1191080d6a84425682b11e776774080bea16ab23033cfb8cec42a17752464e0f

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe
Size

408KB
MD5

0239b222ff451ce500b5844dbcf3b6aa
SHA1

e7daedf8210b60b51762523c347782d8118a0fff
SHA256

1191080d6a84425682b11e776774080bea16ab23033cfb8cec42a17752464e0f
SHA512

1b3c1ab0a380ea4c262a55d519b75829bbd5cd1a6a450d189bfd15627f7098daf47abbdeb26b8d3d5f8625b253a6fa90d466e8e7359945df5b10cb69ec34f2e9
SSDEEP

3072:CEGh0oll3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGDldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000700000002325c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023265-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023273-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000228bf-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000001e76b-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002327d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023282-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023283-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002337a-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002337f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023382-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}\stubpath = "C:\\Windows\\{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe"	{B3064671-4388-485c-AC2A-D43614874B46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E207776-EB52-4b44-B495-8641B414E81A}	{D01808CF-AEC1-4e55-8710-14D172724226}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D38C5E9-906B-4f6a-B192-C62D364B79E5}	{9522305E-BB9B-402b-97E7-89EEAD1B6649}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12BB8476-1EA6-4d95-9642-1ED01AF21A86}\stubpath = "C:\\Windows\\{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe"	2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667C521E-A8CC-43ed-AAB8-7D50263F88D7}	{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8EA74C5-840A-4fa1-9173-95B61461BB17}	{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8EA74C5-840A-4fa1-9173-95B61461BB17}\stubpath = "C:\\Windows\\{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe"	{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{429CE575-3B5F-45e0-BEE4-96410E7DF94F}	{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}	{B3064671-4388-485c-AC2A-D43614874B46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}\stubpath = "C:\\Windows\\{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe"	{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9522305E-BB9B-402b-97E7-89EEAD1B6649}	{6E207776-EB52-4b44-B495-8641B414E81A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9522305E-BB9B-402b-97E7-89EEAD1B6649}\stubpath = "C:\\Windows\\{9522305E-BB9B-402b-97E7-89EEAD1B6649}.exe"	{6E207776-EB52-4b44-B495-8641B414E81A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D01808CF-AEC1-4e55-8710-14D172724226}	{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D01808CF-AEC1-4e55-8710-14D172724226}\stubpath = "C:\\Windows\\{D01808CF-AEC1-4e55-8710-14D172724226}.exe"	{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E207776-EB52-4b44-B495-8641B414E81A}\stubpath = "C:\\Windows\\{6E207776-EB52-4b44-B495-8641B414E81A}.exe"	{D01808CF-AEC1-4e55-8710-14D172724226}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667C521E-A8CC-43ed-AAB8-7D50263F88D7}\stubpath = "C:\\Windows\\{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe"	{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{429CE575-3B5F-45e0-BEE4-96410E7DF94F}\stubpath = "C:\\Windows\\{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe"	{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3064671-4388-485c-AC2A-D43614874B46}	{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3064671-4388-485c-AC2A-D43614874B46}\stubpath = "C:\\Windows\\{B3064671-4388-485c-AC2A-D43614874B46}.exe"	{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}	{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D38C5E9-906B-4f6a-B192-C62D364B79E5}\stubpath = "C:\\Windows\\{9D38C5E9-906B-4f6a-B192-C62D364B79E5}.exe"	{9522305E-BB9B-402b-97E7-89EEAD1B6649}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12BB8476-1EA6-4d95-9642-1ED01AF21A86}	2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C988BB8-4F93-42c9-AC03-CF62087E58B7}	{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C988BB8-4F93-42c9-AC03-CF62087E58B7}\stubpath = "C:\\Windows\\{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe"	{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe

Executes dropped EXE 11 IoCs

pid	Process
5100	{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe
3068	{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe
3124	{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe
1600	{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe
3392	{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe
4852	{B3064671-4388-485c-AC2A-D43614874B46}.exe
528	{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe
4336	{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe
3756	{D01808CF-AEC1-4e55-8710-14D172724226}.exe
2148	{6E207776-EB52-4b44-B495-8641B414E81A}.exe
3084	{9522305E-BB9B-402b-97E7-89EEAD1B6649}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe	{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe
File created	C:\Windows\{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe	{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe
File created	C:\Windows\{B3064671-4388-485c-AC2A-D43614874B46}.exe	{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe
File created	C:\Windows\{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe	{B3064671-4388-485c-AC2A-D43614874B46}.exe
File created	C:\Windows\{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe	{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe
File created	C:\Windows\{D01808CF-AEC1-4e55-8710-14D172724226}.exe	{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe
File created	C:\Windows\{6E207776-EB52-4b44-B495-8641B414E81A}.exe	{D01808CF-AEC1-4e55-8710-14D172724226}.exe
File created	C:\Windows\{9522305E-BB9B-402b-97E7-89EEAD1B6649}.exe	{6E207776-EB52-4b44-B495-8641B414E81A}.exe
File created	C:\Windows\{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe	2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe
File created	C:\Windows\{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe	{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe
File created	C:\Windows\{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe	{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe
File created	C:\Windows\{9D38C5E9-906B-4f6a-B192-C62D364B79E5}.exe	{9522305E-BB9B-402b-97E7-89EEAD1B6649}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	416	2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5100	{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe
Token: SeIncBasePriorityPrivilege	3068	{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe
Token: SeIncBasePriorityPrivilege	3124	{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe
Token: SeIncBasePriorityPrivilege	1600	{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe
Token: SeIncBasePriorityPrivilege	3392	{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe
Token: SeIncBasePriorityPrivilege	4852	{B3064671-4388-485c-AC2A-D43614874B46}.exe
Token: SeIncBasePriorityPrivilege	528	{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe
Token: SeIncBasePriorityPrivilege	4336	{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe
Token: SeIncBasePriorityPrivilege	3756	{D01808CF-AEC1-4e55-8710-14D172724226}.exe
Token: SeIncBasePriorityPrivilege	2148	{6E207776-EB52-4b44-B495-8641B414E81A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 5100	416	2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe	97
PID 416 wrote to memory of 5100	416	2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe	97
PID 416 wrote to memory of 5100	416	2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe	97
PID 416 wrote to memory of 1336	416	2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe	98
PID 416 wrote to memory of 1336	416	2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe	98
PID 416 wrote to memory of 1336	416	2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe	98
PID 5100 wrote to memory of 3068	5100	{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe	100
PID 5100 wrote to memory of 3068	5100	{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe	100
PID 5100 wrote to memory of 3068	5100	{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe	100
PID 5100 wrote to memory of 3184	5100	{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe	101
PID 5100 wrote to memory of 3184	5100	{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe	101
PID 5100 wrote to memory of 3184	5100	{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe	101
PID 3068 wrote to memory of 3124	3068	{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe	104
PID 3068 wrote to memory of 3124	3068	{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe	104
PID 3068 wrote to memory of 3124	3068	{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe	104
PID 3068 wrote to memory of 4424	3068	{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe	105
PID 3068 wrote to memory of 4424	3068	{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe	105
PID 3068 wrote to memory of 4424	3068	{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe	105
PID 3124 wrote to memory of 1600	3124	{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe	106
PID 3124 wrote to memory of 1600	3124	{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe	106
PID 3124 wrote to memory of 1600	3124	{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe	106
PID 3124 wrote to memory of 4216	3124	{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe	107
PID 3124 wrote to memory of 4216	3124	{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe	107
PID 3124 wrote to memory of 4216	3124	{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe	107
PID 1600 wrote to memory of 3392	1600	{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe	108
PID 1600 wrote to memory of 3392	1600	{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe	108
PID 1600 wrote to memory of 3392	1600	{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe	108
PID 1600 wrote to memory of 3756	1600	{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe	109
PID 1600 wrote to memory of 3756	1600	{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe	109
PID 1600 wrote to memory of 3756	1600	{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe	109
PID 3392 wrote to memory of 4852	3392	{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe	113
PID 3392 wrote to memory of 4852	3392	{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe	113
PID 3392 wrote to memory of 4852	3392	{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe	113
PID 3392 wrote to memory of 784	3392	{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe	114
PID 3392 wrote to memory of 784	3392	{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe	114
PID 3392 wrote to memory of 784	3392	{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe	114
PID 4852 wrote to memory of 528	4852	{B3064671-4388-485c-AC2A-D43614874B46}.exe	116
PID 4852 wrote to memory of 528	4852	{B3064671-4388-485c-AC2A-D43614874B46}.exe	116
PID 4852 wrote to memory of 528	4852	{B3064671-4388-485c-AC2A-D43614874B46}.exe	116
PID 4852 wrote to memory of 1496	4852	{B3064671-4388-485c-AC2A-D43614874B46}.exe	117
PID 4852 wrote to memory of 1496	4852	{B3064671-4388-485c-AC2A-D43614874B46}.exe	117
PID 4852 wrote to memory of 1496	4852	{B3064671-4388-485c-AC2A-D43614874B46}.exe	117
PID 528 wrote to memory of 4336	528	{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe	118
PID 528 wrote to memory of 4336	528	{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe	118
PID 528 wrote to memory of 4336	528	{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe	118
PID 528 wrote to memory of 1376	528	{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe	119
PID 528 wrote to memory of 1376	528	{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe	119
PID 528 wrote to memory of 1376	528	{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe	119
PID 4336 wrote to memory of 3756	4336	{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe	120
PID 4336 wrote to memory of 3756	4336	{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe	120
PID 4336 wrote to memory of 3756	4336	{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe	120
PID 4336 wrote to memory of 2540	4336	{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe	121
PID 4336 wrote to memory of 2540	4336	{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe	121
PID 4336 wrote to memory of 2540	4336	{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe	121
PID 3756 wrote to memory of 2148	3756	{D01808CF-AEC1-4e55-8710-14D172724226}.exe	125
PID 3756 wrote to memory of 2148	3756	{D01808CF-AEC1-4e55-8710-14D172724226}.exe	125
PID 3756 wrote to memory of 2148	3756	{D01808CF-AEC1-4e55-8710-14D172724226}.exe	125
PID 3756 wrote to memory of 772	3756	{D01808CF-AEC1-4e55-8710-14D172724226}.exe	126
PID 3756 wrote to memory of 772	3756	{D01808CF-AEC1-4e55-8710-14D172724226}.exe	126
PID 3756 wrote to memory of 772	3756	{D01808CF-AEC1-4e55-8710-14D172724226}.exe	126
PID 2148 wrote to memory of 3084	2148	{6E207776-EB52-4b44-B495-8641B414E81A}.exe	127
PID 2148 wrote to memory of 3084	2148	{6E207776-EB52-4b44-B495-8641B414E81A}.exe	127
PID 2148 wrote to memory of 3084	2148	{6E207776-EB52-4b44-B495-8641B414E81A}.exe	127
PID 2148 wrote to memory of 740	2148	{6E207776-EB52-4b44-B495-8641B414E81A}.exe	128

C:\Users\Admin\AppData\Local\Temp\2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_0239b222ff451ce500b5844dbcf3b6aa_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe
  C:\Windows\{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe
    C:\Windows\{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe
      C:\Windows\{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe
        
        C:\Windows\{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe
        
        C:\Windows\{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\{B3064671-4388-485c-AC2A-D43614874B46}.exe
        
        C:\Windows\{B3064671-4388-485c-AC2A-D43614874B46}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe
        
        C:\Windows\{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe
        
        C:\Windows\{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{D01808CF-AEC1-4e55-8710-14D172724226}.exe
        
        C:\Windows\{D01808CF-AEC1-4e55-8710-14D172724226}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\{6E207776-EB52-4b44-B495-8641B414E81A}.exe
        
        C:\Windows\{6E207776-EB52-4b44-B495-8641B414E81A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\{9522305E-BB9B-402b-97E7-89EEAD1B6649}.exe
        
        C:\Windows\{9522305E-BB9B-402b-97E7-89EEAD1B6649}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E207~1.EXE > nul
        12⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0180~1.EXE > nul
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A150~1.EXE > nul
        10⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1F8C~1.EXE > nul
        9⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3064~1.EXE > nul
        8⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{429CE~1.EXE > nul
        7⤵
        
        PID:784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8EA7~1.EXE > nul
        6⤵
        
        PID:3756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C988~1.EXE > nul
        5⤵
        
        PID:4216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{667C5~1.EXE > nul
      4⤵
      PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{12BB8~1.EXE > nul
    3⤵
    PID:3184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12BB8476-1EA6-4d95-9642-1ED01AF21A86}.exe

Filesize
408KB

MD5
7ac417b72926b3a1ef25462d10683311

SHA1
2be109fc0ae8b4352484b5963bc82357ab817d5e

SHA256
708fd4aeeee6333cced3bf6944db4dfe8c713cc30db7947a181f29f7fcce9555

SHA512
c50c9b9347f4b9dc7a4e3f357e9ca75f4a7c586c56d717bb757b46848750f4502b65b4b8e2628914a24a7bab6b20408a8f72dab8c072440fc6c85cfca3da868a

Download Submit
C:\Windows\{429CE575-3B5F-45e0-BEE4-96410E7DF94F}.exe

Filesize
408KB

MD5
b952d31bf4936cc8a1c2b4267439add7

SHA1
31cc1c94a9b340f854d34672866178faeeb62a9e

SHA256
ca9e6d8427e1efc8639f83b05314481ec478dab2642f9f465dfe20090fece8a9

SHA512
182a32400595a6e7e9179157f38814ecfdb215871cd40c82cfc90bc370317f3374a6f68a594d848b4ebcd1c4e3a9c583cf1fa2b3dcee2c066e309f23e3debb1a

Download Submit
C:\Windows\{5A150D0E-C0EB-4d41-9B79-1A9BC7C872E9}.exe

Filesize
408KB

MD5
83027c4d9dcad81fac3f2629b6ebc095

SHA1
3400fa91c7914e10987d9bd749891305ab2cbb56

SHA256
20fdb5cc94a93912686d074509d0c9da677f551894fde6b4481fe248196bb249

SHA512
834d91ea5147237411cd60fb486ae1cd431509f5741167ef03fa7e77822784eb6ed531d6c30826e7702b8ada3971b52cc716b7fe18176cf994c527c061a793ce

Download Submit
C:\Windows\{667C521E-A8CC-43ed-AAB8-7D50263F88D7}.exe

Filesize
408KB

MD5
8f0c5e035233fafc1b235b17a17fcc01

SHA1
c8e9c1fa04ad073c6194c75bee55e5ee6f9d0ef3

SHA256
101fcc52033ca4f8ae9c22a49d67f298e141501fe50e2e739ccde1a03d60d6ae

SHA512
9f973d7d49d9294f7b0243b00641c7442f6668d3ce99a5bba044fbe729c2cdc93815c16a877f6db1054699d3249a0c609ac6f33d908d6605d83a347a2619d317

Download Submit
C:\Windows\{6C988BB8-4F93-42c9-AC03-CF62087E58B7}.exe

Filesize
408KB

MD5
238893a4141474f983e57248beed610e

SHA1
a244bd294e239e2be5305d18ccf36a2b2168c25a

SHA256
9936b36fa849f3d7817bf28fd91b2506cad4860c7d959b72c2177a5fe421c39c

SHA512
786c0ceaeda0d674397395b50321c33b5f5362b00a5b692fd518a7df4f505dd0bc29ceed1e5ee9a276958dd6482d1f664e9e0cfa577f2a69a325b95692c91833

Download Submit
C:\Windows\{6E207776-EB52-4b44-B495-8641B414E81A}.exe

Filesize
408KB

MD5
2cd28495bab4a3ea0aef425a10bed620

SHA1
c0c6bd39ac1b0ea8bad3d09f21dc3ed3f13a65e3

SHA256
9c10fc14eef3ed0f5f892088ce8fd9a90e1f5aafd383c935bb16757a711ab4c5

SHA512
8d7b09dec88fc694e0cbf735da3f739aa810852f9e5732720e2b62b5eebe2b9f7b832a7530b25322d26fa0689869a4e15a1eb860d2012de84ec6c71c1ee8e46d

Download Submit
C:\Windows\{9522305E-BB9B-402b-97E7-89EEAD1B6649}.exe

Filesize
408KB

MD5
22161ec45046d2c18638da81fad60e09

SHA1
312f0437ebddd844e29c19d1b798418b2725f9d0

SHA256
df913f68c216d2d83087d612cb182bb7d84e2f463d61a7cf9d2abc13581f4a5f

SHA512
6ea64604f513275f1259ac917f27c17cac07ca9dd882150c94ea93eb2aef2ac3d53d6ce57e14bbd3477e9fa096e125e12b229978c9172fb82864ad0f248900b9

Download Submit
C:\Windows\{B1F8C705-EF30-4b92-8699-3CEA225DBA1C}.exe

Filesize
408KB

MD5
25418595fbd1481eb7c9f66f4324b02d

SHA1
ba7f32cf2352dd3d8d2762b942b6b025abb6d6cc

SHA256
e914d48aaf53b502c24cf3252eb2cf214dd0c992e90558502136631211e7c5f4

SHA512
76a97f8d0331b83420cf29cbf039bf1af3c7756ead48aadf2a3b9c41835c55c5a94e6aa0fcf89e1405aab9e23a0e57e0e6dbdf7f86b45156361d64dae51b8cd4

Download Submit
C:\Windows\{B3064671-4388-485c-AC2A-D43614874B46}.exe

Filesize
408KB

MD5
a03cd688ca811f83a831b89435ac288c

SHA1
18a55f40e47d97e07bb29169be66c41dcad4a4e7

SHA256
8f5d742ad79846de72c8ed71e2d6730b1d31fe89bce87d27f6cfed11982f25fd

SHA512
3c47354141eab1a2755483ea3c66698dd12e3d6c0c3ad92212b98b1976b3f3f61cb951fac16de6becd57e245cfd63507488662006c36787e228baf11386659bf

Download Submit
C:\Windows\{C8EA74C5-840A-4fa1-9173-95B61461BB17}.exe

Filesize
408KB

MD5
f80a5bd8bec1e66076c1827aef12dc2b

SHA1
0db41f7b2f73677c4e98548bb325e730ebe658fa

SHA256
3e4a8dee64898e61186926c000bd99b98285097b99fcf162426beafc439a26fb

SHA512
32c9fd9173aa131992cbc3dc0accd94e3753adfc6d3147a47b8df5bb8e4e13ebaa9b1c04d353679f55d898f801fb59947d8e9442e2eaa293ec606390960f2340

Download Submit
C:\Windows\{D01808CF-AEC1-4e55-8710-14D172724226}.exe

Filesize
408KB

MD5
5c0d159798bde291511c4c22afd9c247

SHA1
485003f7f9cae6a9f055c2b49cd65e5dcc52acad

SHA256
b581079a0689d60c78b96e72ba170965dbb86025fdcbda9d1e3837dc1d2c7e56

SHA512
49926b1d4bd639f91b64fe022d0f4b3cbb79bdb51eb8cb0aa8b1f2423f8a24a17a1abee02d9dbe7efb4d8451e4f1f9b43fed15d0f87d1e7e49ddcadac44b9361

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads