4fe0e1046bb0bf9ec1729d952dfebe2d6e5cb115f373db2ea273048f2f10b837

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe
Size

408KB
MD5

599a55686bd7d712e3f9e88902ef9c65
SHA1

1962891758377ef5dbefc5a798cdb7e71054e4aa
SHA256

4fe0e1046bb0bf9ec1729d952dfebe2d6e5cb115f373db2ea273048f2f10b837
SHA512

e572e2cb9057f2a0cb7e84b927908a6090080e6fe648dc3db3b5a8985d782d79ea89ad5836ecbd29cfa54212da33103f31da3961589ff4d0ae6836ae3d202d0d
SSDEEP

3072:CEGh0oXl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGNldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000600000002313f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000023146-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001a00000001e2b4-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023146-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001b00000001e2b4-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B79AD721-C1AA-4364-9F1D-D03494D3F49A}\stubpath = "C:\\Windows\\{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe"	{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A4B3C0-1E5E-4eb9-A58B-333DAC5CED82}\stubpath = "C:\\Windows\\{53A4B3C0-1E5E-4eb9-A58B-333DAC5CED82}.exe"	{C25D29C4-5933-4614-924A-4D96233D4459}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F73178E-7617-456d-9488-D2760A72C7FF}	{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAD8F039-1C7A-4025-92E8-F6289E60E128}\stubpath = "C:\\Windows\\{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe"	{1F73178E-7617-456d-9488-D2760A72C7FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{512030C5-B160-4858-99FA-9A613CD4675D}	{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3DFA095-3E35-4d13-8F01-B81E55981CFD}\stubpath = "C:\\Windows\\{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe"	{512030C5-B160-4858-99FA-9A613CD4675D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B57BB437-C3CB-440a-952F-13394A2E49C8}\stubpath = "C:\\Windows\\{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe"	{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2B0F610-96F7-4818-91C1-0EB26A6BA433}	{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B57BB437-C3CB-440a-952F-13394A2E49C8}	{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C25D29C4-5933-4614-924A-4D96233D4459}	{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A4B3C0-1E5E-4eb9-A58B-333DAC5CED82}	{C25D29C4-5933-4614-924A-4D96233D4459}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}	2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}\stubpath = "C:\\Windows\\{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe"	2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}	{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F73178E-7617-456d-9488-D2760A72C7FF}\stubpath = "C:\\Windows\\{1F73178E-7617-456d-9488-D2760A72C7FF}.exe"	{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{512030C5-B160-4858-99FA-9A613CD4675D}\stubpath = "C:\\Windows\\{512030C5-B160-4858-99FA-9A613CD4675D}.exe"	{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C25D29C4-5933-4614-924A-4D96233D4459}\stubpath = "C:\\Windows\\{C25D29C4-5933-4614-924A-4D96233D4459}.exe"	{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}\stubpath = "C:\\Windows\\{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe"	{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAD8F039-1C7A-4025-92E8-F6289E60E128}	{1F73178E-7617-456d-9488-D2760A72C7FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3DFA095-3E35-4d13-8F01-B81E55981CFD}	{512030C5-B160-4858-99FA-9A613CD4675D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2B0F610-96F7-4818-91C1-0EB26A6BA433}\stubpath = "C:\\Windows\\{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe"	{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B79AD721-C1AA-4364-9F1D-D03494D3F49A}	{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe

Executes dropped EXE 11 IoCs

pid	Process
4644	{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe
1364	{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe
928	{1F73178E-7617-456d-9488-D2760A72C7FF}.exe
4236	{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe
2064	{512030C5-B160-4858-99FA-9A613CD4675D}.exe
1224	{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe
3608	{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe
2488	{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe
1256	{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe
3476	{C25D29C4-5933-4614-924A-4D96233D4459}.exe
4100	{53A4B3C0-1E5E-4eb9-A58B-333DAC5CED82}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1F73178E-7617-456d-9488-D2760A72C7FF}.exe	{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe
File created	C:\Windows\{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe	{1F73178E-7617-456d-9488-D2760A72C7FF}.exe
File created	C:\Windows\{512030C5-B160-4858-99FA-9A613CD4675D}.exe	{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe
File created	C:\Windows\{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe	{512030C5-B160-4858-99FA-9A613CD4675D}.exe
File created	C:\Windows\{53A4B3C0-1E5E-4eb9-A58B-333DAC5CED82}.exe	{C25D29C4-5933-4614-924A-4D96233D4459}.exe
File created	C:\Windows\{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe	{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe
File created	C:\Windows\{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe	{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe
File created	C:\Windows\{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe	{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe
File created	C:\Windows\{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe	{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe
File created	C:\Windows\{C25D29C4-5933-4614-924A-4D96233D4459}.exe	{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe
File created	C:\Windows\{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe	2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1564	2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4644	{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe
Token: SeIncBasePriorityPrivilege	1364	{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe
Token: SeIncBasePriorityPrivilege	928	{1F73178E-7617-456d-9488-D2760A72C7FF}.exe
Token: SeIncBasePriorityPrivilege	4236	{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe
Token: SeIncBasePriorityPrivilege	2064	{512030C5-B160-4858-99FA-9A613CD4675D}.exe
Token: SeIncBasePriorityPrivilege	1224	{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe
Token: SeIncBasePriorityPrivilege	3608	{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe
Token: SeIncBasePriorityPrivilege	2488	{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe
Token: SeIncBasePriorityPrivilege	1256	{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe
Token: SeIncBasePriorityPrivilege	3476	{C25D29C4-5933-4614-924A-4D96233D4459}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 4644	1564	2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe	84
PID 1564 wrote to memory of 4644	1564	2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe	84
PID 1564 wrote to memory of 4644	1564	2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe	84
PID 1564 wrote to memory of 1464	1564	2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe	85
PID 1564 wrote to memory of 1464	1564	2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe	85
PID 1564 wrote to memory of 1464	1564	2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe	85
PID 4644 wrote to memory of 1364	4644	{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe	91
PID 4644 wrote to memory of 1364	4644	{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe	91
PID 4644 wrote to memory of 1364	4644	{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe	91
PID 4644 wrote to memory of 4640	4644	{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe	92
PID 4644 wrote to memory of 4640	4644	{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe	92
PID 4644 wrote to memory of 4640	4644	{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe	92
PID 1364 wrote to memory of 928	1364	{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe	97
PID 1364 wrote to memory of 928	1364	{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe	97
PID 1364 wrote to memory of 928	1364	{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe	97
PID 1364 wrote to memory of 4572	1364	{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe	96
PID 1364 wrote to memory of 4572	1364	{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe	96
PID 1364 wrote to memory of 4572	1364	{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe	96
PID 928 wrote to memory of 4236	928	{1F73178E-7617-456d-9488-D2760A72C7FF}.exe	98
PID 928 wrote to memory of 4236	928	{1F73178E-7617-456d-9488-D2760A72C7FF}.exe	98
PID 928 wrote to memory of 4236	928	{1F73178E-7617-456d-9488-D2760A72C7FF}.exe	98
PID 928 wrote to memory of 320	928	{1F73178E-7617-456d-9488-D2760A72C7FF}.exe	99
PID 928 wrote to memory of 320	928	{1F73178E-7617-456d-9488-D2760A72C7FF}.exe	99
PID 928 wrote to memory of 320	928	{1F73178E-7617-456d-9488-D2760A72C7FF}.exe	99
PID 4236 wrote to memory of 2064	4236	{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe	100
PID 4236 wrote to memory of 2064	4236	{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe	100
PID 4236 wrote to memory of 2064	4236	{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe	100
PID 4236 wrote to memory of 2248	4236	{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe	101
PID 4236 wrote to memory of 2248	4236	{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe	101
PID 4236 wrote to memory of 2248	4236	{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe	101
PID 2064 wrote to memory of 1224	2064	{512030C5-B160-4858-99FA-9A613CD4675D}.exe	102
PID 2064 wrote to memory of 1224	2064	{512030C5-B160-4858-99FA-9A613CD4675D}.exe	102
PID 2064 wrote to memory of 1224	2064	{512030C5-B160-4858-99FA-9A613CD4675D}.exe	102
PID 2064 wrote to memory of 2796	2064	{512030C5-B160-4858-99FA-9A613CD4675D}.exe	103
PID 2064 wrote to memory of 2796	2064	{512030C5-B160-4858-99FA-9A613CD4675D}.exe	103
PID 2064 wrote to memory of 2796	2064	{512030C5-B160-4858-99FA-9A613CD4675D}.exe	103
PID 1224 wrote to memory of 3608	1224	{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe	104
PID 1224 wrote to memory of 3608	1224	{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe	104
PID 1224 wrote to memory of 3608	1224	{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe	104
PID 1224 wrote to memory of 4180	1224	{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe	105
PID 1224 wrote to memory of 4180	1224	{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe	105
PID 1224 wrote to memory of 4180	1224	{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe	105
PID 3608 wrote to memory of 2488	3608	{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe	106
PID 3608 wrote to memory of 2488	3608	{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe	106
PID 3608 wrote to memory of 2488	3608	{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe	106
PID 3608 wrote to memory of 3652	3608	{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe	107
PID 3608 wrote to memory of 3652	3608	{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe	107
PID 3608 wrote to memory of 3652	3608	{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe	107
PID 2488 wrote to memory of 1256	2488	{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe	108
PID 2488 wrote to memory of 1256	2488	{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe	108
PID 2488 wrote to memory of 1256	2488	{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe	108
PID 2488 wrote to memory of 3376	2488	{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe	109
PID 2488 wrote to memory of 3376	2488	{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe	109
PID 2488 wrote to memory of 3376	2488	{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe	109
PID 1256 wrote to memory of 3476	1256	{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe	110
PID 1256 wrote to memory of 3476	1256	{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe	110
PID 1256 wrote to memory of 3476	1256	{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe	110
PID 1256 wrote to memory of 5056	1256	{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe	111
PID 1256 wrote to memory of 5056	1256	{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe	111
PID 1256 wrote to memory of 5056	1256	{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe	111
PID 3476 wrote to memory of 4100	3476	{C25D29C4-5933-4614-924A-4D96233D4459}.exe	112
PID 3476 wrote to memory of 4100	3476	{C25D29C4-5933-4614-924A-4D96233D4459}.exe	112
PID 3476 wrote to memory of 4100	3476	{C25D29C4-5933-4614-924A-4D96233D4459}.exe	112
PID 3476 wrote to memory of 2336	3476	{C25D29C4-5933-4614-924A-4D96233D4459}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_599a55686bd7d712e3f9e88902ef9c65_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe
  C:\Windows\{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe
    C:\Windows\{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6A7D7~1.EXE > nul
      4⤵
      PID:4572
  - - C:\Windows\{1F73178E-7617-456d-9488-D2760A72C7FF}.exe
      C:\Windows\{1F73178E-7617-456d-9488-D2760A72C7FF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Windows\{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe
        
        C:\Windows\{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Windows\{512030C5-B160-4858-99FA-9A613CD4675D}.exe
        
        C:\Windows\{512030C5-B160-4858-99FA-9A613CD4675D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe
        
        C:\Windows\{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe
        
        C:\Windows\{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe
        
        C:\Windows\{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe
        
        C:\Windows\{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\{C25D29C4-5933-4614-924A-4D96233D4459}.exe
        
        C:\Windows\{C25D29C4-5933-4614-924A-4D96233D4459}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\{53A4B3C0-1E5E-4eb9-A58B-333DAC5CED82}.exe
        
        C:\Windows\{53A4B3C0-1E5E-4eb9-A58B-333DAC5CED82}.exe
        12⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C25D2~1.EXE > nul
        12⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B79AD~1.EXE > nul
        11⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2B0F~1.EXE > nul
        10⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B57BB~1.EXE > nul
        9⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3DFA~1.EXE > nul
        8⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51203~1.EXE > nul
        7⤵
        
        PID:2796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAD8F~1.EXE > nul
        6⤵
        
        PID:2248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F731~1.EXE > nul
        5⤵
        
        PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1DA51~1.EXE > nul
    3⤵
    PID:4640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DA51E6A-1ECA-489d-8C79-D1CDE4D171F0}.exe

Filesize
408KB

MD5
48f9338d997c401dc030bb3ee1ede13a

SHA1
aa2255264b9cfba98e76172927dea1136cbcca61

SHA256
f0e33ec51dd0410f391b281cb87e90b23aa9d8c681b2390d4bf333ffd3beb8f0

SHA512
31b77c44e413fc0f9898bdc121fc2da1ca70500b6e8dc409d30f70adaa5154db7bb9c998f368e24e5d5558753614fcf272fa90961ce90ec458abe2a8d7816e4d

Download Submit
C:\Windows\{1F73178E-7617-456d-9488-D2760A72C7FF}.exe

Filesize
408KB

MD5
2aec109d7bb38c9e9bfd369856abcde3

SHA1
a9597fd2b2ef6df4f72f8b09b2d1dc08a2ff904b

SHA256
292526942add55c18d884bb58ec6455f3c07d2cb1884088b125455bdad302c44

SHA512
f1ddbdde1b6dc1e0f3e851f40ea25fae5ad76698037df0e82748e3cd44370d2b86609f06e0057d4f7af29beb0ca4442cca993a099a1963f4cf531efa66711afe

Download Submit
C:\Windows\{512030C5-B160-4858-99FA-9A613CD4675D}.exe

Filesize
408KB

MD5
debd6e5f4c7e44bd93e12d29b7d4e6e5

SHA1
c7b0397d1bb57525c12337739e47286103aee4fa

SHA256
08cd533d5216435b71a516697045b5d0ed14ec7815a197787e85bede54918f31

SHA512
5429f9ce7e444378afaec20c5d5faf32b8e3796d620f7f5588bf6ccf368e5e91866e0e65f6caacca01391dc311213932266e73a61d2ca0d8fb82448fc70bd444

Download Submit
C:\Windows\{53A4B3C0-1E5E-4eb9-A58B-333DAC5CED82}.exe

Filesize
408KB

MD5
da7286dba5a310a0ce7bdbdad2290e04

SHA1
29bd6252a2fbd7d0f5f19f3247d1702cf4eae5ac

SHA256
ec4bf912ebbc803765ffd645f3aba802c2a1cb00c81b5946de87d9bdfba86786

SHA512
469fb3e16369b123632fdd5de697486a9e17b830ba9944baa8eaa019a4a3341443f95cc44049dc76addc927238d6e594618ee6656fbbab97ef15ab0ace7ddb64

Download Submit
C:\Windows\{6A7D76F8-4F15-4c05-B631-5CBDC9041E4C}.exe

Filesize
408KB

MD5
30550b8f88addc63d752aa5ba26c5205

SHA1
ebe4b5b809f0944566012e4efd57243add87f4ee

SHA256
a2b470c257c6b2c82bbfef9ad3b2b47034eb675b76f3cde0e5a85dfdf1d01c02

SHA512
245d2e055d6e847797a4c46089a4704c23ce48e87207b6cc6597c60c041f64479120512aecc6c908c2d405aa36ad26447a41a72855c75fea09e2b9786bb8c178

Download Submit
C:\Windows\{AAD8F039-1C7A-4025-92E8-F6289E60E128}.exe

Filesize
408KB

MD5
63f71c577368117f69ea381e53432d5f

SHA1
e0ea7d6c6748eace1f265a58725c108a86e154cc

SHA256
12584f8077e46efb15a87f9b81ef80d22f3363ecadea9b52b4b064537cd60615

SHA512
e76aaffec5fbca7fbe33d57ac89fe6a3498e3474000887cfe8f8c3351ed70ccfd009244e5e77361c3f65d5d2265dbcb57246b0a8d978b81c1c43cad690af2e3e

Download Submit
C:\Windows\{B57BB437-C3CB-440a-952F-13394A2E49C8}.exe

Filesize
408KB

MD5
7cf443f0f66a0e88495fd23948669051

SHA1
d264b5a4c848d3d8d08835b664b49878d1bac171

SHA256
2661c040fe2baec021f155859aa620cf379367c349debbaeaf37570209dd877f

SHA512
509afb96d42d186fb4b6a048c6f7cc6e21c9364427679a279d38538a250853f7779b57ed659fa1ec5e9a6048f5acae8f550bccdcd2a5f2d5e6d3c03463819be1

Download Submit
C:\Windows\{B79AD721-C1AA-4364-9F1D-D03494D3F49A}.exe

Filesize
408KB

MD5
010a6ca660a54c10f58bf64067b236c6

SHA1
4cb10b30cf6ac9acf007a25adfcbca2ce22027e7

SHA256
66f3caeb5c54a61b568c7ec8d140cb3c51d3bae8b3e0b299d79a3982efb244e0

SHA512
f2dfbd888f1bcc2227073001524ca11c105df6266c1f62ded1ef4c3426fd374eaacc88413b28425c8c0e6449bb204948f1302b577c739313791093b75ac03e0b

Download Submit
C:\Windows\{C25D29C4-5933-4614-924A-4D96233D4459}.exe

Filesize
408KB

MD5
c5224e1ed1d61188eec82b42378403f9

SHA1
36aaf110b11a90d582d6e4dcb803926505f3306b

SHA256
9e47378dd37fa9d9531abf8c2903539c42a540aaa44a1d489251490eab6166a5

SHA512
a4d3ea760ecb70cb3acf99603f356c52ae7f953bda3e15fdfe34c01f74cc03ee23f7bc526628fb8374a64c5001dc9c7f15335b0773a4a514b2fb8af88938075d

Download Submit
C:\Windows\{C2B0F610-96F7-4818-91C1-0EB26A6BA433}.exe

Filesize
408KB

MD5
400a22d87e6d6c422be2b70a5b16c5d7

SHA1
48d00536b8657b0aea999e4c9676e8569e061232

SHA256
5faef335b78b77bc2234bad1822564b4d7482657024736b16dfa02f8c77d3235

SHA512
c6ac98fc9e938da5a3f63fb50ed1e5531c4c8b2c60cc034973334942fa5fe3b08fe430f941a009ba2451fcd83f9d84833255064555beeea860492823598b19b6

Download Submit
C:\Windows\{D3DFA095-3E35-4d13-8F01-B81E55981CFD}.exe

Filesize
408KB

MD5
f3c64360bb34aa3556966709479940f0

SHA1
d39ea9fc79a9b60eed077dea779108209af1b73b

SHA256
90cf8654cb2247fa7f5a40ad07fcb6dd8e25fd3e77fc7e80e81d3a148ace0c92

SHA512
0c263d93f1df0aee77167b07919c942264bb88abcfbec0a12a8abd4d7af59e0898dee1b9aa8c24dfc06d2d618dcfb4f879375e65d42d19141b7f4f11cfab7b43

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads