3d7d81a6e1593bfc2d2ab1dcfb97161bd49b37ce03a97346d85858e27b4c79ce

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe
Size

204KB
MD5

3c13dc8b646f1fe4bf9b086392d4d324
SHA1

85a2ed26fa101805fc0d679cbf116ef296ca6677
SHA256

3d7d81a6e1593bfc2d2ab1dcfb97161bd49b37ce03a97346d85858e27b4c79ce
SHA512

026b40edfbdc465f789fa70ead8eae20514143d001a21cd9576ecb6112f5bac4c881e66511123fa53200e46e7bc6539e5565068302437acaa7c9a69e2ef6a6a2
SSDEEP

1536:1EGh0oSl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oSl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000700000002320e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023317-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023117-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023317-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002338b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e432-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e595-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233a4-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023105-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023105-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000230fa-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51018513-1C56-4200-8FA0-00DC0C7CFF5B}\stubpath = "C:\\Windows\\{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe"	{56EE687D-80EE-457f-A580-A28B447A13DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3B89079-565C-4e0b-92C0-A7D27CD8036B}\stubpath = "C:\\Windows\\{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe"	{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C41E3E8-A44D-4c0e-BC94-F0B22FB49CDF}\stubpath = "C:\\Windows\\{2C41E3E8-A44D-4c0e-BC94-F0B22FB49CDF}.exe"	{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82A36060-7D05-4f79-B781-807558947519}	2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{987A1969-352B-476c-A87B-FC760F4DE3B0}\stubpath = "C:\\Windows\\{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe"	{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51018513-1C56-4200-8FA0-00DC0C7CFF5B}	{56EE687D-80EE-457f-A580-A28B447A13DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7507CC7B-D795-4d15-AC93-8358D7A4EA15}	{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7507CC7B-D795-4d15-AC93-8358D7A4EA15}\stubpath = "C:\\Windows\\{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe"	{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A222CAD-6126-45f0-B2FC-E52AC3AFC115}\stubpath = "C:\\Windows\\{6A222CAD-6126-45f0-B2FC-E52AC3AFC115}.exe"	{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}\stubpath = "C:\\Windows\\{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe"	{6A222CAD-6126-45f0-B2FC-E52AC3AFC115}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}	{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}\stubpath = "C:\\Windows\\{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe"	{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{987A1969-352B-476c-A87B-FC760F4DE3B0}	{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C41E3E8-A44D-4c0e-BC94-F0B22FB49CDF}	{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}	{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56EE687D-80EE-457f-A580-A28B447A13DF}	{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}	{82A36060-7D05-4f79-B781-807558947519}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}\stubpath = "C:\\Windows\\{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe"	{82A36060-7D05-4f79-B781-807558947519}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3B89079-565C-4e0b-92C0-A7D27CD8036B}	{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A222CAD-6126-45f0-B2FC-E52AC3AFC115}	{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}	{6A222CAD-6126-45f0-B2FC-E52AC3AFC115}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}\stubpath = "C:\\Windows\\{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe"	{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82A36060-7D05-4f79-B781-807558947519}\stubpath = "C:\\Windows\\{82A36060-7D05-4f79-B781-807558947519}.exe"	2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56EE687D-80EE-457f-A580-A28B447A13DF}\stubpath = "C:\\Windows\\{56EE687D-80EE-457f-A580-A28B447A13DF}.exe"	{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe

Executes dropped EXE 11 IoCs

pid	Process
3732	{82A36060-7D05-4f79-B781-807558947519}.exe
4804	{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe
628	{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe
3276	{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe
4348	{56EE687D-80EE-457f-A580-A28B447A13DF}.exe
4036	{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe
408	{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe
3024	{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe
3316	{6A222CAD-6126-45f0-B2FC-E52AC3AFC115}.exe
4068	{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe
3724	{2C41E3E8-A44D-4c0e-BC94-F0B22FB49CDF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe	{82A36060-7D05-4f79-B781-807558947519}.exe
File created	C:\Windows\{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe	{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe
File created	C:\Windows\{56EE687D-80EE-457f-A580-A28B447A13DF}.exe	{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe
File created	C:\Windows\{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe	{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe
File created	C:\Windows\{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe	{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe
File created	C:\Windows\{6A222CAD-6126-45f0-B2FC-E52AC3AFC115}.exe	{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe
File created	C:\Windows\{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe	{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe
File created	C:\Windows\{82A36060-7D05-4f79-B781-807558947519}.exe	2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe
File created	C:\Windows\{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe	{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe
File created	C:\Windows\{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe	{56EE687D-80EE-457f-A580-A28B447A13DF}.exe
File created	C:\Windows\{2C41E3E8-A44D-4c0e-BC94-F0B22FB49CDF}.exe	{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1000	2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3732	{82A36060-7D05-4f79-B781-807558947519}.exe
Token: SeIncBasePriorityPrivilege	4804	{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe
Token: SeIncBasePriorityPrivilege	628	{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe
Token: SeIncBasePriorityPrivilege	3276	{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe
Token: SeIncBasePriorityPrivilege	4348	{56EE687D-80EE-457f-A580-A28B447A13DF}.exe
Token: SeIncBasePriorityPrivilege	4036	{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe
Token: SeIncBasePriorityPrivilege	408	{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe
Token: SeIncBasePriorityPrivilege	3024	{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe
Token: SeIncBasePriorityPrivilege	2644	{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe
Token: SeIncBasePriorityPrivilege	4068	{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 3732	1000	2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe	98
PID 1000 wrote to memory of 3732	1000	2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe	98
PID 1000 wrote to memory of 3732	1000	2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe	98
PID 1000 wrote to memory of 1204	1000	2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe	99
PID 1000 wrote to memory of 1204	1000	2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe	99
PID 1000 wrote to memory of 1204	1000	2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe	99
PID 3732 wrote to memory of 4804	3732	{82A36060-7D05-4f79-B781-807558947519}.exe	102
PID 3732 wrote to memory of 4804	3732	{82A36060-7D05-4f79-B781-807558947519}.exe	102
PID 3732 wrote to memory of 4804	3732	{82A36060-7D05-4f79-B781-807558947519}.exe	102
PID 3732 wrote to memory of 1876	3732	{82A36060-7D05-4f79-B781-807558947519}.exe	103
PID 3732 wrote to memory of 1876	3732	{82A36060-7D05-4f79-B781-807558947519}.exe	103
PID 3732 wrote to memory of 1876	3732	{82A36060-7D05-4f79-B781-807558947519}.exe	103
PID 4804 wrote to memory of 628	4804	{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe	106
PID 4804 wrote to memory of 628	4804	{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe	106
PID 4804 wrote to memory of 628	4804	{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe	106
PID 4804 wrote to memory of 4272	4804	{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe	107
PID 4804 wrote to memory of 4272	4804	{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe	107
PID 4804 wrote to memory of 4272	4804	{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe	107
PID 628 wrote to memory of 3276	628	{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe	108
PID 628 wrote to memory of 3276	628	{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe	108
PID 628 wrote to memory of 3276	628	{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe	108
PID 628 wrote to memory of 3020	628	{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe	109
PID 628 wrote to memory of 3020	628	{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe	109
PID 628 wrote to memory of 3020	628	{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe	109
PID 3276 wrote to memory of 4348	3276	{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe	110
PID 3276 wrote to memory of 4348	3276	{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe	110
PID 3276 wrote to memory of 4348	3276	{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe	110
PID 3276 wrote to memory of 1860	3276	{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe	111
PID 3276 wrote to memory of 1860	3276	{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe	111
PID 3276 wrote to memory of 1860	3276	{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe	111
PID 4348 wrote to memory of 4036	4348	{56EE687D-80EE-457f-A580-A28B447A13DF}.exe	113
PID 4348 wrote to memory of 4036	4348	{56EE687D-80EE-457f-A580-A28B447A13DF}.exe	113
PID 4348 wrote to memory of 4036	4348	{56EE687D-80EE-457f-A580-A28B447A13DF}.exe	113
PID 4348 wrote to memory of 3572	4348	{56EE687D-80EE-457f-A580-A28B447A13DF}.exe	114
PID 4348 wrote to memory of 3572	4348	{56EE687D-80EE-457f-A580-A28B447A13DF}.exe	114
PID 4348 wrote to memory of 3572	4348	{56EE687D-80EE-457f-A580-A28B447A13DF}.exe	114
PID 4036 wrote to memory of 408	4036	{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe	115
PID 4036 wrote to memory of 408	4036	{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe	115
PID 4036 wrote to memory of 408	4036	{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe	115
PID 4036 wrote to memory of 3612	4036	{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe	116
PID 4036 wrote to memory of 3612	4036	{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe	116
PID 4036 wrote to memory of 3612	4036	{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe	116
PID 408 wrote to memory of 3024	408	{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe	117
PID 408 wrote to memory of 3024	408	{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe	117
PID 408 wrote to memory of 3024	408	{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe	117
PID 408 wrote to memory of 4536	408	{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe	118
PID 408 wrote to memory of 4536	408	{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe	118
PID 408 wrote to memory of 4536	408	{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe	118
PID 3024 wrote to memory of 3316	3024	{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe	124
PID 3024 wrote to memory of 3316	3024	{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe	124
PID 3024 wrote to memory of 3316	3024	{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe	124
PID 3024 wrote to memory of 4532	3024	{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe	125
PID 3024 wrote to memory of 4532	3024	{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe	125
PID 3024 wrote to memory of 4532	3024	{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe	125
PID 2644 wrote to memory of 4068	2644	{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe	128
PID 2644 wrote to memory of 4068	2644	{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe	128
PID 2644 wrote to memory of 4068	2644	{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe	128
PID 2644 wrote to memory of 1204	2644	{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe	129
PID 2644 wrote to memory of 1204	2644	{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe	129
PID 2644 wrote to memory of 1204	2644	{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe	129
PID 4068 wrote to memory of 3724	4068	{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe	133
PID 4068 wrote to memory of 3724	4068	{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe	133
PID 4068 wrote to memory of 3724	4068	{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe	133
PID 4068 wrote to memory of 1432	4068	{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_3c13dc8b646f1fe4bf9b086392d4d324_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\{82A36060-7D05-4f79-B781-807558947519}.exe
  C:\Windows\{82A36060-7D05-4f79-B781-807558947519}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe
    C:\Windows\{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe
      C:\Windows\{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe
        
        C:\Windows\{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
      - C:\Windows\{56EE687D-80EE-457f-A580-A28B447A13DF}.exe
        
        C:\Windows\{56EE687D-80EE-457f-A580-A28B447A13DF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe
        
        C:\Windows\{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe
        
        C:\Windows\{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe
        
        C:\Windows\{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\{6A222CAD-6126-45f0-B2FC-E52AC3AFC115}.exe
        
        C:\Windows\{6A222CAD-6126-45f0-B2FC-E52AC3AFC115}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe
        
        C:\Windows\{2166A3D0-2EBF-4e8a-AE2F-54F2C8515708}.exe
        11⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe
        
        C:\Windows\{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\{2C41E3E8-A44D-4c0e-BC94-F0B22FB49CDF}.exe
        
        C:\Windows\{2C41E3E8-A44D-4c0e-BC94-F0B22FB49CDF}.exe
        13⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61ABD~1.EXE > nul
        13⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2166A~1.EXE > nul
        12⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A222~1.EXE > nul
        11⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7507C~1.EXE > nul
        10⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3B89~1.EXE > nul
        9⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51018~1.EXE > nul
        8⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56EE6~1.EXE > nul
        7⤵
        
        PID:3572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{987A1~1.EXE > nul
        6⤵
        
        PID:1860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F587~1.EXE > nul
        5⤵
        
        PID:3020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8DC0E~1.EXE > nul
      4⤵
      PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{82A36~1.EXE > nul
    3⤵
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2C41E3E8-A44D-4c0e-BC94-F0B22FB49CDF}.exe

Filesize
204KB

MD5
1f64f71b03ccbc58bca133397367e620

SHA1
afce047d46d12fae0219229a080e848b86f24526

SHA256
5d4afed9f329dbdb470a9e92072b8bbbf09e0c7772aa596e659a27462ce9e9cc

SHA512
3cb18b3d20aab2cbfa1ed364f30fbd9ccc1bf1fada0d9960db7296057a2c2e1a7a8015d042e59603d8b85a333577b148479ad49f81d91914fbf8b7bda8315614

Download Submit
C:\Windows\{2F587D25-1F9B-43b2-A334-F9CA4BB32FC0}.exe

Filesize
204KB

MD5
a002699fab92f16c6acf81cfefadde6f

SHA1
a0bda37c267889be6816b380791df3efbbece265

SHA256
0a0f047b40f8ae72bbeffce85b6caf122d45d1bc2a936c6f70ebef6afcb4145c

SHA512
17146c82ece12cf61e106ab9781c4681f96caabfa7990af9fbd607216ee16dddad707573820eab96acb8eb8e959fa300d354762d74d392d9405fd9f973361f8b

Download Submit
C:\Windows\{51018513-1C56-4200-8FA0-00DC0C7CFF5B}.exe

Filesize
204KB

MD5
bc0d022f2486442674a5fe36f497755f

SHA1
d07f44ae2b978e1196195735bc827da54be5ad13

SHA256
3c90384161301b9b5cc1f8019c4e56bc72f0b480df14679f59744edcf9ac4b03

SHA512
09ebacba0ad8add7208f26459f1fc8431d745523c5a127bee93d057b16c5bf32536ed6514c53d2e60edaf149d5f958b61ef333dc4f53b94a5db1f7db12f7b933

Download Submit
C:\Windows\{56EE687D-80EE-457f-A580-A28B447A13DF}.exe

Filesize
204KB

MD5
a8f550d9054b6520c31b7bee3a5549e6

SHA1
e551475a403e015f9b9384bbd8eb23471bd952a4

SHA256
4f9a22fb8d6cf3240f439e5189d1e0345b579663d392ac04ab8daf1955f8a9f0

SHA512
9f44a6afee009db373353bfd6b8089dcc55e21edf93694c20293db8639d7fbfbf641e9d190ae3b9322f2a4e1876bd42c2910e5dc244ffbb7713b96aa4610ba70

Download Submit
C:\Windows\{61ABDBEB-8F4A-4d54-99C9-3BE22DB12269}.exe

Filesize
204KB

MD5
d2f4551f55e49457a35b5d67f44589d6

SHA1
88f45de408ce5c978470e873a66e9adae6ede36e

SHA256
463a1faa6782daf3f3de46e9d6c54ee40a839f1188eb5382f6b455a50671fa9c

SHA512
ac72a9da1b7cc32aebd3791bd527a29e1a61b937a47443b3843f6fb665740cd3c4c173a578860ba7eeb0029dcca8dc7f1562e3843932b1283f769f5b2381a5f4

Download Submit
C:\Windows\{6A222CAD-6126-45f0-B2FC-E52AC3AFC115}.exe

Filesize
204KB

MD5
7780764ce754e5faf81c403dd099a77c

SHA1
03aea9b64b847b4f3e623a0852afe12a2ceee002

SHA256
b1e25fe5cdf05efb80e6d82dc175339d84e2e6f1a4ca833fb8272f4dc69cdd3b

SHA512
a3b6ef26e2d20b6a6802314198831d0ad53800195eef8c5f213097d24c1c423d4ce4b05f742c20dfa98e8b2b21e1fc8c85793a37e61a03df4a2345e91cf9f24d

Download Submit
C:\Windows\{7507CC7B-D795-4d15-AC93-8358D7A4EA15}.exe

Filesize
204KB

MD5
de996e0bf42fd7cbb414c37bcb9ca61a

SHA1
12fcb0dbef9688d7a9ebddedadcd32e04ca343cc

SHA256
6d2fabcf062ecc34ca5b3765e14ccd4c1fd4084de67017d675457651152b1749

SHA512
9a93b7d41f004b57355eb975b9d121a9355bbb9151706bafc7d0841d227826905bb80d1a55a74ec4976dd8914a41a75190def5a8c9e30f1257c8ab5054c1f251

Download Submit
C:\Windows\{82A36060-7D05-4f79-B781-807558947519}.exe

Filesize
204KB

MD5
40b9a0ca6b8469493fb8f8d6c066646d

SHA1
c2d709ed4ca434103cd6493eb8325791796b2e25

SHA256
1c4c3a3f59506407a90399d6b63e71617fef67d87ed7f63647452e4979b9812f

SHA512
dc7d2b49df7c7c477586872d65df4f0832e1dc0a7322cf02992fdcb0cf091494be7d0154132a609483df035ccec840107dd2c0c7c61833246f6b0c979233fae7

Download Submit
C:\Windows\{8DC0EE32-BEAF-474b-BFAE-4B09A2C09861}.exe

Filesize
204KB

MD5
91dcf1873b3ab96d028e7cbbd9a7d948

SHA1
b3c78e8ca98bba277de72728dafbb7370b4991ec

SHA256
204c6b2702b62d6db65113926b530499e90af3fc82d62c643cbd52852704a2b0

SHA512
5b7140c471a5405f3332f0f2a1ccd86cc0ce97eb19d43f1ea9ecfd562efdb252620b966ddeef587879d84f30c776d45eda37a64ba29670c8154b173fb4214597

Download Submit
C:\Windows\{987A1969-352B-476c-A87B-FC760F4DE3B0}.exe

Filesize
204KB

MD5
ffc933a66de6e55a6d213bf2a00031f5

SHA1
937ba8bd50f17b422c00460a7119fc7c2542a1d3

SHA256
fcfabb8b5915ca74c2fa80574fb22d836b3b13641d7d47dff82f5112f2b2455c

SHA512
5cac8fc7a84180f249cdf2c2584a3f38551a0ce61f8161403aef1e371a92841e2c0cf6b9e21801a3cff46e6cc0f82c0b65f7df44d20207b28e0257df75308b51

Download Submit
C:\Windows\{D3B89079-565C-4e0b-92C0-A7D27CD8036B}.exe

Filesize
204KB

MD5
e1f57f18e2d653f24b1eb604c5e40e01

SHA1
9ccd245d506b39d21114d7a4f0787a4dd78163cc

SHA256
42ae30b2dedc7d9de0d45064c329c5eb391d2865baf710eee66041ef96e247b6

SHA512
5f432de3102d2351a41aaf334cf3b88f3d96c2bf5c16d3ce6ff54044faf840e5ce4b2d85a227d1c934126c6e27f5224abd4540e8c522b65ae5aa3c445efe8a11

Download Submit
memory/3316-35-0x0000000003820000-0x00000000038FB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads