6640c01492e9dca57c7a030c2e30fa330f7f6f6081d9c8c0beffc82c65cd4888

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe
Size

372KB
MD5

ee498fe9799366244d7f0f34532646e9
SHA1

3ae4b30f19d663a10682eadb43eee8d2dbb54aaf
SHA256

6640c01492e9dca57c7a030c2e30fa330f7f6f6081d9c8c0beffc82c65cd4888
SHA512

e4c6601432692fc58b9a9bd2f8c5e1ce12eb57449188f2a43bfec26f5c88653c7776596267856cc2e46ee211a937b1095d8bd7dd079563272e257fd3299e1f45
SSDEEP

3072:CEGh0ojlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGdlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023209-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023202-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023209-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023202-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023209-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023202-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023209-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023202-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023209-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023202-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023209-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023202-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}\stubpath = "C:\\Windows\\{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe"	{104C8805-5582-46ec-B006-D39BE10F2E68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2E65B51-ED65-4143-832E-784AB586B87E}	{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{491A5C07-4872-462e-8634-5D59F15CB65A}\stubpath = "C:\\Windows\\{491A5C07-4872-462e-8634-5D59F15CB65A}.exe"	{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCBD414F-0484-4ca1-87D3-271A2257512D}	{491A5C07-4872-462e-8634-5D59F15CB65A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2794C31-A032-43db-B7DC-A9D85AF3F883}\stubpath = "C:\\Windows\\{E2794C31-A032-43db-B7DC-A9D85AF3F883}.exe"	{A3B1CD79-4F1D-4a08-9FB5-02984FF64E3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C0146A7-96AA-4b39-83AB-1D295D7E2518}	{2D028246-A077-46c5-9541-A889BB22AD63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C0146A7-96AA-4b39-83AB-1D295D7E2518}\stubpath = "C:\\Windows\\{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe"	{2D028246-A077-46c5-9541-A889BB22AD63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}	{104C8805-5582-46ec-B006-D39BE10F2E68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23CD4CF9-A05B-447b-80A3-5D1C11224751}	{B2E65B51-ED65-4143-832E-784AB586B87E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23CD4CF9-A05B-447b-80A3-5D1C11224751}\stubpath = "C:\\Windows\\{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe"	{B2E65B51-ED65-4143-832E-784AB586B87E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{491A5C07-4872-462e-8634-5D59F15CB65A}	{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9134E2C1-D012-42ea-879B-EC052DDD2411}\stubpath = "C:\\Windows\\{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe"	2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{034C3199-5A0B-43ac-94A5-83809C1E215A}	{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{104C8805-5582-46ec-B006-D39BE10F2E68}\stubpath = "C:\\Windows\\{104C8805-5582-46ec-B006-D39BE10F2E68}.exe"	{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2E65B51-ED65-4143-832E-784AB586B87E}\stubpath = "C:\\Windows\\{B2E65B51-ED65-4143-832E-784AB586B87E}.exe"	{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9134E2C1-D012-42ea-879B-EC052DDD2411}	2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D028246-A077-46c5-9541-A889BB22AD63}\stubpath = "C:\\Windows\\{2D028246-A077-46c5-9541-A889BB22AD63}.exe"	{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{034C3199-5A0B-43ac-94A5-83809C1E215A}\stubpath = "C:\\Windows\\{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe"	{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{104C8805-5582-46ec-B006-D39BE10F2E68}	{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCBD414F-0484-4ca1-87D3-271A2257512D}\stubpath = "C:\\Windows\\{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe"	{491A5C07-4872-462e-8634-5D59F15CB65A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3B1CD79-4F1D-4a08-9FB5-02984FF64E3C}	{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3B1CD79-4F1D-4a08-9FB5-02984FF64E3C}\stubpath = "C:\\Windows\\{A3B1CD79-4F1D-4a08-9FB5-02984FF64E3C}.exe"	{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2794C31-A032-43db-B7DC-A9D85AF3F883}	{A3B1CD79-4F1D-4a08-9FB5-02984FF64E3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D028246-A077-46c5-9541-A889BB22AD63}	{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe

Executes dropped EXE 12 IoCs

pid	Process
2460	{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe
2116	{2D028246-A077-46c5-9541-A889BB22AD63}.exe
4484	{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe
2232	{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe
3912	{104C8805-5582-46ec-B006-D39BE10F2E68}.exe
2420	{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe
3248	{B2E65B51-ED65-4143-832E-784AB586B87E}.exe
3560	{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe
3284	{491A5C07-4872-462e-8634-5D59F15CB65A}.exe
1788	{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe
1684	{A3B1CD79-4F1D-4a08-9FB5-02984FF64E3C}.exe
3064	{E2794C31-A032-43db-B7DC-A9D85AF3F883}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe	{491A5C07-4872-462e-8634-5D59F15CB65A}.exe
File created	C:\Windows\{A3B1CD79-4F1D-4a08-9FB5-02984FF64E3C}.exe	{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe
File created	C:\Windows\{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe	2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe
File created	C:\Windows\{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe	{2D028246-A077-46c5-9541-A889BB22AD63}.exe
File created	C:\Windows\{B2E65B51-ED65-4143-832E-784AB586B87E}.exe	{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe
File created	C:\Windows\{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe	{B2E65B51-ED65-4143-832E-784AB586B87E}.exe
File created	C:\Windows\{491A5C07-4872-462e-8634-5D59F15CB65A}.exe	{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe
File created	C:\Windows\{2D028246-A077-46c5-9541-A889BB22AD63}.exe	{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe
File created	C:\Windows\{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe	{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe
File created	C:\Windows\{104C8805-5582-46ec-B006-D39BE10F2E68}.exe	{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe
File created	C:\Windows\{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe	{104C8805-5582-46ec-B006-D39BE10F2E68}.exe
File created	C:\Windows\{E2794C31-A032-43db-B7DC-A9D85AF3F883}.exe	{A3B1CD79-4F1D-4a08-9FB5-02984FF64E3C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2968	2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2460	{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe
Token: SeIncBasePriorityPrivilege	2116	{2D028246-A077-46c5-9541-A889BB22AD63}.exe
Token: SeIncBasePriorityPrivilege	4484	{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe
Token: SeIncBasePriorityPrivilege	2232	{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe
Token: SeIncBasePriorityPrivilege	3912	{104C8805-5582-46ec-B006-D39BE10F2E68}.exe
Token: SeIncBasePriorityPrivilege	2420	{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe
Token: SeIncBasePriorityPrivilege	3248	{B2E65B51-ED65-4143-832E-784AB586B87E}.exe
Token: SeIncBasePriorityPrivilege	3560	{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe
Token: SeIncBasePriorityPrivilege	3284	{491A5C07-4872-462e-8634-5D59F15CB65A}.exe
Token: SeIncBasePriorityPrivilege	1788	{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe
Token: SeIncBasePriorityPrivilege	1684	{A3B1CD79-4F1D-4a08-9FB5-02984FF64E3C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2460	2968	2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe	85
PID 2968 wrote to memory of 2460	2968	2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe	85
PID 2968 wrote to memory of 2460	2968	2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe	85
PID 2968 wrote to memory of 5088	2968	2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe	86
PID 2968 wrote to memory of 5088	2968	2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe	86
PID 2968 wrote to memory of 5088	2968	2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe	86
PID 2460 wrote to memory of 2116	2460	{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe	87
PID 2460 wrote to memory of 2116	2460	{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe	87
PID 2460 wrote to memory of 2116	2460	{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe	87
PID 2460 wrote to memory of 4344	2460	{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe	88
PID 2460 wrote to memory of 4344	2460	{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe	88
PID 2460 wrote to memory of 4344	2460	{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe	88
PID 2116 wrote to memory of 4484	2116	{2D028246-A077-46c5-9541-A889BB22AD63}.exe	90
PID 2116 wrote to memory of 4484	2116	{2D028246-A077-46c5-9541-A889BB22AD63}.exe	90
PID 2116 wrote to memory of 4484	2116	{2D028246-A077-46c5-9541-A889BB22AD63}.exe	90
PID 2116 wrote to memory of 4092	2116	{2D028246-A077-46c5-9541-A889BB22AD63}.exe	89
PID 2116 wrote to memory of 4092	2116	{2D028246-A077-46c5-9541-A889BB22AD63}.exe	89
PID 2116 wrote to memory of 4092	2116	{2D028246-A077-46c5-9541-A889BB22AD63}.exe	89
PID 4484 wrote to memory of 2232	4484	{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe	91
PID 4484 wrote to memory of 2232	4484	{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe	91
PID 4484 wrote to memory of 2232	4484	{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe	91
PID 4484 wrote to memory of 556	4484	{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe	92
PID 4484 wrote to memory of 556	4484	{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe	92
PID 4484 wrote to memory of 556	4484	{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe	92
PID 2232 wrote to memory of 3912	2232	{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe	93
PID 2232 wrote to memory of 3912	2232	{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe	93
PID 2232 wrote to memory of 3912	2232	{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe	93
PID 2232 wrote to memory of 1480	2232	{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe	94
PID 2232 wrote to memory of 1480	2232	{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe	94
PID 2232 wrote to memory of 1480	2232	{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe	94
PID 3912 wrote to memory of 2420	3912	{104C8805-5582-46ec-B006-D39BE10F2E68}.exe	95
PID 3912 wrote to memory of 2420	3912	{104C8805-5582-46ec-B006-D39BE10F2E68}.exe	95
PID 3912 wrote to memory of 2420	3912	{104C8805-5582-46ec-B006-D39BE10F2E68}.exe	95
PID 3912 wrote to memory of 2448	3912	{104C8805-5582-46ec-B006-D39BE10F2E68}.exe	96
PID 3912 wrote to memory of 2448	3912	{104C8805-5582-46ec-B006-D39BE10F2E68}.exe	96
PID 3912 wrote to memory of 2448	3912	{104C8805-5582-46ec-B006-D39BE10F2E68}.exe	96
PID 2420 wrote to memory of 3248	2420	{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe	97
PID 2420 wrote to memory of 3248	2420	{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe	97
PID 2420 wrote to memory of 3248	2420	{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe	97
PID 2420 wrote to memory of 4352	2420	{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe	98
PID 2420 wrote to memory of 4352	2420	{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe	98
PID 2420 wrote to memory of 4352	2420	{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe	98
PID 3248 wrote to memory of 3560	3248	{B2E65B51-ED65-4143-832E-784AB586B87E}.exe	99
PID 3248 wrote to memory of 3560	3248	{B2E65B51-ED65-4143-832E-784AB586B87E}.exe	99
PID 3248 wrote to memory of 3560	3248	{B2E65B51-ED65-4143-832E-784AB586B87E}.exe	99
PID 3248 wrote to memory of 2136	3248	{B2E65B51-ED65-4143-832E-784AB586B87E}.exe	100
PID 3248 wrote to memory of 2136	3248	{B2E65B51-ED65-4143-832E-784AB586B87E}.exe	100
PID 3248 wrote to memory of 2136	3248	{B2E65B51-ED65-4143-832E-784AB586B87E}.exe	100
PID 3560 wrote to memory of 3284	3560	{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe	101
PID 3560 wrote to memory of 3284	3560	{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe	101
PID 3560 wrote to memory of 3284	3560	{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe	101
PID 3560 wrote to memory of 2240	3560	{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe	102
PID 3560 wrote to memory of 2240	3560	{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe	102
PID 3560 wrote to memory of 2240	3560	{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe	102
PID 3284 wrote to memory of 1788	3284	{491A5C07-4872-462e-8634-5D59F15CB65A}.exe	103
PID 3284 wrote to memory of 1788	3284	{491A5C07-4872-462e-8634-5D59F15CB65A}.exe	103
PID 3284 wrote to memory of 1788	3284	{491A5C07-4872-462e-8634-5D59F15CB65A}.exe	103
PID 3284 wrote to memory of 3724	3284	{491A5C07-4872-462e-8634-5D59F15CB65A}.exe	104
PID 3284 wrote to memory of 3724	3284	{491A5C07-4872-462e-8634-5D59F15CB65A}.exe	104
PID 3284 wrote to memory of 3724	3284	{491A5C07-4872-462e-8634-5D59F15CB65A}.exe	104
PID 1788 wrote to memory of 1684	1788	{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe	105
PID 1788 wrote to memory of 1684	1788	{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe	105
PID 1788 wrote to memory of 1684	1788	{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe	105
PID 1788 wrote to memory of 3188	1788	{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_ee498fe9799366244d7f0f34532646e9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe
  C:\Windows\{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\{2D028246-A077-46c5-9541-A889BB22AD63}.exe
    C:\Windows\{2D028246-A077-46c5-9541-A889BB22AD63}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2D028~1.EXE > nul
      4⤵
      PID:4092
  - - C:\Windows\{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe
      C:\Windows\{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Windows\{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe
        
        C:\Windows\{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\{104C8805-5582-46ec-B006-D39BE10F2E68}.exe
        
        C:\Windows\{104C8805-5582-46ec-B006-D39BE10F2E68}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe
        
        C:\Windows\{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{B2E65B51-ED65-4143-832E-784AB586B87E}.exe
        
        C:\Windows\{B2E65B51-ED65-4143-832E-784AB586B87E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe
        
        C:\Windows\{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\{491A5C07-4872-462e-8634-5D59F15CB65A}.exe
        
        C:\Windows\{491A5C07-4872-462e-8634-5D59F15CB65A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe
        
        C:\Windows\{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\{A3B1CD79-4F1D-4a08-9FB5-02984FF64E3C}.exe
        
        C:\Windows\{A3B1CD79-4F1D-4a08-9FB5-02984FF64E3C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\{E2794C31-A032-43db-B7DC-A9D85AF3F883}.exe
        
        C:\Windows\{E2794C31-A032-43db-B7DC-A9D85AF3F883}.exe
        13⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3B1C~1.EXE > nul
        13⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCBD4~1.EXE > nul
        12⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{491A5~1.EXE > nul
        11⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23CD4~1.EXE > nul
        10⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2E65~1.EXE > nul
        9⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CFDB~1.EXE > nul
        8⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{104C8~1.EXE > nul
        7⤵
        
        PID:2448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{034C3~1.EXE > nul
        6⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C014~1.EXE > nul
        5⤵
        
        PID:556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9134E~1.EXE > nul
    3⤵
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{034C3199-5A0B-43ac-94A5-83809C1E215A}.exe

Filesize
372KB

MD5
93971e5ee1cfbfd5d794f5fbb4a2056c

SHA1
21b44ac24dd9bcc5ab54d62352de6624552f4299

SHA256
1c1142de8c4fe8d68b602d9223840a60fe6d3cc71370f5bb00c435d5a403faf6

SHA512
9e530d7e4b2132678ee35092340cf597814bfd492f0802559d30d2cc4a25c56fa5bb871ef6b2f9134b97c134083486f3e3adb31f122b102db023940aa781d724

Download Submit
C:\Windows\{0CFDB2C3-270A-4c1f-B695-D4B27380CA88}.exe

Filesize
372KB

MD5
04e344116748429a70543ec34128c5e7

SHA1
bbeae8768e570963670b5db7bb0839dcf49bf16b

SHA256
d3b307691f783fd339aa8a4237d4cc8e199f49c894afc9f11981ab18846954ce

SHA512
24bad2234fcc50617d96650b7b6cf1e887bd81735144c589dc2a316785d2cdbe733d36253e7bbc8657c66822e136e137ad29dc2a87e2899ae347d70846ab6e14

Download Submit
C:\Windows\{104C8805-5582-46ec-B006-D39BE10F2E68}.exe

Filesize
372KB

MD5
de1313b9a0c119c452c00b69db844b6b

SHA1
45b257ebaaad20a921f99bbd61046e759e5df528

SHA256
1b05685c5c043d49b2cc70134c548cc7d5b147c94df734774b1d060b5c04cfd1

SHA512
dffc31ca6c824e2f81b1d9143cedc93fc2f6d0c46cdbd52ce6634cb44ac1e1a320ef005776a79eba992881f507ba73d6cb7f0b06306da1d1493967b7f39357a7

Download Submit
C:\Windows\{1C0146A7-96AA-4b39-83AB-1D295D7E2518}.exe

Filesize
372KB

MD5
3188050321a2ef02a574dd21f8b821bf

SHA1
1de6bce2e49dca24e4e8b1eb40650c5dd38d933c

SHA256
af508ac6ea6c184d738ad3945554b62ea68d122bb103b395648b930d77254518

SHA512
4a1f852ce7bc0d7899e9395b61790c3838f9db1a644bb57e0ef175ce12fa28a44ddf8dac0c89b513a352938ba77f3b62e115921963f2eadcbfe101098b322106

Download Submit
C:\Windows\{23CD4CF9-A05B-447b-80A3-5D1C11224751}.exe

Filesize
372KB

MD5
885fa5f73355c34b59688fd742051c08

SHA1
f6e275b2c75fa9a380434ac39df04e1e1c353614

SHA256
32db3aa4f4b692d2a9a320a8f7935de36e5c48b0600c49265f22cffc120bc03f

SHA512
b92331a968c7a13a847afae4b845246105e8ee9508428587c8054aeb2a09892c9ef424c3d8b8962adf4ca3c248b6d2997fb657385fb9be3e63ff576638828f2b

Download Submit
C:\Windows\{2D028246-A077-46c5-9541-A889BB22AD63}.exe

Filesize
372KB

MD5
aadb8b74ea1bd2bc13c8903e67956658

SHA1
26df56f201e7a5273df878238ebddfeaf4998642

SHA256
0311c0837d8885775e502ad6ad28cb5a83d376383e61cf9c82657871d205c031

SHA512
75ae951a2d2fc109e39e8beb82493a6ceaf83e80276b7fbbbddf3e3e60e818dab366818855effcec030dfae736380a7c479e355d69c7cbd2ff4d598f7226fdc3

Download Submit
C:\Windows\{491A5C07-4872-462e-8634-5D59F15CB65A}.exe

Filesize
372KB

MD5
628de71ad1b8b099bc00d7a39b8e2a8c

SHA1
6912792c817d4a58d4f64304fe09525500726c51

SHA256
c52b9d86e593a3ec15aacdc691e87dedbc9e3178803d1017562722154396f220

SHA512
6f4965552be1d912873fb848877c83715de3f63cd2fbb28d58c946a15eff7d3423c4a434524ca8a8f507fa0db00ed2ecb19711354ac28c0590da89dc76e8470c

Download Submit
C:\Windows\{9134E2C1-D012-42ea-879B-EC052DDD2411}.exe

Filesize
372KB

MD5
168911555d1bd4850d97761010ebbb9d

SHA1
23751df1b69259549d26726eddebd11636b9dc11

SHA256
8aacc4fcf71cc7b6137f7c016f18cf1dffede0ee4200e276da08d3c068787f83

SHA512
7828117f02ecbe1fac251fccd6367f9fa61220a1ebae32ceda87f1b77216e98bf49438e73d3cf546548555447d64b8b66e9f61d53d6be0bb92c3410b171cec29

Download Submit
C:\Windows\{A3B1CD79-4F1D-4a08-9FB5-02984FF64E3C}.exe

Filesize
372KB

MD5
f9dd86f725ce843b1dde86b0a426ac0b

SHA1
40b382c4d761f3ac5a470ce5c12a638f860c8b9e

SHA256
e6343ab12b1fc96c43c46e4ccdf9127001a51c002e49cf27023b7b6039945cba

SHA512
0fd282942c079c1f6de5a900549a75c8ef393e0853cc993a122f086c37a03ff3ad3e61f2a5665000319b37bfd43b32111c7901f5598c99c9f0ccfc81d256a8ef

Download Submit
C:\Windows\{B2E65B51-ED65-4143-832E-784AB586B87E}.exe

Filesize
372KB

MD5
7658d449df0a5a72122149e861686c2a

SHA1
00f79fde053411ff61f1cc27afd8ecc09147709e

SHA256
b4d4db04b4b3bf8d0cffeaaab78cc96565fd58e31f5701f9c39958f2e26e3502

SHA512
5f47bb307b15ef0fd02406362b6bbbd593cb2e2698767f641ff68906adea616eb442ed7102963c3409596596c1169037f1639ad5b6d194482b899933feae6698

Download Submit
C:\Windows\{DCBD414F-0484-4ca1-87D3-271A2257512D}.exe

Filesize
372KB

MD5
ebfd25a59ffd64ad5c246069860d0410

SHA1
6f85068a4111aafa816a304f6ed9a89eaf62e293

SHA256
e386b8b56c0d60fcd0132f3ae43d7225512f45851a58700e67cdb9f3d0b70a56

SHA512
ab6fd87b69d5cde14160de243428afe6b8a106194ab8da4a8d7825c43edab6a64dd44a7e7d1ea2c6dc829fdcbdbf14928f41cd0d05418bc78a51edae1e4cf07c

Download Submit
C:\Windows\{E2794C31-A032-43db-B7DC-A9D85AF3F883}.exe

Filesize
372KB

MD5
dd7386bdf1f80b25f3e169d72969262a

SHA1
e1b4ece41ef93eea9e7ee93edbd7a3203f6461d8

SHA256
8e5b184c1bb7b0d1d0498a85628aad04b56abc737e0dc4525b7c666d2b22e509

SHA512
919e402f669743e2f099e51b72460d56b9721f10b5fab4e3558c984b3fff53eeecc6e6b3cc5b1c4dd82195d62e870785a54885a139852accb2235bca6918e5ce

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads