43011feded4bbaf93d20e9f93ce1ad16d5736bc46f3fbce8cd4b87e0d8e333cd

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe
Size

197KB
MD5

629d2ea6bfbcb5a115ae6afcd82ec057
SHA1

824bcfc6b052cf6a260de85894d4956cc0f7b345
SHA256

43011feded4bbaf93d20e9f93ce1ad16d5736bc46f3fbce8cd4b87e0d8e333cd
SHA512

28534325d120f7cb6fe4ccb4977252c15a4505883fd2f817ddb832e49e4e9e0d63473d4b0adb1c477201b159c9e83f3fa9d297261b24d3ec1b73235b7f748b71
SSDEEP

3072:jEGh0o3l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGplEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023208-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023211-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023217-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023211-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF66F40A-6603-454b-994F-F1BB332347B3}\stubpath = "C:\\Windows\\{FF66F40A-6603-454b-994F-F1BB332347B3}.exe"	2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}	{FF66F40A-6603-454b-994F-F1BB332347B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04EC73D2-9F34-48e8-8F03-199B28747E46}\stubpath = "C:\\Windows\\{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe"	{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC2CC396-10AD-4df5-86DA-1926FDACEF61}\stubpath = "C:\\Windows\\{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe"	{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CA261AA-15A6-42a9-9854-098759803166}	{9637511C-4362-44dd-83D8-C565E435964D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF66F40A-6603-454b-994F-F1BB332347B3}	2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}	{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9637511C-4362-44dd-83D8-C565E435964D}	{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56D40DA6-B900-4b6d-A020-0DE34F7AF77D}	{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56D40DA6-B900-4b6d-A020-0DE34F7AF77D}\stubpath = "C:\\Windows\\{56D40DA6-B900-4b6d-A020-0DE34F7AF77D}.exe"	{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04EC73D2-9F34-48e8-8F03-199B28747E46}	{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}\stubpath = "C:\\Windows\\{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe"	{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}\stubpath = "C:\\Windows\\{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe"	{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CA261AA-15A6-42a9-9854-098759803166}\stubpath = "C:\\Windows\\{2CA261AA-15A6-42a9-9854-098759803166}.exe"	{9637511C-4362-44dd-83D8-C565E435964D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A62F83A-CE50-4681-B689-2DB7E215DC28}\stubpath = "C:\\Windows\\{3A62F83A-CE50-4681-B689-2DB7E215DC28}.exe"	{2CA261AA-15A6-42a9-9854-098759803166}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}	{3A62F83A-CE50-4681-B689-2DB7E215DC28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}\stubpath = "C:\\Windows\\{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}.exe"	{3A62F83A-CE50-4681-B689-2DB7E215DC28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}	{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC2CC396-10AD-4df5-86DA-1926FDACEF61}	{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}\stubpath = "C:\\Windows\\{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe"	{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}	{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9637511C-4362-44dd-83D8-C565E435964D}\stubpath = "C:\\Windows\\{9637511C-4362-44dd-83D8-C565E435964D}.exe"	{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A62F83A-CE50-4681-B689-2DB7E215DC28}	{2CA261AA-15A6-42a9-9854-098759803166}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}\stubpath = "C:\\Windows\\{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe"	{FF66F40A-6603-454b-994F-F1BB332347B3}.exe

Executes dropped EXE 11 IoCs

pid	Process
3880	{FF66F40A-6603-454b-994F-F1BB332347B3}.exe
1168	{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe
4220	{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe
4104	{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe
1944	{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe
4544	{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe
2372	{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe
2796	{9637511C-4362-44dd-83D8-C565E435964D}.exe
2220	{2CA261AA-15A6-42a9-9854-098759803166}.exe
1424	{3A62F83A-CE50-4681-B689-2DB7E215DC28}.exe
3532	{56D40DA6-B900-4b6d-A020-0DE34F7AF77D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe	{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe
File created	C:\Windows\{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe	{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe
File created	C:\Windows\{9637511C-4362-44dd-83D8-C565E435964D}.exe	{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe
File created	C:\Windows\{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe	{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe
File created	C:\Windows\{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe	{FF66F40A-6603-454b-994F-F1BB332347B3}.exe
File created	C:\Windows\{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe	{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe
File created	C:\Windows\{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe	{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe
File created	C:\Windows\{2CA261AA-15A6-42a9-9854-098759803166}.exe	{9637511C-4362-44dd-83D8-C565E435964D}.exe
File created	C:\Windows\{3A62F83A-CE50-4681-B689-2DB7E215DC28}.exe	{2CA261AA-15A6-42a9-9854-098759803166}.exe
File created	C:\Windows\{56D40DA6-B900-4b6d-A020-0DE34F7AF77D}.exe	{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}.exe
File created	C:\Windows\{FF66F40A-6603-454b-994F-F1BB332347B3}.exe	2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2916	2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3880	{FF66F40A-6603-454b-994F-F1BB332347B3}.exe
Token: SeIncBasePriorityPrivilege	1168	{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe
Token: SeIncBasePriorityPrivilege	4220	{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe
Token: SeIncBasePriorityPrivilege	4104	{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe
Token: SeIncBasePriorityPrivilege	1944	{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe
Token: SeIncBasePriorityPrivilege	4544	{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe
Token: SeIncBasePriorityPrivilege	2372	{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe
Token: SeIncBasePriorityPrivilege	2796	{9637511C-4362-44dd-83D8-C565E435964D}.exe
Token: SeIncBasePriorityPrivilege	2220	{2CA261AA-15A6-42a9-9854-098759803166}.exe
Token: SeIncBasePriorityPrivilege	2216	{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 3880	2916	2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe	89
PID 2916 wrote to memory of 3880	2916	2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe	89
PID 2916 wrote to memory of 3880	2916	2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe	89
PID 2916 wrote to memory of 2728	2916	2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe	90
PID 2916 wrote to memory of 2728	2916	2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe	90
PID 2916 wrote to memory of 2728	2916	2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe	90
PID 3880 wrote to memory of 1168	3880	{FF66F40A-6603-454b-994F-F1BB332347B3}.exe	94
PID 3880 wrote to memory of 1168	3880	{FF66F40A-6603-454b-994F-F1BB332347B3}.exe	94
PID 3880 wrote to memory of 1168	3880	{FF66F40A-6603-454b-994F-F1BB332347B3}.exe	94
PID 3880 wrote to memory of 4620	3880	{FF66F40A-6603-454b-994F-F1BB332347B3}.exe	95
PID 3880 wrote to memory of 4620	3880	{FF66F40A-6603-454b-994F-F1BB332347B3}.exe	95
PID 3880 wrote to memory of 4620	3880	{FF66F40A-6603-454b-994F-F1BB332347B3}.exe	95
PID 1168 wrote to memory of 4220	1168	{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe	97
PID 1168 wrote to memory of 4220	1168	{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe	97
PID 1168 wrote to memory of 4220	1168	{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe	97
PID 1168 wrote to memory of 3708	1168	{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe	98
PID 1168 wrote to memory of 3708	1168	{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe	98
PID 1168 wrote to memory of 3708	1168	{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe	98
PID 4220 wrote to memory of 4104	4220	{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe	99
PID 4220 wrote to memory of 4104	4220	{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe	99
PID 4220 wrote to memory of 4104	4220	{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe	99
PID 4220 wrote to memory of 1312	4220	{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe	100
PID 4220 wrote to memory of 1312	4220	{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe	100
PID 4220 wrote to memory of 1312	4220	{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe	100
PID 4104 wrote to memory of 1944	4104	{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe	101
PID 4104 wrote to memory of 1944	4104	{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe	101
PID 4104 wrote to memory of 1944	4104	{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe	101
PID 4104 wrote to memory of 2072	4104	{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe	102
PID 4104 wrote to memory of 2072	4104	{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe	102
PID 4104 wrote to memory of 2072	4104	{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe	102
PID 1944 wrote to memory of 4544	1944	{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe	103
PID 1944 wrote to memory of 4544	1944	{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe	103
PID 1944 wrote to memory of 4544	1944	{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe	103
PID 1944 wrote to memory of 4076	1944	{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe	104
PID 1944 wrote to memory of 4076	1944	{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe	104
PID 1944 wrote to memory of 4076	1944	{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe	104
PID 4544 wrote to memory of 2372	4544	{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe	105
PID 4544 wrote to memory of 2372	4544	{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe	105
PID 4544 wrote to memory of 2372	4544	{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe	105
PID 4544 wrote to memory of 756	4544	{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe	106
PID 4544 wrote to memory of 756	4544	{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe	106
PID 4544 wrote to memory of 756	4544	{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe	106
PID 2372 wrote to memory of 2796	2372	{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe	107
PID 2372 wrote to memory of 2796	2372	{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe	107
PID 2372 wrote to memory of 2796	2372	{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe	107
PID 2372 wrote to memory of 4684	2372	{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe	108
PID 2372 wrote to memory of 4684	2372	{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe	108
PID 2372 wrote to memory of 4684	2372	{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe	108
PID 2796 wrote to memory of 2220	2796	{9637511C-4362-44dd-83D8-C565E435964D}.exe	109
PID 2796 wrote to memory of 2220	2796	{9637511C-4362-44dd-83D8-C565E435964D}.exe	109
PID 2796 wrote to memory of 2220	2796	{9637511C-4362-44dd-83D8-C565E435964D}.exe	109
PID 2796 wrote to memory of 4460	2796	{9637511C-4362-44dd-83D8-C565E435964D}.exe	110
PID 2796 wrote to memory of 4460	2796	{9637511C-4362-44dd-83D8-C565E435964D}.exe	110
PID 2796 wrote to memory of 4460	2796	{9637511C-4362-44dd-83D8-C565E435964D}.exe	110
PID 2220 wrote to memory of 1424	2220	{2CA261AA-15A6-42a9-9854-098759803166}.exe	111
PID 2220 wrote to memory of 1424	2220	{2CA261AA-15A6-42a9-9854-098759803166}.exe	111
PID 2220 wrote to memory of 1424	2220	{2CA261AA-15A6-42a9-9854-098759803166}.exe	111
PID 2220 wrote to memory of 4936	2220	{2CA261AA-15A6-42a9-9854-098759803166}.exe	112
PID 2220 wrote to memory of 4936	2220	{2CA261AA-15A6-42a9-9854-098759803166}.exe	112
PID 2220 wrote to memory of 4936	2220	{2CA261AA-15A6-42a9-9854-098759803166}.exe	112
PID 2216 wrote to memory of 3532	2216	{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}.exe	115
PID 2216 wrote to memory of 3532	2216	{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}.exe	115
PID 2216 wrote to memory of 3532	2216	{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}.exe	115
PID 2216 wrote to memory of 1648	2216	{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_629d2ea6bfbcb5a115ae6afcd82ec057_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\{FF66F40A-6603-454b-994F-F1BB332347B3}.exe
  C:\Windows\{FF66F40A-6603-454b-994F-F1BB332347B3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe
    C:\Windows\{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe
      C:\Windows\{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4220
    - - C:\Windows\{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe
        
        C:\Windows\{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4104
      - C:\Windows\{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe
        
        C:\Windows\{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe
        
        C:\Windows\{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe
        
        C:\Windows\{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{9637511C-4362-44dd-83D8-C565E435964D}.exe
        
        C:\Windows\{9637511C-4362-44dd-83D8-C565E435964D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{2CA261AA-15A6-42a9-9854-098759803166}.exe
        
        C:\Windows\{2CA261AA-15A6-42a9-9854-098759803166}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\{3A62F83A-CE50-4681-B689-2DB7E215DC28}.exe
        
        C:\Windows\{3A62F83A-CE50-4681-B689-2DB7E215DC28}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}.exe
        
        C:\Windows\{7AAC40C5-CAA6-4871-AB1D-48578B2E886B}.exe
        12⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\{56D40DA6-B900-4b6d-A020-0DE34F7AF77D}.exe
        
        C:\Windows\{56D40DA6-B900-4b6d-A020-0DE34F7AF77D}.exe
        13⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AAC4~1.EXE > nul
        13⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A62F~1.EXE > nul
        12⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CA26~1.EXE > nul
        11⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96375~1.EXE > nul
        10⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3520~1.EXE > nul
        9⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4947~1.EXE > nul
        8⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC2CC~1.EXE > nul
        7⤵
        
        PID:4076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04EC7~1.EXE > nul
        6⤵
        
        PID:2072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA4C7~1.EXE > nul
        5⤵
        
        PID:1312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{73DC9~1.EXE > nul
      4⤵
      PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FF66F~1.EXE > nul
    3⤵
    PID:4620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04EC73D2-9F34-48e8-8F03-199B28747E46}.exe

Filesize
197KB

MD5
7b1099bb795293abe6fb08bc46a3b97e

SHA1
271a3eac3731be4e32d5d6f5c08ea7fea56e928a

SHA256
09cc47f0ce8ea1bcb8966dc8f6d0a51d2ca6bcdb2fac543eca1ef6d2eeca87c7

SHA512
690abb542c7e6e67878efe772c5cef1611947ab37b66e26e4329e9f39f33311bf230431a639efe2f62eb30c48d0f517194f30af2359c4356f487ee659274cb41

Download Submit
C:\Windows\{2CA261AA-15A6-42a9-9854-098759803166}.exe

Filesize
197KB

MD5
aa774b86aadcf7cf3ac1d2c2f7167102

SHA1
ba31b00b6ebd0737cf4c5bd38997672bae601cc6

SHA256
a8e40bbd353dbca0c2919b819509c0e52eaef5fbb4839a6fd9902e5c677b41a8

SHA512
ce18851482285f731474dcb0e8b8b9013612370c301817d0a97fcbcadd3d9f01c15962382f43175e10b660bd7f598becc80967309134a5aca5e377700e9b5256

Download Submit
C:\Windows\{3A62F83A-CE50-4681-B689-2DB7E215DC28}.exe

Filesize
197KB

MD5
5739990a56bbcd973374f61bcefd08d1

SHA1
ddadd5c1411687ec9463f4438870278f85797db3

SHA256
b4a5ec55b7e22913707badcf5e8b283be66ee071dae158ba1a97fd9a1fd1f8ab

SHA512
a8fd4f490d19d8262bfeb6afa8d82741133da628356da0635c707bed24f32052222fe3664f5f64e64fde81b173d33b05e0905e5fcabcd09b85f6b6c5ef339606

Download Submit
C:\Windows\{56D40DA6-B900-4b6d-A020-0DE34F7AF77D}.exe

Filesize
197KB

MD5
5564a9cb61cb998a99f3f4193b2ebc4c

SHA1
3ab557dc5a231576e73fc3469d82890b3a58de8f

SHA256
7c71c8c3dcec440d8b72eda77615757d71cff7f2188a9056f16f7963e6d512da

SHA512
ca31a367216c1c5a18319e1f83710761a0c09a2499b9c8a26064795109e6d4ada5f07bda3850a1721f0b55121d2296ded4a9d9c123cd0edf8f5e86645d5ec173

Download Submit
C:\Windows\{73DC9496-0CE8-488a-AEBB-EEF30C7BCA10}.exe

Filesize
197KB

MD5
ddbcba036abe67eeb817b427cb7deee3

SHA1
deec68f2c414adb5e1f6ae456e84762a4c10be81

SHA256
ce0f42fff81f1d7803e7c82ee83b26cfb5c68df69557800cc98191b34d5c8b61

SHA512
52e923f142aafedb4c286702a8312fd31465a82e9e531e673136d72dea1914ba6df4a4d8c87f3d060f9f6323a847fcf7bb0c7d71128e8ecd3546bf44aa2bab4e

Download Submit
C:\Windows\{9637511C-4362-44dd-83D8-C565E435964D}.exe

Filesize
197KB

MD5
d31d341d5a279aa5d4eb2c1e994f8016

SHA1
ca1315e81f20717bfef8b9a8ea3ceb240c5e430e

SHA256
d87bf0047a215ec245726e995ae664c08b201dc01f1285575ceb641c93ea27e4

SHA512
bfeaecbab9d9fd9ca1308df1cd85786be67f3d30e86fb17d12f4c86af1754a48a82942088726df8907c7ba57f6758d90a6a7a48f6dc93789b08eab21f378a0e3

Download Submit
C:\Windows\{C4947AFD-B8C9-465a-8A6D-EA7544115CD2}.exe

Filesize
197KB

MD5
16022e61fe8c2db63fb0dc692a9fb52e

SHA1
c975cd471af9b3f03d5d99d3c991b040a12170d7

SHA256
7e11f8e3c192172e80d68b3b55a3a6d4c3860c95f6371db5434754ad6955a388

SHA512
5086b36bee5da5e3c3f00c6c87b586f297f1eaf47a0c5890fd458c2df722763316b3cbff76250df64dcffeb47ea66e0335081f048a96702f85d53d6843c682ab

Download Submit
C:\Windows\{CA4C7695-DF90-49d0-8BD7-A8EFF5765468}.exe

Filesize
197KB

MD5
efffc5f97b2389444a20be04fecfb84b

SHA1
fb89847e0678d1056d3b742f561e18fc5c1df08f

SHA256
547e48b8f3682bff122da1da3ebf82d40adce14f2b1c81b45468fb79ba4ab633

SHA512
41b1d967665f8eae91ef0224c5922be206c20b182316f50c94e66af41ccad575da31ddf02d69ce7bdd367dbf2df703e94d32f414865f72c1f3a71717adfd4c70

Download Submit
C:\Windows\{E35202EC-CFA1-47f8-AF3E-B151EEF97C45}.exe

Filesize
197KB

MD5
9329f6f603a87b89f02ec9e9ca97be13

SHA1
8d291fe5bd5e215c77d54b4e7fc1ebc570300f9f

SHA256
bc0f4c0ca0b2946cf7bf1c491478c303c236e74ea85a3f969979fb7fe0a00aa3

SHA512
b8c27cf075519ca1c4f7fa1e0d351d2154ccce2af9b2c08c36ddc6bf9b3b60c51b353829b6b708a552ef83e7b6116a8e4239c7b2cbf384c0f6de13bb899eae89

Download Submit
C:\Windows\{EC2CC396-10AD-4df5-86DA-1926FDACEF61}.exe

Filesize
197KB

MD5
bb7c3dd8ad9d60cdcebde8a0d34dbc7b

SHA1
2d1c9b0ee445580cc9fa1f38dbd950346fe5bfaa

SHA256
d5cc66831b1ae4ad4bb225c4b92eb22f9487197eaa8c351f34e35772a8b7ec34

SHA512
546711101832cfe4877ca950db0791306abadfd4bb7476909d8f0f346723e306b892f8894bc65cb088e122a3bd3d25bf21edaebfb97c0e34a82c7098c4f68e88

Download Submit
C:\Windows\{FF66F40A-6603-454b-994F-F1BB332347B3}.exe

Filesize
197KB

MD5
bf09208def9f29d7f8cf0a21e06fe367

SHA1
4c988a2c16f7a7f9b4f1e0b3ab2e2a8ce98b62d1

SHA256
d81b88f3c725d0713e45215110aa5051abe870c5e20b40f215fe47ca5ba6df74

SHA512
f54a73af2e33149ba6c13752df58fcb54d9e786ca68010a282af40f01162bd8c72bb89d1c799a47fb72961d9946754848e1e80b80381ec3ed182a2496af34f38

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads