b4b6df39910bf0f5832e5534eeaef3116bbaea15314f9f594d274ffc28093164

Analysis

max time kernel
144s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 18:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe
Size

372KB
MD5

a74a48c48c1f360964643e7eb34b7871
SHA1

1550903768fd3433628aa8c67eeaf1a40dd3f18f
SHA256

b4b6df39910bf0f5832e5534eeaef3116bbaea15314f9f594d274ffc28093164
SHA512

72f79e3f0c63c0b8d864dfef136a6c551f95c782bb597e52384f7d86c32932433e5a0558592b8579f5f26ed6c21644d74c286a639c08ddf81632fa05842207e9
SSDEEP

3072:CEGh0oomlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGTl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023213-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023214-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023220-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000230ff-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023220-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000230ff-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023220-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230ff-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023220-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000230ff-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023218-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}\stubpath = "C:\\Windows\\{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe"	{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}	2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4350C010-3B14-42fa-894B-642F44F5CF48}\stubpath = "C:\\Windows\\{4350C010-3B14-42fa-894B-642F44F5CF48}.exe"	{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}\stubpath = "C:\\Windows\\{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe"	{4350C010-3B14-42fa-894B-642F44F5CF48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}\stubpath = "C:\\Windows\\{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe"	2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8CA8A67-B334-4e50-B550-92015BBFA456}	{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}\stubpath = "C:\\Windows\\{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe"	{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A204712-61E0-489b-92BB-32FC224EA044}	{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}	{6A204712-61E0-489b-92BB-32FC224EA044}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}\stubpath = "C:\\Windows\\{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe"	{6A204712-61E0-489b-92BB-32FC224EA044}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D0FD444-ABA1-4a9f-8F99-B2E1EFC22D32}	{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58F52727-ECEE-423a-945C-10ACF777756A}	{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FDD66EA-6E11-443b-905B-AABAA59EA82C}	{58F52727-ECEE-423a-945C-10ACF777756A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}	{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D0FD444-ABA1-4a9f-8F99-B2E1EFC22D32}\stubpath = "C:\\Windows\\{7D0FD444-ABA1-4a9f-8F99-B2E1EFC22D32}.exe"	{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4350C010-3B14-42fa-894B-642F44F5CF48}	{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}	{4350C010-3B14-42fa-894B-642F44F5CF48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}	{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A204712-61E0-489b-92BB-32FC224EA044}\stubpath = "C:\\Windows\\{6A204712-61E0-489b-92BB-32FC224EA044}.exe"	{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58F52727-ECEE-423a-945C-10ACF777756A}\stubpath = "C:\\Windows\\{58F52727-ECEE-423a-945C-10ACF777756A}.exe"	{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FDD66EA-6E11-443b-905B-AABAA59EA82C}\stubpath = "C:\\Windows\\{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe"	{58F52727-ECEE-423a-945C-10ACF777756A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8CA8A67-B334-4e50-B550-92015BBFA456}\stubpath = "C:\\Windows\\{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe"	{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe

Executes dropped EXE 11 IoCs

pid	Process
4528	{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe
3176	{58F52727-ECEE-423a-945C-10ACF777756A}.exe
2324	{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe
1228	{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe
800	{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe
4288	{4350C010-3B14-42fa-894B-642F44F5CF48}.exe
3372	{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe
4180	{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe
2024	{6A204712-61E0-489b-92BB-32FC224EA044}.exe
3864	{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe
4376	{7D0FD444-ABA1-4a9f-8F99-B2E1EFC22D32}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe	{4350C010-3B14-42fa-894B-642F44F5CF48}.exe
File created	C:\Windows\{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe	{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe
File created	C:\Windows\{6A204712-61E0-489b-92BB-32FC224EA044}.exe	{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe
File created	C:\Windows\{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe	2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe
File created	C:\Windows\{58F52727-ECEE-423a-945C-10ACF777756A}.exe	{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe
File created	C:\Windows\{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe	{58F52727-ECEE-423a-945C-10ACF777756A}.exe
File created	C:\Windows\{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe	{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe
File created	C:\Windows\{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe	{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe
File created	C:\Windows\{4350C010-3B14-42fa-894B-642F44F5CF48}.exe	{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe
File created	C:\Windows\{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe	{6A204712-61E0-489b-92BB-32FC224EA044}.exe
File created	C:\Windows\{7D0FD444-ABA1-4a9f-8F99-B2E1EFC22D32}.exe	{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	316	2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4528	{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe
Token: SeIncBasePriorityPrivilege	3176	{58F52727-ECEE-423a-945C-10ACF777756A}.exe
Token: SeIncBasePriorityPrivilege	2324	{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe
Token: SeIncBasePriorityPrivilege	1228	{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe
Token: SeIncBasePriorityPrivilege	800	{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe
Token: SeIncBasePriorityPrivilege	4288	{4350C010-3B14-42fa-894B-642F44F5CF48}.exe
Token: SeIncBasePriorityPrivilege	3372	{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe
Token: SeIncBasePriorityPrivilege	4180	{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe
Token: SeIncBasePriorityPrivilege	2024	{6A204712-61E0-489b-92BB-32FC224EA044}.exe
Token: SeIncBasePriorityPrivilege	3864	{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 4528	316	2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe	92
PID 316 wrote to memory of 4528	316	2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe	92
PID 316 wrote to memory of 4528	316	2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe	92
PID 316 wrote to memory of 3360	316	2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe	93
PID 316 wrote to memory of 3360	316	2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe	93
PID 316 wrote to memory of 3360	316	2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe	93
PID 4528 wrote to memory of 3176	4528	{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe	94
PID 4528 wrote to memory of 3176	4528	{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe	94
PID 4528 wrote to memory of 3176	4528	{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe	94
PID 4528 wrote to memory of 180	4528	{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe	95
PID 4528 wrote to memory of 180	4528	{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe	95
PID 4528 wrote to memory of 180	4528	{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe	95
PID 3176 wrote to memory of 2324	3176	{58F52727-ECEE-423a-945C-10ACF777756A}.exe	98
PID 3176 wrote to memory of 2324	3176	{58F52727-ECEE-423a-945C-10ACF777756A}.exe	98
PID 3176 wrote to memory of 2324	3176	{58F52727-ECEE-423a-945C-10ACF777756A}.exe	98
PID 3176 wrote to memory of 3216	3176	{58F52727-ECEE-423a-945C-10ACF777756A}.exe	99
PID 3176 wrote to memory of 3216	3176	{58F52727-ECEE-423a-945C-10ACF777756A}.exe	99
PID 3176 wrote to memory of 3216	3176	{58F52727-ECEE-423a-945C-10ACF777756A}.exe	99
PID 2324 wrote to memory of 1228	2324	{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe	102
PID 2324 wrote to memory of 1228	2324	{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe	102
PID 2324 wrote to memory of 1228	2324	{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe	102
PID 2324 wrote to memory of 3236	2324	{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe	103
PID 2324 wrote to memory of 3236	2324	{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe	103
PID 2324 wrote to memory of 3236	2324	{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe	103
PID 1228 wrote to memory of 800	1228	{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe	104
PID 1228 wrote to memory of 800	1228	{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe	104
PID 1228 wrote to memory of 800	1228	{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe	104
PID 1228 wrote to memory of 4792	1228	{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe	105
PID 1228 wrote to memory of 4792	1228	{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe	105
PID 1228 wrote to memory of 4792	1228	{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe	105
PID 800 wrote to memory of 4288	800	{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe	106
PID 800 wrote to memory of 4288	800	{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe	106
PID 800 wrote to memory of 4288	800	{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe	106
PID 800 wrote to memory of 828	800	{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe	107
PID 800 wrote to memory of 828	800	{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe	107
PID 800 wrote to memory of 828	800	{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe	107
PID 4288 wrote to memory of 3372	4288	{4350C010-3B14-42fa-894B-642F44F5CF48}.exe	109
PID 4288 wrote to memory of 3372	4288	{4350C010-3B14-42fa-894B-642F44F5CF48}.exe	109
PID 4288 wrote to memory of 3372	4288	{4350C010-3B14-42fa-894B-642F44F5CF48}.exe	109
PID 4288 wrote to memory of 3444	4288	{4350C010-3B14-42fa-894B-642F44F5CF48}.exe	108
PID 4288 wrote to memory of 3444	4288	{4350C010-3B14-42fa-894B-642F44F5CF48}.exe	108
PID 4288 wrote to memory of 3444	4288	{4350C010-3B14-42fa-894B-642F44F5CF48}.exe	108
PID 3372 wrote to memory of 4180	3372	{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe	111
PID 3372 wrote to memory of 4180	3372	{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe	111
PID 3372 wrote to memory of 4180	3372	{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe	111
PID 3372 wrote to memory of 4028	3372	{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe	110
PID 3372 wrote to memory of 4028	3372	{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe	110
PID 3372 wrote to memory of 4028	3372	{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe	110
PID 4180 wrote to memory of 2024	4180	{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe	112
PID 4180 wrote to memory of 2024	4180	{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe	112
PID 4180 wrote to memory of 2024	4180	{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe	112
PID 4180 wrote to memory of 4796	4180	{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe	113
PID 4180 wrote to memory of 4796	4180	{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe	113
PID 4180 wrote to memory of 4796	4180	{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe	113
PID 2024 wrote to memory of 3864	2024	{6A204712-61E0-489b-92BB-32FC224EA044}.exe	114
PID 2024 wrote to memory of 3864	2024	{6A204712-61E0-489b-92BB-32FC224EA044}.exe	114
PID 2024 wrote to memory of 3864	2024	{6A204712-61E0-489b-92BB-32FC224EA044}.exe	114
PID 2024 wrote to memory of 4032	2024	{6A204712-61E0-489b-92BB-32FC224EA044}.exe	115
PID 2024 wrote to memory of 4032	2024	{6A204712-61E0-489b-92BB-32FC224EA044}.exe	115
PID 2024 wrote to memory of 4032	2024	{6A204712-61E0-489b-92BB-32FC224EA044}.exe	115
PID 3864 wrote to memory of 4376	3864	{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe	116
PID 3864 wrote to memory of 4376	3864	{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe	116
PID 3864 wrote to memory of 4376	3864	{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe	116
PID 3864 wrote to memory of 2544	3864	{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-24_a74a48c48c1f360964643e7eb34b7871_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe
  C:\Windows\{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\{58F52727-ECEE-423a-945C-10ACF777756A}.exe
    C:\Windows\{58F52727-ECEE-423a-945C-10ACF777756A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe
      C:\Windows\{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe
        
        C:\Windows\{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
      - C:\Windows\{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe
        
        C:\Windows\{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\{4350C010-3B14-42fa-894B-642F44F5CF48}.exe
        
        C:\Windows\{4350C010-3B14-42fa-894B-642F44F5CF48}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4350C~1.EXE > nul
        8⤵
        
        PID:3444
        
        C:\Windows\{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe
        
        C:\Windows\{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62FC1~1.EXE > nul
        9⤵
        
        PID:4028
        
        C:\Windows\{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe
        
        C:\Windows\{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\{6A204712-61E0-489b-92BB-32FC224EA044}.exe
        
        C:\Windows\{6A204712-61E0-489b-92BB-32FC224EA044}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe
        
        C:\Windows\{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\{7D0FD444-ABA1-4a9f-8F99-B2E1EFC22D32}.exe
        
        C:\Windows\{7D0FD444-ABA1-4a9f-8F99-B2E1EFC22D32}.exe
        12⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C085~1.EXE > nul
        12⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A204~1.EXE > nul
        11⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8D7B~1.EXE > nul
        10⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFCAB~1.EXE > nul
        7⤵
        
        PID:828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8CA8~1.EXE > nul
        6⤵
        
        PID:4792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FDD6~1.EXE > nul
        5⤵
        
        PID:3236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58F52~1.EXE > nul
      4⤵
      PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0B9CA~1.EXE > nul
    3⤵
    PID:180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B9CA7F2-AA5E-4f6b-9669-AB59448FB029}.exe

Filesize
372KB

MD5
f655b10b1252d96d6a3348cdb641fe8b

SHA1
811c848c089efa1a0140fd0b31e75eb8da229603

SHA256
d32689f2e689110da1025591db6d38353d0d5fc13f2e43107917c14f41c7cb46

SHA512
308d8c6538f169c2055562bdc53a6040664175f4185c3f899c56bd479c8546d6e5e7a3f90ae803390780fbea4ac4d070fb795d259e1f520bcfa4681ab4564831

Download Submit
C:\Windows\{4350C010-3B14-42fa-894B-642F44F5CF48}.exe

Filesize
372KB

MD5
16c7f600deb2f0b7f761df249466ff88

SHA1
542c1a5912ac81f16ff708c99f732d14edab1dcb

SHA256
dea421c68d5877ffd602b49d7c3473fbf5d10d1dcbb6d727b423864b710e3af4

SHA512
01204dbcbc876d9a5143c50b3a65a901257dbab60c05ba48aa3f23258ad48e4cc98459c29b06d53936d188e3436fab3b68ba44a95e41622813ad3dbaa66a6cc1

Download Submit
C:\Windows\{58F52727-ECEE-423a-945C-10ACF777756A}.exe

Filesize
372KB

MD5
f044b73c2b56266b20c15f87de5dd47e

SHA1
393a140bd8e7a663895804abfa3ec856bbdd695d

SHA256
59292334f15c5bfa5aae4e21568b7c36a683d4a1ac3afda67e84a5ec206e5114

SHA512
3ce581898701362ca3daf426dc5afcbd34ca44ba873818535a75eb1dbebe8615f3b28e21e4bfbf5cda0f1383a73c330f6b2de423c8e5e814eb4fe2b8c768455e

Download Submit
C:\Windows\{62FC1382-2AB9-4f2e-A77A-AEC9E72DC746}.exe

Filesize
372KB

MD5
859136828918172d6a8aa535e2b52273

SHA1
8c214d62ddca85de2d603f2572f26713946bada1

SHA256
14a73a900d397e983efaed1505f646301ec9b757c59a31d414f2f7040d5d3928

SHA512
eaf9e776b40fb353f20fb06943bda8df4f03cdd2387e218db7eddab0b605f378518e5ac198d5942fcffa7204f1fd33cac350d6fe636e3bd16e5c8072d2d08825

Download Submit
C:\Windows\{6A204712-61E0-489b-92BB-32FC224EA044}.exe

Filesize
372KB

MD5
87c53375d60a5ba17306da5a73005a30

SHA1
467fdcc75ccba6d89c7bd13e5a6e45874fc04b85

SHA256
c74eda5f87d29075e89138cc82f6cfcd7874e0f5589b7a643db737c363c09883

SHA512
1d9ff26abf9582c03ec66fc0a93b8f845b225044a1cf551b14e96b44081dc8daa8454e0efb016ff702b900513acc734789ab58f87bfce0992e6651ec8f2c508c

Download Submit
C:\Windows\{7D0FD444-ABA1-4a9f-8F99-B2E1EFC22D32}.exe

Filesize
372KB

MD5
c4c1540b8bb35f6bfb3566c320535f38

SHA1
46f25e327591dbfb6c6dc82d39b28e033a299efd

SHA256
33916a7e600147702bdad42387b801a38d5830f9332acc99291497692c1d30e9

SHA512
49c7891c6220e60f951fee4d4516981b61bdbeb126d987c75a8ce31bf7248403309efe59e80589aae07c561288a214d2665857dd8a6276e2cf16768cd2922382

Download Submit
C:\Windows\{9C085A37-D9CB-4cf5-B68C-A3E4A26ABDB7}.exe

Filesize
372KB

MD5
d18d5c8f254a3a90946ced3fd1e07b4e

SHA1
66a751e015ed8ad5c41b903a027769fd6692bcba

SHA256
4fe39715a23f23653fc035928dc4d7bdf8c2c98e3b6c8563ce91396b5cb76cb1

SHA512
e45f16f82531a725fe051495397cc975e357dba33f0509a6d9df9b903f2b641f7d3625cfa38c4400b5ceb8793c1548dd9581ee54e40c96e06da974b3ae728e29

Download Submit
C:\Windows\{9FDD66EA-6E11-443b-905B-AABAA59EA82C}.exe

Filesize
372KB

MD5
007a974d007301dd1690cd2cc6b560ae

SHA1
f7aaba30f972f1b8e64fe2897e40bcba4da61e86

SHA256
4dbee1f0908fcb7304099bde4bc4f404b8899d4baf1f8743ad01066cb4053f74

SHA512
aa866c2e35c72bbd980ba0ad78ba536eaa8eca38cc38d4eeaa4d89443ea751803970afb4ea6b9d178cc5c73ad258fdc032cb58418fb3c3cb5fe78e70bf634f6b

Download Submit
C:\Windows\{A8CA8A67-B334-4e50-B550-92015BBFA456}.exe

Filesize
372KB

MD5
4ec3601ca73fe1f32927b8e97790febb

SHA1
f75d128ee1ab1a80bda990f62c61a1ebbcc41910

SHA256
65d54452e0c06d32f5ec54075d7996aab8fdeb7cecb6a50ac071890cf93b6002

SHA512
bc1294d3347ba132254e70ee3ec1c7a1090500f9504c047654f84bea07797703aac90188fc4fec08f4c745309802a42eabbff7898b7bf7e68bf3690cd05dcd15

Download Submit
C:\Windows\{B8D7B3B1-D846-4fd3-B9E4-A8AD4BDDCB5A}.exe

Filesize
372KB

MD5
e3079d0acdcd714fcb16abb9ce51302b

SHA1
fbcc501c5b344295bcbc0dc390e381f220977aae

SHA256
a495b4c4dca2f620933a4f670a97aebdd84a129209b09a1d8b6d415bf0e6444e

SHA512
8e528ad1e1ff073aeb772a56358943bee818c28c748c247860abac482f7aaa6211afb30c772891c187e2a49c9f96a362a02aee072a76e1cd307f41007e549a1f

Download Submit
C:\Windows\{CFCAB7E1-49C5-47b3-8456-2AE4F8C7D851}.exe

Filesize
372KB

MD5
210adcc9f24ad27b18fac479375753d6

SHA1
11bbbf973693be565ccf31c6141f26860fb0b2dd

SHA256
97c1bf3fa9eedc0a12bc577cebb6f629b05298dd96071402baff9674a26b6e47

SHA512
cba632ec5ba96c95142e286a8609e320af1053384b40813498d69933c431294884950fa4c9884826e53f041fcfeb4a30525214af56c7b49d8a1c6894d6197abc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads