67eafe7a21f34f092c8fe249cecfa057a069cea83b490b4605b9b58b6630797f

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 15:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe
Size

204KB
MD5

bf6724301d196839373844e721972fe6
SHA1

1e5855b9fe5e54327f6581f29b2ebcf30c36cdf1
SHA256

67eafe7a21f34f092c8fe249cecfa057a069cea83b490b4605b9b58b6630797f
SHA512

b0c85c03bae82d6f593ee84766470286b7e26f63695464fe913627d2fc1aaadaf001f761c909f1052109f1a99057e52c7ce211a0bb56dd150feafc2dd29d8bd7
SSDEEP

1536:1EGh0oDl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oDl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a0000000231ee-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231f4-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231fb-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000006cf-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231fb-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006cf-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000231fb-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023200-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023224-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231ed-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002310d-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002320a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2E5C256-71A6-41bf-999C-29FC9AFE6816}	{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{961773A2-66D8-4e51-BC1B-0A0676C4112F}\stubpath = "C:\\Windows\\{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe"	{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15D17698-6E78-4b43-B32C-F89901468311}	{D820CB3C-0C1E-4676-8EAB-B98AC1F173F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65F31510-7A53-475b-9371-E19EACF0552A}\stubpath = "C:\\Windows\\{65F31510-7A53-475b-9371-E19EACF0552A}.exe"	{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}	{65F31510-7A53-475b-9371-E19EACF0552A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}	{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}\stubpath = "C:\\Windows\\{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe"	{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}\stubpath = "C:\\Windows\\{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe"	{65F31510-7A53-475b-9371-E19EACF0552A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20465A96-131D-438b-A2EA-0920DD7517C0}\stubpath = "C:\\Windows\\{20465A96-131D-438b-A2EA-0920DD7517C0}.exe"	{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0AE8F24-91BC-4617-B700-022C3B92A4EF}	{20465A96-131D-438b-A2EA-0920DD7517C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2E5C256-71A6-41bf-999C-29FC9AFE6816}\stubpath = "C:\\Windows\\{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe"	{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C645E43B-8712-4401-8051-428113FB3B84}	{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C645E43B-8712-4401-8051-428113FB3B84}\stubpath = "C:\\Windows\\{C645E43B-8712-4401-8051-428113FB3B84}.exe"	{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D820CB3C-0C1E-4676-8EAB-B98AC1F173F4}\stubpath = "C:\\Windows\\{D820CB3C-0C1E-4676-8EAB-B98AC1F173F4}.exe"	{C645E43B-8712-4401-8051-428113FB3B84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15D17698-6E78-4b43-B32C-F89901468311}\stubpath = "C:\\Windows\\{15D17698-6E78-4b43-B32C-F89901468311}.exe"	{D820CB3C-0C1E-4676-8EAB-B98AC1F173F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}\stubpath = "C:\\Windows\\{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe"	2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F2123FE-F413-4147-9956-2F2E9A2375C3}\stubpath = "C:\\Windows\\{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe"	{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65F31510-7A53-475b-9371-E19EACF0552A}	{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{961773A2-66D8-4e51-BC1B-0A0676C4112F}	{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D820CB3C-0C1E-4676-8EAB-B98AC1F173F4}	{C645E43B-8712-4401-8051-428113FB3B84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}	2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F2123FE-F413-4147-9956-2F2E9A2375C3}	{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20465A96-131D-438b-A2EA-0920DD7517C0}	{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0AE8F24-91BC-4617-B700-022C3B92A4EF}\stubpath = "C:\\Windows\\{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe"	{20465A96-131D-438b-A2EA-0920DD7517C0}.exe

Executes dropped EXE 12 IoCs

pid	Process
2380	{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe
3224	{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe
4320	{65F31510-7A53-475b-9371-E19EACF0552A}.exe
3904	{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe
4284	{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe
2588	{20465A96-131D-438b-A2EA-0920DD7517C0}.exe
3324	{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe
4196	{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe
4032	{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe
2104	{C645E43B-8712-4401-8051-428113FB3B84}.exe
2596	{D820CB3C-0C1E-4676-8EAB-B98AC1F173F4}.exe
1140	{15D17698-6E78-4b43-B32C-F89901468311}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{20465A96-131D-438b-A2EA-0920DD7517C0}.exe	{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe
File created	C:\Windows\{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe	{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe
File created	C:\Windows\{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe	{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe
File created	C:\Windows\{C645E43B-8712-4401-8051-428113FB3B84}.exe	{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe
File created	C:\Windows\{65F31510-7A53-475b-9371-E19EACF0552A}.exe	{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe
File created	C:\Windows\{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe	{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe
File created	C:\Windows\{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe	{65F31510-7A53-475b-9371-E19EACF0552A}.exe
File created	C:\Windows\{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe	{20465A96-131D-438b-A2EA-0920DD7517C0}.exe
File created	C:\Windows\{D820CB3C-0C1E-4676-8EAB-B98AC1F173F4}.exe	{C645E43B-8712-4401-8051-428113FB3B84}.exe
File created	C:\Windows\{15D17698-6E78-4b43-B32C-F89901468311}.exe	{D820CB3C-0C1E-4676-8EAB-B98AC1F173F4}.exe
File created	C:\Windows\{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe	2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe
File created	C:\Windows\{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe	{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4408	2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2380	{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe
Token: SeIncBasePriorityPrivilege	3224	{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe
Token: SeIncBasePriorityPrivilege	4320	{65F31510-7A53-475b-9371-E19EACF0552A}.exe
Token: SeIncBasePriorityPrivilege	3904	{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe
Token: SeIncBasePriorityPrivilege	4284	{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe
Token: SeIncBasePriorityPrivilege	2588	{20465A96-131D-438b-A2EA-0920DD7517C0}.exe
Token: SeIncBasePriorityPrivilege	3324	{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe
Token: SeIncBasePriorityPrivilege	4196	{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe
Token: SeIncBasePriorityPrivilege	4032	{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe
Token: SeIncBasePriorityPrivilege	2104	{C645E43B-8712-4401-8051-428113FB3B84}.exe
Token: SeIncBasePriorityPrivilege	2596	{D820CB3C-0C1E-4676-8EAB-B98AC1F173F4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 2380	4408	2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe	101
PID 4408 wrote to memory of 2380	4408	2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe	101
PID 4408 wrote to memory of 2380	4408	2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe	101
PID 4408 wrote to memory of 3920	4408	2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe	102
PID 4408 wrote to memory of 3920	4408	2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe	102
PID 4408 wrote to memory of 3920	4408	2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe	102
PID 2380 wrote to memory of 3224	2380	{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe	103
PID 2380 wrote to memory of 3224	2380	{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe	103
PID 2380 wrote to memory of 3224	2380	{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe	103
PID 2380 wrote to memory of 2424	2380	{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe	104
PID 2380 wrote to memory of 2424	2380	{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe	104
PID 2380 wrote to memory of 2424	2380	{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe	104
PID 3224 wrote to memory of 4320	3224	{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe	107
PID 3224 wrote to memory of 4320	3224	{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe	107
PID 3224 wrote to memory of 4320	3224	{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe	107
PID 3224 wrote to memory of 2516	3224	{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe	108
PID 3224 wrote to memory of 2516	3224	{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe	108
PID 3224 wrote to memory of 2516	3224	{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe	108
PID 4320 wrote to memory of 3904	4320	{65F31510-7A53-475b-9371-E19EACF0552A}.exe	109
PID 4320 wrote to memory of 3904	4320	{65F31510-7A53-475b-9371-E19EACF0552A}.exe	109
PID 4320 wrote to memory of 3904	4320	{65F31510-7A53-475b-9371-E19EACF0552A}.exe	109
PID 4320 wrote to memory of 2028	4320	{65F31510-7A53-475b-9371-E19EACF0552A}.exe	110
PID 4320 wrote to memory of 2028	4320	{65F31510-7A53-475b-9371-E19EACF0552A}.exe	110
PID 4320 wrote to memory of 2028	4320	{65F31510-7A53-475b-9371-E19EACF0552A}.exe	110
PID 3904 wrote to memory of 4284	3904	{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe	111
PID 3904 wrote to memory of 4284	3904	{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe	111
PID 3904 wrote to memory of 4284	3904	{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe	111
PID 3904 wrote to memory of 4776	3904	{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe	112
PID 3904 wrote to memory of 4776	3904	{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe	112
PID 3904 wrote to memory of 4776	3904	{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe	112
PID 4284 wrote to memory of 2588	4284	{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe	114
PID 4284 wrote to memory of 2588	4284	{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe	114
PID 4284 wrote to memory of 2588	4284	{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe	114
PID 4284 wrote to memory of 3688	4284	{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe	115
PID 4284 wrote to memory of 3688	4284	{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe	115
PID 4284 wrote to memory of 3688	4284	{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe	115
PID 2588 wrote to memory of 3324	2588	{20465A96-131D-438b-A2EA-0920DD7517C0}.exe	116
PID 2588 wrote to memory of 3324	2588	{20465A96-131D-438b-A2EA-0920DD7517C0}.exe	116
PID 2588 wrote to memory of 3324	2588	{20465A96-131D-438b-A2EA-0920DD7517C0}.exe	116
PID 2588 wrote to memory of 3780	2588	{20465A96-131D-438b-A2EA-0920DD7517C0}.exe	117
PID 2588 wrote to memory of 3780	2588	{20465A96-131D-438b-A2EA-0920DD7517C0}.exe	117
PID 2588 wrote to memory of 3780	2588	{20465A96-131D-438b-A2EA-0920DD7517C0}.exe	117
PID 3324 wrote to memory of 4196	3324	{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe	120
PID 3324 wrote to memory of 4196	3324	{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe	120
PID 3324 wrote to memory of 4196	3324	{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe	120
PID 3324 wrote to memory of 4544	3324	{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe	121
PID 3324 wrote to memory of 4544	3324	{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe	121
PID 3324 wrote to memory of 4544	3324	{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe	121
PID 4196 wrote to memory of 4032	4196	{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe	124
PID 4196 wrote to memory of 4032	4196	{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe	124
PID 4196 wrote to memory of 4032	4196	{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe	124
PID 4196 wrote to memory of 4352	4196	{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe	125
PID 4196 wrote to memory of 4352	4196	{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe	125
PID 4196 wrote to memory of 4352	4196	{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe	125
PID 4032 wrote to memory of 2104	4032	{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe	126
PID 4032 wrote to memory of 2104	4032	{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe	126
PID 4032 wrote to memory of 2104	4032	{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe	126
PID 4032 wrote to memory of 956	4032	{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe	127
PID 4032 wrote to memory of 956	4032	{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe	127
PID 4032 wrote to memory of 956	4032	{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe	127
PID 2104 wrote to memory of 2596	2104	{C645E43B-8712-4401-8051-428113FB3B84}.exe	133
PID 2104 wrote to memory of 2596	2104	{C645E43B-8712-4401-8051-428113FB3B84}.exe	133
PID 2104 wrote to memory of 2596	2104	{C645E43B-8712-4401-8051-428113FB3B84}.exe	133
PID 2104 wrote to memory of 2172	2104	{C645E43B-8712-4401-8051-428113FB3B84}.exe	134

C:\Users\Admin\AppData\Local\Temp\2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_bf6724301d196839373844e721972fe6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe
  C:\Windows\{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe
    C:\Windows\{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\{65F31510-7A53-475b-9371-E19EACF0552A}.exe
      C:\Windows\{65F31510-7A53-475b-9371-E19EACF0552A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Windows\{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe
        
        C:\Windows\{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3904
      - C:\Windows\{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe
        
        C:\Windows\{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\{20465A96-131D-438b-A2EA-0920DD7517C0}.exe
        
        C:\Windows\{20465A96-131D-438b-A2EA-0920DD7517C0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe
        
        C:\Windows\{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe
        
        C:\Windows\{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe
        
        C:\Windows\{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\{C645E43B-8712-4401-8051-428113FB3B84}.exe
        
        C:\Windows\{C645E43B-8712-4401-8051-428113FB3B84}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\{D820CB3C-0C1E-4676-8EAB-B98AC1F173F4}.exe
        
        C:\Windows\{D820CB3C-0C1E-4676-8EAB-B98AC1F173F4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\{15D17698-6E78-4b43-B32C-F89901468311}.exe
        
        C:\Windows\{15D17698-6E78-4b43-B32C-F89901468311}.exe
        13⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D820C~1.EXE > nul
        13⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C645E~1.EXE > nul
        12⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96177~1.EXE > nul
        11⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2E5C~1.EXE > nul
        10⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0AE8~1.EXE > nul
        9⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20465~1.EXE > nul
        8⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EEC1~1.EXE > nul
        7⤵
        
        PID:3688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45BAC~1.EXE > nul
        6⤵
        
        PID:4776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65F31~1.EXE > nul
        5⤵
        
        PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6F212~1.EXE > nul
      4⤵
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BF4BF~1.EXE > nul
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15D17698-6E78-4b43-B32C-F89901468311}.exe

Filesize
204KB

MD5
01d793f33421ec31c5df642b6cf24966

SHA1
9165f47fb5497f9f07dd2b67e94bda7b1630b136

SHA256
73f8e318cfe0179ab447ff0afab0e9fcecd50f68ba7d7dddaee826f33752d5ac

SHA512
afeb18e5c299179dff31d7d7576e9d92558bf9b7426326134da3fd02a0269e1ad66f181f46874fe3e7ef4702798538d334063a2b652552cf0e66d230335cc71f

Download Submit
C:\Windows\{20465A96-131D-438b-A2EA-0920DD7517C0}.exe

Filesize
204KB

MD5
1424daa3b0579c73f69bbc8452b1cbac

SHA1
b7aefcc3bf3fc65ab26ca5a83cb19c0a493413a3

SHA256
9e58550f05abd52e971814f6dd862af694bef8f867f844d09937e9efcaea588a

SHA512
8e714a172e54482eb9802d154631ce3d29e01e2aa5603d178f48acb672624f2872030182b32f30939cadabe4ab6c4d4effdfa3b51fd3781941c7430eb7d755df

Download Submit
C:\Windows\{45BAC9F4-76B5-42f8-AB1D-D43EF026F3DA}.exe

Filesize
204KB

MD5
aca2823aaf75c3a8d9a3badce20fa324

SHA1
1eb78f7cd2a2c00535b05a6b5e7ccd3433832787

SHA256
e36812224710f2afd8e208b468ac7de3c3401d7019c4e9d8b59d5ac89b4d930b

SHA512
6e851d9593cc179a4f9ff7ff9d1d3f9b68d66933ab373f7b568daefcfd5bcc7bd5c072bdda48836a28a73bd7d72f05a985930500087bbe7d49fa3665187d5724

Download Submit
C:\Windows\{65F31510-7A53-475b-9371-E19EACF0552A}.exe

Filesize
204KB

MD5
62770443b0b621b53aa79186ba422996

SHA1
65bcf64c47cc8f68e9df628954f834b1046e50aa

SHA256
98cde4b0c3f819f5099e21978d5fa30b0b5a0ad22cdfd2629bb3e8ab07799476

SHA512
e7982e79ffeb0f647d497abcb2b0d4c2668d9b84052bd7e2354d34bf0640c96bfc26c139f4113ea4f926135611e27c64f125e0915babbd0b1d2118ac2c6692c5

Download Submit
C:\Windows\{6F2123FE-F413-4147-9956-2F2E9A2375C3}.exe

Filesize
204KB

MD5
4cfbdc79c59f6437450d9d493300e0c1

SHA1
e75c995151a6711d28191f510e977da8f92020ce

SHA256
892f00a7f2a3468a418820f77e31a4ceec473082315cb7a1570e942856ab45f5

SHA512
7bec0c9aecb9d8245b799831aaf5a0c429fd4c7b1d34ff395cee228cd52adcc7a2c960350f01c2e4a4d09da93b7e28c817f1d51aa232935269811f00091bb29e

Download Submit
C:\Windows\{8EEC12DB-F71F-4e27-A786-C1128B0CDBC6}.exe

Filesize
204KB

MD5
f50a54cfd0c88f70d41a28f7622c34c4

SHA1
5774ce5d6ffe898b65ed89b68fcb8f97ea2042ee

SHA256
df964ba1ce064025be709d298a6313fc061d9007d6c29580b6aaf836bf9f0ecf

SHA512
470f8df0c2f1ab656ea4bcebebae8f2f28b3da7cb0c91dfdcca89b01d0a53ca9af752fe33d6871b9e86818549b79e9a1417c7e9ccb5d0a92809a0d59e8c36514

Download Submit
C:\Windows\{961773A2-66D8-4e51-BC1B-0A0676C4112F}.exe

Filesize
204KB

MD5
f6376a9366c6cf56835ecafcd7749f2d

SHA1
227f0fd7b5a2b9d205d558729892df867543380c

SHA256
45eb01dcf0f6e31502fb1e276b549626ce1351df135779235fed8b6c5d4afddd

SHA512
7e30aadcefa791919c6f45096cf0cee65b81683a4147f2fc01854fdacc8eec9d776cd533cf9bf66eea500e32d7db1d39ebb5cda0d4e49b6ef1a8e1ef4585ad3c

Download Submit
C:\Windows\{A0AE8F24-91BC-4617-B700-022C3B92A4EF}.exe

Filesize
204KB

MD5
68ae4fdbab8476aaf99b062f9e8befd4

SHA1
7a153d5978c98f7959150715843892d7f4690ac6

SHA256
6baae68d77b35d54f132d8d5d2e4a9377865c22ef55faf94bc65afd1198e5361

SHA512
1dcf7398a6d5789e1e6a18bf788422568102b2240ae9989876b58e0751dbb61a9e9ba434316e15cf63d60b7fe11f7d616346e1b36243c7990471811c9507ae18

Download Submit
C:\Windows\{B2E5C256-71A6-41bf-999C-29FC9AFE6816}.exe

Filesize
204KB

MD5
e80c459ecc37f0e68e08493731b1715c

SHA1
87eaf7a9e706bd616aaf1d918481221103fdd9cc

SHA256
8c07c7f2f9f410629cf7ef74d2b130438f7752e62043665e39609e593d5c0e2d

SHA512
8748de42dab84fd4689c80ebf28a48d2af6a09734725f073b3d99b9e61c1ca293dd08fe8a553e17034b929d4114eb9b3f806bf8b9e7d0b7b54e21255d03a5a8d

Download Submit
C:\Windows\{BF4BFF7D-DBD4-472b-8F20-11908B47AB13}.exe

Filesize
204KB

MD5
629440b654261d887e07b39524b1ee03

SHA1
a06b0d3d6f4dd7a771f03647fcda6f4bdfc98234

SHA256
815bd7eb2f1953fd14f697ce2efa5028bdf8c64967413e1e0e353d4f7d81703a

SHA512
8027ea7e2992608edf17df2f4705f7021372c81c036719c94fcfb9ae6e7da7eba33a0d6d1fcc8a470e584ea5b260179a2d04a6b6fa4d3e2c51d4a8f6f017e666

Download Submit
C:\Windows\{C645E43B-8712-4401-8051-428113FB3B84}.exe

Filesize
204KB

MD5
396766de90017020534c57ebcb071338

SHA1
6179016477ad5008177facb127b88bf677d987e8

SHA256
81ae21b87409430c3cba7fe50a7b06ca895028b2bbb9fa213eae2aef2ef666e5

SHA512
a032b555d187ae795f8c79cd3f5a451ac57a2f5e53d18f9e82825cef6511265da8490d4ba75a8a452099b8306832fd88107cc5a36cc976a4057be1584ad89f49

Download Submit
C:\Windows\{D820CB3C-0C1E-4676-8EAB-B98AC1F173F4}.exe

Filesize
204KB

MD5
3d48e88d2bc06cac63c1107a98558cd6

SHA1
501c3afeddbd1081fcfc327ac60b4279048139e2

SHA256
ecba5596fcfbe82a2d5af46fd2771a0f30ae06f369c0dd0616ff006bd034fcb2

SHA512
17a7df30bc0241a849d1c433a0aaa40671445d6bc22dc66cd7e95b11b9a537b523bd96a4279a5cc8720678662e85556f3c892d716d14dfc0a11ca4f844e5fa58

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads