447f-8F99-DF397A4B966E}.exe
Token: SeIncBasePriorityPrivilege	4472	{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe
Token: SeIncBasePriorityPrivilege	5076	{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe
Token: SeIncBasePriorityPrivilege	3960	{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe
Token: SeIncBasePriorityPrivilege	2180	{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe
Token: SeIncBasePriorityPrivilege	1880	{6CE96529-3020-4744-A42C-F206BF981FCB}.exe
Token: SeIncBasePriorityPrivilege	1208	{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe
Token: SeIncBasePriorityPrivilege	4116	{3225A890-02F9-4005-87C4-12E28D00154B}.exe
Token: SeIncBasePriorityPrivilege	2012	{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe
Token: SeIncBasePriorityPrivilege	1140	{ACF4C274-33D0-4a91-80B4-A9F3EDFB71B6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 1104	5016	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	89
PID 5016 wrote to memory of 1104	5016	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	89
PID 5016 wrote to memory of 1104	5016	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	89
PID 5016 wrote to memory of 1544	5016	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	90
PID 5016 wrote to memory of 1544	5016	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	90
PID 5016 wrote to memory of 1544	5016	2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe	90
PID 1104 wrote to memory of 3876	1104	{0457E547-3A1D-4958-8127-809165E1F990}.exe	93
PID 1104 wrote to memory of 3876	1104	{0457E547-3A1D-4958-8127-809165E1F990}.exe	93
PID 1104 wrote to memory of 3876	1104	{0457E547-3A1D-4958-8127-809165E1F990}.exe	93
PID 1104 wrote to memory of 4084	1104	{0457E547-3A1D-4958-8127-809165E1F990}.exe	94
PID 1104 wrote to memory of 4084	1104	{0457E547-3A1D-4958-8127-809165E1F990}.exe	94
PID 1104 wrote to memory of 4084	1104	{0457E547-3A1D-4958-8127-809165E1F990}.exe	94
PID 3876 wrote to memory of 4472	3876	{C75AD251-A019-447f-8F99-DF397A4B966E}.exe	96
PID 3876 wrote to memory of 4472	3876	{C75AD251-A019-447f-8F99-DF397A4B966E}.exe	96
PID 3876 wrote to memory of 4472	3876	{C75AD251-A019-447f-8F99-DF397A4B966E}.exe	96
PID 3876 wrote to memory of 3324	3876	{C75AD251-A019-447f-8F99-DF397A4B966E}.exe	97
PID 3876 wrote to memory of 3324	3876	{C75AD251-A019-447f-8F99-DF397A4B966E}.exe	97
PID 3876 wrote to memory of 3324	3876	{C75AD251-A019-447f-8F99-DF397A4B966E}.exe	97
PID 4472 wrote to memory of 5076	4472	{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe	98
PID 4472 wrote to memory of 5076	4472	{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe	98
PID 4472 wrote to memory of 5076	4472	{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe	98
PID 4472 wrote to memory of 3000	4472	{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe	99
PID 4472 wrote to memory of 3000	4472	{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe	99
PID 4472 wrote to memory of 3000	4472	{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe	99
PID 5076 wrote to memory of 3960	5076	{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe	100
PID 5076 wrote to memory of 3960	5076	{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe	100
PID 5076 wrote to memory of 3960	5076	{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe	100
PID 5076 wrote to memory of 2468	5076	{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe	101
PID 5076 wrote to memory of 2468	5076	{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe	101
PID 5076 wrote to memory of 2468	5076	{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe	101
PID 3960 wrote to memory of 2180	3960	{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe	102
PID 3960 wrote to memory of 2180	3960	{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe	102
PID 3960 wrote to memory of 2180	3960	{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe	102
PID 3960 wrote to memory of 1832	3960	{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe	103
PID 3960 wrote to memory of 1832	3960	{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe	103
PID 3960 wrote to memory of 1832	3960	{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe	103
PID 2180 wrote to memory of 1880	2180	{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe	104
PID 2180 wrote to memory of 1880	2180	{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe	104
PID 2180 wrote to memory of 1880	2180	{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe	104
PID 2180 wrote to memory of 232	2180	{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe	105
PID 2180 wrote to memory of 232	2180	{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe	105
PID 2180 wrote to memory of 232	2180	{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe	105
PID 1880 wrote to memory of 1208	1880	{6CE96529-3020-4744-A42C-F206BF981FCB}.exe	107
PID 1880 wrote to memory of 1208	1880	{6CE96529-3020-4744-A42C-F206BF981FCB}.exe	107
PID 1880 wrote to memory of 1208	1880	{6CE96529-3020-4744-A42C-F206BF981FCB}.exe	107
PID 1880 wrote to memory of 4448	1880	{6CE96529-3020-4744-A42C-F206BF981FCB}.exe	106
PID 1880 wrote to memory of 4448	1880	{6CE96529-3020-4744-A42C-F206BF981FCB}.exe	106
PID 1880 wrote to memory of 4448	1880	{6CE96529-3020-4744-A42C-F206BF981FCB}.exe	106
PID 1208 wrote to memory of 4116	1208	{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe	108
PID 1208 wrote to memory of 4116	1208	{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe	108
PID 1208 wrote to memory of 4116	1208	{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe	108
PID 1208 wrote to memory of 4284	1208	{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe	109
PID 1208 wrote to memory of 4284	1208	{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe	109
PID 1208 wrote to memory of 4284	1208	{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe	109
PID 4116 wrote to memory of 2012	4116	{3225A890-02F9-4005-87C4-12E28D00154B}.exe	110
PID 4116 wrote to memory of 2012	4116	{3225A890-02F9-4005-87C4-12E28D00154B}.exe	110
PID 4116 wrote to memory of 2012	4116	{3225A890-02F9-4005-87C4-12E28D00154B}.exe	110
PID 4116 wrote to memory of 4564	4116	{3225A890-02F9-4005-87C4-12E28D00154B}.exe	111
PID 4116 wrote to memory of 4564	4116	{3225A890-02F9-4005-87C4-12E28D00154B}.exe	111
PID 4116 wrote to memory of 4564	4116	{3225A890-02F9-4005-87C4-12E28D00154B}.exe	111
PID 2012 wrote to memory of 1140	2012	{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe	112
PID 2012 wrote to memory of 1140	2012	{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe	112
PID 2012 wrote to memory of 1140	2012	{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe	112
PID 2012 wrote to memory of 2496	2012	{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_a0b0fe16a7d4404f3676eb609f677826_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\{0457E547-3A1D-4958-8127-809165E1F990}.exe
  C:\Windows\{0457E547-3A1D-4958-8127-809165E1F990}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\{C75AD251-A019-447f-8F99-DF397A4B966E}.exe
    C:\Windows\{C75AD251-A019-447f-8F99-DF397A4B966E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Windows\{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe
      C:\Windows\{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe
        
        C:\Windows\{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
      - C:\Windows\{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe
        
        C:\Windows\{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe
        
        C:\Windows\{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{6CE96529-3020-4744-A42C-F206BF981FCB}.exe
        
        C:\Windows\{6CE96529-3020-4744-A42C-F206BF981FCB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CE96~1.EXE > nul
        9⤵
        
        PID:4448
        
        C:\Windows\{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe
        
        C:\Windows\{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\{3225A890-02F9-4005-87C4-12E28D00154B}.exe
        
        C:\Windows\{3225A890-02F9-4005-87C4-12E28D00154B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe
        
        C:\Windows\{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{ACF4C274-33D0-4a91-80B4-A9F3EDFB71B6}.exe
        
        C:\Windows\{ACF4C274-33D0-4a91-80B4-A9F3EDFB71B6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACF4C~1.EXE > nul
        13⤵
        
        PID:1320
        
        C:\Windows\{5526FE8E-BA86-49bb-AAD4-228A05E2B355}.exe
        
        C:\Windows\{5526FE8E-BA86-49bb-AAD4-228A05E2B355}.exe
        13⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EDCE~1.EXE > nul
        12⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3225A~1.EXE > nul
        11⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21CC0~1.EXE > nul
        10⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EDF8~1.EXE > nul
        8⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01D4B~1.EXE > nul
        7⤵
        
        PID:1832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73BF0~1.EXE > nul
        6⤵
        
        PID:2468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71375~1.EXE > nul
        5⤵
        
        PID:3000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C75AD~1.EXE > nul
      4⤵
      PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0457E~1.EXE > nul
    3⤵
    PID:4084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01D4B464-620D-475b-8AC1-47D6F3F65FA4}.exe

Filesize
344KB

MD5
443e8225ed305e3c88f4ba22be8c4c15

SHA1
acecd44b22f54ed5d5652c8e55ae4c625181ca69

SHA256
76de900611570e684e61552a02ec0b63b22c13eefc6fc42cbf97322076c0739f

SHA512
3a2e36b19c39d53eb08aeb5929fe77c140dec9aa1bb5e529091cd9e3b432db085d8f4c8621970d51c809a4beb6fb055783ddebba3ff21350ce17bf3e53466ad0

Download Submit
C:\Windows\{0457E547-3A1D-4958-8127-809165E1F990}.exe

Filesize
344KB

MD5
8071878244c9125a6e0de6c9c9c60923

SHA1
f282dc0374e45783daca30994fc61dabf7b5a7fb

SHA256
8297d47e53f762399caf65dccaaa685b9eec4d2524dfad7da87bf33a2ae033fb

SHA512
b37382d1b6dcf20053cfd44f037b29e10e017de818754b6397ee6d26fa44a52e2dcd6db5182f2c369fe5ed154ef14815103b52fa3eb11e969d631861230bd3d5

Download Submit
C:\Windows\{21CC0038-431B-4dff-B0D9-755A7E2B71EB}.exe

Filesize
344KB

MD5
03b25e7ac6cdeef8984b25d7d51abb7b

SHA1
d270f87680abead73c6586deb6725c5378bcbf34

SHA256
18f19fe95c3fa324319d21aa64d6e5aa0eee2aa8f886889c5075d32c561b58c3

SHA512
fc6713cab76f6c401adcf431b65f56cc62c3d2e7f5d9d925622aeabbf2d24a097ad42ec0a11ba7304751a2bf79f3cc2f451525cabcb8c9aa66f4b242dfa8388c

Download Submit
C:\Windows\{3225A890-02F9-4005-87C4-12E28D00154B}.exe

Filesize
344KB

MD5
8041f4ba8dc2d4bb1104afd900941dfd

SHA1
ee0dffa92f26c3120b81c9fc06301d230c2f3125

SHA256
4beaeb55850e2aab5de8707d196422fdbc90f1389343d2f57ad87f24c25114e2

SHA512
28b1db8e98bbe3ceb777cae63510d86a03ecfb5ab97e2b09e92574e7cc0245505c2cf17a9dc865b4919f48cf2698e7ff39b459b8b9053ccf3aa4e819f83bf3f9

Download Submit
C:\Windows\{5526FE8E-BA86-49bb-AAD4-228A05E2B355}.exe

Filesize
344KB

MD5
e9ce889c8b9918440185b526d0ccbf0c

SHA1
9328d7a252ec6959263b09004960d6a9be1d1a36

SHA256
ad39d14cb6fed839c4c39e9e69fa2a444ec8b7d5cd19ea26d96959afe385405e

SHA512
5699e30fe06266b2b2ae6b04e9986a5bbfa8a3c4685c837b627c2667c38725252fbf73b6d4c5e1a0c2e2fcb468bd311210766abdfeef7a37afb2f8c1337d4494

Download Submit
C:\Windows\{6CE96529-3020-4744-A42C-F206BF981FCB}.exe

Filesize
344KB

MD5
289f45795f147fde0985abb19683e062

SHA1
c2e1c21e305856b070482952e0e7d2844ecbe8ff

SHA256
d4714ee73350bc0802f6be5d1f666281cb94703d65422ed8233ab60a6cbf3357

SHA512
613d065d5615e9f2cffd0f0fac26f17b09c6f9baab15511afbbc356c54e7608e7f6f4ec67e89700dc98f22501564efbf7d7bfb0a696300ab292d553b3227545c

Download Submit
C:\Windows\{7137536D-F7C1-40ea-A5D5-C71D8464ADB5}.exe

Filesize
344KB

MD5
2f88a4b1d210b7c658d2c0108f734977

SHA1
2c7bbfa347c1975be80e3d0791a7545900bad781

SHA256
75845c360c6a1f68fad9a4887391e44d89fce0814614c7db02a96c8443bad046

SHA512
0c67c218c7e71c1cdc51bcc0c2dc40839e740cc38f321dd2c27bb08ffc791d4b0d76d034be38a9e7d199e01158df9f896f686be75055f1a4cd3e6c4a7acb4cd4

Download Submit
C:\Windows\{73BF06D5-C0C4-4b18-A52E-AE53A7279738}.exe

Filesize
344KB

MD5
408a14ff35e1461fe0aa66906b5fcc2f

SHA1
22febe4790a11afa7050fc0774b89d4bc951eb4c

SHA256
1a767d6d8b515950cff61239024d9f57da20b72a6617fed6ee89bfb866cd728a

SHA512
71ef2ae1c4d78555a9e19c5ac2e979debb413ae1bdb43a9ad9d1c13d55b67e916a065eed87e017c628c25a8b54fd813b91a1981bc3a9c54c79541cc7f124bf44

Download Submit
C:\Windows\{8EDCE0DB-8634-4780-B020-C2A1B3ED856A}.exe

Filesize
344KB

MD5
42437e77dec057905eb49a195b2fb2ff

SHA1
41cd667b8a3df0be85a5e84863b6601fa7b2c08d

SHA256
afd04dce910201d47503509c68701625116447878af139ded5082bcee79aaa93

SHA512
d74dc6a77d0e2676a3cdefff2bec00b6bf332607386956232ffbfd029ad13a84a6977b8faae5030c34eac333751bf7332038c9314b48ee387595cd88ed6e35ae

Download Submit
C:\Windows\{9EDF849F-34B0-4ca4-B486-914591A38EE6}.exe

Filesize
344KB

MD5
6ffde8a91340e6022e32854edc85237c

SHA1
54fb88b1b46ccfd20a40c79ef95ec01831ba704a

SHA256
87a5ecceab79707447212d6d2c75dd5308efa017a4df321c993a5e7df19ea682

SHA512
abfb1020eb5e7371f7610e64ad9fc99b2d2cf30ac6796fc35bfca7496e5c777e9ef44f2ec3af70e9f9dffe59cb1384e3710f9d54f154635ac4f99755f7ca104a

Download Submit
C:\Windows\{ACF4C274-33D0-4a91-80B4-A9F3EDFB71B6}.exe

Filesize
344KB

MD5
d2e497cd5470701b57a2b63715905ad4

SHA1
e78bc42720f126a3a4d6d28089ef5a7a448269ff

SHA256
a873c8c49931c401181bce010a372e7ff8b9acf5a235ef2fb0dfa6723c59a254

SHA512
dd0bd65d4f4e5374ae6ddffbac16ad7ae36b96f76ff70e88fda796e6daddef15a5452081d81c776b522ef3509e5fb7e0b11f1e8a26811334f7f890dd711ca26c

Download Submit
C:\Windows\{C75AD251-A019-447f-8F99-DF397A4B966E}.exe

Filesize
344KB

MD5
08ab37ac3885dfa516e97e2d0008c0ef

SHA1
3ce26b4ed1f166c4aedc95f5a54cac5847fbd134

SHA256
9f69469861e19a25ce7725912c3dfbcb6e292edcbe4613468eeadb5ebf941a3a

SHA512
a51a577909f9eabb0227cf972a1240cd020c78dc0d8e92574b50554c4b24428b8da4820a0c10a26a64826f4eaf5a7daeffa70527ba05ef6f69d9e38765d6dbdb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads