440cc9442c94ca63ab52b996966cd834cffd81d5440ba86a28391ed37caf9832

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe
Size

168KB
MD5

d7f73c4ef67ba7064bdbe281715006cc
SHA1

e29ce43cf7e7bdd440b636f6c99ac16aa6bb9a3d
SHA256

440cc9442c94ca63ab52b996966cd834cffd81d5440ba86a28391ed37caf9832
SHA512

b077f58bbefa91993e60fdfc551f571cd31e3d69a3440404141a23a50155c0ef72bb6476cf8ef8ce96f8ccaf59aee4cb3fbcbc38da863a4863d58269c504d999
SSDEEP

1536:1EGh0o2lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o2lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f3-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e0b8-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023202-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000001e0b8-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004600000001e0be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000001e0b8-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x004700000001e0be-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A7C3998-9062-466a-B05C-87BB0CF41BD3}	{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}	{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}\stubpath = "C:\\Windows\\{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe"	{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}	{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{964F105C-090B-403b-9458-E69FDFAF2B57}	{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{964F105C-090B-403b-9458-E69FDFAF2B57}\stubpath = "C:\\Windows\\{964F105C-090B-403b-9458-E69FDFAF2B57}.exe"	{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49BB22A1-2372-4c96-B0BB-38E04C2CA777}	{964F105C-090B-403b-9458-E69FDFAF2B57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49BB22A1-2372-4c96-B0BB-38E04C2CA777}\stubpath = "C:\\Windows\\{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe"	{964F105C-090B-403b-9458-E69FDFAF2B57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}	{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8D95684-1CAC-4995-98CE-60FAB9C500FD}	{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD187B2-3DFB-4395-BC7F-7F42D796451D}	{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E1D3282-D769-4183-B1FB-73413E2A3172}	2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A7C3998-9062-466a-B05C-87BB0CF41BD3}\stubpath = "C:\\Windows\\{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe"	{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8D95684-1CAC-4995-98CE-60FAB9C500FD}\stubpath = "C:\\Windows\\{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe"	{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD187B2-3DFB-4395-BC7F-7F42D796451D}\stubpath = "C:\\Windows\\{2DD187B2-3DFB-4395-BC7F-7F42D796451D}.exe"	{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{923711A5-20F7-4a8b-85B5-693E3B83494D}	{2DD187B2-3DFB-4395-BC7F-7F42D796451D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E1D3282-D769-4183-B1FB-73413E2A3172}\stubpath = "C:\\Windows\\{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe"	2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42F12947-ADE9-4899-8BAB-78A45D8DC55E}	{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42F12947-ADE9-4899-8BAB-78A45D8DC55E}\stubpath = "C:\\Windows\\{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe"	{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}\stubpath = "C:\\Windows\\{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe"	{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}\stubpath = "C:\\Windows\\{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe"	{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ABDF957-796C-4b3d-80CE-306109C495DB}	{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ABDF957-796C-4b3d-80CE-306109C495DB}\stubpath = "C:\\Windows\\{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe"	{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{923711A5-20F7-4a8b-85B5-693E3B83494D}\stubpath = "C:\\Windows\\{923711A5-20F7-4a8b-85B5-693E3B83494D}.exe"	{2DD187B2-3DFB-4395-BC7F-7F42D796451D}.exe

Executes dropped EXE 11 IoCs

pid	Process
1336	{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe
3312	{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe
3680	{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe
3192	{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe
720	{964F105C-090B-403b-9458-E69FDFAF2B57}.exe
640	{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe
2064	{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe
1096	{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe
2248	{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe
3676	{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe
1920	{2DD187B2-3DFB-4395-BC7F-7F42D796451D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe	2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe
File created	C:\Windows\{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe	{964F105C-090B-403b-9458-E69FDFAF2B57}.exe
File created	C:\Windows\{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe	{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe
File created	C:\Windows\{2DD187B2-3DFB-4395-BC7F-7F42D796451D}.exe	{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe
File created	C:\Windows\{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe	{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe
File created	C:\Windows\{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe	{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe
File created	C:\Windows\{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe	{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe
File created	C:\Windows\{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe	{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe
File created	C:\Windows\{964F105C-090B-403b-9458-E69FDFAF2B57}.exe	{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe
File created	C:\Windows\{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe	{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe
File created	C:\Windows\{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe	{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3936	2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1336	{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe
Token: SeIncBasePriorityPrivilege	3312	{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe
Token: SeIncBasePriorityPrivilege	3680	{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe
Token: SeIncBasePriorityPrivilege	3192	{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe
Token: SeIncBasePriorityPrivilege	720	{964F105C-090B-403b-9458-E69FDFAF2B57}.exe
Token: SeIncBasePriorityPrivilege	640	{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe
Token: SeIncBasePriorityPrivilege	2064	{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe
Token: SeIncBasePriorityPrivilege	1096	{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe
Token: SeIncBasePriorityPrivilege	2248	{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe
Token: SeIncBasePriorityPrivilege	3676	{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 1336	3936	2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe	88
PID 3936 wrote to memory of 1336	3936	2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe	88
PID 3936 wrote to memory of 1336	3936	2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe	88
PID 3936 wrote to memory of 1676	3936	2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe	89
PID 3936 wrote to memory of 1676	3936	2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe	89
PID 3936 wrote to memory of 1676	3936	2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe	89
PID 1336 wrote to memory of 3312	1336	{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe	93
PID 1336 wrote to memory of 3312	1336	{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe	93
PID 1336 wrote to memory of 3312	1336	{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe	93
PID 1336 wrote to memory of 2228	1336	{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe	92
PID 1336 wrote to memory of 2228	1336	{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe	92
PID 1336 wrote to memory of 2228	1336	{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe	92
PID 3312 wrote to memory of 3680	3312	{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe	96
PID 3312 wrote to memory of 3680	3312	{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe	96
PID 3312 wrote to memory of 3680	3312	{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe	96
PID 3312 wrote to memory of 4268	3312	{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe	95
PID 3312 wrote to memory of 4268	3312	{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe	95
PID 3312 wrote to memory of 4268	3312	{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe	95
PID 3680 wrote to memory of 3192	3680	{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe	97
PID 3680 wrote to memory of 3192	3680	{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe	97
PID 3680 wrote to memory of 3192	3680	{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe	97
PID 3680 wrote to memory of 2720	3680	{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe	98
PID 3680 wrote to memory of 2720	3680	{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe	98
PID 3680 wrote to memory of 2720	3680	{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe	98
PID 3192 wrote to memory of 720	3192	{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe	99
PID 3192 wrote to memory of 720	3192	{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe	99
PID 3192 wrote to memory of 720	3192	{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe	99
PID 3192 wrote to memory of 4604	3192	{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe	100
PID 3192 wrote to memory of 4604	3192	{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe	100
PID 3192 wrote to memory of 4604	3192	{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe	100
PID 720 wrote to memory of 640	720	{964F105C-090B-403b-9458-E69FDFAF2B57}.exe	101
PID 720 wrote to memory of 640	720	{964F105C-090B-403b-9458-E69FDFAF2B57}.exe	101
PID 720 wrote to memory of 640	720	{964F105C-090B-403b-9458-E69FDFAF2B57}.exe	101
PID 720 wrote to memory of 2380	720	{964F105C-090B-403b-9458-E69FDFAF2B57}.exe	102
PID 720 wrote to memory of 2380	720	{964F105C-090B-403b-9458-E69FDFAF2B57}.exe	102
PID 720 wrote to memory of 2380	720	{964F105C-090B-403b-9458-E69FDFAF2B57}.exe	102
PID 640 wrote to memory of 2064	640	{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe	103
PID 640 wrote to memory of 2064	640	{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe	103
PID 640 wrote to memory of 2064	640	{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe	103
PID 640 wrote to memory of 1372	640	{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe	104
PID 640 wrote to memory of 1372	640	{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe	104
PID 640 wrote to memory of 1372	640	{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe	104
PID 2064 wrote to memory of 1096	2064	{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe	105
PID 2064 wrote to memory of 1096	2064	{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe	105
PID 2064 wrote to memory of 1096	2064	{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe	105
PID 2064 wrote to memory of 4944	2064	{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe	106
PID 2064 wrote to memory of 4944	2064	{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe	106
PID 2064 wrote to memory of 4944	2064	{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe	106
PID 1096 wrote to memory of 2248	1096	{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe	107
PID 1096 wrote to memory of 2248	1096	{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe	107
PID 1096 wrote to memory of 2248	1096	{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe	107
PID 1096 wrote to memory of 3772	1096	{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe	108
PID 1096 wrote to memory of 3772	1096	{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe	108
PID 1096 wrote to memory of 3772	1096	{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe	108
PID 2248 wrote to memory of 3676	2248	{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe	109
PID 2248 wrote to memory of 3676	2248	{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe	109
PID 2248 wrote to memory of 3676	2248	{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe	109
PID 2248 wrote to memory of 4068	2248	{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe	110
PID 2248 wrote to memory of 4068	2248	{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe	110
PID 2248 wrote to memory of 4068	2248	{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe	110
PID 3676 wrote to memory of 1920	3676	{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe	111
PID 3676 wrote to memory of 1920	3676	{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe	111
PID 3676 wrote to memory of 1920	3676	{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe	111
PID 3676 wrote to memory of 4396	3676	{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_d7f73c4ef67ba7064bdbe281715006cc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe
  C:\Windows\{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4E1D3~1.EXE > nul
    3⤵
    PID:2228
- - C:\Windows\{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe
    C:\Windows\{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C1C75~1.EXE > nul
      4⤵
      PID:4268
  - - C:\Windows\{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe
      C:\Windows\{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Windows\{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe
        
        C:\Windows\{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3192
      - C:\Windows\{964F105C-090B-403b-9458-E69FDFAF2B57}.exe
        
        C:\Windows\{964F105C-090B-403b-9458-E69FDFAF2B57}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe
        
        C:\Windows\{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe
        
        C:\Windows\{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe
        
        C:\Windows\{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe
        
        C:\Windows\{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe
        
        C:\Windows\{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\{2DD187B2-3DFB-4395-BC7F-7F42D796451D}.exe
        
        C:\Windows\{2DD187B2-3DFB-4395-BC7F-7F42D796451D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\{923711A5-20F7-4a8b-85B5-693E3B83494D}.exe
        
        C:\Windows\{923711A5-20F7-4a8b-85B5-693E3B83494D}.exe
        13⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DD18~1.EXE > nul
        13⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ABDF~1.EXE > nul
        12⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8D95~1.EXE > nul
        11⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B9DC~1.EXE > nul
        10⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A7C3~1.EXE > nul
        9⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49BB2~1.EXE > nul
        8⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{964F1~1.EXE > nul
        7⤵
        
        PID:2380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53BFF~1.EXE > nul
        6⤵
        
        PID:4604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42F12~1.EXE > nul
        5⤵
        
        PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2A7C3998-9062-466a-B05C-87BB0CF41BD3}.exe

Filesize
168KB

MD5
cf1c5a23b8e639af322ca7e7a2b6aaab

SHA1
b047986ace165e8ea59fba4356ca05de65963b5d

SHA256
22758414be9dfa941bd0d2d802e51e8e77f2731612e8292f0341756bbbcd5df0

SHA512
9090fdc79a376bf852dd4eb766504ac21788acab25f1fbf22ebbe0e0ee245c102c5aec1179c5793c7d715d257f2345a281b5bd6ee435db265c19d9da355ccf96

Download Submit
C:\Windows\{2DD187B2-3DFB-4395-BC7F-7F42D796451D}.exe

Filesize
168KB

MD5
c5b74e38608275a57801376600e77c89

SHA1
7e94f010a0123daf7951c5e7780401b5031a3788

SHA256
435fcb56c9f61fc6e598d1a8aa3125f54352fc1826d7f7df39bf6b802585fc0b

SHA512
23e4e206da86ae350a43eceff3e37ca99d0066d1955643fb2b6466aa36fafe687895ac7e653f3662e7113cfcc74000bfb4c4eeeca461bdf6b9e9eaa5361da08b

Download Submit
C:\Windows\{3ABDF957-796C-4b3d-80CE-306109C495DB}.exe

Filesize
168KB

MD5
4e35c44bf75a6088f6b5bacf8f9af233

SHA1
7e6b42d180471ddecbbeea41da6a5db5aa1e4b45

SHA256
861b6945f1ae2bba3609438ee9a0aed605a96021250b8f5cf7ea2b90409fefc0

SHA512
2f615ce4aa95374227a3190ed94fdeb2b6ba644a24919352253e85a8e36bef81362a91515484831bc94ab8a101b435d5c24d963c3eb5f5cb82f911c6aa80f524

Download Submit
C:\Windows\{42F12947-ADE9-4899-8BAB-78A45D8DC55E}.exe

Filesize
168KB

MD5
c3852298132f5733c02788f7eb95ac34

SHA1
1e301e702f73c28b8cd7e47f18359061b16cc9ae

SHA256
577fb7e0fd0dd4b95c6bd10616008947578855f2d65e742af08354706be3fa6d

SHA512
9bfcacb0270c881a421cf1ed4353298844fd6d7849d566c8eccefd556ae840f0f79fe93d8668cb5953fa83d2c8580db315bd5c01a89b3dbab21d4b55c3c5ecd0

Download Submit
C:\Windows\{49BB22A1-2372-4c96-B0BB-38E04C2CA777}.exe

Filesize
168KB

MD5
7750c8117fd294d8ad88c7553e38e9c3

SHA1
93b9d665bf6e9d07b3a312360515ffd4c6d581e1

SHA256
a2bc5741d7291bad68f13da2ef5dd9578a10393d0a19c9cb3912d293abc6a1a5

SHA512
b6f64261b036a4963dfb2a748fbe3d8c91f14e8e3134b5f891d979c070ee5f3d1637453204d45a7325c44e828e92680511b94911ecfb731f7f15d3baf8ba3746

Download Submit
C:\Windows\{4E1D3282-D769-4183-B1FB-73413E2A3172}.exe

Filesize
168KB

MD5
a2f828584e2599c634c42cc409d7fa8f

SHA1
5956eb64a4e02b838ea8265250fca6caa5afe464

SHA256
b3edc1d482a52c185997a9591cb78854f95369593215a9df9a9c69f01c8c0260

SHA512
66a00a04c119eff1700dbe8ba32a9c05130e94d5e33945e140100c63a5725f2458494732538615937bb9f183f710f545870a3b0dc44df6defeb325e4c56f6c39

Download Submit
C:\Windows\{53BFFAC8-A949-4d35-B3D2-CAE8F9827B9C}.exe

Filesize
168KB

MD5
54b11268da85f95ca38d910fd27e1694

SHA1
672efcf863c61655e518a926500666d392935fca

SHA256
de0b77e6759ba0f047b3fd75f15307cff80c85340429243d1d87486c2ee3bdf7

SHA512
cc2749a69c2a3309dd0a4610962c8cdd79bdcb7a889d4d5cac1923b68883b85d4ff07253f17a80009567e0c392d8bdae8da6ba814a603e5dd7b23c7f3d30abfb

Download Submit
C:\Windows\{7B9DC207-65B6-4363-BE2E-BE82A7B2EB09}.exe

Filesize
168KB

MD5
258cca9b8e66bb0c49a6f418668cc255

SHA1
a3d45beb48c9d1fa37a9f67d0fe3365c7e4f26af

SHA256
3b0aa1999e9a0103df40606d203b175399f8ac564e34956ceb0d80247288a517

SHA512
89a83aa3d6a3dfed9c95cdb31b1e42f8df93489808fdb8121442234899904ce60fae72026bb914ed62c40a554a141c4665ab06dd7d4a43d2af53fa7a98f80aef

Download Submit
C:\Windows\{964F105C-090B-403b-9458-E69FDFAF2B57}.exe

Filesize
168KB

MD5
d87a998142c635c20e504ad83b3fca1e

SHA1
2f9762636126fbd96f5fd7859fd29553a0ad0bcc

SHA256
baa6869b607eeda25e15f7cffdf7df67430c0ffd57499d84e7dd7f34cd524430

SHA512
598ff61bcae378f5587a806719a1e1e194cacc728dd30cd8dc1124551f00b6be3b1145d874ed6d2bb270f13c408295d3a848c1397b9d94c5036d181e98b5b99b

Download Submit
C:\Windows\{C1C75EB9-9DC8-43f2-AFD5-274A04694D80}.exe

Filesize
168KB

MD5
73e1cf0620d7c17e85781ff922f897a4

SHA1
b6cf6a69e8bfc2f9aa588905600386c2fb74573e

SHA256
046e9ab0862a498146e9d18a919cb3ccd43245e4b4f9ac2100223cfc79958ae2

SHA512
7a2cb57a427a03d0a057dd451e810342150bc587a26e5c68de04eceec843aa65e4fef2016d88b7b69fa4b892dba0f09eed175321256e7f5b09a59bbf54af202e

Download Submit
C:\Windows\{E8D95684-1CAC-4995-98CE-60FAB9C500FD}.exe

Filesize
168KB

MD5
408a4e40dc0d4c2fc65732b6b9c6b070

SHA1
098da530aea3c6e5a4fda854cd01159890a4ad6a

SHA256
64134495cf63b9af013d9c71047e1f5d625e3e3afc389ee635833a1a29d58fad

SHA512
76a8ab6079b4d8ec0b239f1e5bbffd66dcd6ee2fbb403d7cdba314b05f2acb8dbdfa5031fe564d6381511c5fc07f35d578721f5647b46abd3de75282bd6fb965

Download Submit
memory/1920-43-0x0000000003870000-0x000000000394B000-memory.dmp

Filesize
876KB

Download
memory/1920-44-0x0000000003950000-0x0000000003A2B000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads