40f77924bd21308d09b0340b34774c967fa599e4da2547ceb811330d95ae8372

Analysis

max time kernel
186s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe
Size

168KB
MD5

7320e5b0d9cb34d976c5034bf92bd85c
SHA1

556bb4b3b7d6570c5a44a4b0e4373bc9b92cd393
SHA256

40f77924bd21308d09b0340b34774c967fa599e4da2547ceb811330d95ae8372
SHA512

c7ac2af63403a3c5f666c43f5657949a6af199893377b6b0af80567284f7d1b0d1ff5dfd3502ec04a2d57503869756637ad3379cd5b2ee94b3ff645a5328e1db
SSDEEP

1536:1EGh0oAlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oAlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 10 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023235-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023239-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023242-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e80b-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023259-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023260-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e2fb-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002335b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002335d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002335b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA870E26-417E-43c2-96CF-DCD1AC237372}	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{432A7828-3B48-4bbf-A833-191E168D613D}\stubpath = "C:\\Windows\\{432A7828-3B48-4bbf-A833-191E168D613D}.exe"	{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{829CA623-4B5F-48b4-A78E-0B8270431790}	{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}\stubpath = "C:\\Windows\\{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe"	{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4046A4FE-9018-46d2-A300-33DE6C2A00FC}\stubpath = "C:\\Windows\\{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe"	{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{989D74E3-A2DC-4df3-A6EE-E95D7595F980}\stubpath = "C:\\Windows\\{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe"	{432A7828-3B48-4bbf-A833-191E168D613D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}	{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B6F9731-68EF-4893-8F07-6989641F6D7C}	{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B6F9731-68EF-4893-8F07-6989641F6D7C}\stubpath = "C:\\Windows\\{7B6F9731-68EF-4893-8F07-6989641F6D7C}.exe"	{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{432A7828-3B48-4bbf-A833-191E168D613D}	{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{829CA623-4B5F-48b4-A78E-0B8270431790}\stubpath = "C:\\Windows\\{829CA623-4B5F-48b4-A78E-0B8270431790}.exe"	{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}\stubpath = "C:\\Windows\\{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe"	{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4046A4FE-9018-46d2-A300-33DE6C2A00FC}	{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B214FAF4-6473-40e0-9500-AA8802F4B992}	{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B214FAF4-6473-40e0-9500-AA8802F4B992}\stubpath = "C:\\Windows\\{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe"	{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8AEA6B2-5633-468d-A655-A67295082844}\stubpath = "C:\\Windows\\{F8AEA6B2-5633-468d-A655-A67295082844}.exe"	{7B6F9731-68EF-4893-8F07-6989641F6D7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA870E26-417E-43c2-96CF-DCD1AC237372}\stubpath = "C:\\Windows\\{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe"	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{989D74E3-A2DC-4df3-A6EE-E95D7595F980}	{432A7828-3B48-4bbf-A833-191E168D613D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4326187-06B1-457a-9CF1-CDCAA01C769F}	{829CA623-4B5F-48b4-A78E-0B8270431790}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4326187-06B1-457a-9CF1-CDCAA01C769F}\stubpath = "C:\\Windows\\{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe"	{829CA623-4B5F-48b4-A78E-0B8270431790}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}	{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8AEA6B2-5633-468d-A655-A67295082844}	{7B6F9731-68EF-4893-8F07-6989641F6D7C}.exe

Executes dropped EXE 10 IoCs

pid	Process
3436	{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe
1420	{432A7828-3B48-4bbf-A833-191E168D613D}.exe
1172	{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe
4460	{829CA623-4B5F-48b4-A78E-0B8270431790}.exe
4912	{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe
3584	{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe
3668	{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe
4208	{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe
4204	{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe
3052	{7B6F9731-68EF-4893-8F07-6989641F6D7C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{432A7828-3B48-4bbf-A833-191E168D613D}.exe	{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe
File created	C:\Windows\{829CA623-4B5F-48b4-A78E-0B8270431790}.exe	{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe
File created	C:\Windows\{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe	{829CA623-4B5F-48b4-A78E-0B8270431790}.exe
File created	C:\Windows\{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe	{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe
File created	C:\Windows\{7B6F9731-68EF-4893-8F07-6989641F6D7C}.exe	{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe
File created	C:\Windows\{F8AEA6B2-5633-468d-A655-A67295082844}.exe	{7B6F9731-68EF-4893-8F07-6989641F6D7C}.exe
File created	C:\Windows\{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe
File created	C:\Windows\{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe	{432A7828-3B48-4bbf-A833-191E168D613D}.exe
File created	C:\Windows\{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe	{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe
File created	C:\Windows\{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe	{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe
File created	C:\Windows\{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe	{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4056	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3436	{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe
Token: SeIncBasePriorityPrivilege	1420	{432A7828-3B48-4bbf-A833-191E168D613D}.exe
Token: SeIncBasePriorityPrivilege	1172	{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe
Token: SeIncBasePriorityPrivilege	4460	{829CA623-4B5F-48b4-A78E-0B8270431790}.exe
Token: SeIncBasePriorityPrivilege	4912	{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe
Token: SeIncBasePriorityPrivilege	3584	{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe
Token: SeIncBasePriorityPrivilege	3668	{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe
Token: SeIncBasePriorityPrivilege	4208	{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe
Token: SeIncBasePriorityPrivilege	4204	{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 3436	4056	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	93
PID 4056 wrote to memory of 3436	4056	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	93
PID 4056 wrote to memory of 3436	4056	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	93
PID 4056 wrote to memory of 1480	4056	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	94
PID 4056 wrote to memory of 1480	4056	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	94
PID 4056 wrote to memory of 1480	4056	2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe	94
PID 3436 wrote to memory of 1420	3436	{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe	99
PID 3436 wrote to memory of 1420	3436	{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe	99
PID 3436 wrote to memory of 1420	3436	{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe	99
PID 3436 wrote to memory of 2300	3436	{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe	100
PID 3436 wrote to memory of 2300	3436	{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe	100
PID 3436 wrote to memory of 2300	3436	{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe	100
PID 1420 wrote to memory of 1172	1420	{432A7828-3B48-4bbf-A833-191E168D613D}.exe	103
PID 1420 wrote to memory of 1172	1420	{432A7828-3B48-4bbf-A833-191E168D613D}.exe	103
PID 1420 wrote to memory of 1172	1420	{432A7828-3B48-4bbf-A833-191E168D613D}.exe	103
PID 1420 wrote to memory of 764	1420	{432A7828-3B48-4bbf-A833-191E168D613D}.exe	104
PID 1420 wrote to memory of 764	1420	{432A7828-3B48-4bbf-A833-191E168D613D}.exe	104
PID 1420 wrote to memory of 764	1420	{432A7828-3B48-4bbf-A833-191E168D613D}.exe	104
PID 1172 wrote to memory of 4460	1172	{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe	107
PID 1172 wrote to memory of 4460	1172	{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe	107
PID 1172 wrote to memory of 4460	1172	{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe	107
PID 1172 wrote to memory of 3772	1172	{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe	108
PID 1172 wrote to memory of 3772	1172	{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe	108
PID 1172 wrote to memory of 3772	1172	{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe	108
PID 4460 wrote to memory of 4912	4460	{829CA623-4B5F-48b4-A78E-0B8270431790}.exe	111
PID 4460 wrote to memory of 4912	4460	{829CA623-4B5F-48b4-A78E-0B8270431790}.exe	111
PID 4460 wrote to memory of 4912	4460	{829CA623-4B5F-48b4-A78E-0B8270431790}.exe	111
PID 4460 wrote to memory of 4212	4460	{829CA623-4B5F-48b4-A78E-0B8270431790}.exe	112
PID 4460 wrote to memory of 4212	4460	{829CA623-4B5F-48b4-A78E-0B8270431790}.exe	112
PID 4460 wrote to memory of 4212	4460	{829CA623-4B5F-48b4-A78E-0B8270431790}.exe	112
PID 4912 wrote to memory of 3584	4912	{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe	115
PID 4912 wrote to memory of 3584	4912	{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe	115
PID 4912 wrote to memory of 3584	4912	{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe	115
PID 4912 wrote to memory of 2180	4912	{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe	116
PID 4912 wrote to memory of 2180	4912	{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe	116
PID 4912 wrote to memory of 2180	4912	{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe	116
PID 3584 wrote to memory of 3668	3584	{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe	117
PID 3584 wrote to memory of 3668	3584	{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe	117
PID 3584 wrote to memory of 3668	3584	{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe	117
PID 3584 wrote to memory of 2100	3584	{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe	118
PID 3584 wrote to memory of 2100	3584	{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe	118
PID 3584 wrote to memory of 2100	3584	{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe	118
PID 3668 wrote to memory of 4208	3668	{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe	120
PID 3668 wrote to memory of 4208	3668	{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe	120
PID 3668 wrote to memory of 4208	3668	{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe	120
PID 3668 wrote to memory of 1180	3668	{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe	121
PID 3668 wrote to memory of 1180	3668	{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe	121
PID 3668 wrote to memory of 1180	3668	{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe	121
PID 4208 wrote to memory of 4204	4208	{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe	122
PID 4208 wrote to memory of 4204	4208	{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe	122
PID 4208 wrote to memory of 4204	4208	{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe	122
PID 4208 wrote to memory of 4840	4208	{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe	123
PID 4208 wrote to memory of 4840	4208	{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe	123
PID 4208 wrote to memory of 4840	4208	{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe	123
PID 4204 wrote to memory of 3052	4204	{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe	124
PID 4204 wrote to memory of 3052	4204	{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe	124
PID 4204 wrote to memory of 3052	4204	{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe	124
PID 4204 wrote to memory of 4500	4204	{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe	125
PID 4204 wrote to memory of 4500	4204	{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe	125
PID 4204 wrote to memory of 4500	4204	{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe	125

C:\Users\Admin\AppData\Local\Temp\2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_7320e5b0d9cb34d976c5034bf92bd85c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe
  C:\Windows\{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\{432A7828-3B48-4bbf-A833-191E168D613D}.exe
    C:\Windows\{432A7828-3B48-4bbf-A833-191E168D613D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe
      C:\Windows\{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Windows\{829CA623-4B5F-48b4-A78E-0B8270431790}.exe
        
        C:\Windows\{829CA623-4B5F-48b4-A78E-0B8270431790}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe
        
        C:\Windows\{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe
        
        C:\Windows\{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe
        
        C:\Windows\{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe
        
        C:\Windows\{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe
        
        C:\Windows\{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\{7B6F9731-68EF-4893-8F07-6989641F6D7C}.exe
        
        C:\Windows\{7B6F9731-68EF-4893-8F07-6989641F6D7C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B214F~1.EXE > nul
        11⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4046A~1.EXE > nul
        10⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7211E~1.EXE > nul
        9⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F5F2~1.EXE > nul
        8⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4326~1.EXE > nul
        7⤵
        
        PID:2180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{829CA~1.EXE > nul
        6⤵
        
        PID:4212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{989D7~1.EXE > nul
        5⤵
        
        PID:3772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{432A7~1.EXE > nul
      4⤵
      PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FA870~1.EXE > nul
    3⤵
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F5F2B54-FD80-4ed6-BE19-CE002213D85D}.exe

Filesize
168KB

MD5
629af34f6997d4bbc399ba61ea56d1d7

SHA1
679f647c3a6e1d0d504b47ba5031000514fce215

SHA256
800021769a73c6c4230a8f89bc0dfdebf3e76a78bb0bcc8b22c48dc02f258539

SHA512
4556844351275671e1ade4f85d15a68848f62dfc08a73d34d490cccfb4264e8b03555c051252f208e2a52b4d88165be6cfd65d5e6a7cb958fffdb373dca7111a

Download Submit
C:\Windows\{4046A4FE-9018-46d2-A300-33DE6C2A00FC}.exe

Filesize
168KB

MD5
3255c8f80064ae5dd6fced3d4ca46a48

SHA1
96bc9b4e7a18a5ca57d53b2009a057e293948df6

SHA256
35df39d2d8b860179c0d0008fd088390b7008a6cf66762c8a18fb5cb33f87ded

SHA512
919195f829e0122cc3f4463351c53776803dd22f72cfe07e5d2904745c59a715b8fde1a8b47a705d5325b71fecfb1ccdcdc14894a594da9e36dc994b6cf37454

Download Submit
C:\Windows\{432A7828-3B48-4bbf-A833-191E168D613D}.exe

Filesize
168KB

MD5
5203ed0b784bebc2d1c201ff5973686c

SHA1
2f14477dfdf8216772557ce966b9994ced4b7e29

SHA256
dbf8f2ac4b6742607d9c054de273566c204c8c0de61302252ad748c9ccb87459

SHA512
494314690a33b9c8fdec2b6d5eb3adb44a3ca3f7eedf9fc03b6330a32e09fd31e185196bf033bfdb2dbeba8a903e68e4fac601006364e010fee98eaa8326e100

Download Submit
C:\Windows\{7211E8F2-8DF9-44d0-8A42-9F85E6FE9C41}.exe

Filesize
168KB

MD5
269a0277f585cc20132b7a5948515ddf

SHA1
33d696eaac61ce65fc248efdf6ca29a156019a87

SHA256
8cfb91dcbf298b700a2ac67f051509c4a476194da128162f4e8406c00a04524e

SHA512
5ecba71c6238fa554560b7457894872bc2b831497750b8baf27415074c83ae4ba2e2a97eb2a762e78d6ff22dfcf69bbcf58a6f67354116997681a238e42b266f

Download Submit
C:\Windows\{7B6F9731-68EF-4893-8F07-6989641F6D7C}.exe

Filesize
168KB

MD5
0f5ba9b981f7d8a3b786eb447db68a98

SHA1
c0c894ca598bb4c365bde0b786f346b7241d3687

SHA256
a3090c0d74bb50fe769852558a5d0e185a6a5575871be9025543b38758446dff

SHA512
f759dae484303e89b5fdeb221dc268bf4fcd6b36a48e15c4fc2f5dcc07b041737d52369b6ef98c971500b4fbbe6a8a83038ca178fe00ca19e5842be32796f93c

Download Submit
C:\Windows\{829CA623-4B5F-48b4-A78E-0B8270431790}.exe

Filesize
168KB

MD5
49ccc83dd8ae05e649263a70cc23cee2

SHA1
42d9427bf8e4dd4b270f8b6da4eb0d3cc05c7efa

SHA256
4373e3a4632f06b8326c3960793bc53aca2decc9a18db27b4776b60bd40751bd

SHA512
99cacf8d3c93a5262e314bb356f088a9d163de3a6cd6165be408c83ba3a15d0b1826fdb6b670d9377cca8f0b0f67914ff061ee99371e13ab60f0735b10096a04

Download Submit
C:\Windows\{989D74E3-A2DC-4df3-A6EE-E95D7595F980}.exe

Filesize
168KB

MD5
e19c601599afc4e3ed43170d486c6ffe

SHA1
37e7abdb1983bc249f2636c0e79950460baed6be

SHA256
e07d09de554ca475ab27e1b5580183bd1c012249eca7a0ebdbb9f0433a9f2ff5

SHA512
2af27e96dc51dcd4e3bc41365ebcb64692dcb6d91c1041229ca90af8eeaf158488bd627edbcd3c04b883a7abda1ae8d119733cb544e3950bac8f4f6f2b31aba3

Download Submit
C:\Windows\{B214FAF4-6473-40e0-9500-AA8802F4B992}.exe

Filesize
168KB

MD5
83930f1df426d140268a581c9f57f698

SHA1
1736a13c0ff003cde0747329b0d4639f5b64df1a

SHA256
a9fa4f0a09a7383395c96a85d0c1caa732f6ddbb3985ac2ed0342af94be28450

SHA512
1754904fa2df6d83c2c698b89d98c1d744aab3d18be2cf1940bb70aa0bfa82b5dd94cf7f9320a889be6b8186079f174b1aca2ca85b0ff17fa181982a1de713c4

Download Submit
C:\Windows\{C4326187-06B1-457a-9CF1-CDCAA01C769F}.exe

Filesize
168KB

MD5
645d23471bdc0691907a54cd4339430e

SHA1
ffca0006c9115bb84d940a04401bc96d783b2af0

SHA256
1386d7ff7450f2e423ea19377f3ec88245b32fdaef03b153f6922d8332f68690

SHA512
e2c0091b1fb37957a271638ca4c4ac9a320eafe2bb02d555fd924ebb444bd602491f6f916c355552d9a984f4b2570c262d34b9b33ff92326be63993eb2aebd2d

Download Submit
C:\Windows\{FA870E26-417E-43c2-96CF-DCD1AC237372}.exe

Filesize
168KB

MD5
4c05ba437ed495170c7a8d8e2a509f0e

SHA1
12976757731705a89a938ee5b98c8da9d1bb269b

SHA256
dfe0db2bc1d814b59c5ce67409492b4d33ce429f18554eb2f680afdb1f249de2

SHA512
e0b50d331d4d23252f2f309475133b94b63a6e9c0a92619ff5cc4d8edef38e1d347c90317f5cb53698d7f03a125c3021b62d6afe4e78382ea83969ba23570420

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads