a3413ebe071d4c0b594fd321976c8caba4e1b93b86173bf069fda108305d0ded

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe
Size

216KB
MD5

1192bb5f2954b454eee6b0997f14f14e
SHA1

20e60a0cb9f42e7a451ed7165b20464e3278e8aa
SHA256

a3413ebe071d4c0b594fd321976c8caba4e1b93b86173bf069fda108305d0ded
SHA512

0876ac9a970e19fb87b9123a5272c0c122368e17c251765a213c05ae6b617c7e90511ea00ca72fe14ef125837d3fa9d0d199a20d2681cb40b82d99878a459a24
SSDEEP

3072:jEGh0oIl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGWlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f0-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231fd-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000232fe-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000230ac-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000230c3-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000230ac-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023378-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000230cc-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002339b-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233b0-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023499-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233b0-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12056D03-F863-4c22-9ADA-F6FCD5479349}\stubpath = "C:\\Windows\\{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe"	{E134DADF-DDA0-41ac-8165-385A778448C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5274DF38-A35C-4663-86DA-B770E92F8E59}\stubpath = "C:\\Windows\\{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe"	{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{035C15E7-ED60-4b67-8041-F41B526FE198}\stubpath = "C:\\Windows\\{035C15E7-ED60-4b67-8041-F41B526FE198}.exe"	{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}\stubpath = "C:\\Windows\\{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe"	{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CFD1230-4583-4e69-8B9F-1C724D630EDF}	{9B5416EF-740D-455b-A152-4B88062216BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CFD1230-4583-4e69-8B9F-1C724D630EDF}\stubpath = "C:\\Windows\\{6CFD1230-4583-4e69-8B9F-1C724D630EDF}.exe"	{9B5416EF-740D-455b-A152-4B88062216BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F414D96A-663D-4237-9828-F9F30D720F9B}	2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E134DADF-DDA0-41ac-8165-385A778448C4}\stubpath = "C:\\Windows\\{E134DADF-DDA0-41ac-8165-385A778448C4}.exe"	{F414D96A-663D-4237-9828-F9F30D720F9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B5416EF-740D-455b-A152-4B88062216BD}\stubpath = "C:\\Windows\\{9B5416EF-740D-455b-A152-4B88062216BD}.exe"	{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630E8E50-4950-4ff4-8DB4-8CC20D489128}	{6CFD1230-4583-4e69-8B9F-1C724D630EDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}	{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}\stubpath = "C:\\Windows\\{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe"	{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}	{035C15E7-ED60-4b67-8041-F41B526FE198}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}	{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F414D96A-663D-4237-9828-F9F30D720F9B}\stubpath = "C:\\Windows\\{F414D96A-663D-4237-9828-F9F30D720F9B}.exe"	2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5274DF38-A35C-4663-86DA-B770E92F8E59}	{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}\stubpath = "C:\\Windows\\{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe"	{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{035C15E7-ED60-4b67-8041-F41B526FE198}	{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}\stubpath = "C:\\Windows\\{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe"	{035C15E7-ED60-4b67-8041-F41B526FE198}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}	{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B5416EF-740D-455b-A152-4B88062216BD}	{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630E8E50-4950-4ff4-8DB4-8CC20D489128}\stubpath = "C:\\Windows\\{630E8E50-4950-4ff4-8DB4-8CC20D489128}.exe"	{6CFD1230-4583-4e69-8B9F-1C724D630EDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E134DADF-DDA0-41ac-8165-385A778448C4}	{F414D96A-663D-4237-9828-F9F30D720F9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12056D03-F863-4c22-9ADA-F6FCD5479349}	{E134DADF-DDA0-41ac-8165-385A778448C4}.exe

Executes dropped EXE 12 IoCs

pid	Process
816	{F414D96A-663D-4237-9828-F9F30D720F9B}.exe
2904	{E134DADF-DDA0-41ac-8165-385A778448C4}.exe
3912	{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe
3120	{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe
3580	{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe
2268	{035C15E7-ED60-4b67-8041-F41B526FE198}.exe
784	{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe
3120	{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe
924	{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe
4424	{9B5416EF-740D-455b-A152-4B88062216BD}.exe
3908	{6CFD1230-4583-4e69-8B9F-1C724D630EDF}.exe
3888	{630E8E50-4950-4ff4-8DB4-8CC20D489128}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9B5416EF-740D-455b-A152-4B88062216BD}.exe	{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe
File created	C:\Windows\{E134DADF-DDA0-41ac-8165-385A778448C4}.exe	{F414D96A-663D-4237-9828-F9F30D720F9B}.exe
File created	C:\Windows\{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe	{E134DADF-DDA0-41ac-8165-385A778448C4}.exe
File created	C:\Windows\{035C15E7-ED60-4b67-8041-F41B526FE198}.exe	{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe
File created	C:\Windows\{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe	{035C15E7-ED60-4b67-8041-F41B526FE198}.exe
File created	C:\Windows\{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe	{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe
File created	C:\Windows\{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe	{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe
File created	C:\Windows\{6CFD1230-4583-4e69-8B9F-1C724D630EDF}.exe	{9B5416EF-740D-455b-A152-4B88062216BD}.exe
File created	C:\Windows\{630E8E50-4950-4ff4-8DB4-8CC20D489128}.exe	{6CFD1230-4583-4e69-8B9F-1C724D630EDF}.exe
File created	C:\Windows\{F414D96A-663D-4237-9828-F9F30D720F9B}.exe	2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe
File created	C:\Windows\{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe	{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe
File created	C:\Windows\{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe	{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2372	2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	816	{F414D96A-663D-4237-9828-F9F30D720F9B}.exe
Token: SeIncBasePriorityPrivilege	2904	{E134DADF-DDA0-41ac-8165-385A778448C4}.exe
Token: SeIncBasePriorityPrivilege	3912	{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe
Token: SeIncBasePriorityPrivilege	3120	{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe
Token: SeIncBasePriorityPrivilege	3580	{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe
Token: SeIncBasePriorityPrivilege	2268	{035C15E7-ED60-4b67-8041-F41B526FE198}.exe
Token: SeIncBasePriorityPrivilege	784	{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe
Token: SeIncBasePriorityPrivilege	3120	{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe
Token: SeIncBasePriorityPrivilege	924	{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe
Token: SeIncBasePriorityPrivilege	4424	{9B5416EF-740D-455b-A152-4B88062216BD}.exe
Token: SeIncBasePriorityPrivilege	3908	{6CFD1230-4583-4e69-8B9F-1C724D630EDF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 816	2372	2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe	97
PID 2372 wrote to memory of 816	2372	2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe	97
PID 2372 wrote to memory of 816	2372	2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe	97
PID 2372 wrote to memory of 4596	2372	2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe	98
PID 2372 wrote to memory of 4596	2372	2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe	98
PID 2372 wrote to memory of 4596	2372	2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe	98
PID 816 wrote to memory of 2904	816	{F414D96A-663D-4237-9828-F9F30D720F9B}.exe	102
PID 816 wrote to memory of 2904	816	{F414D96A-663D-4237-9828-F9F30D720F9B}.exe	102
PID 816 wrote to memory of 2904	816	{F414D96A-663D-4237-9828-F9F30D720F9B}.exe	102
PID 816 wrote to memory of 1392	816	{F414D96A-663D-4237-9828-F9F30D720F9B}.exe	103
PID 816 wrote to memory of 1392	816	{F414D96A-663D-4237-9828-F9F30D720F9B}.exe	103
PID 816 wrote to memory of 1392	816	{F414D96A-663D-4237-9828-F9F30D720F9B}.exe	103
PID 2904 wrote to memory of 3912	2904	{E134DADF-DDA0-41ac-8165-385A778448C4}.exe	105
PID 2904 wrote to memory of 3912	2904	{E134DADF-DDA0-41ac-8165-385A778448C4}.exe	105
PID 2904 wrote to memory of 3912	2904	{E134DADF-DDA0-41ac-8165-385A778448C4}.exe	105
PID 2904 wrote to memory of 4272	2904	{E134DADF-DDA0-41ac-8165-385A778448C4}.exe	106
PID 2904 wrote to memory of 4272	2904	{E134DADF-DDA0-41ac-8165-385A778448C4}.exe	106
PID 2904 wrote to memory of 4272	2904	{E134DADF-DDA0-41ac-8165-385A778448C4}.exe	106
PID 3912 wrote to memory of 3120	3912	{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe	107
PID 3912 wrote to memory of 3120	3912	{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe	107
PID 3912 wrote to memory of 3120	3912	{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe	107
PID 3912 wrote to memory of 2452	3912	{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe	108
PID 3912 wrote to memory of 2452	3912	{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe	108
PID 3912 wrote to memory of 2452	3912	{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe	108
PID 3120 wrote to memory of 3580	3120	{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe	118
PID 3120 wrote to memory of 3580	3120	{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe	118
PID 3120 wrote to memory of 3580	3120	{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe	118
PID 3120 wrote to memory of 816	3120	{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe	119
PID 3120 wrote to memory of 816	3120	{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe	119
PID 3120 wrote to memory of 816	3120	{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe	119
PID 3580 wrote to memory of 2268	3580	{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe	120
PID 3580 wrote to memory of 2268	3580	{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe	120
PID 3580 wrote to memory of 2268	3580	{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe	120
PID 3580 wrote to memory of 4024	3580	{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe	121
PID 3580 wrote to memory of 4024	3580	{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe	121
PID 3580 wrote to memory of 4024	3580	{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe	121
PID 2268 wrote to memory of 784	2268	{035C15E7-ED60-4b67-8041-F41B526FE198}.exe	122
PID 2268 wrote to memory of 784	2268	{035C15E7-ED60-4b67-8041-F41B526FE198}.exe	122
PID 2268 wrote to memory of 784	2268	{035C15E7-ED60-4b67-8041-F41B526FE198}.exe	122
PID 2268 wrote to memory of 3744	2268	{035C15E7-ED60-4b67-8041-F41B526FE198}.exe	123
PID 2268 wrote to memory of 3744	2268	{035C15E7-ED60-4b67-8041-F41B526FE198}.exe	123
PID 2268 wrote to memory of 3744	2268	{035C15E7-ED60-4b67-8041-F41B526FE198}.exe	123
PID 784 wrote to memory of 3120	784	{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe	125
PID 784 wrote to memory of 3120	784	{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe	125
PID 784 wrote to memory of 3120	784	{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe	125
PID 784 wrote to memory of 4844	784	{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe	126
PID 784 wrote to memory of 4844	784	{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe	126
PID 784 wrote to memory of 4844	784	{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe	126
PID 3120 wrote to memory of 924	3120	{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe	127
PID 3120 wrote to memory of 924	3120	{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe	127
PID 3120 wrote to memory of 924	3120	{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe	127
PID 3120 wrote to memory of 3888	3120	{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe	128
PID 3120 wrote to memory of 3888	3120	{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe	128
PID 3120 wrote to memory of 3888	3120	{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe	128
PID 924 wrote to memory of 4424	924	{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe	129
PID 924 wrote to memory of 4424	924	{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe	129
PID 924 wrote to memory of 4424	924	{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe	129
PID 924 wrote to memory of 1808	924	{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe	130
PID 924 wrote to memory of 1808	924	{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe	130
PID 924 wrote to memory of 1808	924	{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe	130
PID 4424 wrote to memory of 3908	4424	{9B5416EF-740D-455b-A152-4B88062216BD}.exe	131
PID 4424 wrote to memory of 3908	4424	{9B5416EF-740D-455b-A152-4B88062216BD}.exe	131
PID 4424 wrote to memory of 3908	4424	{9B5416EF-740D-455b-A152-4B88062216BD}.exe	131
PID 4424 wrote to memory of 3984	4424	{9B5416EF-740D-455b-A152-4B88062216BD}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_1192bb5f2954b454eee6b0997f14f14e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\{F414D96A-663D-4237-9828-F9F30D720F9B}.exe
  C:\Windows\{F414D96A-663D-4237-9828-F9F30D720F9B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\{E134DADF-DDA0-41ac-8165-385A778448C4}.exe
    C:\Windows\{E134DADF-DDA0-41ac-8165-385A778448C4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe
      C:\Windows\{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Windows\{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe
        
        C:\Windows\{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3120
      - C:\Windows\{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe
        
        C:\Windows\{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\{035C15E7-ED60-4b67-8041-F41B526FE198}.exe
        
        C:\Windows\{035C15E7-ED60-4b67-8041-F41B526FE198}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe
        
        C:\Windows\{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe
        
        C:\Windows\{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe
        
        C:\Windows\{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\{9B5416EF-740D-455b-A152-4B88062216BD}.exe
        
        C:\Windows\{9B5416EF-740D-455b-A152-4B88062216BD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\{6CFD1230-4583-4e69-8B9F-1C724D630EDF}.exe
        
        C:\Windows\{6CFD1230-4583-4e69-8B9F-1C724D630EDF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
        
        C:\Windows\{630E8E50-4950-4ff4-8DB4-8CC20D489128}.exe
        
        C:\Windows\{630E8E50-4950-4ff4-8DB4-8CC20D489128}.exe
        13⤵
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CFD1~1.EXE > nul
        13⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B541~1.EXE > nul
        12⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14DB6~1.EXE > nul
        11⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE15E~1.EXE > nul
        10⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10210~1.EXE > nul
        9⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{035C1~1.EXE > nul
        8⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5274D~1.EXE > nul
        7⤵
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93AEE~1.EXE > nul
        6⤵
        
        PID:816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12056~1.EXE > nul
        5⤵
        
        PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E134D~1.EXE > nul
      4⤵
      PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F414D~1.EXE > nul
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{035C15E7-ED60-4b67-8041-F41B526FE198}.exe

Filesize
216KB

MD5
f65cc2b7262586f4ca9227808d42cfee

SHA1
10ad8386ab1094a9793fc919b8ee22560a32e720

SHA256
2852166294ec0961fef8c65eee3afbca69096dc5769427ed0f616d342a3f2c8e

SHA512
39b266ea606f77dbbd81a53f1e8b1f1f51a7afcecb62c56d5ecc77b41083c138c05acfda541343be8c048faa3cc164ec7365d4f8b91c6675548c6eef97598104

Download Submit
C:\Windows\{10210D19-2AF1-4e27-AAA7-4B83BE38EB43}.exe

Filesize
216KB

MD5
b29a5b0f38e7bce67c34414027bf979f

SHA1
ca9d09e4d8b5f215ce6f986faeed3af857934a09

SHA256
5569d9781531e55335b671271b8d1bbb91b787e10505a8b6e7ff021d8d0ac881

SHA512
e818ffce48bb2bd2311a920df86d561649706dbd9cc9afa34ad3916ddc2642e3221ab1c7add1d76ffe5286bca345dfebafa03866de957a942741a07c7a0aa8eb

Download Submit
C:\Windows\{12056D03-F863-4c22-9ADA-F6FCD5479349}.exe

Filesize
216KB

MD5
98defb59b7548bdd1d47dcdff9d15c47

SHA1
53d02ee230138dd87a1aeaf95afa7be855558e18

SHA256
5746d3569cf6d0eb85369cd96d71f370d8baf81c68f4a65a500e0910661b9f89

SHA512
534481db73ea92d010174a40288c4a75c45506b161569c1ed0c06d2fd987883294bedc479b162d4310165a098691b53c7c84a8b075323c63d6cae7d34a7775b2

Download Submit
C:\Windows\{14DB636E-1E24-4d3d-9B98-F5B8AC6442EA}.exe

Filesize
216KB

MD5
6948cbc341e5b0f6da5e9d3d9cec74e9

SHA1
a6b20244bf447e98340d9da64cebc2f5e7f912fa

SHA256
2e7cbc78ad34f31e393c66fd17921c214dc8f90df90c275982d0780698d0ed53

SHA512
0945c00645ab1ab62b5b48700f26d28fcd13867d848d349d5bfa001740c0e68879efe176efb120d9c8331a69de855a64ff8f04046da80595463457a0ce9570b4

Download Submit
C:\Windows\{5274DF38-A35C-4663-86DA-B770E92F8E59}.exe

Filesize
216KB

MD5
3e8c873fcede234b8c3a7acdd68d8c24

SHA1
426e491befcec3f89e336217637f3e5968b98c28

SHA256
c27e58d8f7778c60abde7e8461eb04f39aeabea3d96f05638f6e859dc4310337

SHA512
bddc506fe69cee81d55d593624fda780c0fad20cc701a24618edf6393ae4007d590409839675224e59946f4ad8ac3d1b5749721b6e5d12900741ca55bafe4d47

Download Submit
C:\Windows\{630E8E50-4950-4ff4-8DB4-8CC20D489128}.exe

Filesize
216KB

MD5
e37161da49f1c8882d29aaf64c114867

SHA1
78b92cd3d1bf1219e3449f52e984d749b524e8cc

SHA256
35d49d3c14e214227542331546279bdf57ff7133a089e7fa2474d8b02dc41c9d

SHA512
58d1b26cccd963971ac91b62fd73b8d7c83f549a3c856c0504411e28e830765260f2c8b056942588edf99dd9c7978c695345535849fc40cb4d2845b211a5a73e

Download Submit
C:\Windows\{6CFD1230-4583-4e69-8B9F-1C724D630EDF}.exe

Filesize
216KB

MD5
96c798e187d8cf45d15e3af5b0bbe8f4

SHA1
98f6aa3e6acd2f9feb758d23bc6515f6aa0b0ffb

SHA256
0b67b412fc51cd090c7b30cd9bb569473caa58f6ed27b034d4915c46d59914bf

SHA512
9dd327e22e68cf6894b7745b451b2ee31bca6c9a8aafebe490a0ab4736a01fbadfd81d05e5f87b5445517084d6ed15922134cd2d3276513a4d95d865916d84fc

Download Submit
C:\Windows\{93AEEDAF-83DD-4064-9740-8D2EC34D34BA}.exe

Filesize
216KB

MD5
38ca437223306f10a18213a114aa410d

SHA1
212fcda1175ff7508ec847e92f5ab6e8b73519bd

SHA256
9bacfdc12f30aae7820807dcdc86042c83d2dda12f6d793fd9a5284212a26215

SHA512
07901ba59576051980b22456e912383a5dcd9eeb57cc416f03d803b6082d1621e443899a6ea0cc7d80ffd5f7f1a76274c45bc51771f1c3bd79d811fcc3a84084

Download Submit
C:\Windows\{9B5416EF-740D-455b-A152-4B88062216BD}.exe

Filesize
216KB

MD5
fea987d1030a87436024dd49d544d392

SHA1
71732640487d5b72bc56a1230f57d2541322cb06

SHA256
603510da879cba74363ed62fb0829944d71c0a853d7c682255bb445fc491462a

SHA512
d52aa838ffb2176f1285c930d3ddf9c3ee307413848b7534c84584aacb806d573e055d579968427e339ddbd10d04e476b78b939b8e9fa1b44d52a8f9909eb838

Download Submit
C:\Windows\{E134DADF-DDA0-41ac-8165-385A778448C4}.exe

Filesize
216KB

MD5
0372fc7256807c8ca543eb4b995b6aed

SHA1
55683f7ece51c5abecf4ea41346b863a5bb8bdfb

SHA256
698f57e80186cd143205afe2e2bd3d5d442994d1288f6706ff128ab600ed598c

SHA512
4992c58950129b4c0006ce4f88a814fd48776c10694f0ce7f990ddb723c31d3421da6944f9cec12624a585f6e1c0f55786592dc585d9d32aa17bf5b4a70d5b3f

Download Submit
C:\Windows\{EE15E2C5-84F1-4e8c-AA5B-00FEACE32AAF}.exe

Filesize
216KB

MD5
0049e013efe40fd4d06bb260018a13d7

SHA1
c33360d326193dec828fe867f6cb488a2c26ae94

SHA256
94e423665ef3c15536606fa9e79c747f3d80967543a88248674e3c6ca6e9b15e

SHA512
d9d574d98dd6051b6f9c12a7207ae0993c25d85436c0b03144949500c2460bf2661add3bc68128db033eabff3cb20f774425a697f410f91fed0134c5bd8acd97

Download Submit
C:\Windows\{F414D96A-663D-4237-9828-F9F30D720F9B}.exe

Filesize
216KB

MD5
1dca8d254983039bf3cecb9f54c3fb69

SHA1
e7a8e9ff3ddb3b6fd66e7dfea581aa58d6ba8c45

SHA256
9d483a128b80904464469827e3655fc9311d5eb1c07b792f369c104ebec04f57

SHA512
9d6a06160527c420a12346d03e8828aa5b85d2c8b61a078364bc42826566551eaa93ea91fa10eca09270d112ecef49126248fbfbf63c9d43c52a6fa270da5902

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads