6604744b89694e11bc16360a5ccf71213e3b9f928c029a04f789550bb8b7741e

Analysis

max time kernel
144s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe
Size

408KB
MD5

a4bcf7421cda7b3069d3994df67b7d00
SHA1

f87f0619427df07caab420c246b28870e4bf382a
SHA256

6604744b89694e11bc16360a5ccf71213e3b9f928c029a04f789550bb8b7741e
SHA512

3e7ec216b290e8208c1a68aac20545bdd6f6c14e2ef72f3b2fd2509a3d58d29390a3d2fa187afdb593815ab05ad40e80f0b169a1a3bf2d66ca3462af00febe46
SSDEEP

3072:CEGh0owl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGuldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023142-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023148-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023149-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000200000001e2c0-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002181f-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002181f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023150-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000000707-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000006df-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56FDC652-39C0-4c7b-AAF1-16AFFC422486}	{13E4F216-97C4-4969-9A53-347090BB87BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}	{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{143DBF59-EA39-45f0-A258-0DF4ED6B1765}\stubpath = "C:\\Windows\\{143DBF59-EA39-45f0-A258-0DF4ED6B1765}.exe"	{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8E5610B-DDBA-461b-B50C-DF670BA17B67}\stubpath = "C:\\Windows\\{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe"	2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E4F216-97C4-4969-9A53-347090BB87BC}	{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E4F216-97C4-4969-9A53-347090BB87BC}\stubpath = "C:\\Windows\\{13E4F216-97C4-4969-9A53-347090BB87BC}.exe"	{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D09086E-650F-4b28-B6E2-A2C1352B8512}\stubpath = "C:\\Windows\\{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe"	{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}\stubpath = "C:\\Windows\\{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe"	{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{143DBF59-EA39-45f0-A258-0DF4ED6B1765}	{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8E5610B-DDBA-461b-B50C-DF670BA17B67}	2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{415B36A1-0C33-4651-90D0-32A0C95B4C1D}	{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}	{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}\stubpath = "C:\\Windows\\{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe"	{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}	{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}\stubpath = "C:\\Windows\\{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe"	{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{415B36A1-0C33-4651-90D0-32A0C95B4C1D}\stubpath = "C:\\Windows\\{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe"	{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D09086E-650F-4b28-B6E2-A2C1352B8512}	{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0180427F-95C3-44ca-8F2C-D765D97535FB}\stubpath = "C:\\Windows\\{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe"	{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56FDC652-39C0-4c7b-AAF1-16AFFC422486}\stubpath = "C:\\Windows\\{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe"	{13E4F216-97C4-4969-9A53-347090BB87BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0180427F-95C3-44ca-8F2C-D765D97535FB}	{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe

Executes dropped EXE 10 IoCs

pid	Process
3884	{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe
760	{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe
1892	{13E4F216-97C4-4969-9A53-347090BB87BC}.exe
3520	{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe
5052	{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe
1020	{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe
2460	{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe
3324	{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe
4276	{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe
5036	{143DBF59-EA39-45f0-A258-0DF4ED6B1765}.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe	{13E4F216-97C4-4969-9A53-347090BB87BC}.exe
File created	C:\Windows\{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe	{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe
File created	C:\Windows\{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe	{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe
File created	C:\Windows\{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe	{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe
File created	C:\Windows\{143DBF59-EA39-45f0-A258-0DF4ED6B1765}.exe	{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe
File created	C:\Windows\{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe	2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe
File created	C:\Windows\{13E4F216-97C4-4969-9A53-347090BB87BC}.exe	{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe
File created	C:\Windows\{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe	{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe
File created	C:\Windows\{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe	{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe
File created	C:\Windows\{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe	{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2028	2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3884	{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe
Token: SeIncBasePriorityPrivilege	760	{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe
Token: SeIncBasePriorityPrivilege	1892	{13E4F216-97C4-4969-9A53-347090BB87BC}.exe
Token: SeIncBasePriorityPrivilege	3520	{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe
Token: SeIncBasePriorityPrivilege	5052	{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe
Token: SeIncBasePriorityPrivilege	1020	{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe
Token: SeIncBasePriorityPrivilege	2460	{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe
Token: SeIncBasePriorityPrivilege	3324	{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe
Token: SeIncBasePriorityPrivilege	4276	{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 3884	2028	2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe	86
PID 2028 wrote to memory of 3884	2028	2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe	86
PID 2028 wrote to memory of 3884	2028	2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe	86
PID 2028 wrote to memory of 4368	2028	2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe	87
PID 2028 wrote to memory of 4368	2028	2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe	87
PID 2028 wrote to memory of 4368	2028	2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe	87
PID 3884 wrote to memory of 760	3884	{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe	88
PID 3884 wrote to memory of 760	3884	{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe	88
PID 3884 wrote to memory of 760	3884	{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe	88
PID 3884 wrote to memory of 3012	3884	{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe	89
PID 3884 wrote to memory of 3012	3884	{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe	89
PID 3884 wrote to memory of 3012	3884	{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe	89
PID 760 wrote to memory of 1892	760	{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe	90
PID 760 wrote to memory of 1892	760	{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe	90
PID 760 wrote to memory of 1892	760	{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe	90
PID 760 wrote to memory of 1544	760	{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe	91
PID 760 wrote to memory of 1544	760	{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe	91
PID 760 wrote to memory of 1544	760	{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe	91
PID 1892 wrote to memory of 3520	1892	{13E4F216-97C4-4969-9A53-347090BB87BC}.exe	93
PID 1892 wrote to memory of 3520	1892	{13E4F216-97C4-4969-9A53-347090BB87BC}.exe	93
PID 1892 wrote to memory of 3520	1892	{13E4F216-97C4-4969-9A53-347090BB87BC}.exe	93
PID 1892 wrote to memory of 4916	1892	{13E4F216-97C4-4969-9A53-347090BB87BC}.exe	94
PID 1892 wrote to memory of 4916	1892	{13E4F216-97C4-4969-9A53-347090BB87BC}.exe	94
PID 1892 wrote to memory of 4916	1892	{13E4F216-97C4-4969-9A53-347090BB87BC}.exe	94
PID 3520 wrote to memory of 5052	3520	{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe	98
PID 3520 wrote to memory of 5052	3520	{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe	98
PID 3520 wrote to memory of 5052	3520	{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe	98
PID 3520 wrote to memory of 2948	3520	{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe	99
PID 3520 wrote to memory of 2948	3520	{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe	99
PID 3520 wrote to memory of 2948	3520	{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe	99
PID 5052 wrote to memory of 1020	5052	{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe	103
PID 5052 wrote to memory of 1020	5052	{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe	103
PID 5052 wrote to memory of 1020	5052	{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe	103
PID 5052 wrote to memory of 2316	5052	{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe	104
PID 5052 wrote to memory of 2316	5052	{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe	104
PID 5052 wrote to memory of 2316	5052	{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe	104
PID 1020 wrote to memory of 2460	1020	{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe	105
PID 1020 wrote to memory of 2460	1020	{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe	105
PID 1020 wrote to memory of 2460	1020	{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe	105
PID 1020 wrote to memory of 2424	1020	{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe	106
PID 1020 wrote to memory of 2424	1020	{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe	106
PID 1020 wrote to memory of 2424	1020	{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe	106
PID 2460 wrote to memory of 3324	2460	{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe	107
PID 2460 wrote to memory of 3324	2460	{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe	107
PID 2460 wrote to memory of 3324	2460	{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe	107
PID 2460 wrote to memory of 3824	2460	{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe	108
PID 2460 wrote to memory of 3824	2460	{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe	108
PID 2460 wrote to memory of 3824	2460	{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe	108
PID 3324 wrote to memory of 4276	3324	{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe	109
PID 3324 wrote to memory of 4276	3324	{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe	109
PID 3324 wrote to memory of 4276	3324	{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe	109
PID 3324 wrote to memory of 4548	3324	{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe	110
PID 3324 wrote to memory of 4548	3324	{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe	110
PID 3324 wrote to memory of 4548	3324	{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe	110
PID 4276 wrote to memory of 5036	4276	{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe	111
PID 4276 wrote to memory of 5036	4276	{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe	111
PID 4276 wrote to memory of 5036	4276	{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe	111
PID 4276 wrote to memory of 836	4276	{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe	112
PID 4276 wrote to memory of 836	4276	{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe	112
PID 4276 wrote to memory of 836	4276	{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_a4bcf7421cda7b3069d3994df67b7d00_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe
  C:\Windows\{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe
    C:\Windows\{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\{13E4F216-97C4-4969-9A53-347090BB87BC}.exe
      C:\Windows\{13E4F216-97C4-4969-9A53-347090BB87BC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe
        
        C:\Windows\{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
      - C:\Windows\{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe
        
        C:\Windows\{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe
        
        C:\Windows\{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe
        
        C:\Windows\{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe
        
        C:\Windows\{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe
        
        C:\Windows\{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\{143DBF59-EA39-45f0-A258-0DF4ED6B1765}.exe
        
        C:\Windows\{143DBF59-EA39-45f0-A258-0DF4ED6B1765}.exe
        11⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{143DB~1.EXE > nul
        12⤵
        
        PID:5012
        
        C:\Windows\{82861416-BA8F-4250-B4A6-15D0150B7AF0}.exe
        
        C:\Windows\{82861416-BA8F-4250-B4A6-15D0150B7AF0}.exe
        12⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E67CC~1.EXE > nul
        11⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01804~1.EXE > nul
        10⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D32F~1.EXE > nul
        9⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{515CF~1.EXE > nul
        8⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D090~1.EXE > nul
        7⤵
        
        PID:2316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56FDC~1.EXE > nul
        6⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13E4F~1.EXE > nul
        5⤵
        
        PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{415B3~1.EXE > nul
      4⤵
      PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F8E56~1.EXE > nul
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0180427F-95C3-44ca-8F2C-D765D97535FB}.exe

Filesize
408KB

MD5
91b96bfa45b5f9bbfd1fd79db6c60414

SHA1
1fa73f427644c9c149f113fbc7c053637257f58e

SHA256
66f0bc360aed92321cd14434c1d4fa4de534dfcfc019e9b8d09235b342b41427

SHA512
b32fb69e2bec97e23bee09a5cfecd92da3edd4141db4a97941a5090263f7c9d97c3e7fe0de6e79b795911ab39d2523f75c2b3c2ed8c212bdfdedc336a3c3c4f0

Download Submit
C:\Windows\{0D32FE62-5BBF-44f0-A2C1-6CB759DEA836}.exe

Filesize
408KB

MD5
a2d44244f1573c261296c4e110ced298

SHA1
aa87980bdf8ba85e13424ea214440e2799ee2c74

SHA256
ca070711a01b285e10c6c2cbe283479fe9e3cfcadd55bda548f82764f48b0010

SHA512
7b2f062f56943900751506d97bde5ccc814e590660723df349bb1f0e1e7dbf0615029bf8c8b5f6b8cd4083249f2e84f4847f0910e1a6e483503f4a9c0429d53e

Download Submit
C:\Windows\{13E4F216-97C4-4969-9A53-347090BB87BC}.exe

Filesize
408KB

MD5
c50ce9cdc236e60e3131decfe6e32aa9

SHA1
245db4fc3ed85f84ef38ab9d725d80c1e5a1473a

SHA256
8c4c4158aa3255e29ea4d168b87c9b214384a826d62cbaa6e10ee6ad88521aba

SHA512
393529be27954da4801a78f5ba5b56a0e4e7f6eda2b3dc3a45f98ec2db92fb7f4f7207a910b47a11bc5a5286b9ead0ecffb0338f8563a7c51e00f7cac214c50e

Download Submit
C:\Windows\{143DBF59-EA39-45f0-A258-0DF4ED6B1765}.exe

Filesize
292KB

MD5
9ca3e32e28f064dc2acdb6a5d5addf58

SHA1
1d999414bf4947a975d627bc900a4fabac47b2a2

SHA256
37a8776fbd3877a2cd0cb315455efb8d4945f32e038838a87aa3e186ffa96576

SHA512
cb47a1c8e2d8b3f82589160efc4c81640bc5ae3e3d4b4ee7efedffa42ca8735b02ad094c8c88dcab26f9c1a7230c8982cbbadeb1ed297073297570f858f9e802

Download Submit
C:\Windows\{143DBF59-EA39-45f0-A258-0DF4ED6B1765}.exe

Filesize
408KB

MD5
82d88503dd10554081a42327c12dbf8a

SHA1
304944efaf013f4c7f650c6fc371df8be30b959d

SHA256
38fa4f3b3d315a57c25695137198126981458bf612d6078cac717b0c4587e426

SHA512
ceef17c10375d9a91e630f1580ddce40be190bd23d21cdc21269393348f85ce92e722859cd590161b528ea4ca8f860644da1e8ebffd14176e7778185a485ced7

Download Submit
C:\Windows\{415B36A1-0C33-4651-90D0-32A0C95B4C1D}.exe

Filesize
408KB

MD5
513beda32c53510c92fcd0a634bfb1d1

SHA1
dee7c4ee0b64c21a4d93a3e0e43e7498bfe00c62

SHA256
9e3fb7e9345c24221d0c784e1ec571c76a2870a29efb847a803061c08163951c

SHA512
50ee60952ac93f3c4691c5b76df697911da530a40f5e419681eae7e73a0b132c79803b876dce95271ee4f1d0206bbac58c41fd13887660c8223561d6c2bbadf0

Download Submit
C:\Windows\{515CFE2E-5429-4893-9AB4-B0AE15FB9E7F}.exe

Filesize
408KB

MD5
a3be48ed958611638559c54c0445a522

SHA1
8c3272ea2791801c1ad0e0496718619f6b1a6594

SHA256
8c5cf4b3cd9317219980232a0f8e304829bd767c9301ca78c58f48b36039bf68

SHA512
c2653b897469ef8b708afe137177fb64f84251ad7da91489650f39ef2b20acc9d98b244257df499ee50fca6945cfff10fe176d19f2dbaa62c7e7bbd0e6f3f3d8

Download Submit
C:\Windows\{56FDC652-39C0-4c7b-AAF1-16AFFC422486}.exe

Filesize
408KB

MD5
8382dedb655731419b8fff08c9212eac

SHA1
1f710b42a37bc13e108747c2ce41d5785774db22

SHA256
f3d1b738625fb0a9e3ffbdd45337f04120a5affbad25c825b2c09c3490159b78

SHA512
d7eb3e31f7caf1e1f971993fe93bf936c7a7c527af171b39a27e65299b181d56241200727811c475e675c952abbc2df8726f425b74da6544b9f98e84039d984b

Download Submit
C:\Windows\{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe

Filesize
142KB

MD5
295301acfaaa7429c425ce312513412e

SHA1
67674e3d41e3088fa6e3f1ec7ee28fd99dfad709

SHA256
e74f4a2dfb2587bcdb3148039208212f7dda30fac5af07a5e77ecbead520fa25

SHA512
7043fe0006ba06b59eefe24268ef4d819e07e95e44ac691a053fad63b596d5708661cc5d7c5065255bc6cb8b7da1ff6f25c65c16764d98e10248f43b5ba73dc8

Download Submit
C:\Windows\{5D09086E-650F-4b28-B6E2-A2C1352B8512}.exe

Filesize
25KB

MD5
9f151c9597e83fa1bbb1ffc2e6f86f5f

SHA1
d0bd0cdaa7fe261e97ce63cfde3fd03561da3282

SHA256
232d8e1dcb478366370da6e2ce5c4d0440fb96392b81ee78d82ce8ec12241104

SHA512
a7df7816cb1553c307d1b50c7810b2576d4fa08be1de2a1b4da58aabbce29691422799ae29905b1461123ec14eabd0bd9bbba96765fb3607addc715ab421c437

Download Submit
C:\Windows\{82861416-BA8F-4250-B4A6-15D0150B7AF0}.exe

Filesize
408KB

MD5
58f67b4dd5cbc7295133051ed9c0d37c

SHA1
32b4f4ca03aa7ec427b268928b457b8981b3c8ff

SHA256
e17c5621eb66f223cfd734a296b1ed6eef553a1175ced4d70ae48f81ce335cd1

SHA512
e2f02d0cb50edc8618812acbe76e2b4b16ed21864667b13918b7c99be03841a814cd8f9279c7548cc4af836d5bd7e119b414dec9c8964883779eac53f3af75e9

Download Submit
C:\Windows\{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe

Filesize
184KB

MD5
e1f5cdb41d2117ae48a2b3932faa94e2

SHA1
5dde229fb9f449ee749aeed382d2c2b35530f841

SHA256
1486dd50cc0b13bed37a203f7155d0ee8f4fac622ce10584c48f42aefc2b30d8

SHA512
9e408eadf8624d1d95c81b87b47a9a7b650654ee4a2a44d4af287fe03c6da298ad6d4b7d1a26b8f648d66ae2512318622a7a9642915912a1fbf0d176c23cd441

Download Submit
C:\Windows\{E67CC50B-DA6A-4d20-BC13-F9C091BB5A5F}.exe

Filesize
139KB

MD5
bd0f0f4f11d4b61390a09b4e39705236

SHA1
2ec7f3a8c2063b6a645f658fb53a493e8e06188b

SHA256
de76b1626a035f3f7686591cf278fd0ad5fac160622751c841b9518c3d0804a8

SHA512
85b290897b3f49fe2d06062cf4cdb0506d3c026325fab7c2eaf02f8e7b0d042d0883d3a1dcabbd8fbc26c84f1508623d4f588bb5ec961cdaba53db6e8bd61d8b

Download Submit
C:\Windows\{F8E5610B-DDBA-461b-B50C-DF670BA17B67}.exe

Filesize
408KB

MD5
4ea39748d1c2eea21e5b978539edb9dc

SHA1
5ea53333c7763645c376c8f6cd178aa708e3405b

SHA256
0a9383d03f536c04a1305ae4e2ac7dfe139190e69ed9aeafd484a2a4b8a2b95d

SHA512
8ec8637a7b12184454e026a9025a40ac5307d59356cdde0634e60e04a9f4cb373129edff08c84c91db0ade7a8d81948d079e642e4053a7eea672f0b877ceb8c9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads