3a3af06efa633c8aeaf0312e888305c1d7e89bcab4f8bd63b3908ac4ed9a98a7

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe
Size

168KB
MD5

530610d952f0c27e886e4fd074824cd1
SHA1

fc5549a325c3302f40c2a5d267ad0e92f094297a
SHA256

3a3af06efa633c8aeaf0312e888305c1d7e89bcab4f8bd63b3908ac4ed9a98a7
SHA512

c28260e0f5c5d4d1434e33348fbc17e4ae312341dbc86ec29bce331640819b8a7c935aa75fa42835b592cfd470bc00f782284206aae4910549512fc9ea3f4623
SSDEEP

1536:1EGh0oGlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oGlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000f000000023133-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023217-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e76b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023217-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e76b-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023217-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e76b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023217-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e76b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023217-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e76b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023217-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C91E959-E091-407f-BDBA-C9850107834F}\stubpath = "C:\\Windows\\{6C91E959-E091-407f-BDBA-C9850107834F}.exe"	{464149D8-763F-4c40-A435-BB6B5270648C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}	{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}\stubpath = "C:\\Windows\\{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe"	{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7DDC482-4144-41ab-AC5D-7427A7173392}	{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7DDC482-4144-41ab-AC5D-7427A7173392}\stubpath = "C:\\Windows\\{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe"	{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9EE7BEC-0055-42df-B337-9C2E497C21F0}\stubpath = "C:\\Windows\\{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe"	{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{464149D8-763F-4c40-A435-BB6B5270648C}\stubpath = "C:\\Windows\\{464149D8-763F-4c40-A435-BB6B5270648C}.exe"	{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}\stubpath = "C:\\Windows\\{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe"	{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4235437-5FED-4b29-9F17-A6AD6690860B}	{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC2FE820-AAFA-4c19-B246-134039FFAF6F}	{7763C4F0-5B76-4771-974A-218320211865}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC2FE820-AAFA-4c19-B246-134039FFAF6F}\stubpath = "C:\\Windows\\{AC2FE820-AAFA-4c19-B246-134039FFAF6F}.exe"	{7763C4F0-5B76-4771-974A-218320211865}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{464149D8-763F-4c40-A435-BB6B5270648C}	{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9EE7BEC-0055-42df-B337-9C2E497C21F0}	{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4142A229-20B7-4f2e-B264-2B1E3BFF871B}	{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4142A229-20B7-4f2e-B264-2B1E3BFF871B}\stubpath = "C:\\Windows\\{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe"	{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}	{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4235437-5FED-4b29-9F17-A6AD6690860B}\stubpath = "C:\\Windows\\{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe"	{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7763C4F0-5B76-4771-974A-218320211865}\stubpath = "C:\\Windows\\{7763C4F0-5B76-4771-974A-218320211865}.exe"	{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F5042A7-F518-4cc9-B67F-92A5B4E44620}	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C91E959-E091-407f-BDBA-C9850107834F}	{464149D8-763F-4c40-A435-BB6B5270648C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{213F2008-68F3-47bd-AB53-77CF1FB89998}	{6C91E959-E091-407f-BDBA-C9850107834F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{213F2008-68F3-47bd-AB53-77CF1FB89998}\stubpath = "C:\\Windows\\{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe"	{6C91E959-E091-407f-BDBA-C9850107834F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7763C4F0-5B76-4771-974A-218320211865}	{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F5042A7-F518-4cc9-B67F-92A5B4E44620}\stubpath = "C:\\Windows\\{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe"	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
3788	{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe
1016	{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe
928	{464149D8-763F-4c40-A435-BB6B5270648C}.exe
388	{6C91E959-E091-407f-BDBA-C9850107834F}.exe
536	{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe
540	{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe
1092	{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe
1904	{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe
4436	{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe
1500	{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe
4516	{7763C4F0-5B76-4771-974A-218320211865}.exe
4868	{AC2FE820-AAFA-4c19-B246-134039FFAF6F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe	{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe
File created	C:\Windows\{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe	{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe
File created	C:\Windows\{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe	{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe
File created	C:\Windows\{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe	{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe
File created	C:\Windows\{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe
File created	C:\Windows\{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe	{6C91E959-E091-407f-BDBA-C9850107834F}.exe
File created	C:\Windows\{6C91E959-E091-407f-BDBA-C9850107834F}.exe	{464149D8-763F-4c40-A435-BB6B5270648C}.exe
File created	C:\Windows\{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe	{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe
File created	C:\Windows\{7763C4F0-5B76-4771-974A-218320211865}.exe	{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe
File created	C:\Windows\{AC2FE820-AAFA-4c19-B246-134039FFAF6F}.exe	{7763C4F0-5B76-4771-974A-218320211865}.exe
File created	C:\Windows\{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe	{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe
File created	C:\Windows\{464149D8-763F-4c40-A435-BB6B5270648C}.exe	{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1196	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3788	{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe
Token: SeIncBasePriorityPrivilege	1016	{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe
Token: SeIncBasePriorityPrivilege	928	{464149D8-763F-4c40-A435-BB6B5270648C}.exe
Token: SeIncBasePriorityPrivilege	388	{6C91E959-E091-407f-BDBA-C9850107834F}.exe
Token: SeIncBasePriorityPrivilege	536	{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe
Token: SeIncBasePriorityPrivilege	540	{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe
Token: SeIncBasePriorityPrivilege	1092	{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe
Token: SeIncBasePriorityPrivilege	1904	{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe
Token: SeIncBasePriorityPrivilege	4436	{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe
Token: SeIncBasePriorityPrivilege	1500	{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe
Token: SeIncBasePriorityPrivilege	4516	{7763C4F0-5B76-4771-974A-218320211865}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 3788	1196	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	89
PID 1196 wrote to memory of 3788	1196	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	89
PID 1196 wrote to memory of 3788	1196	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	89
PID 1196 wrote to memory of 3628	1196	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	90
PID 1196 wrote to memory of 3628	1196	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	90
PID 1196 wrote to memory of 3628	1196	2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe	90
PID 3788 wrote to memory of 1016	3788	{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe	91
PID 3788 wrote to memory of 1016	3788	{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe	91
PID 3788 wrote to memory of 1016	3788	{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe	91
PID 3788 wrote to memory of 4832	3788	{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe	92
PID 3788 wrote to memory of 4832	3788	{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe	92
PID 3788 wrote to memory of 4832	3788	{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe	92
PID 1016 wrote to memory of 928	1016	{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe	96
PID 1016 wrote to memory of 928	1016	{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe	96
PID 1016 wrote to memory of 928	1016	{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe	96
PID 1016 wrote to memory of 4980	1016	{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe	97
PID 1016 wrote to memory of 4980	1016	{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe	97
PID 1016 wrote to memory of 4980	1016	{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe	97
PID 928 wrote to memory of 388	928	{464149D8-763F-4c40-A435-BB6B5270648C}.exe	98
PID 928 wrote to memory of 388	928	{464149D8-763F-4c40-A435-BB6B5270648C}.exe	98
PID 928 wrote to memory of 388	928	{464149D8-763F-4c40-A435-BB6B5270648C}.exe	98
PID 928 wrote to memory of 404	928	{464149D8-763F-4c40-A435-BB6B5270648C}.exe	99
PID 928 wrote to memory of 404	928	{464149D8-763F-4c40-A435-BB6B5270648C}.exe	99
PID 928 wrote to memory of 404	928	{464149D8-763F-4c40-A435-BB6B5270648C}.exe	99
PID 388 wrote to memory of 536	388	{6C91E959-E091-407f-BDBA-C9850107834F}.exe	100
PID 388 wrote to memory of 536	388	{6C91E959-E091-407f-BDBA-C9850107834F}.exe	100
PID 388 wrote to memory of 536	388	{6C91E959-E091-407f-BDBA-C9850107834F}.exe	100
PID 388 wrote to memory of 4636	388	{6C91E959-E091-407f-BDBA-C9850107834F}.exe	101
PID 388 wrote to memory of 4636	388	{6C91E959-E091-407f-BDBA-C9850107834F}.exe	101
PID 388 wrote to memory of 4636	388	{6C91E959-E091-407f-BDBA-C9850107834F}.exe	101
PID 536 wrote to memory of 540	536	{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe	102
PID 536 wrote to memory of 540	536	{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe	102
PID 536 wrote to memory of 540	536	{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe	102
PID 536 wrote to memory of 2904	536	{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe	103
PID 536 wrote to memory of 2904	536	{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe	103
PID 536 wrote to memory of 2904	536	{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe	103
PID 540 wrote to memory of 1092	540	{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe	104
PID 540 wrote to memory of 1092	540	{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe	104
PID 540 wrote to memory of 1092	540	{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe	104
PID 540 wrote to memory of 1528	540	{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe	105
PID 540 wrote to memory of 1528	540	{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe	105
PID 540 wrote to memory of 1528	540	{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe	105
PID 1092 wrote to memory of 1904	1092	{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe	106
PID 1092 wrote to memory of 1904	1092	{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe	106
PID 1092 wrote to memory of 1904	1092	{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe	106
PID 1092 wrote to memory of 880	1092	{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe	107
PID 1092 wrote to memory of 880	1092	{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe	107
PID 1092 wrote to memory of 880	1092	{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe	107
PID 1904 wrote to memory of 4436	1904	{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe	108
PID 1904 wrote to memory of 4436	1904	{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe	108
PID 1904 wrote to memory of 4436	1904	{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe	108
PID 1904 wrote to memory of 4316	1904	{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe	109
PID 1904 wrote to memory of 4316	1904	{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe	109
PID 1904 wrote to memory of 4316	1904	{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe	109
PID 4436 wrote to memory of 1500	4436	{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe	110
PID 4436 wrote to memory of 1500	4436	{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe	110
PID 4436 wrote to memory of 1500	4436	{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe	110
PID 4436 wrote to memory of 1112	4436	{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe	111
PID 4436 wrote to memory of 1112	4436	{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe	111
PID 4436 wrote to memory of 1112	4436	{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe	111
PID 1500 wrote to memory of 4516	1500	{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe	112
PID 1500 wrote to memory of 4516	1500	{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe	112
PID 1500 wrote to memory of 4516	1500	{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe	112
PID 1500 wrote to memory of 1312	1500	{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_530610d952f0c27e886e4fd074824cd1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe
  C:\Windows\{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe
    C:\Windows\{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\{464149D8-763F-4c40-A435-BB6B5270648C}.exe
      C:\Windows\{464149D8-763F-4c40-A435-BB6B5270648C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Windows\{6C91E959-E091-407f-BDBA-C9850107834F}.exe
        
        C:\Windows\{6C91E959-E091-407f-BDBA-C9850107834F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:388
      - C:\Windows\{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe
        
        C:\Windows\{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe
        
        C:\Windows\{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe
        
        C:\Windows\{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe
        
        C:\Windows\{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe
        
        C:\Windows\{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe
        
        C:\Windows\{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\{7763C4F0-5B76-4771-974A-218320211865}.exe
        
        C:\Windows\{7763C4F0-5B76-4771-974A-218320211865}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
        
        C:\Windows\{AC2FE820-AAFA-4c19-B246-134039FFAF6F}.exe
        
        C:\Windows\{AC2FE820-AAFA-4c19-B246-134039FFAF6F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7763C~1.EXE > nul
        13⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7DDC~1.EXE > nul
        12⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4235~1.EXE > nul
        11⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E7E1~1.EXE > nul
        10⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4142A~1.EXE > nul
        9⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7625A~1.EXE > nul
        8⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{213F2~1.EXE > nul
        7⤵
        
        PID:2904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C91E~1.EXE > nul
        6⤵
        
        PID:4636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46414~1.EXE > nul
        5⤵
        
        PID:404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C9EE7~1.EXE > nul
      4⤵
      PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2F504~1.EXE > nul
    3⤵
    PID:4832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E7E11DB-50B0-4b09-8A1D-A179EC043E3E}.exe

Filesize
168KB

MD5
c3832e34c47a4dd04e923e3d2b30937c

SHA1
920b3d4c703b9e92b813d59ff747eca6ee853c81

SHA256
271e6b51ba33b6643fdde0ea00d89e034fffb4f1185ae6a9df690ed42f1faad5

SHA512
d88219fd58025bb0fc1a5634e9765d74e34c8c32fe7ca21756286a22c3aeea5b04e55121a79d2fa608682034607202def9e5bd5f631ef282030e9b026d1ee2d3

Download Submit
C:\Windows\{213F2008-68F3-47bd-AB53-77CF1FB89998}.exe

Filesize
168KB

MD5
a1eef43f99e41f1ec4229dd0369959b8

SHA1
bc14317a33700818527eebc4b52a39f6a119f360

SHA256
3e0d753f4d91f4e5dac0706c4d86aaa75f5fe1667267858cdc740df1400bcc38

SHA512
70e0a0c480dc28023496da5c8f72a86d2e033dc4c4acf953d954f71bcce5b46ee3a18edab80e861770cf5eca8152f3663d07051f75671276b7fd08d63b72d1b9

Download Submit
C:\Windows\{2F5042A7-F518-4cc9-B67F-92A5B4E44620}.exe

Filesize
168KB

MD5
667bfffc0529822bfc89ea0026745dae

SHA1
a671c72a8983a9c4f36b40ac95887e184f4dd4ad

SHA256
39c03e2915469cb70843da8f458b3ae56aa9610f3350c1ba5fb3d29aca2d8b80

SHA512
d579c4342c5133a78b7772f0380694c0925b5661fc56a093950ebe74bd5fdcccc0c26875991660e8088e25e5aeff2c5155c76f9889e462899d2dadcb29d23398

Download Submit
C:\Windows\{4142A229-20B7-4f2e-B264-2B1E3BFF871B}.exe

Filesize
168KB

MD5
b870375b08a8a118b708403c3e126c38

SHA1
a546e1cb8efc512436a0c458188a8663ac839a04

SHA256
50b1804939fa5176f2933c53bf0034eb15aad7b6c70373514cd910a4df34348c

SHA512
0ec4b22ffe4a72cbb9f23e3784d8690bec56cf4a90c318e2ef87eb646fcbc15fb57caa7f97d5826e9dd69f40ca44e1533c71cc6f4ae298befd4b37d7edf3d5c2

Download Submit
C:\Windows\{464149D8-763F-4c40-A435-BB6B5270648C}.exe

Filesize
168KB

MD5
cef0d22688cf45d624de4610ab6e3760

SHA1
225cb58ff3befcfee00a8c0c6ea4eec26c187ebc

SHA256
069526879fa3828555744be39021db7a55b0248845c0493394be1bb2f839d372

SHA512
8d3a186fc9224773def073ef1f23beb8f198cf887bec32c528a6dfb65f95423e90a882f1c9d39a1c1c3cc79e01e38636df52ce429ba48b65f7212edbfcb9731b

Download Submit
C:\Windows\{6C91E959-E091-407f-BDBA-C9850107834F}.exe

Filesize
168KB

MD5
b15e3bc09be264bf80ac42453b2a59d3

SHA1
e0d96387dc031d8c9b1491a87f5c00e9ee3d1fce

SHA256
b5fe128805da68ed3d3bef194abe7b2040349b2b6a11854672a5cfb1244cb4d8

SHA512
de5bf452a87488ba363de7c9c5d6554e17f1072acf2fd1d0ba4e5cebd67f897da509bbdf682d86d3ace5964a8c2e549e3056eb26366416f8e39ecd519d8720a4

Download Submit
C:\Windows\{7625AA2D-78DB-499c-AA06-DF2AF15FD68B}.exe

Filesize
168KB

MD5
7830542a9fd3245f02d529310bd30c5d

SHA1
648df5cd7321462f274679474e74bdb72c646502

SHA256
2b682a78d41ce7582b59caafdce92d6e32d6632c25396849c6d09f62c7f11538

SHA512
638be06d6ea3addeda87a4619849857962c35db68eb3104fd8829e53d518e20a6d5a95eb7eed70950a779d265d23f12ff268178a4ef58bd142fcec6c093a8b96

Download Submit
C:\Windows\{7763C4F0-5B76-4771-974A-218320211865}.exe

Filesize
168KB

MD5
1473b2072b59e0176a9f94ed6155aae3

SHA1
93216247faeed588172fe5a2b454d85d5b9348d6

SHA256
62b282024c64e9fdbcd394a6debc525f0dca8b8d965d7abe6102d70763294dcb

SHA512
7a8ce7e3f14a8330c54bfeebf09467888885c99224e2ba2bd7bfbf1a26fffbc16a664b7e53b8c882993b78e24ba6c5ae4585833558bc03fa7cb343787d0cd2bb

Download Submit
C:\Windows\{AC2FE820-AAFA-4c19-B246-134039FFAF6F}.exe

Filesize
168KB

MD5
e35405773571943e51874d12f5fd07f0

SHA1
75d374042a50d924ae55760cc22079c908e6ebc1

SHA256
4195e1772f88239412e124c218b68f7bc0d11a8d837f939364208bd5e1016a53

SHA512
8dcdc05bd1b5c9f880a11fdb1f2733859b6699d79162a32fbe485938161d89010c9c936aebf48397bf3c5ba1a48231494a80528e685bc05a0ddfaaeeb66babb8

Download Submit
C:\Windows\{C4235437-5FED-4b29-9F17-A6AD6690860B}.exe

Filesize
168KB

MD5
97e422f04d754550275113cc15f32518

SHA1
3ce157da647306e3c07eb435e525edcd31efacaa

SHA256
f139dc72be16f28c6856b5857172f4312fd083cc95085a5db939a6a13d94ed6e

SHA512
2c339ba49002dbd7296ffb52a7925eb3d8dee1369f44f6c035b5686d0c6b08c470cd2a682588d455ead41cc95b96eea124b2ac32bf7a28c3406b55b2cad036e8

Download Submit
C:\Windows\{C9EE7BEC-0055-42df-B337-9C2E497C21F0}.exe

Filesize
168KB

MD5
a306da816cbef7e0ce50ffb61db8b372

SHA1
41c44ad76cc18832c76fe672c4a5d2995b77685e

SHA256
2553f1574f48571515a6f597a813b650cb019b8c52c950ea8d725aa6e8bc48f5

SHA512
8f29473704ff7dd9ccffc7096e5218db958a5e645c37f357d2dded771f97c89ee30b729ce18346b9917ad31727f418f82d795a1a231c05286e2ec10638121326

Download Submit
C:\Windows\{D7DDC482-4144-41ab-AC5D-7427A7173392}.exe

Filesize
168KB

MD5
505eb9036f55bd086821a48792daec5d

SHA1
13e187e6829064bf33a7041f62f59541186adb54

SHA256
68393b15c1522f156890044f3adc060e38a4a77e049ef24242c80df7aee10ba3

SHA512
1214c731ccbb6459bd5f5aacc3d3092b2a84a6d5336af02eae34c461b977cfaed0febf91b734194ba034512b288ab0bd05e9085027ac3b8b62cd5362d8cefff0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads