fcf49dbec975e2fd56f1bf85ccaa2223c359e90ce04d4d585252dd9a63531011

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe
Size

344KB
MD5

caa4ba728f94e32a982a70c19dbac6ff
SHA1

eee4a0cbaef50cbedd7ea9dea2381c1f7f7eab10
SHA256

fcf49dbec975e2fd56f1bf85ccaa2223c359e90ce04d4d585252dd9a63531011
SHA512

fd0d65f0606ff8005391c7e4e4a3eb5a30ede706ea3020533cd58fa46d1b3e1977039254809a366586ff029992968f5a3fb8ab80fde6e9b396411db00e1596bd
SSDEEP

3072:mEGh0o4lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGqlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000230fd-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023103-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023106-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022fd8-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000022fd8-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023106-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000022fd8-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023106-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000022fd8-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023106-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000022fd8-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023106-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC96F252-5798-4093-972D-55814608A141}	{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5E64111-8216-49f2-B2B7-8FA9283D0172}\stubpath = "C:\\Windows\\{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe"	{BC96F252-5798-4093-972D-55814608A141}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18DE6951-209D-4153-9726-9382DC5D51DE}	{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}\stubpath = "C:\\Windows\\{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe"	{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5E64111-8216-49f2-B2B7-8FA9283D0172}	{BC96F252-5798-4093-972D-55814608A141}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18DE6951-209D-4153-9726-9382DC5D51DE}\stubpath = "C:\\Windows\\{18DE6951-209D-4153-9726-9382DC5D51DE}.exe"	{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}	{18DE6951-209D-4153-9726-9382DC5D51DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EF25949-87A8-4202-8777-9100A90AB9C9}	{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EF25949-87A8-4202-8777-9100A90AB9C9}\stubpath = "C:\\Windows\\{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe"	{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}	{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}	{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{999EC5CC-721C-4db3-8B3D-F90F20310DF3}	{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{999EC5CC-721C-4db3-8B3D-F90F20310DF3}\stubpath = "C:\\Windows\\{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe"	{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE710945-6C82-4ccc-BA2A-BFCE87F1DCAE}	{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE710945-6C82-4ccc-BA2A-BFCE87F1DCAE}\stubpath = "C:\\Windows\\{EE710945-6C82-4ccc-BA2A-BFCE87F1DCAE}.exe"	{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}	2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}\stubpath = "C:\\Windows\\{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe"	2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC96F252-5798-4093-972D-55814608A141}\stubpath = "C:\\Windows\\{BC96F252-5798-4093-972D-55814608A141}.exe"	{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}\stubpath = "C:\\Windows\\{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe"	{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}\stubpath = "C:\\Windows\\{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe"	{18DE6951-209D-4153-9726-9382DC5D51DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{136FBB88-225A-4b2c-9FD9-95E574267E86}	{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{136FBB88-225A-4b2c-9FD9-95E574267E86}\stubpath = "C:\\Windows\\{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe"	{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe

Executes dropped EXE 11 IoCs

pid	Process
2760	{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe
4048	{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe
4092	{BC96F252-5798-4093-972D-55814608A141}.exe
4548	{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe
4104	{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe
3584	{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe
4524	{18DE6951-209D-4153-9726-9382DC5D51DE}.exe
4156	{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe
4148	{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe
2332	{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe
4328	{EE710945-6C82-4ccc-BA2A-BFCE87F1DCAE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe	{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe
File created	C:\Windows\{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe	{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe
File created	C:\Windows\{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe	{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe
File created	C:\Windows\{18DE6951-209D-4153-9726-9382DC5D51DE}.exe	{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe
File created	C:\Windows\{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe	{18DE6951-209D-4153-9726-9382DC5D51DE}.exe
File created	C:\Windows\{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe	2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe
File created	C:\Windows\{BC96F252-5798-4093-972D-55814608A141}.exe	{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe
File created	C:\Windows\{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe	{BC96F252-5798-4093-972D-55814608A141}.exe
File created	C:\Windows\{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe	{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe
File created	C:\Windows\{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe	{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe
File created	C:\Windows\{EE710945-6C82-4ccc-BA2A-BFCE87F1DCAE}.exe	{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	212	2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2760	{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe
Token: SeIncBasePriorityPrivilege	4048	{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe
Token: SeIncBasePriorityPrivilege	4092	{BC96F252-5798-4093-972D-55814608A141}.exe
Token: SeIncBasePriorityPrivilege	4548	{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe
Token: SeIncBasePriorityPrivilege	4104	{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe
Token: SeIncBasePriorityPrivilege	3584	{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe
Token: SeIncBasePriorityPrivilege	4524	{18DE6951-209D-4153-9726-9382DC5D51DE}.exe
Token: SeIncBasePriorityPrivilege	4156	{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe
Token: SeIncBasePriorityPrivilege	4148	{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe
Token: SeIncBasePriorityPrivilege	2332	{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2760	212	2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe	88
PID 212 wrote to memory of 2760	212	2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe	88
PID 212 wrote to memory of 2760	212	2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe	88
PID 212 wrote to memory of 500	212	2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe	89
PID 212 wrote to memory of 500	212	2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe	89
PID 212 wrote to memory of 500	212	2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe	89
PID 2760 wrote to memory of 4048	2760	{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe	92
PID 2760 wrote to memory of 4048	2760	{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe	92
PID 2760 wrote to memory of 4048	2760	{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe	92
PID 2760 wrote to memory of 4900	2760	{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe	93
PID 2760 wrote to memory of 4900	2760	{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe	93
PID 2760 wrote to memory of 4900	2760	{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe	93
PID 4048 wrote to memory of 4092	4048	{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe	94
PID 4048 wrote to memory of 4092	4048	{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe	94
PID 4048 wrote to memory of 4092	4048	{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe	94
PID 4048 wrote to memory of 852	4048	{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe	95
PID 4048 wrote to memory of 852	4048	{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe	95
PID 4048 wrote to memory of 852	4048	{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe	95
PID 4092 wrote to memory of 4548	4092	{BC96F252-5798-4093-972D-55814608A141}.exe	98
PID 4092 wrote to memory of 4548	4092	{BC96F252-5798-4093-972D-55814608A141}.exe	98
PID 4092 wrote to memory of 4548	4092	{BC96F252-5798-4093-972D-55814608A141}.exe	98
PID 4092 wrote to memory of 688	4092	{BC96F252-5798-4093-972D-55814608A141}.exe	99
PID 4092 wrote to memory of 688	4092	{BC96F252-5798-4093-972D-55814608A141}.exe	99
PID 4092 wrote to memory of 688	4092	{BC96F252-5798-4093-972D-55814608A141}.exe	99
PID 4548 wrote to memory of 4104	4548	{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe	100
PID 4548 wrote to memory of 4104	4548	{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe	100
PID 4548 wrote to memory of 4104	4548	{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe	100
PID 4548 wrote to memory of 3332	4548	{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe	101
PID 4548 wrote to memory of 3332	4548	{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe	101
PID 4548 wrote to memory of 3332	4548	{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe	101
PID 4104 wrote to memory of 3584	4104	{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe	102
PID 4104 wrote to memory of 3584	4104	{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe	102
PID 4104 wrote to memory of 3584	4104	{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe	102
PID 4104 wrote to memory of 3164	4104	{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe	103
PID 4104 wrote to memory of 3164	4104	{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe	103
PID 4104 wrote to memory of 3164	4104	{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe	103
PID 3584 wrote to memory of 4524	3584	{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe	104
PID 3584 wrote to memory of 4524	3584	{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe	104
PID 3584 wrote to memory of 4524	3584	{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe	104
PID 3584 wrote to memory of 1992	3584	{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe	105
PID 3584 wrote to memory of 1992	3584	{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe	105
PID 3584 wrote to memory of 1992	3584	{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe	105
PID 4524 wrote to memory of 4156	4524	{18DE6951-209D-4153-9726-9382DC5D51DE}.exe	106
PID 4524 wrote to memory of 4156	4524	{18DE6951-209D-4153-9726-9382DC5D51DE}.exe	106
PID 4524 wrote to memory of 4156	4524	{18DE6951-209D-4153-9726-9382DC5D51DE}.exe	106
PID 4524 wrote to memory of 4632	4524	{18DE6951-209D-4153-9726-9382DC5D51DE}.exe	107
PID 4524 wrote to memory of 4632	4524	{18DE6951-209D-4153-9726-9382DC5D51DE}.exe	107
PID 4524 wrote to memory of 4632	4524	{18DE6951-209D-4153-9726-9382DC5D51DE}.exe	107
PID 4156 wrote to memory of 4148	4156	{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe	108
PID 4156 wrote to memory of 4148	4156	{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe	108
PID 4156 wrote to memory of 4148	4156	{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe	108
PID 4156 wrote to memory of 4820	4156	{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe	109
PID 4156 wrote to memory of 4820	4156	{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe	109
PID 4156 wrote to memory of 4820	4156	{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe	109
PID 4148 wrote to memory of 2332	4148	{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe	110
PID 4148 wrote to memory of 2332	4148	{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe	110
PID 4148 wrote to memory of 2332	4148	{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe	110
PID 4148 wrote to memory of 1580	4148	{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe	111
PID 4148 wrote to memory of 1580	4148	{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe	111
PID 4148 wrote to memory of 1580	4148	{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe	111
PID 2332 wrote to memory of 4328	2332	{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe	112
PID 2332 wrote to memory of 4328	2332	{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe	112
PID 2332 wrote to memory of 4328	2332	{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe	112
PID 2332 wrote to memory of 2508	2332	{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_caa4ba728f94e32a982a70c19dbac6ff_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe
  C:\Windows\{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe
    C:\Windows\{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\{BC96F252-5798-4093-972D-55814608A141}.exe
      C:\Windows\{BC96F252-5798-4093-972D-55814608A141}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Windows\{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe
        
        C:\Windows\{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
      - C:\Windows\{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe
        
        C:\Windows\{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe
        
        C:\Windows\{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\{18DE6951-209D-4153-9726-9382DC5D51DE}.exe
        
        C:\Windows\{18DE6951-209D-4153-9726-9382DC5D51DE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe
        
        C:\Windows\{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe
        
        C:\Windows\{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe
        
        C:\Windows\{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{EE710945-6C82-4ccc-BA2A-BFCE87F1DCAE}.exe
        
        C:\Windows\{EE710945-6C82-4ccc-BA2A-BFCE87F1DCAE}.exe
        12⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EF25~1.EXE > nul
        12⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{136FB~1.EXE > nul
        11⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEF92~1.EXE > nul
        10⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18DE6~1.EXE > nul
        9⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{999EC~1.EXE > nul
        8⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55AE2~1.EXE > nul
        7⤵
        
        PID:3164
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5E64~1.EXE > nul
        6⤵
        
        PID:3332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC96F~1.EXE > nul
        5⤵
        
        PID:688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CF65B~1.EXE > nul
      4⤵
      PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{035E7~1.EXE > nul
    3⤵
    PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{035E7B3F-CF8D-4c62-BC8C-3E390C1D7B67}.exe

Filesize
344KB

MD5
ee1d43fc3e5b43e52d98f195820a8dc6

SHA1
f98a55d32f159afe9055f1e7ab6f9bd328f4fa31

SHA256
bacaf61dd5f5ddd9796830416114d08f30e3d8ac5fbbff172b26f5ce6820da8c

SHA512
ac68ead35804dd55bc84921d5602fd535554c81c7d39d2f0af454505fd465d3fd274d5e6edc5436fc46ce02267d8cf0aaa5566673839381c342b66c8ce38bba4

Download Submit
C:\Windows\{136FBB88-225A-4b2c-9FD9-95E574267E86}.exe

Filesize
344KB

MD5
d05d99712aa49f6e320f0efaec3ba3c1

SHA1
d0013b11f72bde8f3fd9d005d616a88acc9d8246

SHA256
761ef0f60b8724184dff88bce7349df1b6d3de7a6b184d3f5e9ea3fade48601d

SHA512
06d0172e9277af24355a02be803e8dfd6b5b95cb0df3fcd2104b3e1d139150b485bcc693c3331a0ad1c3e9eb8c4c15ae62417a04edf559915cfa07735d5f53d6

Download Submit
C:\Windows\{18DE6951-209D-4153-9726-9382DC5D51DE}.exe

Filesize
344KB

MD5
3751aef21a862a60f70169d999e833c3

SHA1
cb65a0fc830bd5349b0d6e106f44e860c1dc055b

SHA256
24a8c31781ec9861e72a73068de20b47c3af1acae4e7e102b492306878c34da5

SHA512
f1fdd84bf799aae8bf9fcf7e10b29d75e24cf99f9d6c67ad8e91e92ffc87953884c758552bd1195b20d0bacd3b8a09b8a82dbf513e758223669d277efb416a1c

Download Submit
C:\Windows\{55AE27D2-34E6-42b9-B45F-52EA3D872F0A}.exe

Filesize
344KB

MD5
2e1b640b2061767bf844e278fb434c72

SHA1
3ab52b430e85092c7afad7b9fd95dd70a2202495

SHA256
31c956041d5f6b1f4fbd0787468f7ec1e7db3178caaa1fec85c5bce8045de770

SHA512
1200845bb6c2fbbe6bfc75f988d4342e68a95b7fe57679ae250cb9437965cfd8dedc9a1e0624b3527e054dcaf65715839e0e47799d890687673523b66e6bbf41

Download Submit
C:\Windows\{7EF25949-87A8-4202-8777-9100A90AB9C9}.exe

Filesize
344KB

MD5
bb20de4b73da96967dd7edc2e06a2df0

SHA1
73266a29a5bdaba6f1f86ade4a8cdca9b1e88912

SHA256
b0144a0b2e6dd5bf7ac08ab6089938177a76b06248b1b43b125ee55922a41939

SHA512
e5ac4dcee3fb5d3737008a0725f477daf21564a6776eb5c7251d4b3bb4a4be9433862aad6f9fc1cc9abbdf6a7355e52b43e56927e72367756cc99700bb4b3cd6

Download Submit
C:\Windows\{999EC5CC-721C-4db3-8B3D-F90F20310DF3}.exe

Filesize
344KB

MD5
e66cde2bce6c1669055b714fc5928579

SHA1
2071e0f029232f1dfa89bd78c6498e40abbd3a71

SHA256
b3806a354ba09cabd31535ff34eabc5ee0747a1a13e15527fac5fc7346715d33

SHA512
8757f693ca9f901492581c37d7583cd44756170675b509860504e313a206317565bbd47daf1a0524493564b342ea8c79dbbb06f1d875dd2398b20dc481525824

Download Submit
C:\Windows\{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe

Filesize
344KB

MD5
b1eb464772c49b17c4a5145a72dedb67

SHA1
8b229673fa2d3b4b8bb2790495dae90ed71a6b81

SHA256
95f6c7658d0beaa83f6bc48869ce0552a143eae561651b21c3debc3b02797391

SHA512
a18fcc60dce1be6708517917c89e7188855830e84a5a6ed298bc715fe73205d42689daeb41f1067a11c3a5eb64ff3d90f8487386a0b534ec2871a14463253cee

Download Submit
C:\Windows\{A5E64111-8216-49f2-B2B7-8FA9283D0172}.exe

Filesize
281KB

MD5
cab2697400c0a4045c8e0f3d01ca4628

SHA1
570fbdf9283136f006043c3950745766046ca519

SHA256
be5323443edf025bc991ad3ec2b99afd3a3362a82cd304580a9dbc985223b5a3

SHA512
373bc3fed620b937c83b60e0fac8353969dd69c991ba5424810300e251224eff41782d82474b844f59745e8b1d3735a6d3039ae29856b7f02e1187213872fb9a

Download Submit
C:\Windows\{BC96F252-5798-4093-972D-55814608A141}.exe

Filesize
344KB

MD5
d676fca7955e533aab0ac218fa532c4f

SHA1
6b44bbf513eca689e782b7ef0082a13dcd538135

SHA256
d42781dbea401ce5ac44ae2833060bc329dd52299ad17f31e6b7e448dbcde12d

SHA512
084d6c52affb066e0b95a6b0c823ddbd0314ebaa4ad736555c74fa683d4635ec72beb3464db1357115c600dcdc01e942b4b7007399476d271bfbe8faf90b7a9b

Download Submit
C:\Windows\{CEF92F4F-A76A-4fdf-B805-DE57BCA2335E}.exe

Filesize
344KB

MD5
0ab534192802ff613e77d05757900328

SHA1
5cf5cc3c8274f542df5017352aba24ea7a57b154

SHA256
7fc4530e97de2bedfb110b25cdc7b61938bbb3044d1ad15c8776b03029af1999

SHA512
d882b723c678f0bed75c79acb50f7df10f9ea8a922864fc4b21291273bf503fd706d13c77712bd48a706fd27ec5f04ba6921dd92c58c11d9bcc0cd254b89ea0d

Download Submit
C:\Windows\{CF65B2AB-EB5B-43c1-9D64-EC4A0111D575}.exe

Filesize
344KB

MD5
078d76395a5a6c18c9ce1903462644f9

SHA1
ca8788e6a9cbb1fb13aad97c507e338c85721e19

SHA256
11aaae7e7b3d9b593751c813871f181d500f53572c4bb941f67d52be8a22c969

SHA512
908dfb79f00fa2b7c1d031ab4de88ca068aca34e7f16513c2d00257d0f3f305197197d8c9233bcaa508b879a57b097c479b2169921e7e3d3b94932641a8eb977

Download Submit
C:\Windows\{EE710945-6C82-4ccc-BA2A-BFCE87F1DCAE}.exe

Filesize
344KB

MD5
bfb1684ea8b93895565cb253a43c3df4

SHA1
f78c85f53e7890b40444ffa63c43767e336b0381

SHA256
3efc6d393b836dd47ce3ade632ed15a66055b80b14bcf1f0ba5603f1f2c40be1

SHA512
5a37131eb0e6efb4593d5d6ea1b6b21409782c1e95c65c172960f69a8bd009180b82ce4bedfb8142ba292567879bf02d146190d272034997d0649783dfee37c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads