8802c57ff7d49b880da00940537edd18691914d568f613338209ea996aee2847

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe
Size

180KB
MD5

051e0f97351938b0c469da0d0aac9ad6
SHA1

a008e6b6e3d4481812f5aecc2c1dbc61133b5f9e
SHA256

8802c57ff7d49b880da00940537edd18691914d568f613338209ea996aee2847
SHA512

459b31573e5cb429d7a72a188e705a6f5515c61aa67284400f9d1089c7bbee97256c97d2a8497501bbebb06262927b716e6bb6b37659c9fb9d6e9d685efb33bd
SSDEEP

3072:jEGh0oolfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGWl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023215-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e364-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023223-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e364-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001db24-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e364-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001db24-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}	{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB11B714-0FD8-482e-87B1-86995C8F1D75}\stubpath = "C:\\Windows\\{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe"	{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28665156-99F3-4bfb-ACE6-264D5792211B}	{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{837D2123-78C0-4d26-B8B4-5387A54507E2}	{28665156-99F3-4bfb-ACE6-264D5792211B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{869EA7DC-0FAA-425a-88EE-C3170345612C}	2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{787F72C9-D595-4f61-A843-76A00E021DF2}\stubpath = "C:\\Windows\\{787F72C9-D595-4f61-A843-76A00E021DF2}.exe"	{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3409B76-CA56-4fec-A4E7-0C053933F69C}	{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3409B76-CA56-4fec-A4E7-0C053933F69C}\stubpath = "C:\\Windows\\{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe"	{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB11B714-0FD8-482e-87B1-86995C8F1D75}	{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F8CA859-5950-48c0-95CA-316EF9A96C28}	{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}\stubpath = "C:\\Windows\\{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe"	{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28665156-99F3-4bfb-ACE6-264D5792211B}\stubpath = "C:\\Windows\\{28665156-99F3-4bfb-ACE6-264D5792211B}.exe"	{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{787F72C9-D595-4f61-A843-76A00E021DF2}	{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60DE2479-C5FC-426e-A478-8731185C6FF5}	{787F72C9-D595-4f61-A843-76A00E021DF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}\stubpath = "C:\\Windows\\{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe"	{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F8CA859-5950-48c0-95CA-316EF9A96C28}\stubpath = "C:\\Windows\\{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe"	{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}	{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{869EA7DC-0FAA-425a-88EE-C3170345612C}\stubpath = "C:\\Windows\\{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe"	2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C15BC21-61C0-469e-B0C8-CCED67A3367F}\stubpath = "C:\\Windows\\{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe"	{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60DE2479-C5FC-426e-A478-8731185C6FF5}\stubpath = "C:\\Windows\\{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe"	{787F72C9-D595-4f61-A843-76A00E021DF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{837D2123-78C0-4d26-B8B4-5387A54507E2}\stubpath = "C:\\Windows\\{837D2123-78C0-4d26-B8B4-5387A54507E2}.exe"	{28665156-99F3-4bfb-ACE6-264D5792211B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C15BC21-61C0-469e-B0C8-CCED67A3367F}	{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe

Executes dropped EXE 11 IoCs

pid	Process
2608	{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe
1424	{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe
5060	{787F72C9-D595-4f61-A843-76A00E021DF2}.exe
3740	{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe
3384	{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe
4372	{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe
4072	{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe
1948	{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe
4416	{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe
1508	{28665156-99F3-4bfb-ACE6-264D5792211B}.exe
3160	{837D2123-78C0-4d26-B8B4-5387A54507E2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe	2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe
File created	C:\Windows\{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe	{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe
File created	C:\Windows\{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe	{787F72C9-D595-4f61-A843-76A00E021DF2}.exe
File created	C:\Windows\{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe	{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe
File created	C:\Windows\{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe	{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe
File created	C:\Windows\{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe	{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe
File created	C:\Windows\{837D2123-78C0-4d26-B8B4-5387A54507E2}.exe	{28665156-99F3-4bfb-ACE6-264D5792211B}.exe
File created	C:\Windows\{787F72C9-D595-4f61-A843-76A00E021DF2}.exe	{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe
File created	C:\Windows\{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe	{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe
File created	C:\Windows\{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe	{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe
File created	C:\Windows\{28665156-99F3-4bfb-ACE6-264D5792211B}.exe	{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3228	2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2608	{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe
Token: SeIncBasePriorityPrivilege	1424	{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe
Token: SeIncBasePriorityPrivilege	5060	{787F72C9-D595-4f61-A843-76A00E021DF2}.exe
Token: SeIncBasePriorityPrivilege	3740	{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe
Token: SeIncBasePriorityPrivilege	3384	{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe
Token: SeIncBasePriorityPrivilege	4372	{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe
Token: SeIncBasePriorityPrivilege	4072	{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe
Token: SeIncBasePriorityPrivilege	1948	{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe
Token: SeIncBasePriorityPrivilege	4416	{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe
Token: SeIncBasePriorityPrivilege	1508	{28665156-99F3-4bfb-ACE6-264D5792211B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 2608	3228	2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe	88
PID 3228 wrote to memory of 2608	3228	2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe	88
PID 3228 wrote to memory of 2608	3228	2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe	88
PID 3228 wrote to memory of 3472	3228	2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe	89
PID 3228 wrote to memory of 3472	3228	2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe	89
PID 3228 wrote to memory of 3472	3228	2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe	89
PID 2608 wrote to memory of 1424	2608	{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe	92
PID 2608 wrote to memory of 1424	2608	{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe	92
PID 2608 wrote to memory of 1424	2608	{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe	92
PID 2608 wrote to memory of 5092	2608	{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe	93
PID 2608 wrote to memory of 5092	2608	{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe	93
PID 2608 wrote to memory of 5092	2608	{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe	93
PID 1424 wrote to memory of 5060	1424	{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe	96
PID 1424 wrote to memory of 5060	1424	{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe	96
PID 1424 wrote to memory of 5060	1424	{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe	96
PID 1424 wrote to memory of 3896	1424	{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe	95
PID 1424 wrote to memory of 3896	1424	{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe	95
PID 1424 wrote to memory of 3896	1424	{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe	95
PID 5060 wrote to memory of 3740	5060	{787F72C9-D595-4f61-A843-76A00E021DF2}.exe	97
PID 5060 wrote to memory of 3740	5060	{787F72C9-D595-4f61-A843-76A00E021DF2}.exe	97
PID 5060 wrote to memory of 3740	5060	{787F72C9-D595-4f61-A843-76A00E021DF2}.exe	97
PID 5060 wrote to memory of 2472	5060	{787F72C9-D595-4f61-A843-76A00E021DF2}.exe	98
PID 5060 wrote to memory of 2472	5060	{787F72C9-D595-4f61-A843-76A00E021DF2}.exe	98
PID 5060 wrote to memory of 2472	5060	{787F72C9-D595-4f61-A843-76A00E021DF2}.exe	98
PID 3740 wrote to memory of 3384	3740	{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe	99
PID 3740 wrote to memory of 3384	3740	{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe	99
PID 3740 wrote to memory of 3384	3740	{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe	99
PID 3740 wrote to memory of 3300	3740	{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe	100
PID 3740 wrote to memory of 3300	3740	{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe	100
PID 3740 wrote to memory of 3300	3740	{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe	100
PID 3384 wrote to memory of 4372	3384	{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe	101
PID 3384 wrote to memory of 4372	3384	{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe	101
PID 3384 wrote to memory of 4372	3384	{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe	101
PID 3384 wrote to memory of 4728	3384	{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe	102
PID 3384 wrote to memory of 4728	3384	{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe	102
PID 3384 wrote to memory of 4728	3384	{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe	102
PID 4372 wrote to memory of 4072	4372	{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe	103
PID 4372 wrote to memory of 4072	4372	{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe	103
PID 4372 wrote to memory of 4072	4372	{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe	103
PID 4372 wrote to memory of 4532	4372	{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe	104
PID 4372 wrote to memory of 4532	4372	{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe	104
PID 4372 wrote to memory of 4532	4372	{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe	104
PID 4072 wrote to memory of 1948	4072	{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe	105
PID 4072 wrote to memory of 1948	4072	{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe	105
PID 4072 wrote to memory of 1948	4072	{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe	105
PID 4072 wrote to memory of 2180	4072	{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe	106
PID 4072 wrote to memory of 2180	4072	{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe	106
PID 4072 wrote to memory of 2180	4072	{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe	106
PID 1948 wrote to memory of 4416	1948	{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe	107
PID 1948 wrote to memory of 4416	1948	{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe	107
PID 1948 wrote to memory of 4416	1948	{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe	107
PID 1948 wrote to memory of 1232	1948	{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe	108
PID 1948 wrote to memory of 1232	1948	{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe	108
PID 1948 wrote to memory of 1232	1948	{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe	108
PID 4416 wrote to memory of 1508	4416	{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe	109
PID 4416 wrote to memory of 1508	4416	{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe	109
PID 4416 wrote to memory of 1508	4416	{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe	109
PID 4416 wrote to memory of 932	4416	{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe	110
PID 4416 wrote to memory of 932	4416	{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe	110
PID 4416 wrote to memory of 932	4416	{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe	110
PID 1508 wrote to memory of 3160	1508	{28665156-99F3-4bfb-ACE6-264D5792211B}.exe	111
PID 1508 wrote to memory of 3160	1508	{28665156-99F3-4bfb-ACE6-264D5792211B}.exe	111
PID 1508 wrote to memory of 3160	1508	{28665156-99F3-4bfb-ACE6-264D5792211B}.exe	111
PID 1508 wrote to memory of 2932	1508	{28665156-99F3-4bfb-ACE6-264D5792211B}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_051e0f97351938b0c469da0d0aac9ad6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe
  C:\Windows\{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe
    C:\Windows\{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9C15B~1.EXE > nul
      4⤵
      PID:3896
  - - C:\Windows\{787F72C9-D595-4f61-A843-76A00E021DF2}.exe
      C:\Windows\{787F72C9-D595-4f61-A843-76A00E021DF2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe
        
        C:\Windows\{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3740
      - C:\Windows\{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe
        
        C:\Windows\{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe
        
        C:\Windows\{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe
        
        C:\Windows\{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe
        
        C:\Windows\{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe
        
        C:\Windows\{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\{28665156-99F3-4bfb-ACE6-264D5792211B}.exe
        
        C:\Windows\{28665156-99F3-4bfb-ACE6-264D5792211B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{837D2123-78C0-4d26-B8B4-5387A54507E2}.exe
        
        C:\Windows\{837D2123-78C0-4d26-B8B4-5387A54507E2}.exe
        12⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28665~1.EXE > nul
        12⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61DDC~1.EXE > nul
        11⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F8CA~1.EXE > nul
        10⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB11B~1.EXE > nul
        9⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3409~1.EXE > nul
        8⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73F28~1.EXE > nul
        7⤵
        
        PID:4728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60DE2~1.EXE > nul
        6⤵
        
        PID:3300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{787F7~1.EXE > nul
        5⤵
        
        PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{869EA~1.EXE > nul
    3⤵
    PID:5092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{28665156-99F3-4bfb-ACE6-264D5792211B}.exe

Filesize
180KB

MD5
9d9c13704b391e861643153ca211ba2a

SHA1
17bcbfbf1ac5bffed0c33b77a5d572bb7f49407a

SHA256
0fb97ed85c647403a8c1aff4527afe5eb64c32917c4f926773f789eec4a03eab

SHA512
fbde56c5cf946d96e508afbc619163c81a0ca6f0e5336fdf819923cbdc9ff13bfea3d945830a9b6057f5da5b69ce805477e02cd9bdf06e7c7ef480319243660a

Download Submit
C:\Windows\{3F8CA859-5950-48c0-95CA-316EF9A96C28}.exe

Filesize
180KB

MD5
af20159326183483bd179257e3fa8e8f

SHA1
ea9fe7e04a968142cfa1bbfd38b41891da999acc

SHA256
0137f498b374a6d004c47d1e28906188d674f427dd3332f933bf799083ff88fa

SHA512
0962595ffb0296c7c4367b2c910d583a47b3268dbb8f2c5eb52ac61b7d9296335543d2b16c120c4aa6dc2abeb0a946854f173153564e5c001f4963d317ccfa79

Download Submit
C:\Windows\{60DE2479-C5FC-426e-A478-8731185C6FF5}.exe

Filesize
180KB

MD5
0d565eba09bc2e7f5917cf9a809ebe99

SHA1
1df6335c5fd93d553c6876947daedfa9a167157b

SHA256
279e4e8902da4243a9d74124f72fe2cae6802ca6e8c87ff27b2015830a2de2b8

SHA512
29753d6c45d91e10e3bee49b6d3bd58aeaca57b68eb4ddc7ae8889726b7943a23c8c050537c7c62ce85e57c715580a39c8de8a2a83e27bbddde2a87efadcc332

Download Submit
C:\Windows\{61DDC011-B019-4ad4-84BF-A8FA25DA84D8}.exe

Filesize
180KB

MD5
8165ba5eebac8c2c7db2e7059ec8a383

SHA1
a72f8d95e5f04c56f8f878e0be0cb604945e5a9f

SHA256
2a236ffea7420da81ccb20e9378375aba8453a1b7e9926af7060eb36f1fc6d63

SHA512
5adf778ec1d03214d3530d804edcff19612716dbd69dce7f19f7d4d0744f2396e92cdbdda60471e53d595bfd98d985a2ee35bd2d2f4b5de797e8d57bd8041055

Download Submit
C:\Windows\{73F285BC-A5B2-4d9d-BEE3-41D01D12F4CE}.exe

Filesize
180KB

MD5
4e30f202a1cfdcd9eb5391cfe9ded1c0

SHA1
8d41f5d9444b6c9a591a9468b89c6f22fcf04bfb

SHA256
5d4aabe0f882644abe08347a42972e1080cbf17a67434a212519ed787c166cb8

SHA512
18cf28df7514f12fe780ee4c27c4a9d5baf637fb6f571764ebc0cef31fcd289a05ea0d840d123e67ccc2358ab6ae816855dbef8799280a11c3d07ecc156462d9

Download Submit
C:\Windows\{787F72C9-D595-4f61-A843-76A00E021DF2}.exe

Filesize
180KB

MD5
6799bd3f544e330d778bbd7a5341c79a

SHA1
9d0d213afdd6c84b203e24b3149fa51335acc631

SHA256
0c730fc9b14e59d1cfecc660f4b137236b8a3dbd343f3548e48771b9d3be9af9

SHA512
204fd1db8199ea82fe8eeb85d831b120b09b603bfababaa72a98eb36b3c0cfaf407f5e74cf87d62edd8c6860c8d68007a686af9d174272c88219ec07980af03c

Download Submit
C:\Windows\{837D2123-78C0-4d26-B8B4-5387A54507E2}.exe

Filesize
180KB

MD5
33dda1624d5451f402d876884a5902c8

SHA1
557e4ede72c848f3aa8790bc1501c257e386ae3d

SHA256
a08b97525edf5661e23696f7170e4723c5642a72d3f4c27ba8720baf61cc8a6a

SHA512
4470af220260459aa9da1180fff314baed33cdc6b58127a676bd00692d8569cf10e35b12ef80aca0e461d29a52460d084a22ac1978431e6a1094925b63343072

Download Submit
C:\Windows\{869EA7DC-0FAA-425a-88EE-C3170345612C}.exe

Filesize
180KB

MD5
1c716713aee3fcaac0ccf94f19adc666

SHA1
35f8fb0ae66369459d57de0a85644768534b51b9

SHA256
2060f4a3d9b6d15b8a00ee512562a98c2516657f343b20de8d96c1be287d9028

SHA512
51ab763a9942c8ce94e3dec10d5b4800560252b66d6f44716d664984936a6ba02441200af414a9bfc524a5f1f9bc5426d350e6a3844e5fd4afc562b8b0035b14

Download Submit
C:\Windows\{9C15BC21-61C0-469e-B0C8-CCED67A3367F}.exe

Filesize
180KB

MD5
8d04325b8f52397cf6eabf73d55241ab

SHA1
3f89e77a50738b733f5225207f5b2db7c88be438

SHA256
966221f066672f3d3df386887a4788816dd8913f9f07d89a601ffeef449b9f6c

SHA512
288f58dcf680bbe9791ca9206dd923aceb16638bd346c015835acd6c2a2a42ad1c91a3054bb5dcdd7996eaf11ac5dd530766aabe88387635f5737fc9ba3d2f65

Download Submit
C:\Windows\{E3409B76-CA56-4fec-A4E7-0C053933F69C}.exe

Filesize
180KB

MD5
479b7266d8efc26038495c58c3608fad

SHA1
78b1a89799b3c01abbf4295f68ed9449fbc39d55

SHA256
f176dffaf4856c490ded265495d81be5d39d19bf300a3bec4acfb34b1cbc21ec

SHA512
c3eea4199cb7024a1fba0aad0ba12ed3f8195ddb9042ff0ca215bc83c8990706850e7a8e259db03e46a5cd2e78188d4dd43d8ce7d5f14bb8469fe818c9a6a5fd

Download Submit
C:\Windows\{FB11B714-0FD8-482e-87B1-86995C8F1D75}.exe

Filesize
180KB

MD5
e53a1bb7659001aac6e589d8fcf6eea5

SHA1
85e4b1e8f8d8f717745612bfb832762695946b04

SHA256
5c1aa225eacbeb553fc0ae87b7a63b50949fd3e768e4dadf4bd0d77250905ffe

SHA512
a74d82a4115621468eb35d3b8d4c45dac652658c0466bedb563eb218a68f5fe1de0f5a63029df1b1182418641309a76c7e8e6531ef57485ff95ecef0ac1e0922

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads