f3be57df0353f24a8748685606fc4fe3184fe6ac5ac1c517cb26384ad4264736

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe
Size

168KB
MD5

f545279219c36d29d20b8a2181a2c0d3
SHA1

265fa349b42c9f69e8f0b2e579a57fa1a2d98be2
SHA256

f3be57df0353f24a8748685606fc4fe3184fe6ac5ac1c517cb26384ad4264736
SHA512

860ecfca0b7edc9af88894e5ad0613456e9cf93a6f6a424462ed4686ab09a391ee5ff0f426464aed8babd3cc7acfb2ca258df148cef86624e4f8a5ffaa1c1f73
SSDEEP

1536:1EGh0oDlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oDlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002322b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023059-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023238-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023059-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000715-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66E74253-30C6-4b13-8753-715204FECA78}	{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0154BCBB-2395-4a6d-9A3D-39B2954E1AED}\stubpath = "C:\\Windows\\{0154BCBB-2395-4a6d-9A3D-39B2954E1AED}.exe"	{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEE62F79-0BD3-4060-8D30-E56D963D08AC}\stubpath = "C:\\Windows\\{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe"	{07966245-AF77-4b32-B895-43B00CFDAF32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6217F377-A930-4731-AEFF-3C19F39881D1}	{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6217F377-A930-4731-AEFF-3C19F39881D1}\stubpath = "C:\\Windows\\{6217F377-A930-4731-AEFF-3C19F39881D1}.exe"	{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}	{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}\stubpath = "C:\\Windows\\{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe"	{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A2DD360-D7BA-409f-8145-7B6470161DCA}\stubpath = "C:\\Windows\\{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe"	{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07966245-AF77-4b32-B895-43B00CFDAF32}	{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07966245-AF77-4b32-B895-43B00CFDAF32}\stubpath = "C:\\Windows\\{07966245-AF77-4b32-B895-43B00CFDAF32}.exe"	{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B368645-27D4-43a3-B713-A136C1C6AE7A}\stubpath = "C:\\Windows\\{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe"	{6217F377-A930-4731-AEFF-3C19F39881D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0154BCBB-2395-4a6d-9A3D-39B2954E1AED}	{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C7BBB73-BA6C-470a-B070-566D18D66518}	2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A2DD360-D7BA-409f-8145-7B6470161DCA}	{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66E74253-30C6-4b13-8753-715204FECA78}\stubpath = "C:\\Windows\\{66E74253-30C6-4b13-8753-715204FECA78}.exe"	{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868E0580-8EEA-43be-8FA6-19181065D2C9}	{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868E0580-8EEA-43be-8FA6-19181065D2C9}\stubpath = "C:\\Windows\\{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe"	{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18CE5D05-B9AB-445e-923C-15985B46FB9A}	{0154BCBB-2395-4a6d-9A3D-39B2954E1AED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18CE5D05-B9AB-445e-923C-15985B46FB9A}\stubpath = "C:\\Windows\\{18CE5D05-B9AB-445e-923C-15985B46FB9A}.exe"	{0154BCBB-2395-4a6d-9A3D-39B2954E1AED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C7BBB73-BA6C-470a-B070-566D18D66518}\stubpath = "C:\\Windows\\{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe"	2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEE62F79-0BD3-4060-8D30-E56D963D08AC}	{07966245-AF77-4b32-B895-43B00CFDAF32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B368645-27D4-43a3-B713-A136C1C6AE7A}	{6217F377-A930-4731-AEFF-3C19F39881D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11EEA3B3-488E-4116-B216-6EAA9E95253D}	{66E74253-30C6-4b13-8753-715204FECA78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11EEA3B3-488E-4116-B216-6EAA9E95253D}\stubpath = "C:\\Windows\\{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe"	{66E74253-30C6-4b13-8753-715204FECA78}.exe

Executes dropped EXE 12 IoCs

pid	Process
1384	{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe
4636	{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe
1524	{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe
828	{07966245-AF77-4b32-B895-43B00CFDAF32}.exe
1928	{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe
1764	{6217F377-A930-4731-AEFF-3C19F39881D1}.exe
2776	{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe
404	{66E74253-30C6-4b13-8753-715204FECA78}.exe
3440	{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe
4724	{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe
464	{0154BCBB-2395-4a6d-9A3D-39B2954E1AED}.exe
1648	{18CE5D05-B9AB-445e-923C-15985B46FB9A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{18CE5D05-B9AB-445e-923C-15985B46FB9A}.exe	{0154BCBB-2395-4a6d-9A3D-39B2954E1AED}.exe
File created	C:\Windows\{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe	2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe
File created	C:\Windows\{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe	{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe
File created	C:\Windows\{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe	{07966245-AF77-4b32-B895-43B00CFDAF32}.exe
File created	C:\Windows\{66E74253-30C6-4b13-8753-715204FECA78}.exe	{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe
File created	C:\Windows\{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe	{66E74253-30C6-4b13-8753-715204FECA78}.exe
File created	C:\Windows\{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe	{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe
File created	C:\Windows\{0154BCBB-2395-4a6d-9A3D-39B2954E1AED}.exe	{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe
File created	C:\Windows\{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe	{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe
File created	C:\Windows\{07966245-AF77-4b32-B895-43B00CFDAF32}.exe	{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe
File created	C:\Windows\{6217F377-A930-4731-AEFF-3C19F39881D1}.exe	{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe
File created	C:\Windows\{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe	{6217F377-A930-4731-AEFF-3C19F39881D1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3492	2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1384	{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe
Token: SeIncBasePriorityPrivilege	4636	{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe
Token: SeIncBasePriorityPrivilege	1524	{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe
Token: SeIncBasePriorityPrivilege	828	{07966245-AF77-4b32-B895-43B00CFDAF32}.exe
Token: SeIncBasePriorityPrivilege	1928	{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe
Token: SeIncBasePriorityPrivilege	1764	{6217F377-A930-4731-AEFF-3C19F39881D1}.exe
Token: SeIncBasePriorityPrivilege	2776	{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe
Token: SeIncBasePriorityPrivilege	404	{66E74253-30C6-4b13-8753-715204FECA78}.exe
Token: SeIncBasePriorityPrivilege	3440	{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe
Token: SeIncBasePriorityPrivilege	4724	{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe
Token: SeIncBasePriorityPrivilege	464	{0154BCBB-2395-4a6d-9A3D-39B2954E1AED}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 1384	3492	2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe	91
PID 3492 wrote to memory of 1384	3492	2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe	91
PID 3492 wrote to memory of 1384	3492	2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe	91
PID 3492 wrote to memory of 636	3492	2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe	92
PID 3492 wrote to memory of 636	3492	2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe	92
PID 3492 wrote to memory of 636	3492	2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe	92
PID 1384 wrote to memory of 4636	1384	{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe	93
PID 1384 wrote to memory of 4636	1384	{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe	93
PID 1384 wrote to memory of 4636	1384	{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe	93
PID 1384 wrote to memory of 4888	1384	{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe	94
PID 1384 wrote to memory of 4888	1384	{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe	94
PID 1384 wrote to memory of 4888	1384	{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe	94
PID 4636 wrote to memory of 1524	4636	{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe	97
PID 4636 wrote to memory of 1524	4636	{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe	97
PID 4636 wrote to memory of 1524	4636	{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe	97
PID 4636 wrote to memory of 3632	4636	{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe	96
PID 4636 wrote to memory of 3632	4636	{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe	96
PID 4636 wrote to memory of 3632	4636	{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe	96
PID 1524 wrote to memory of 828	1524	{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe	99
PID 1524 wrote to memory of 828	1524	{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe	99
PID 1524 wrote to memory of 828	1524	{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe	99
PID 1524 wrote to memory of 3972	1524	{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe	98
PID 1524 wrote to memory of 3972	1524	{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe	98
PID 1524 wrote to memory of 3972	1524	{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe	98
PID 828 wrote to memory of 1928	828	{07966245-AF77-4b32-B895-43B00CFDAF32}.exe	100
PID 828 wrote to memory of 1928	828	{07966245-AF77-4b32-B895-43B00CFDAF32}.exe	100
PID 828 wrote to memory of 1928	828	{07966245-AF77-4b32-B895-43B00CFDAF32}.exe	100
PID 828 wrote to memory of 1340	828	{07966245-AF77-4b32-B895-43B00CFDAF32}.exe	101
PID 828 wrote to memory of 1340	828	{07966245-AF77-4b32-B895-43B00CFDAF32}.exe	101
PID 828 wrote to memory of 1340	828	{07966245-AF77-4b32-B895-43B00CFDAF32}.exe	101
PID 1928 wrote to memory of 1764	1928	{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe	102
PID 1928 wrote to memory of 1764	1928	{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe	102
PID 1928 wrote to memory of 1764	1928	{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe	102
PID 1928 wrote to memory of 4780	1928	{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe	103
PID 1928 wrote to memory of 4780	1928	{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe	103
PID 1928 wrote to memory of 4780	1928	{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe	103
PID 1764 wrote to memory of 2776	1764	{6217F377-A930-4731-AEFF-3C19F39881D1}.exe	104
PID 1764 wrote to memory of 2776	1764	{6217F377-A930-4731-AEFF-3C19F39881D1}.exe	104
PID 1764 wrote to memory of 2776	1764	{6217F377-A930-4731-AEFF-3C19F39881D1}.exe	104
PID 1764 wrote to memory of 1008	1764	{6217F377-A930-4731-AEFF-3C19F39881D1}.exe	105
PID 1764 wrote to memory of 1008	1764	{6217F377-A930-4731-AEFF-3C19F39881D1}.exe	105
PID 1764 wrote to memory of 1008	1764	{6217F377-A930-4731-AEFF-3C19F39881D1}.exe	105
PID 2776 wrote to memory of 404	2776	{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe	106
PID 2776 wrote to memory of 404	2776	{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe	106
PID 2776 wrote to memory of 404	2776	{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe	106
PID 2776 wrote to memory of 3360	2776	{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe	107
PID 2776 wrote to memory of 3360	2776	{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe	107
PID 2776 wrote to memory of 3360	2776	{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe	107
PID 404 wrote to memory of 3440	404	{66E74253-30C6-4b13-8753-715204FECA78}.exe	108
PID 404 wrote to memory of 3440	404	{66E74253-30C6-4b13-8753-715204FECA78}.exe	108
PID 404 wrote to memory of 3440	404	{66E74253-30C6-4b13-8753-715204FECA78}.exe	108
PID 404 wrote to memory of 4516	404	{66E74253-30C6-4b13-8753-715204FECA78}.exe	109
PID 404 wrote to memory of 4516	404	{66E74253-30C6-4b13-8753-715204FECA78}.exe	109
PID 404 wrote to memory of 4516	404	{66E74253-30C6-4b13-8753-715204FECA78}.exe	109
PID 3440 wrote to memory of 4724	3440	{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe	110
PID 3440 wrote to memory of 4724	3440	{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe	110
PID 3440 wrote to memory of 4724	3440	{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe	110
PID 3440 wrote to memory of 1528	3440	{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe	111
PID 3440 wrote to memory of 1528	3440	{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe	111
PID 3440 wrote to memory of 1528	3440	{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe	111
PID 4724 wrote to memory of 464	4724	{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe	112
PID 4724 wrote to memory of 464	4724	{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe	112
PID 4724 wrote to memory of 464	4724	{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe	112
PID 4724 wrote to memory of 3616	4724	{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_f545279219c36d29d20b8a2181a2c0d3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe
  C:\Windows\{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe
    C:\Windows\{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EBBEB~1.EXE > nul
      4⤵
      PID:3632
  - - C:\Windows\{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe
      C:\Windows\{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A2DD~1.EXE > nul
        5⤵
        
        PID:3972
    - - C:\Windows\{07966245-AF77-4b32-B895-43B00CFDAF32}.exe
        
        C:\Windows\{07966245-AF77-4b32-B895-43B00CFDAF32}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:828
      - C:\Windows\{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe
        
        C:\Windows\{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{6217F377-A930-4731-AEFF-3C19F39881D1}.exe
        
        C:\Windows\{6217F377-A930-4731-AEFF-3C19F39881D1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe
        
        C:\Windows\{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{66E74253-30C6-4b13-8753-715204FECA78}.exe
        
        C:\Windows\{66E74253-30C6-4b13-8753-715204FECA78}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe
        
        C:\Windows\{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe
        
        C:\Windows\{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{0154BCBB-2395-4a6d-9A3D-39B2954E1AED}.exe
        
        C:\Windows\{0154BCBB-2395-4a6d-9A3D-39B2954E1AED}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\{18CE5D05-B9AB-445e-923C-15985B46FB9A}.exe
        
        C:\Windows\{18CE5D05-B9AB-445e-923C-15985B46FB9A}.exe
        13⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0154B~1.EXE > nul
        13⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{868E0~1.EXE > nul
        12⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11EEA~1.EXE > nul
        11⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66E74~1.EXE > nul
        10⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B368~1.EXE > nul
        9⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6217F~1.EXE > nul
        8⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEE62~1.EXE > nul
        7⤵
        
        PID:4780
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07966~1.EXE > nul
        6⤵
        
        PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3C7BB~1.EXE > nul
    3⤵
    PID:4888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0154BCBB-2395-4a6d-9A3D-39B2954E1AED}.exe

Filesize
168KB

MD5
c32b66b91624453eb2a180bfeeb4a0b1

SHA1
95e7fdab618ad64029a5fac8fa380eda9eab9545

SHA256
559dc6b1ece32907e567e1c1ef5a0f7a349139837a19c484c8e4d1df98c3751c

SHA512
0897c155de34220cc4fdeed2f872530af0b153c42dc910a23fd8cfdc1e5a588ab963def6241dab03c8418470d7f1e846e120ff69f18717964562da52e9cef3d7

Download Submit
C:\Windows\{07966245-AF77-4b32-B895-43B00CFDAF32}.exe

Filesize
168KB

MD5
f8e0aba0198d1091633ee8f21a20b4fd

SHA1
fbb41cbf76c9a8c2067b8fca91673c6d4c20b172

SHA256
28e701268fd6e5c711636a5936a53a7fd43c8e54d2e6ca1babbb68969a5054e7

SHA512
160a4b8d8a63597113c03e1d48f4da4d47dc2c6bcaea96568b0d760e71d8254a3d55302719a9fdf0a39edc443718d7a2fc485d9b04e3a117b0eedd7bdcb5fbd3

Download Submit
C:\Windows\{11EEA3B3-488E-4116-B216-6EAA9E95253D}.exe

Filesize
168KB

MD5
73c7d4adaea83ed2ba72d858ec00d882

SHA1
a2f4c95fb5b14def16958aacd4e7b5f926a72a76

SHA256
b61cd62b3536b8adcd04b508f81ba351e650dd1732a7b5f844ff977cd0d8f58e

SHA512
d26338cf4bff02dfc1e00c9feb2e8756ed2713ab44674b0c146a1eb18cbf304085f61dee441a8c048aa280b9890735eee2893fedfbeb1bde5cecb5526cc21b8b

Download Submit
C:\Windows\{18CE5D05-B9AB-445e-923C-15985B46FB9A}.exe

Filesize
168KB

MD5
73586575842df75f3176e5656975f4e0

SHA1
7ff71b88f3472d9382e83450a87cd29367122fdb

SHA256
bffc557904de3732a30cccd1ee366b24ceabef7a347522f4580c8b2e7fbfc5bd

SHA512
0b6022f5ea3780aa74c78453d160d0c5c3ae2b4f2b6246aea695d0ad52d0f0e243eea0cb940938f70a5ed70211cfaf41429fccc09f407949964d911e0cfbe4f9

Download Submit
C:\Windows\{3C7BBB73-BA6C-470a-B070-566D18D66518}.exe

Filesize
168KB

MD5
1e55ac4926d2458052132f28bf145c49

SHA1
f36d2a8768d76a9b66e273d6d51cd47653840ccc

SHA256
28ed9757621485e935f132e2f85dc6f58f5757c0177a904567b6f6dd957d3c4f

SHA512
fa40a1216b1c991f17a85481f2fe58a997c36e2368eda80f476b14fc7b26664da81fb41a75f0e3508c9a001fafa3a7f71a634a063a32afb8af42bb76ea046664

Download Submit
C:\Windows\{6217F377-A930-4731-AEFF-3C19F39881D1}.exe

Filesize
168KB

MD5
bc9d3dbc5fdefde232ec81819b2cb6d0

SHA1
81002869f4bcaeb9f582f8685d27fee8f8ceb43a

SHA256
a42a939717908104a0e40ba71d8f10888e8ca7dcb9ce4dc925b6e76156998032

SHA512
41747efd9f1c21011c7395732a3ed2bcc8ed798fb215f70b65fbc219c5b80593b67174f1bb574f49c7655812bc5cae17fa4402dc4e43b5daf792c5986e613846

Download Submit
C:\Windows\{66E74253-30C6-4b13-8753-715204FECA78}.exe

Filesize
168KB

MD5
04792ec6cd1780cdf57acf22d30c2143

SHA1
5e90cf799544272ede597fad3594f7d09ed68d24

SHA256
ef6a676383e60583d7e662216acc4cfe94a7a5ec970fd4073250e79be39d0a39

SHA512
654f3db6c0997c92330e6ab052858fc6c6ab803d4a92603625faf1d086499eeae2a43df58fdc323aedaf2c52a60d52b46fad6f3342e36706c3e09ca137a4f04d

Download Submit
C:\Windows\{6A2DD360-D7BA-409f-8145-7B6470161DCA}.exe

Filesize
168KB

MD5
304b187b23720113fd88b5ec33680eaa

SHA1
db39a47517c3d4f5470038522d93e8b5e5e76908

SHA256
b0a519ee5a91273cdb010f259a98faa0d115344e305f460e17b535e8d5bf9423

SHA512
2fb4784480ca255bdbc86e7622afc20d319b34e1828a3b25f10d5fe48bfd740d0aaf619b00d14f9837ca5aa85e00f4b0770ab096ab1ba414ec0dc76c543b2178

Download Submit
C:\Windows\{6B368645-27D4-43a3-B713-A136C1C6AE7A}.exe

Filesize
168KB

MD5
0beaa4a1836ba443639360c1152837bc

SHA1
1eec262f3cba16a2746063de9169cc850a3cf3b4

SHA256
d9191a40df737b48f1f06149029a94ac96126e348ff19ab69891232e33687a37

SHA512
dc9e6dfd698669382dffdf96064b0acc5bd5672e09f7b83b99224b734c571c697a7fcd7468ede104dbc11c7efb9dae361823413925a12126917b99565c8defba

Download Submit
C:\Windows\{868E0580-8EEA-43be-8FA6-19181065D2C9}.exe

Filesize
168KB

MD5
a9dddcd545eede8dcbdb5ac03a2265a5

SHA1
0d304a20763c48e1b3192be8c67c3014bb8c26fd

SHA256
45a9ac1b08ab06b97ee6cce54b19afa6a6891a792ac17ba2792f425d2f66b8ab

SHA512
4ac1629583320a85768c2ca97748922c011f36143b0b3c9b5f65062f867cdf27054a09c759b1abe344fdd8a335bca78d2897bed563817198b9324c9ecc67110f

Download Submit
C:\Windows\{EBBEB134-8D4E-4142-9ACA-844B8507AFC5}.exe

Filesize
168KB

MD5
d20ae6e1c1409b73353dfeb116091809

SHA1
1770fc328aa291cd16d2391f2b1946e62d62ac66

SHA256
e6c1df27ab66e97acc6e8a8ba3a95cc4806707dcafa75f6561efa44a93a6b978

SHA512
2e8cb5278039c5b18ca1b7f08f6ec56fb4ccd12b72185dbfca610197a168086ee86e703181dc2e12b5f17357d3f39a7298669006ec41d9efa0aec393e6936bcc

Download Submit
C:\Windows\{EEE62F79-0BD3-4060-8D30-E56D963D08AC}.exe

Filesize
168KB

MD5
ca9fe6e9a8f813540b99cb9370694af9

SHA1
3b6fafe8bab86e23465fed3646d3cb728ccedda2

SHA256
3c360eb50413f21e48f9cdf674dbf04265a319c4dff3acf84b555ae3610b2bd3

SHA512
48d068a8df8a4acece73d3cffd596ff7684a7fdd48d52390c88240d614a6ee5c37bf5d629153e5a1439bb88a7f25fbd22178cb5841f1a3f93e38cc138b399ae4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads