1dfd13e056e834d7ee6ca233dc2cc7624207fd29e2b339ec2b5487ad3d9b5318

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 01:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe
Size

197KB
MD5

04a4ede4ef0cdfade21b83d928e9e8f4
SHA1

9d3a4d2e15c48da444ec238e551a9c84d02f4966
SHA256

1dfd13e056e834d7ee6ca233dc2cc7624207fd29e2b339ec2b5487ad3d9b5318
SHA512

eb94fcd208c6957063cd8211e3225401c5ed2c000fd68991397e57dcd4da10a159b4fc4d54e591fb793a9f42c9aa3b1dbbf1f870e8f956df06dbfbab2f79d790
SSDEEP

3072:jEGh0oUl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGelEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e7bf-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002313d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002314c-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002313d-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002167d-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021681-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002167d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000719-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000739-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CE90A54-BCD5-4334-A715-91435481F1A3}	{988757C6-C130-4510-B8B3-1DB169C27804}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF41A5B3-52E1-4b54-86C6-D33F94DC380B}	{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}	{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}\stubpath = "C:\\Windows\\{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe"	{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}\stubpath = "C:\\Windows\\{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe"	{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{988757C6-C130-4510-B8B3-1DB169C27804}\stubpath = "C:\\Windows\\{988757C6-C130-4510-B8B3-1DB169C27804}.exe"	{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF41A5B3-52E1-4b54-86C6-D33F94DC380B}\stubpath = "C:\\Windows\\{AF41A5B3-52E1-4b54-86C6-D33F94DC380B}.exe"	{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4251D70E-37DD-4554-9A3D-C1CF055241F3}\stubpath = "C:\\Windows\\{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe"	2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{782A88E9-D54D-4e95-A50E-7908B34108DC}\stubpath = "C:\\Windows\\{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe"	{CD0D062B-177F-4233-8141-523414AC30D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{988757C6-C130-4510-B8B3-1DB169C27804}	{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CE90A54-BCD5-4334-A715-91435481F1A3}\stubpath = "C:\\Windows\\{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe"	{988757C6-C130-4510-B8B3-1DB169C27804}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4251D70E-37DD-4554-9A3D-C1CF055241F3}	2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}	{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}	{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0D062B-177F-4233-8141-523414AC30D2}\stubpath = "C:\\Windows\\{CD0D062B-177F-4233-8141-523414AC30D2}.exe"	{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}\stubpath = "C:\\Windows\\{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe"	{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}	{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}\stubpath = "C:\\Windows\\{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe"	{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD0D062B-177F-4233-8141-523414AC30D2}	{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}\stubpath = "C:\\Windows\\{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe"	{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75FF7BC1-1647-4610-8730-32544AE82E1D}	{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75FF7BC1-1647-4610-8730-32544AE82E1D}\stubpath = "C:\\Windows\\{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe"	{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}	{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{782A88E9-D54D-4e95-A50E-7908B34108DC}	{CD0D062B-177F-4233-8141-523414AC30D2}.exe

Executes dropped EXE 11 IoCs

pid	Process
4060	{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe
1412	{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe
4500	{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe
828	{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe
908	{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe
912	{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe
3704	{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe
4352	{CD0D062B-177F-4233-8141-523414AC30D2}.exe
708	{988757C6-C130-4510-B8B3-1DB169C27804}.exe
2384	{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe
4920	{AF41A5B3-52E1-4b54-86C6-D33F94DC380B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{988757C6-C130-4510-B8B3-1DB169C27804}.exe	{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe
File created	C:\Windows\{AF41A5B3-52E1-4b54-86C6-D33F94DC380B}.exe	{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe
File created	C:\Windows\{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe	2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe
File created	C:\Windows\{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe	{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe
File created	C:\Windows\{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe	{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe
File created	C:\Windows\{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe	{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe
File created	C:\Windows\{CD0D062B-177F-4233-8141-523414AC30D2}.exe	{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe
File created	C:\Windows\{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe	{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe
File created	C:\Windows\{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe	{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe
File created	C:\Windows\{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe	{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe
File created	C:\Windows\{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe	{988757C6-C130-4510-B8B3-1DB169C27804}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4548	2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4060	{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe
Token: SeIncBasePriorityPrivilege	1412	{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe
Token: SeIncBasePriorityPrivilege	4500	{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe
Token: SeIncBasePriorityPrivilege	828	{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe
Token: SeIncBasePriorityPrivilege	908	{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe
Token: SeIncBasePriorityPrivilege	912	{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe
Token: SeIncBasePriorityPrivilege	3704	{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe
Token: SeIncBasePriorityPrivilege	4464	{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe
Token: SeIncBasePriorityPrivilege	708	{988757C6-C130-4510-B8B3-1DB169C27804}.exe
Token: SeIncBasePriorityPrivilege	2384	{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 4060	4548	2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe	89
PID 4548 wrote to memory of 4060	4548	2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe	89
PID 4548 wrote to memory of 4060	4548	2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe	89
PID 4548 wrote to memory of 1908	4548	2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe	90
PID 4548 wrote to memory of 1908	4548	2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe	90
PID 4548 wrote to memory of 1908	4548	2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe	90
PID 4060 wrote to memory of 1412	4060	{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe	95
PID 4060 wrote to memory of 1412	4060	{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe	95
PID 4060 wrote to memory of 1412	4060	{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe	95
PID 4060 wrote to memory of 4516	4060	{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe	96
PID 4060 wrote to memory of 4516	4060	{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe	96
PID 4060 wrote to memory of 4516	4060	{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe	96
PID 1412 wrote to memory of 4500	1412	{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe	99
PID 1412 wrote to memory of 4500	1412	{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe	99
PID 1412 wrote to memory of 4500	1412	{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe	99
PID 1412 wrote to memory of 228	1412	{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe	98
PID 1412 wrote to memory of 228	1412	{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe	98
PID 1412 wrote to memory of 228	1412	{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe	98
PID 4500 wrote to memory of 828	4500	{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe	100
PID 4500 wrote to memory of 828	4500	{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe	100
PID 4500 wrote to memory of 828	4500	{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe	100
PID 4500 wrote to memory of 3264	4500	{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe	101
PID 4500 wrote to memory of 3264	4500	{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe	101
PID 4500 wrote to memory of 3264	4500	{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe	101
PID 828 wrote to memory of 908	828	{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe	102
PID 828 wrote to memory of 908	828	{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe	102
PID 828 wrote to memory of 908	828	{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe	102
PID 828 wrote to memory of 1264	828	{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe	103
PID 828 wrote to memory of 1264	828	{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe	103
PID 828 wrote to memory of 1264	828	{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe	103
PID 908 wrote to memory of 912	908	{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe	104
PID 908 wrote to memory of 912	908	{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe	104
PID 908 wrote to memory of 912	908	{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe	104
PID 908 wrote to memory of 2768	908	{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe	105
PID 908 wrote to memory of 2768	908	{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe	105
PID 908 wrote to memory of 2768	908	{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe	105
PID 912 wrote to memory of 3704	912	{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe	106
PID 912 wrote to memory of 3704	912	{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe	106
PID 912 wrote to memory of 3704	912	{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe	106
PID 912 wrote to memory of 4908	912	{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe	107
PID 912 wrote to memory of 4908	912	{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe	107
PID 912 wrote to memory of 4908	912	{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe	107
PID 3704 wrote to memory of 4352	3704	{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe	108
PID 3704 wrote to memory of 4352	3704	{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe	108
PID 3704 wrote to memory of 4352	3704	{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe	108
PID 3704 wrote to memory of 4340	3704	{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe	109
PID 3704 wrote to memory of 4340	3704	{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe	109
PID 3704 wrote to memory of 4340	3704	{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe	109
PID 4464 wrote to memory of 708	4464	{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe	112
PID 4464 wrote to memory of 708	4464	{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe	112
PID 4464 wrote to memory of 708	4464	{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe	112
PID 4464 wrote to memory of 4436	4464	{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe	113
PID 4464 wrote to memory of 4436	4464	{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe	113
PID 4464 wrote to memory of 4436	4464	{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe	113
PID 708 wrote to memory of 2384	708	{988757C6-C130-4510-B8B3-1DB169C27804}.exe	114
PID 708 wrote to memory of 2384	708	{988757C6-C130-4510-B8B3-1DB169C27804}.exe	114
PID 708 wrote to memory of 2384	708	{988757C6-C130-4510-B8B3-1DB169C27804}.exe	114
PID 708 wrote to memory of 3700	708	{988757C6-C130-4510-B8B3-1DB169C27804}.exe	115
PID 708 wrote to memory of 3700	708	{988757C6-C130-4510-B8B3-1DB169C27804}.exe	115
PID 708 wrote to memory of 3700	708	{988757C6-C130-4510-B8B3-1DB169C27804}.exe	115
PID 2384 wrote to memory of 4920	2384	{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe	116
PID 2384 wrote to memory of 4920	2384	{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe	116
PID 2384 wrote to memory of 4920	2384	{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe	116
PID 2384 wrote to memory of 2992	2384	{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_04a4ede4ef0cdfade21b83d928e9e8f4_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe
  C:\Windows\{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe
    C:\Windows\{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5EE24~1.EXE > nul
      4⤵
      PID:228
  - - C:\Windows\{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe
      C:\Windows\{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4500
    - - C:\Windows\{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe
        
        C:\Windows\{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:828
      - C:\Windows\{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe
        
        C:\Windows\{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe
        
        C:\Windows\{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe
        
        C:\Windows\{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\{CD0D062B-177F-4233-8141-523414AC30D2}.exe
        
        C:\Windows\{CD0D062B-177F-4233-8141-523414AC30D2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe
        
        C:\Windows\{782A88E9-D54D-4e95-A50E-7908B34108DC}.exe
        10⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\{988757C6-C130-4510-B8B3-1DB169C27804}.exe
        
        C:\Windows\{988757C6-C130-4510-B8B3-1DB169C27804}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe
        
        C:\Windows\{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\{AF41A5B3-52E1-4b54-86C6-D33F94DC380B}.exe
        
        C:\Windows\{AF41A5B3-52E1-4b54-86C6-D33F94DC380B}.exe
        13⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CE90~1.EXE > nul
        13⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98875~1.EXE > nul
        12⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{782A8~1.EXE > nul
        11⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD0D0~1.EXE > nul
        10⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDE0D~1.EXE > nul
        9⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CBE2~1.EXE > nul
        8⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7926E~1.EXE > nul
        7⤵
        
        PID:2768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75FF7~1.EXE > nul
        6⤵
        
        PID:1264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14CCD~1.EXE > nul
        5⤵
        
        PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4251D~1.EXE > nul
    3⤵
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14CCD5BD-CE59-4b1e-998E-DDC456EF791F}.exe

Filesize
197KB

MD5
1e3f4cdfd392463a019869303a060f83

SHA1
4e2ca061d0287ea64d3c2663e1661fdc93bf8173

SHA256
8792f6e99f95a1b1d12b3ef307620cbd2f0e0a5ee49cb142ffc83858dab03fff

SHA512
4c77ca70c23af9512a03807d012055561554f5ca23ec21bdce2db9d2a86233eab096d5be578edc9bb35e28fdd84ed639d34980cc9dadb9f1a798cc0d89a44b4e

Download Submit
C:\Windows\{4251D70E-37DD-4554-9A3D-C1CF055241F3}.exe

Filesize
197KB

MD5
778fbf19eb6cc95f3f2993b651eaeae5

SHA1
8d849cc0c991aff21d5fa4faed9e6dc9925817d5

SHA256
e97d52b8344a43dc3fea191c8b387b3a8d67f18527b2ac1082247a54fa803b92

SHA512
d15134217f817a0024d1b6840b9e8564cada45fd83137f94e772ef2e7e017d7a21656366ceb993e8a4dd9f6983ac3db276b3a3ec2c8e6e733942b849938c95a7

Download Submit
C:\Windows\{5CBE2B41-9931-4b13-9CC9-AE69EEDB6E32}.exe

Filesize
197KB

MD5
0b0ce0e926e1756da6601c30cabd2cb2

SHA1
7967dd2b81b76fb42e1959c6da6cce9c4c50a493

SHA256
8c751128ced57de7801d48d70e803ecde0475fbb23aeba26a8dd06aee09533cc

SHA512
a883a0182866aa039a281b98deca6d8094ce4dcaa55247257ba6f8956b14782c5ff9a9d6ac3263603ab680df9398efe3df662fdc787ab4aa2222eab767bd18b1

Download Submit
C:\Windows\{5EE24631-FBC3-4135-A214-3AABD9ACBF1E}.exe

Filesize
197KB

MD5
a7efd2d3553d277f63cc776cf6fa87de

SHA1
3fa6dcf054c78559fae7a3a4ddff2a402d8ee361

SHA256
c49d01c2583357a93de9f6bc224ad5973f479ea009bf410f7a5c357fb87258b9

SHA512
78c69435c8dfcde03de2cda9156fa880781fa215163f276c66e66b9e52cdd289191566fd7f7a7c2b73ab17a649e80e131d9a3fca9dc938a3113b1b616d1f8015

Download Submit
C:\Windows\{6CE90A54-BCD5-4334-A715-91435481F1A3}.exe

Filesize
197KB

MD5
1486aeff37a34db9cb4bd91c980da0ac

SHA1
93290bf52f895cfca7f632e57c5a7723c20367ac

SHA256
17c17b278e07859743dfea93d2af3776ce487f014a7b53093ca6303d03c23d5b

SHA512
6b75b374d78c13242965534b8ab45bf94f7b6d71eccd0cd475e02d92913c4d3bebbcdf32713f51aa3c3f0a9d7cb5ed38bba94e8bea4592f3db45d6147075033f

Download Submit
C:\Windows\{75FF7BC1-1647-4610-8730-32544AE82E1D}.exe

Filesize
197KB

MD5
23a64d54d19979730ee1690ac9002655

SHA1
25d753a887118c883d315f1e604c5994d44abcd7

SHA256
1ac2329dbfbee39684c5a86308de142b1a8ea88bf8f81e28e207f05a66ebcbdf

SHA512
0aa7857729faf8cdfdfdc34425a255e45fdd06e24d2ae51fc2510efeb6554b4769fa9b6b0d7edd5e6f3e78a68c4ac05b11ddc9fe6e26ca9a16ed8d0356cf0652

Download Submit
C:\Windows\{7926E7C4-2C38-4f5a-BD0C-99E1B3997794}.exe

Filesize
197KB

MD5
d1020b87dd4b8fb9e7c932548f49ebdb

SHA1
db5c33155d15c3e4b3e0b96b5852ecb6ce5dd5a2

SHA256
ba3aef369ec21c6288e1c5122b424a2a47748334c8e5b8810607d436b553868b

SHA512
e7f7068145abc6fa1a5aebeff063ac78c26474d676324493e8d27fac3122260de5d05df726d3f8fc9f8d960ae758c2353fffdc2837f0bcfe64c434af01387e34

Download Submit
C:\Windows\{988757C6-C130-4510-B8B3-1DB169C27804}.exe

Filesize
197KB

MD5
4d6eec14bebf48f9133bde0acddb1cb5

SHA1
1c815aaac45c8ed4dbf5ea38566eef0b73670e16

SHA256
ef45158f7541981bda936b4161abfc4b4e82321fa8e4266536a91fd0df66abaf

SHA512
1623c7f8724bdea3f845ce80ee51c92a1ac3b4c58e715bd5d8a50ae4f8feb0a554b04c75a60eac53d66583aa6a13b43f883c1f45d67eff96e8e40a424b4d9235

Download Submit
C:\Windows\{AF41A5B3-52E1-4b54-86C6-D33F94DC380B}.exe

Filesize
197KB

MD5
830c5aadef12b451fc20e2b154b90666

SHA1
e61c485fc1ab0752aba66c94aef73f8213981971

SHA256
6c8d634056e194f7d998563446acc82382de2e3bbbd63e6cf78796880a072a00

SHA512
927c2fe8d689c52cbe18db6e757e11fc299267db99b729eaeb39bd87052a9f534b500a41cb7a6285d1eeaaa03ee78a9ea224a85856efe57f5c7e1a41663de338

Download Submit
C:\Windows\{CD0D062B-177F-4233-8141-523414AC30D2}.exe

Filesize
197KB

MD5
c5bcbb4e1080d095ba7aca7664cec57f

SHA1
abc23df924a8ba045c2d4530ab26ae781afd9815

SHA256
bf56af7638a79ac14e08c5b7cae6e0b2e55c7809c39ad1c425b13e6c8bf5219f

SHA512
b074ed00b514a6d5f44a06662b3f2782b49f8e4944a5506d5904dbf373db00f6f260e11beb615272252d505e6f21994753140232551100f975d61709246220be

Download Submit
C:\Windows\{FDE0D13F-9756-4a18-8CEC-6ECB08FABC82}.exe

Filesize
197KB

MD5
b3801af174fc6f8fbb941feef254acc7

SHA1
b54ef375b4b0c0201d08c91a87fe573954381460

SHA256
ca6d763a67f41772a66d56e180ae0b0704a5a4a23ec47e114a6c83680a99c190

SHA512
aaeb2697b62ef05379075570b1f6e1f53d5d88245985eafded1c82436c3416794b2a9df61532769edf9e9e986f0b93fd2fa738b3c10d5bd9b76c942b241ed216

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads