39b271473ac1d3b4ad99924b083988fa29561cefae8151e2579cc97229bb3daf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe
Size

180KB
MD5

5e42f0fa6fc953a37208331982ae2495
SHA1

73fdfe13b45032f32280b3c8e3cfceacc55f3342
SHA256

39b271473ac1d3b4ad99924b083988fa29561cefae8151e2579cc97229bb3daf
SHA512

867af215bea2ac1571e6ec8a5e97e6f0678e9d6f922553e4ae8421159854bc51b1ab89ac8e96a09b2c2cef868772df770b2a63496c61321ed2c99e8f486e3d1d
SSDEEP

3072:jEGh0oHlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231ef-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231fc-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023219-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e693-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023219-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e693-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002336d-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001e693-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233b5-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000230de-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230ec-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000230f5-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F976513F-6645-4a47-8C87-AA43CDE9406F}\stubpath = "C:\\Windows\\{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe"	{613747AE-78D9-4009-8382-48666B08E4AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}\stubpath = "C:\\Windows\\{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe"	{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A35C60FF-B920-4345-8F21-AEE81F79EE55}	{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06D4676B-A565-483d-8175-A668F3C3A5B0}\stubpath = "C:\\Windows\\{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe"	{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5A49ADC-D4C0-45e7-83F4-75BE37A03DB0}\stubpath = "C:\\Windows\\{F5A49ADC-D4C0-45e7-83F4-75BE37A03DB0}.exe"	{E9C71465-E55C-4b3d-A45D-F59825D25427}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613747AE-78D9-4009-8382-48666B08E4AF}	{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CF625B7-008B-461f-87FE-9CD46F90CA2C}	{6FA09429-3CFD-4648-BFD3-90375767B761}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}\stubpath = "C:\\Windows\\{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe"	{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5A49ADC-D4C0-45e7-83F4-75BE37A03DB0}	{E9C71465-E55C-4b3d-A45D-F59825D25427}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613747AE-78D9-4009-8382-48666B08E4AF}\stubpath = "C:\\Windows\\{613747AE-78D9-4009-8382-48666B08E4AF}.exe"	{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F976513F-6645-4a47-8C87-AA43CDE9406F}	{613747AE-78D9-4009-8382-48666B08E4AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FA09429-3CFD-4648-BFD3-90375767B761}	{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CF625B7-008B-461f-87FE-9CD46F90CA2C}\stubpath = "C:\\Windows\\{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe"	{6FA09429-3CFD-4648-BFD3-90375767B761}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7688F555-52C7-4f45-B067-9909F5B815B6}	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7688F555-52C7-4f45-B067-9909F5B815B6}\stubpath = "C:\\Windows\\{7688F555-52C7-4f45-B067-9909F5B815B6}.exe"	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}	{7688F555-52C7-4f45-B067-9909F5B815B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}\stubpath = "C:\\Windows\\{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe"	{7688F555-52C7-4f45-B067-9909F5B815B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06D4676B-A565-483d-8175-A668F3C3A5B0}	{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}	{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9C71465-E55C-4b3d-A45D-F59825D25427}	{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9C71465-E55C-4b3d-A45D-F59825D25427}\stubpath = "C:\\Windows\\{E9C71465-E55C-4b3d-A45D-F59825D25427}.exe"	{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FA09429-3CFD-4648-BFD3-90375767B761}\stubpath = "C:\\Windows\\{6FA09429-3CFD-4648-BFD3-90375767B761}.exe"	{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}	{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A35C60FF-B920-4345-8F21-AEE81F79EE55}\stubpath = "C:\\Windows\\{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe"	{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe

Executes dropped EXE 12 IoCs

pid	Process
4400	{7688F555-52C7-4f45-B067-9909F5B815B6}.exe
4968	{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe
4324	{613747AE-78D9-4009-8382-48666B08E4AF}.exe
4648	{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe
4856	{6FA09429-3CFD-4648-BFD3-90375767B761}.exe
1500	{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe
4172	{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe
1844	{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe
1472	{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe
4340	{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe
3008	{E9C71465-E55C-4b3d-A45D-F59825D25427}.exe
2392	{F5A49ADC-D4C0-45e7-83F4-75BE37A03DB0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe	{613747AE-78D9-4009-8382-48666B08E4AF}.exe
File created	C:\Windows\{6FA09429-3CFD-4648-BFD3-90375767B761}.exe	{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe
File created	C:\Windows\{E9C71465-E55C-4b3d-A45D-F59825D25427}.exe	{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe
File created	C:\Windows\{613747AE-78D9-4009-8382-48666B08E4AF}.exe	{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe
File created	C:\Windows\{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe	{7688F555-52C7-4f45-B067-9909F5B815B6}.exe
File created	C:\Windows\{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe	{6FA09429-3CFD-4648-BFD3-90375767B761}.exe
File created	C:\Windows\{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe	{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe
File created	C:\Windows\{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe	{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe
File created	C:\Windows\{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe	{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe
File created	C:\Windows\{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe	{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe
File created	C:\Windows\{F5A49ADC-D4C0-45e7-83F4-75BE37A03DB0}.exe	{E9C71465-E55C-4b3d-A45D-F59825D25427}.exe
File created	C:\Windows\{7688F555-52C7-4f45-B067-9909F5B815B6}.exe	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4272	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4400	{7688F555-52C7-4f45-B067-9909F5B815B6}.exe
Token: SeIncBasePriorityPrivilege	4968	{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe
Token: SeIncBasePriorityPrivilege	4324	{613747AE-78D9-4009-8382-48666B08E4AF}.exe
Token: SeIncBasePriorityPrivilege	4648	{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe
Token: SeIncBasePriorityPrivilege	4856	{6FA09429-3CFD-4648-BFD3-90375767B761}.exe
Token: SeIncBasePriorityPrivilege	1500	{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe
Token: SeIncBasePriorityPrivilege	4172	{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe
Token: SeIncBasePriorityPrivilege	1844	{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe
Token: SeIncBasePriorityPrivilege	1472	{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe
Token: SeIncBasePriorityPrivilege	4340	{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe
Token: SeIncBasePriorityPrivilege	3008	{E9C71465-E55C-4b3d-A45D-F59825D25427}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 4400	4272	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	97
PID 4272 wrote to memory of 4400	4272	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	97
PID 4272 wrote to memory of 4400	4272	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	97
PID 4272 wrote to memory of 1312	4272	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	98
PID 4272 wrote to memory of 1312	4272	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	98
PID 4272 wrote to memory of 1312	4272	2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe	98
PID 4400 wrote to memory of 4968	4400	{7688F555-52C7-4f45-B067-9909F5B815B6}.exe	100
PID 4400 wrote to memory of 4968	4400	{7688F555-52C7-4f45-B067-9909F5B815B6}.exe	100
PID 4400 wrote to memory of 4968	4400	{7688F555-52C7-4f45-B067-9909F5B815B6}.exe	100
PID 4400 wrote to memory of 3004	4400	{7688F555-52C7-4f45-B067-9909F5B815B6}.exe	101
PID 4400 wrote to memory of 3004	4400	{7688F555-52C7-4f45-B067-9909F5B815B6}.exe	101
PID 4400 wrote to memory of 3004	4400	{7688F555-52C7-4f45-B067-9909F5B815B6}.exe	101
PID 4968 wrote to memory of 4324	4968	{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe	106
PID 4968 wrote to memory of 4324	4968	{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe	106
PID 4968 wrote to memory of 4324	4968	{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe	106
PID 4968 wrote to memory of 3508	4968	{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe	107
PID 4968 wrote to memory of 3508	4968	{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe	107
PID 4968 wrote to memory of 3508	4968	{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe	107
PID 4324 wrote to memory of 4648	4324	{613747AE-78D9-4009-8382-48666B08E4AF}.exe	108
PID 4324 wrote to memory of 4648	4324	{613747AE-78D9-4009-8382-48666B08E4AF}.exe	108
PID 4324 wrote to memory of 4648	4324	{613747AE-78D9-4009-8382-48666B08E4AF}.exe	108
PID 4324 wrote to memory of 4764	4324	{613747AE-78D9-4009-8382-48666B08E4AF}.exe	109
PID 4324 wrote to memory of 4764	4324	{613747AE-78D9-4009-8382-48666B08E4AF}.exe	109
PID 4324 wrote to memory of 4764	4324	{613747AE-78D9-4009-8382-48666B08E4AF}.exe	109
PID 4648 wrote to memory of 4856	4648	{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe	110
PID 4648 wrote to memory of 4856	4648	{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe	110
PID 4648 wrote to memory of 4856	4648	{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe	110
PID 4648 wrote to memory of 4924	4648	{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe	111
PID 4648 wrote to memory of 4924	4648	{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe	111
PID 4648 wrote to memory of 4924	4648	{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe	111
PID 4856 wrote to memory of 1500	4856	{6FA09429-3CFD-4648-BFD3-90375767B761}.exe	113
PID 4856 wrote to memory of 1500	4856	{6FA09429-3CFD-4648-BFD3-90375767B761}.exe	113
PID 4856 wrote to memory of 1500	4856	{6FA09429-3CFD-4648-BFD3-90375767B761}.exe	113
PID 4856 wrote to memory of 4136	4856	{6FA09429-3CFD-4648-BFD3-90375767B761}.exe	114
PID 4856 wrote to memory of 4136	4856	{6FA09429-3CFD-4648-BFD3-90375767B761}.exe	114
PID 4856 wrote to memory of 4136	4856	{6FA09429-3CFD-4648-BFD3-90375767B761}.exe	114
PID 1500 wrote to memory of 4172	1500	{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe	115
PID 1500 wrote to memory of 4172	1500	{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe	115
PID 1500 wrote to memory of 4172	1500	{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe	115
PID 1500 wrote to memory of 1028	1500	{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe	116
PID 1500 wrote to memory of 1028	1500	{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe	116
PID 1500 wrote to memory of 1028	1500	{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe	116
PID 4172 wrote to memory of 1844	4172	{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe	117
PID 4172 wrote to memory of 1844	4172	{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe	117
PID 4172 wrote to memory of 1844	4172	{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe	117
PID 4172 wrote to memory of 980	4172	{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe	118
PID 4172 wrote to memory of 980	4172	{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe	118
PID 4172 wrote to memory of 980	4172	{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe	118
PID 1844 wrote to memory of 1472	1844	{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe	123
PID 1844 wrote to memory of 1472	1844	{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe	123
PID 1844 wrote to memory of 1472	1844	{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe	123
PID 1844 wrote to memory of 2836	1844	{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe	124
PID 1844 wrote to memory of 2836	1844	{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe	124
PID 1844 wrote to memory of 2836	1844	{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe	124
PID 1472 wrote to memory of 4340	1472	{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe	130
PID 1472 wrote to memory of 4340	1472	{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe	130
PID 1472 wrote to memory of 4340	1472	{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe	130
PID 1472 wrote to memory of 4572	1472	{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe	131
PID 1472 wrote to memory of 4572	1472	{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe	131
PID 1472 wrote to memory of 4572	1472	{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe	131
PID 4340 wrote to memory of 3008	4340	{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe	132
PID 4340 wrote to memory of 3008	4340	{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe	132
PID 4340 wrote to memory of 3008	4340	{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe	132
PID 4340 wrote to memory of 4356	4340	{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_5e42f0fa6fc953a37208331982ae2495_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\{7688F555-52C7-4f45-B067-9909F5B815B6}.exe
  C:\Windows\{7688F555-52C7-4f45-B067-9909F5B815B6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe
    C:\Windows\{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\{613747AE-78D9-4009-8382-48666B08E4AF}.exe
      C:\Windows\{613747AE-78D9-4009-8382-48666B08E4AF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe
        
        C:\Windows\{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4648
      - C:\Windows\{6FA09429-3CFD-4648-BFD3-90375767B761}.exe
        
        C:\Windows\{6FA09429-3CFD-4648-BFD3-90375767B761}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe
        
        C:\Windows\{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe
        
        C:\Windows\{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe
        
        C:\Windows\{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe
        
        C:\Windows\{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe
        
        C:\Windows\{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{E9C71465-E55C-4b3d-A45D-F59825D25427}.exe
        
        C:\Windows\{E9C71465-E55C-4b3d-A45D-F59825D25427}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\{F5A49ADC-D4C0-45e7-83F4-75BE37A03DB0}.exe
        
        C:\Windows\{F5A49ADC-D4C0-45e7-83F4-75BE37A03DB0}.exe
        13⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9C71~1.EXE > nul
        13⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19385~1.EXE > nul
        12⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06D46~1.EXE > nul
        11⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A35C6~1.EXE > nul
        10⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27E17~1.EXE > nul
        9⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CF62~1.EXE > nul
        8⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FA09~1.EXE > nul
        7⤵
        
        PID:4136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9765~1.EXE > nul
        6⤵
        
        PID:4924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61374~1.EXE > nul
        5⤵
        
        PID:4764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8C498~1.EXE > nul
      4⤵
      PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7688F~1.EXE > nul
    3⤵
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06D4676B-A565-483d-8175-A668F3C3A5B0}.exe

Filesize
180KB

MD5
e0e56558fa311a3b1d6cd86905f95486

SHA1
43d561e49000d9a8eb0d81d01388e5daaf1ec3e0

SHA256
498199e642aee498914fce2e9d89a05245a655efa856fb53b25f1893ea0a5709

SHA512
ee4f48f8e9dde1fe18d38b17ce3a0a5b34797ce589aaa7da7c0877c1d0188474942790c5aabca53643fbe1ab5842adfef58e70383fba13b01dd67a53709c28fb

Download Submit
C:\Windows\{193856A5-F7A1-4d8c-8DB8-FD7B17D13306}.exe

Filesize
180KB

MD5
9f719489aaabb41a4a33cf0cea878daa

SHA1
cd6d1d92bee9fa831f63008290b05ab5abbef8e9

SHA256
90903cad8af660286d98fac12cea141e1ffb7e830ff6e6d2a95328eaaa38073b

SHA512
57a13e19f9a58fde70f272ba7506f42aafa97b7cee43dccba3f059748a17489acb660d4909c073479285c6a5f7c70f84a4b4742a3b016f160a2cfa8dbafa67d3

Download Submit
C:\Windows\{27E17347-74E6-4cbf-A6C1-4DBF4CABA0C4}.exe

Filesize
180KB

MD5
2264c6d0fc6663fb2e3f28d7a35d6046

SHA1
364bef0ab48bb5eec567b1c79df1a2ff148081d2

SHA256
3874512f691695ab8f0556dcf7a6d5ebae6085e47ee5ee1b50beafe83a9378fe

SHA512
696dee81bd0a63ed9c5896d0cc0ae66810f73667dc1228f54acfa5e2de6959eb375caee24c7144da2479d309a272d223f92a88ee087059682d008b5cf05dba55

Download Submit
C:\Windows\{613747AE-78D9-4009-8382-48666B08E4AF}.exe

Filesize
180KB

MD5
f5d3d403964ba9f9d5375471ca58c3c2

SHA1
ccbe6e48a735ea39121cf65f83a5395804ca81c5

SHA256
a889a038c422652ba9098d30b635b139f044e8aab8eb9a6e62227a3b99896453

SHA512
0557ed1146d595dca417044cb264ab065f809e02f307403f233ae73e567919e275e46a6d79f3bec8b98504281977829e966c353215884c2bd3befb6e87a73cf6

Download Submit
C:\Windows\{6FA09429-3CFD-4648-BFD3-90375767B761}.exe

Filesize
180KB

MD5
d57f1b30d840d79065d46d8ad484a0a1

SHA1
7e383e35e75f0c2cdb600ee6cd33eec29dce5584

SHA256
a1026057a4bd53bff5ef0e5e0947ece9855c4cab17e4a8cef562e9bf10db38cc

SHA512
51594e75bd9a310ab5059a9c86bc3d1baac66a533f05f710b824069b598caff5fc6a0bf2c58c47622fb864e8167b096712521f2687b602e99a09a2dd88230bc2

Download Submit
C:\Windows\{7688F555-52C7-4f45-B067-9909F5B815B6}.exe

Filesize
180KB

MD5
662c5492ec7b1c07b738376e4173ecd0

SHA1
32f1ad109288f9ba1b3d824060cd4eebb38c1a1c

SHA256
ec79dacd5564f4a1fef6329ed1f4c68746d83a63821d2686e4f910b5fe97c4a9

SHA512
d0b1187db2f48d2f16f4855af49fa5f1ce3b933ce4229c6ef49b9790a577acd31c28bfa354faf072a5cbdecd21be75b513ecd7292887171b931ee50fa9ecca4e

Download Submit
C:\Windows\{7CF625B7-008B-461f-87FE-9CD46F90CA2C}.exe

Filesize
180KB

MD5
b6ed36a32759d19346a85d7d607ae150

SHA1
931bd94bef61d267b95f853f6906e578a87e8ce8

SHA256
3ebcf7703052de9534f0b71c393b9dc25d0f0c3e3fdc71a7c423463185dd3aed

SHA512
50a2d01c97c717de5aaa63d23cddc83d6b661559f7836e4935e13568cfbeaa0d4ed2036d9c28921d12ca73ef11ec29dd8962d68a1ba3d20d5896ba08ad171278

Download Submit
C:\Windows\{8C4989CB-73ED-4c0e-8D0A-C9E7224710FF}.exe

Filesize
180KB

MD5
7d3dfb7cfa2a64607840e362be543328

SHA1
6d00b798d635ea64f747f038a7b9acb1273cdb8d

SHA256
00dddd6dfb21b7a1e048ae042e2e484a966e470cb0c4a55037f9a8bf9825f683

SHA512
1517194ed4db28c1f5f1fc06b244465374fb7275fe83be22801dcd6f85db7aa065b26c5291cbac940e14478eaaec45f5c836aaf2b502dfb8a6e39a787d006633

Download Submit
C:\Windows\{A35C60FF-B920-4345-8F21-AEE81F79EE55}.exe

Filesize
180KB

MD5
451e62f2200b105a2f07f599aa022c02

SHA1
797c1be40106d3d348825e5b54c748a1b16b7e7d

SHA256
a4aaa74418364e9e9421462c1bc9c9c85e59fb2d04d016afe153bc3230b28107

SHA512
f757b49c0a1101320e576b186d169edbf6c9511c77572cdd2821e8103b23091e0e0a854680fe49ade86a1b05047aeac4b19d84f80d43ed14e9a02d0f44359483

Download Submit
C:\Windows\{E9C71465-E55C-4b3d-A45D-F59825D25427}.exe

Filesize
180KB

MD5
f4cc2e7c6d930ac30a35de99285fdbb5

SHA1
fc84647daabc36eb2c9e0fe8c4b2b2cf439b934f

SHA256
0f83bb843cd00249c903db7ffa1f486ff205c622a4ac7f09190e86c5545cbf35

SHA512
6f6e0620c539a0f83fd27026b8daf3f00cd33efb2d381620fc435cc9a82901c3324ca729fc50ae9b64fefce69a5bb0b69e9c6a986eea4d186e9159ab523ec2c8

Download Submit
C:\Windows\{F5A49ADC-D4C0-45e7-83F4-75BE37A03DB0}.exe

Filesize
180KB

MD5
0d8845a5b6e03cfe8ff31afa7baa0fad

SHA1
0aff3e8699d512e4e706263927cadae84677afa8

SHA256
924642ff15650472fe61fc3fb9bb5b1e4d91e55ca20c7afd90cf10a9377306ac

SHA512
f347ad0b816a2d73c4855bef6d4b041b463357fc40d8bfc022fbba7940e6b7cb912a2666c6f32123a24d06483a7b8d2af625728e126f094dc6864c2d02c36ebe

Download Submit
C:\Windows\{F976513F-6645-4a47-8C87-AA43CDE9406F}.exe

Filesize
180KB

MD5
346f167c8ac6c2739381dc28a244991e

SHA1
06c2f161294e37dc5ed09567a91939be667afc29

SHA256
4e09f8d88b40371ee8373b41e25939be23cebbb370c2bc32c68374d83486bc2b

SHA512
4ce375e0ca7d7f41548dd8e28e9c08a005945bed8fa0a3b5e3812a1079f84b5e9f28daaa0ddc4f032bdacdc0afdab022c48b09d29073705819fce20cebafcf6f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads