74fc88fb6086dda112302a91e0b180c853b3632c646ab35d7f46926f4728f810

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe
Size

408KB
MD5

1c30e8576665116797808f923c00bace
SHA1

e6795570149c5617a958b03e0a7e378a31509966
SHA256

74fc88fb6086dda112302a91e0b180c853b3632c646ab35d7f46926f4728f810
SHA512

4316ecdbba240468e02392bf0a7a384e11226cf728a6cd0c89c7eca140c78cdb50c45bdb1e20a56e04863aa7859e622527c2e64e946e237b67468ad788d95b2d
SSDEEP

3072:CEGh0oMl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGWldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023214-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023214-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023215-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016927-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023215-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000016927-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023215-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000016927-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023215-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000016927-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023215-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000016927-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023215-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69E72F56-20C9-403e-BD69-C3E88B073B6C}	{08409513-D2D7-4c2a-899A-9F6590170A68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17FF5BE5-AF47-4285-BF30-0BC9245C0394}	{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73B5BE5E-F416-4c88-A9CE-A090B028E089}	{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E58F8677-076F-4431-990D-AA50DD691F22}	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E58F8677-076F-4431-990D-AA50DD691F22}\stubpath = "C:\\Windows\\{E58F8677-076F-4431-990D-AA50DD691F22}.exe"	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08409513-D2D7-4c2a-899A-9F6590170A68}	{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF296E38-7E78-41bd-8754-EA71BACC4F13}	{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A328556-D303-4832-AD2E-9450EA4FE0C7}	{737AC202-3065-49a9-A2EA-D2901D138119}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8193D59-D611-4d66-A03E-AA020E1C3A6D}\stubpath = "C:\\Windows\\{A8193D59-D611-4d66-A03E-AA020E1C3A6D}.exe"	{F69EF639-0A9D-4445-A963-E1B504CD1C46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15E43474-7D86-4da4-AE0E-23D2C604B15B}	{E58F8677-076F-4431-990D-AA50DD691F22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15E43474-7D86-4da4-AE0E-23D2C604B15B}\stubpath = "C:\\Windows\\{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe"	{E58F8677-076F-4431-990D-AA50DD691F22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69E72F56-20C9-403e-BD69-C3E88B073B6C}\stubpath = "C:\\Windows\\{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe"	{08409513-D2D7-4c2a-899A-9F6590170A68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF296E38-7E78-41bd-8754-EA71BACC4F13}\stubpath = "C:\\Windows\\{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe"	{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73B5BE5E-F416-4c88-A9CE-A090B028E089}\stubpath = "C:\\Windows\\{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe"	{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F69EF639-0A9D-4445-A963-E1B504CD1C46}\stubpath = "C:\\Windows\\{F69EF639-0A9D-4445-A963-E1B504CD1C46}.exe"	{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F69EF639-0A9D-4445-A963-E1B504CD1C46}	{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51AD14E1-5498-48a0-B7EB-120629BF29B2}	{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51AD14E1-5498-48a0-B7EB-120629BF29B2}\stubpath = "C:\\Windows\\{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe"	{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08409513-D2D7-4c2a-899A-9F6590170A68}\stubpath = "C:\\Windows\\{08409513-D2D7-4c2a-899A-9F6590170A68}.exe"	{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17FF5BE5-AF47-4285-BF30-0BC9245C0394}\stubpath = "C:\\Windows\\{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe"	{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{737AC202-3065-49a9-A2EA-D2901D138119}	{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{737AC202-3065-49a9-A2EA-D2901D138119}\stubpath = "C:\\Windows\\{737AC202-3065-49a9-A2EA-D2901D138119}.exe"	{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A328556-D303-4832-AD2E-9450EA4FE0C7}\stubpath = "C:\\Windows\\{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe"	{737AC202-3065-49a9-A2EA-D2901D138119}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8193D59-D611-4d66-A03E-AA020E1C3A6D}	{F69EF639-0A9D-4445-A963-E1B504CD1C46}.exe

Executes dropped EXE 12 IoCs

pid	Process
2096	{E58F8677-076F-4431-990D-AA50DD691F22}.exe
892	{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe
2616	{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe
3932	{08409513-D2D7-4c2a-899A-9F6590170A68}.exe
3972	{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe
4532	{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe
116	{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe
1248	{737AC202-3065-49a9-A2EA-D2901D138119}.exe
4844	{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe
4368	{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe
3148	{F69EF639-0A9D-4445-A963-E1B504CD1C46}.exe
4868	{A8193D59-D611-4d66-A03E-AA020E1C3A6D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E58F8677-076F-4431-990D-AA50DD691F22}.exe	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe
File created	C:\Windows\{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe	{E58F8677-076F-4431-990D-AA50DD691F22}.exe
File created	C:\Windows\{08409513-D2D7-4c2a-899A-9F6590170A68}.exe	{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe
File created	C:\Windows\{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe	{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe
File created	C:\Windows\{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe	{737AC202-3065-49a9-A2EA-D2901D138119}.exe
File created	C:\Windows\{F69EF639-0A9D-4445-A963-E1B504CD1C46}.exe	{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe
File created	C:\Windows\{A8193D59-D611-4d66-A03E-AA020E1C3A6D}.exe	{F69EF639-0A9D-4445-A963-E1B504CD1C46}.exe
File created	C:\Windows\{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe	{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe
File created	C:\Windows\{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe	{08409513-D2D7-4c2a-899A-9F6590170A68}.exe
File created	C:\Windows\{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe	{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe
File created	C:\Windows\{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe	{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe
File created	C:\Windows\{737AC202-3065-49a9-A2EA-D2901D138119}.exe	{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5080	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2096	{E58F8677-076F-4431-990D-AA50DD691F22}.exe
Token: SeIncBasePriorityPrivilege	892	{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe
Token: SeIncBasePriorityPrivilege	2616	{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe
Token: SeIncBasePriorityPrivilege	3932	{08409513-D2D7-4c2a-899A-9F6590170A68}.exe
Token: SeIncBasePriorityPrivilege	3972	{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe
Token: SeIncBasePriorityPrivilege	4532	{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe
Token: SeIncBasePriorityPrivilege	116	{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe
Token: SeIncBasePriorityPrivilege	1248	{737AC202-3065-49a9-A2EA-D2901D138119}.exe
Token: SeIncBasePriorityPrivilege	4844	{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe
Token: SeIncBasePriorityPrivilege	4368	{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe
Token: SeIncBasePriorityPrivilege	3148	{F69EF639-0A9D-4445-A963-E1B504CD1C46}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 2096	5080	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	93
PID 5080 wrote to memory of 2096	5080	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	93
PID 5080 wrote to memory of 2096	5080	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	93
PID 5080 wrote to memory of 2800	5080	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	94
PID 5080 wrote to memory of 2800	5080	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	94
PID 5080 wrote to memory of 2800	5080	2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe	94
PID 2096 wrote to memory of 892	2096	{E58F8677-076F-4431-990D-AA50DD691F22}.exe	95
PID 2096 wrote to memory of 892	2096	{E58F8677-076F-4431-990D-AA50DD691F22}.exe	95
PID 2096 wrote to memory of 892	2096	{E58F8677-076F-4431-990D-AA50DD691F22}.exe	95
PID 2096 wrote to memory of 4728	2096	{E58F8677-076F-4431-990D-AA50DD691F22}.exe	96
PID 2096 wrote to memory of 4728	2096	{E58F8677-076F-4431-990D-AA50DD691F22}.exe	96
PID 2096 wrote to memory of 4728	2096	{E58F8677-076F-4431-990D-AA50DD691F22}.exe	96
PID 892 wrote to memory of 2616	892	{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe	100
PID 892 wrote to memory of 2616	892	{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe	100
PID 892 wrote to memory of 2616	892	{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe	100
PID 892 wrote to memory of 1908	892	{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe	101
PID 892 wrote to memory of 1908	892	{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe	101
PID 892 wrote to memory of 1908	892	{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe	101
PID 2616 wrote to memory of 3932	2616	{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe	102
PID 2616 wrote to memory of 3932	2616	{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe	102
PID 2616 wrote to memory of 3932	2616	{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe	102
PID 2616 wrote to memory of 4752	2616	{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe	103
PID 2616 wrote to memory of 4752	2616	{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe	103
PID 2616 wrote to memory of 4752	2616	{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe	103
PID 3932 wrote to memory of 3972	3932	{08409513-D2D7-4c2a-899A-9F6590170A68}.exe	104
PID 3932 wrote to memory of 3972	3932	{08409513-D2D7-4c2a-899A-9F6590170A68}.exe	104
PID 3932 wrote to memory of 3972	3932	{08409513-D2D7-4c2a-899A-9F6590170A68}.exe	104
PID 3932 wrote to memory of 4156	3932	{08409513-D2D7-4c2a-899A-9F6590170A68}.exe	105
PID 3932 wrote to memory of 4156	3932	{08409513-D2D7-4c2a-899A-9F6590170A68}.exe	105
PID 3932 wrote to memory of 4156	3932	{08409513-D2D7-4c2a-899A-9F6590170A68}.exe	105
PID 3972 wrote to memory of 4532	3972	{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe	106
PID 3972 wrote to memory of 4532	3972	{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe	106
PID 3972 wrote to memory of 4532	3972	{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe	106
PID 3972 wrote to memory of 2136	3972	{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe	107
PID 3972 wrote to memory of 2136	3972	{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe	107
PID 3972 wrote to memory of 2136	3972	{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe	107
PID 4532 wrote to memory of 116	4532	{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe	108
PID 4532 wrote to memory of 116	4532	{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe	108
PID 4532 wrote to memory of 116	4532	{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe	108
PID 4532 wrote to memory of 3452	4532	{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe	109
PID 4532 wrote to memory of 3452	4532	{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe	109
PID 4532 wrote to memory of 3452	4532	{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe	109
PID 116 wrote to memory of 1248	116	{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe	110
PID 116 wrote to memory of 1248	116	{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe	110
PID 116 wrote to memory of 1248	116	{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe	110
PID 116 wrote to memory of 1096	116	{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe	111
PID 116 wrote to memory of 1096	116	{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe	111
PID 116 wrote to memory of 1096	116	{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe	111
PID 1248 wrote to memory of 4844	1248	{737AC202-3065-49a9-A2EA-D2901D138119}.exe	112
PID 1248 wrote to memory of 4844	1248	{737AC202-3065-49a9-A2EA-D2901D138119}.exe	112
PID 1248 wrote to memory of 4844	1248	{737AC202-3065-49a9-A2EA-D2901D138119}.exe	112
PID 1248 wrote to memory of 3792	1248	{737AC202-3065-49a9-A2EA-D2901D138119}.exe	113
PID 1248 wrote to memory of 3792	1248	{737AC202-3065-49a9-A2EA-D2901D138119}.exe	113
PID 1248 wrote to memory of 3792	1248	{737AC202-3065-49a9-A2EA-D2901D138119}.exe	113
PID 4844 wrote to memory of 4368	4844	{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe	114
PID 4844 wrote to memory of 4368	4844	{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe	114
PID 4844 wrote to memory of 4368	4844	{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe	114
PID 4844 wrote to memory of 4248	4844	{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe	115
PID 4844 wrote to memory of 4248	4844	{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe	115
PID 4844 wrote to memory of 4248	4844	{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe	115
PID 4368 wrote to memory of 3148	4368	{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe	117
PID 4368 wrote to memory of 3148	4368	{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe	117
PID 4368 wrote to memory of 3148	4368	{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe	117
PID 4368 wrote to memory of 4120	4368	{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-27_1c30e8576665116797808f923c00bace_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\{E58F8677-076F-4431-990D-AA50DD691F22}.exe
  C:\Windows\{E58F8677-076F-4431-990D-AA50DD691F22}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe
    C:\Windows\{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe
      C:\Windows\{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\{08409513-D2D7-4c2a-899A-9F6590170A68}.exe
        
        C:\Windows\{08409513-D2D7-4c2a-899A-9F6590170A68}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
      - C:\Windows\{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe
        
        C:\Windows\{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe
        
        C:\Windows\{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe
        
        C:\Windows\{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\{737AC202-3065-49a9-A2EA-D2901D138119}.exe
        
        C:\Windows\{737AC202-3065-49a9-A2EA-D2901D138119}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe
        
        C:\Windows\{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe
        
        C:\Windows\{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73B5B~1.EXE > nul
        12⤵
        
        PID:4120
        
        C:\Windows\{F69EF639-0A9D-4445-A963-E1B504CD1C46}.exe
        
        C:\Windows\{F69EF639-0A9D-4445-A963-E1B504CD1C46}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
        
        C:\Windows\{A8193D59-D611-4d66-A03E-AA020E1C3A6D}.exe
        
        C:\Windows\{A8193D59-D611-4d66-A03E-AA020E1C3A6D}.exe
        13⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F69EF~1.EXE > nul
        13⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A328~1.EXE > nul
        11⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{737AC~1.EXE > nul
        10⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF296~1.EXE > nul
        9⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17FF5~1.EXE > nul
        8⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69E72~1.EXE > nul
        7⤵
        
        PID:2136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08409~1.EXE > nul
        6⤵
        
        PID:4156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51AD1~1.EXE > nul
        5⤵
        
        PID:4752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{15E43~1.EXE > nul
      4⤵
      PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E58F8~1.EXE > nul
    3⤵
    PID:4728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08409513-D2D7-4c2a-899A-9F6590170A68}.exe

Filesize
408KB

MD5
6a209684569d0559f4267a9fccef805f

SHA1
de561e426faaf4463e414b39159837c4de65484a

SHA256
c7e36441e3822d589718123f07c5a412eb962453557fb47f64089a222b721e6d

SHA512
9359220f75cbef6f2e155fed9e681cbf8656b36cd7579c46c10af248a43e2dbf17589201a58be62e68306f3796fdf4202c3bb210399e3c2c5511517975c1142b

Download Submit
C:\Windows\{15E43474-7D86-4da4-AE0E-23D2C604B15B}.exe

Filesize
408KB

MD5
888a8533114124785c20be3c9f0ca91c

SHA1
b78d44ba6567ee7588b282d59120610b94a5b7f1

SHA256
7d516b809a93049510e7b17e031ec647a5770c1c42241d2aa57185f31b2a9fb5

SHA512
c661e7d2ad89370cb81df92f42b445113debffc7ebbb3994700ecb7779fb812c288c8cada7a59d93b21af3b01e45cdfc868f6c0960031a180b8dd86d1d4e781f

Download Submit
C:\Windows\{17FF5BE5-AF47-4285-BF30-0BC9245C0394}.exe

Filesize
408KB

MD5
71d09946618f0decc05b3dff590e8b35

SHA1
401dbde52a8991d0e112c641773bff22679a3ab7

SHA256
d52ed3964667d9a826ae1ed9599bb4fe4feafad28d69ada6ea7014f1b84aa1df

SHA512
6dbe1a9d09439f2b10bc01d850c563aff51ac3c556d5249e4b363d2f305221d0ebf99e280441e5b93b038fec643486971539f5c0d56b4aaefc5877a12d47200c

Download Submit
C:\Windows\{51AD14E1-5498-48a0-B7EB-120629BF29B2}.exe

Filesize
408KB

MD5
6dadbab9f6f612529c144838224fb2f3

SHA1
c5e88af72348cb61b390c7ae94eaac8828c6682e

SHA256
17bb766d92926dc7fc80db038961a0e933aca5842d803385a348d3ae3c13dade

SHA512
9a70720d0f34c285ffe8358c008399202f5d572555e8759f88361a63c37d1c6d8328dddf5ffe20b59e842e7371c875c50b3d242f562152b61ed603a9c7483b45

Download Submit
C:\Windows\{69E72F56-20C9-403e-BD69-C3E88B073B6C}.exe

Filesize
408KB

MD5
6bba410a8828f73dc039e9e3142bb19a

SHA1
a88c9c49bf75de473e032d1e58faa1069e3ed604

SHA256
482e64d7ef486662de778f84c2c6776df81d66aacdb7821d99d5c08808d513a7

SHA512
81e3e27b83a1da89608d451a516d2cb7bae8976e8800cffa33e6f6bd92ae795bc3326a7725e498362dcbf827d52d516de0bd80d60d179457ed506fcc3aba742f

Download Submit
C:\Windows\{737AC202-3065-49a9-A2EA-D2901D138119}.exe

Filesize
408KB

MD5
732b54c466d13c330ba0dd2554b58e5b

SHA1
92c6dd39750a9d3a791524ad529c48dd51581ab4

SHA256
64a93066457747e08cee983bc307a10eba0880a1a35730b93960f89288e5f745

SHA512
0967aa5a5b9a5215bba49e5bbb2529bb5bb9dfee157c065e5ea56a92c7af4ed229da4e71cb7e09b12d2ff922635d36e00f7615f4b2fe4554833975932dd10fe0

Download Submit
C:\Windows\{73B5BE5E-F416-4c88-A9CE-A090B028E089}.exe

Filesize
408KB

MD5
5d4c29ff3fd0660e371bfac18905096e

SHA1
2362bc8ffa7b862602bf396bb370c14ecf5be21c

SHA256
cad0117af02c286f1f0290c9499c2af0b920a6f341e3fea3cefde8ce4b224b1e

SHA512
7a18451eaa7cacd64e4a274c2ddf1b50dd7854c4648f381655cf07e6099cff9387d2da0e115796203ccd445d3c657d41c31ef7f7aec6d14a8f6474331b4a32ad

Download Submit
C:\Windows\{7A328556-D303-4832-AD2E-9450EA4FE0C7}.exe

Filesize
408KB

MD5
92fa9c7f399c36d175d5cca3bf657c1b

SHA1
0178007f920ef970537d95fe29d26656617e8a17

SHA256
0e4150766fb1e19c9f71fb8895786603e54347a69d9f4fdfc387b2611083e4d5

SHA512
a123c74f199c6f783bfb2f123b341a9444062e6031cb194993c756193c7fcab6d8a87dc41284c564f3ebf18ee6b3d5b2e00a189dee9810baec00d3a70d9d99f9

Download Submit
C:\Windows\{A8193D59-D611-4d66-A03E-AA020E1C3A6D}.exe

Filesize
408KB

MD5
0f2603e6f60474826947fa576de63a23

SHA1
1c34c70b298388a73397bee3fe0559d4cd6576ce

SHA256
f29cdefde12da1a012ac31f3cc4331eadf5baef4992db3f2e0d97510edbe9700

SHA512
6664b6ad49bb2ab34f62e435045f53b67289796bea0e15750bc6b1d0333c6e0498c497f7dc14dbf5b4d61bec5c9f08f357bdf64b50d82e13b5e499451f50c36e

Download Submit
C:\Windows\{E58F8677-076F-4431-990D-AA50DD691F22}.exe

Filesize
54KB

MD5
eabb1cd7b766ca436ae70def0c91a12e

SHA1
124d695f98dab6506a1d85d51b77e05c6ef15c1e

SHA256
7730a297100022720892dde44abd2a1b16aa6b4352418a992ebf70cecd18ddff

SHA512
c42cd6762c37bf14d516ec81dd796c8fa15ba559e9822885287500b7fd2ebc433833b244a443b2714aec28003939604318ecc9518679a87e13f43b6c836616cd

Download Submit
C:\Windows\{E58F8677-076F-4431-990D-AA50DD691F22}.exe

Filesize
408KB

MD5
c2964b042f8208632eb153dfad2d01fb

SHA1
e175510a6cd28a6123a568ca76ac2e0b0075807d

SHA256
bc4702fdbded15c773ce5ec6a79a51592ceab5bfea1d710fd316b345ec22c2a3

SHA512
fd686952b9a89f24b229798612b027073ac9ff6861b560ad40a2dc75978eb61e30a4ae52b64f7d3963cd2a552876accf48c6d83598d5d0259026d3f72dc4b095

Download Submit
C:\Windows\{F69EF639-0A9D-4445-A963-E1B504CD1C46}.exe

Filesize
408KB

MD5
3c86a2afa6f146382afc7e4c16412f8f

SHA1
da007c0827543e9a387d6f9176b4870c3b264c98

SHA256
d38ace6182e145c8e19d903ec328d48f698d1c848babd4b0824a76fddeeb5d62

SHA512
5cac0c5b5948705cf48fed050a50a6777cee9008c646e3825a117c9e00699e47caac99f43e4d93f31f073fd70d6cadb308dd5b1465b5594c901c9611da90fb7d

Download Submit
C:\Windows\{FF296E38-7E78-41bd-8754-EA71BACC4F13}.exe

Filesize
408KB

MD5
07bb11ad5f7473bf029e7e5e226aea3c

SHA1
3cc2e25e523ccc97f170d855b055c3b881a43bca

SHA256
1e5d265c2c3144cb7589d4427918a940019aca90e006741ce9a28798e8afab89

SHA512
898ba20627ce6c4f48bcc73ef4ba6b28aea3d830e7bd621e4a40e5bdc005ad5273cb5f5fdbaca1b499703157d875a45a8360c77fba901e13b376b19615dd5100

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads