f0313164c9cbd172785b3c96ed1e66e2e02d4765b5558f3141220c5262afe954

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe
Size

197KB
MD5

eea3384f9600956db4f54a28ee66253c
SHA1

797a10e122a280ef8e8aee7d9fb38bc93d149fb7
SHA256

f0313164c9cbd172785b3c96ed1e66e2e02d4765b5558f3141220c5262afe954
SHA512

e4cc37a38f8b361eaa54a485dfc6e8847e9d5e46f7eee763e240679ede2f0ca1583effc79fcb34c8083ac17c359990cc8c2856e62224416cc373396ef8ccdb94
SSDEEP

3072:jEGh0oCl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGklEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023224-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023229-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002312b-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023229-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002312b-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001db36-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002312b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000001db36-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002324a-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000001db36-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002312e-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023147-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C831E403-8859-4751-947E-637D0A86AE86}	{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{361F8C3C-C6A6-4445-9BF1-0AF221C8F0DD}	{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C0034A0-79EB-444d-840C-381D565C1C90}\stubpath = "C:\\Windows\\{5C0034A0-79EB-444d-840C-381D565C1C90}.exe"	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F354EC01-59BE-41aa-BF30-37481492367E}	{5C0034A0-79EB-444d-840C-381D565C1C90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92F91B7F-6B74-4514-A5F0-3F584B105668}	{A94482B5-9509-472e-A928-92729028896A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E30D671-3F3E-4468-9285-E181D85C5377}\stubpath = "C:\\Windows\\{8E30D671-3F3E-4468-9285-E181D85C5377}.exe"	{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C966968B-CE16-48d0-BDB6-8B2C9899133C}	{8E30D671-3F3E-4468-9285-E181D85C5377}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}	{F354EC01-59BE-41aa-BF30-37481492367E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A96673-B1A0-46a6-8404-30794CFC184D}	{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A94482B5-9509-472e-A928-92729028896A}	{53A96673-B1A0-46a6-8404-30794CFC184D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E30D671-3F3E-4468-9285-E181D85C5377}	{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C0034A0-79EB-444d-840C-381D565C1C90}	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F354EC01-59BE-41aa-BF30-37481492367E}\stubpath = "C:\\Windows\\{F354EC01-59BE-41aa-BF30-37481492367E}.exe"	{5C0034A0-79EB-444d-840C-381D565C1C90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C3C7C15-211A-42db-BA1D-7781478F28A1}	{C831E403-8859-4751-947E-637D0A86AE86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92F91B7F-6B74-4514-A5F0-3F584B105668}\stubpath = "C:\\Windows\\{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe"	{A94482B5-9509-472e-A928-92729028896A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C831E403-8859-4751-947E-637D0A86AE86}\stubpath = "C:\\Windows\\{C831E403-8859-4751-947E-637D0A86AE86}.exe"	{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C3C7C15-211A-42db-BA1D-7781478F28A1}\stubpath = "C:\\Windows\\{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe"	{C831E403-8859-4751-947E-637D0A86AE86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C966968B-CE16-48d0-BDB6-8B2C9899133C}\stubpath = "C:\\Windows\\{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe"	{8E30D671-3F3E-4468-9285-E181D85C5377}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{361F8C3C-C6A6-4445-9BF1-0AF221C8F0DD}\stubpath = "C:\\Windows\\{361F8C3C-C6A6-4445-9BF1-0AF221C8F0DD}.exe"	{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}\stubpath = "C:\\Windows\\{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe"	{F354EC01-59BE-41aa-BF30-37481492367E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A96673-B1A0-46a6-8404-30794CFC184D}\stubpath = "C:\\Windows\\{53A96673-B1A0-46a6-8404-30794CFC184D}.exe"	{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A94482B5-9509-472e-A928-92729028896A}\stubpath = "C:\\Windows\\{A94482B5-9509-472e-A928-92729028896A}.exe"	{53A96673-B1A0-46a6-8404-30794CFC184D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E300FD4-5820-475e-B253-9078CEF7B590}	{361F8C3C-C6A6-4445-9BF1-0AF221C8F0DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E300FD4-5820-475e-B253-9078CEF7B590}\stubpath = "C:\\Windows\\{9E300FD4-5820-475e-B253-9078CEF7B590}.exe"	{361F8C3C-C6A6-4445-9BF1-0AF221C8F0DD}.exe

Executes dropped EXE 12 IoCs

pid	Process
5068	{5C0034A0-79EB-444d-840C-381D565C1C90}.exe
5100	{F354EC01-59BE-41aa-BF30-37481492367E}.exe
4496	{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe
3004	{53A96673-B1A0-46a6-8404-30794CFC184D}.exe
3344	{A94482B5-9509-472e-A928-92729028896A}.exe
3648	{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe
3100	{C831E403-8859-4751-947E-637D0A86AE86}.exe
3480	{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe
4392	{8E30D671-3F3E-4468-9285-E181D85C5377}.exe
1824	{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe
768	{361F8C3C-C6A6-4445-9BF1-0AF221C8F0DD}.exe
3280	{9E300FD4-5820-475e-B253-9078CEF7B590}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{53A96673-B1A0-46a6-8404-30794CFC184D}.exe	{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe
File created	C:\Windows\{A94482B5-9509-472e-A928-92729028896A}.exe	{53A96673-B1A0-46a6-8404-30794CFC184D}.exe
File created	C:\Windows\{C831E403-8859-4751-947E-637D0A86AE86}.exe	{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe
File created	C:\Windows\{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe	{C831E403-8859-4751-947E-637D0A86AE86}.exe
File created	C:\Windows\{8E30D671-3F3E-4468-9285-E181D85C5377}.exe	{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe
File created	C:\Windows\{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe	{8E30D671-3F3E-4468-9285-E181D85C5377}.exe
File created	C:\Windows\{361F8C3C-C6A6-4445-9BF1-0AF221C8F0DD}.exe	{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe
File created	C:\Windows\{5C0034A0-79EB-444d-840C-381D565C1C90}.exe	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe
File created	C:\Windows\{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe	{F354EC01-59BE-41aa-BF30-37481492367E}.exe
File created	C:\Windows\{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe	{A94482B5-9509-472e-A928-92729028896A}.exe
File created	C:\Windows\{9E300FD4-5820-475e-B253-9078CEF7B590}.exe	{361F8C3C-C6A6-4445-9BF1-0AF221C8F0DD}.exe
File created	C:\Windows\{F354EC01-59BE-41aa-BF30-37481492367E}.exe	{5C0034A0-79EB-444d-840C-381D565C1C90}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3336	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5068	{5C0034A0-79EB-444d-840C-381D565C1C90}.exe
Token: SeIncBasePriorityPrivilege	5100	{F354EC01-59BE-41aa-BF30-37481492367E}.exe
Token: SeIncBasePriorityPrivilege	4496	{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe
Token: SeIncBasePriorityPrivilege	3004	{53A96673-B1A0-46a6-8404-30794CFC184D}.exe
Token: SeIncBasePriorityPrivilege	3344	{A94482B5-9509-472e-A928-92729028896A}.exe
Token: SeIncBasePriorityPrivilege	3648	{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe
Token: SeIncBasePriorityPrivilege	3100	{C831E403-8859-4751-947E-637D0A86AE86}.exe
Token: SeIncBasePriorityPrivilege	3480	{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe
Token: SeIncBasePriorityPrivilege	4392	{8E30D671-3F3E-4468-9285-E181D85C5377}.exe
Token: SeIncBasePriorityPrivilege	1824	{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe
Token: SeIncBasePriorityPrivilege	768	{361F8C3C-C6A6-4445-9BF1-0AF221C8F0DD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 5068	3336	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	101
PID 3336 wrote to memory of 5068	3336	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	101
PID 3336 wrote to memory of 5068	3336	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	101
PID 3336 wrote to memory of 2848	3336	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	102
PID 3336 wrote to memory of 2848	3336	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	102
PID 3336 wrote to memory of 2848	3336	2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe	102
PID 5068 wrote to memory of 5100	5068	{5C0034A0-79EB-444d-840C-381D565C1C90}.exe	103
PID 5068 wrote to memory of 5100	5068	{5C0034A0-79EB-444d-840C-381D565C1C90}.exe	103
PID 5068 wrote to memory of 5100	5068	{5C0034A0-79EB-444d-840C-381D565C1C90}.exe	103
PID 5068 wrote to memory of 2904	5068	{5C0034A0-79EB-444d-840C-381D565C1C90}.exe	104
PID 5068 wrote to memory of 2904	5068	{5C0034A0-79EB-444d-840C-381D565C1C90}.exe	104
PID 5068 wrote to memory of 2904	5068	{5C0034A0-79EB-444d-840C-381D565C1C90}.exe	104
PID 5100 wrote to memory of 4496	5100	{F354EC01-59BE-41aa-BF30-37481492367E}.exe	107
PID 5100 wrote to memory of 4496	5100	{F354EC01-59BE-41aa-BF30-37481492367E}.exe	107
PID 5100 wrote to memory of 4496	5100	{F354EC01-59BE-41aa-BF30-37481492367E}.exe	107
PID 5100 wrote to memory of 4860	5100	{F354EC01-59BE-41aa-BF30-37481492367E}.exe	108
PID 5100 wrote to memory of 4860	5100	{F354EC01-59BE-41aa-BF30-37481492367E}.exe	108
PID 5100 wrote to memory of 4860	5100	{F354EC01-59BE-41aa-BF30-37481492367E}.exe	108
PID 4496 wrote to memory of 3004	4496	{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe	109
PID 4496 wrote to memory of 3004	4496	{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe	109
PID 4496 wrote to memory of 3004	4496	{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe	109
PID 4496 wrote to memory of 4540	4496	{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe	110
PID 4496 wrote to memory of 4540	4496	{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe	110
PID 4496 wrote to memory of 4540	4496	{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe	110
PID 3004 wrote to memory of 3344	3004	{53A96673-B1A0-46a6-8404-30794CFC184D}.exe	111
PID 3004 wrote to memory of 3344	3004	{53A96673-B1A0-46a6-8404-30794CFC184D}.exe	111
PID 3004 wrote to memory of 3344	3004	{53A96673-B1A0-46a6-8404-30794CFC184D}.exe	111
PID 3004 wrote to memory of 4744	3004	{53A96673-B1A0-46a6-8404-30794CFC184D}.exe	112
PID 3004 wrote to memory of 4744	3004	{53A96673-B1A0-46a6-8404-30794CFC184D}.exe	112
PID 3004 wrote to memory of 4744	3004	{53A96673-B1A0-46a6-8404-30794CFC184D}.exe	112
PID 3344 wrote to memory of 3648	3344	{A94482B5-9509-472e-A928-92729028896A}.exe	114
PID 3344 wrote to memory of 3648	3344	{A94482B5-9509-472e-A928-92729028896A}.exe	114
PID 3344 wrote to memory of 3648	3344	{A94482B5-9509-472e-A928-92729028896A}.exe	114
PID 3344 wrote to memory of 4552	3344	{A94482B5-9509-472e-A928-92729028896A}.exe	115
PID 3344 wrote to memory of 4552	3344	{A94482B5-9509-472e-A928-92729028896A}.exe	115
PID 3344 wrote to memory of 4552	3344	{A94482B5-9509-472e-A928-92729028896A}.exe	115
PID 3648 wrote to memory of 3100	3648	{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe	116
PID 3648 wrote to memory of 3100	3648	{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe	116
PID 3648 wrote to memory of 3100	3648	{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe	116
PID 3648 wrote to memory of 2120	3648	{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe	117
PID 3648 wrote to memory of 2120	3648	{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe	117
PID 3648 wrote to memory of 2120	3648	{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe	117
PID 3100 wrote to memory of 3480	3100	{C831E403-8859-4751-947E-637D0A86AE86}.exe	118
PID 3100 wrote to memory of 3480	3100	{C831E403-8859-4751-947E-637D0A86AE86}.exe	118
PID 3100 wrote to memory of 3480	3100	{C831E403-8859-4751-947E-637D0A86AE86}.exe	118
PID 3100 wrote to memory of 3640	3100	{C831E403-8859-4751-947E-637D0A86AE86}.exe	119
PID 3100 wrote to memory of 3640	3100	{C831E403-8859-4751-947E-637D0A86AE86}.exe	119
PID 3100 wrote to memory of 3640	3100	{C831E403-8859-4751-947E-637D0A86AE86}.exe	119
PID 3480 wrote to memory of 4392	3480	{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe	124
PID 3480 wrote to memory of 4392	3480	{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe	124
PID 3480 wrote to memory of 4392	3480	{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe	124
PID 3480 wrote to memory of 1104	3480	{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe	125
PID 3480 wrote to memory of 1104	3480	{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe	125
PID 3480 wrote to memory of 1104	3480	{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe	125
PID 4392 wrote to memory of 1824	4392	{8E30D671-3F3E-4468-9285-E181D85C5377}.exe	129
PID 4392 wrote to memory of 1824	4392	{8E30D671-3F3E-4468-9285-E181D85C5377}.exe	129
PID 4392 wrote to memory of 1824	4392	{8E30D671-3F3E-4468-9285-E181D85C5377}.exe	129
PID 4392 wrote to memory of 2412	4392	{8E30D671-3F3E-4468-9285-E181D85C5377}.exe	130
PID 4392 wrote to memory of 2412	4392	{8E30D671-3F3E-4468-9285-E181D85C5377}.exe	130
PID 4392 wrote to memory of 2412	4392	{8E30D671-3F3E-4468-9285-E181D85C5377}.exe	130
PID 1824 wrote to memory of 768	1824	{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe	131
PID 1824 wrote to memory of 768	1824	{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe	131
PID 1824 wrote to memory of 768	1824	{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe	131
PID 1824 wrote to memory of 3936	1824	{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe	132

C:\Users\Admin\AppData\Local\Temp\2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_eea3384f9600956db4f54a28ee66253c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\{5C0034A0-79EB-444d-840C-381D565C1C90}.exe
  C:\Windows\{5C0034A0-79EB-444d-840C-381D565C1C90}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\{F354EC01-59BE-41aa-BF30-37481492367E}.exe
    C:\Windows\{F354EC01-59BE-41aa-BF30-37481492367E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe
      C:\Windows\{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Windows\{53A96673-B1A0-46a6-8404-30794CFC184D}.exe
        
        C:\Windows\{53A96673-B1A0-46a6-8404-30794CFC184D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\{A94482B5-9509-472e-A928-92729028896A}.exe
        
        C:\Windows\{A94482B5-9509-472e-A928-92729028896A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe
        
        C:\Windows\{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\{C831E403-8859-4751-947E-637D0A86AE86}.exe
        
        C:\Windows\{C831E403-8859-4751-947E-637D0A86AE86}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe
        
        C:\Windows\{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\{8E30D671-3F3E-4468-9285-E181D85C5377}.exe
        
        C:\Windows\{8E30D671-3F3E-4468-9285-E181D85C5377}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe
        
        C:\Windows\{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{361F8C3C-C6A6-4445-9BF1-0AF221C8F0DD}.exe
        
        C:\Windows\{361F8C3C-C6A6-4445-9BF1-0AF221C8F0DD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\{9E300FD4-5820-475e-B253-9078CEF7B590}.exe
        
        C:\Windows\{9E300FD4-5820-475e-B253-9078CEF7B590}.exe
        13⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{361F8~1.EXE > nul
        13⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9669~1.EXE > nul
        12⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E30D~1.EXE > nul
        11⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C3C7~1.EXE > nul
        10⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C831E~1.EXE > nul
        9⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92F91~1.EXE > nul
        8⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9448~1.EXE > nul
        7⤵
        
        PID:4552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53A96~1.EXE > nul
        6⤵
        
        PID:4744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50541~1.EXE > nul
        5⤵
        
        PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F354E~1.EXE > nul
      4⤵
      PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5C003~1.EXE > nul
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{361F8C3C-C6A6-4445-9BF1-0AF221C8F0DD}.exe

Filesize
197KB

MD5
7b7d7d2019dda1835868abfbe3cac36c

SHA1
c3fa65c478bd70cc18a7ef6d047232f68d9dc3b0

SHA256
3515d09bf7d4c625ca7f811738600586fe03ad6636afcdd36a362dd44d783c3d

SHA512
58b6451b153dec7697700ddafc90bb726bb80fa3ffa0db911e4cbd40b9ea70a185f7e2df407ec55a6099cf4db820f43330c724bcad293503cd5e7988cacb92b8

Download Submit
C:\Windows\{50541B49-E0AD-4223-970A-3D5A3E4FCBE5}.exe

Filesize
197KB

MD5
cb8d19ffa98861eb3f94d4d594eb7e35

SHA1
2c0582f0751dec3b49aa3a91c31afb784b97e646

SHA256
68bc082bc29cc6258c6fcadf0bd4d14db9ac525f9db51e638bb4157de791a19c

SHA512
b92e2793c369dd528dce9869c7624c7689bf6818b74527a6ad543b887fed847435e060d486f280ab8796b8de56064134c6a884303637fa238d525a1ee41f7740

Download Submit
C:\Windows\{53A96673-B1A0-46a6-8404-30794CFC184D}.exe

Filesize
197KB

MD5
99e640fd4a023a2170053af5612ba612

SHA1
8eea1612548cd074832b722a341377c8f586b339

SHA256
7212830e684ca6d5eb507cee499d2e0dc4c06ec90ae229073d4f91c5d68b6d5c

SHA512
3d9658edfcb292ae327a3d2d917d4e1dcf8654aa693254bc67c59087261ae5ba38cb1a8b00942a135878a6256f08196bafc7f309180e89e726e821e653125ed7

Download Submit
C:\Windows\{5C0034A0-79EB-444d-840C-381D565C1C90}.exe

Filesize
197KB

MD5
0a892b1ec97518a595e98aa8991d613b

SHA1
eaa3915029ed972a13662da11a4fddeb58fd4830

SHA256
e8d3d0f185a29a1757160209acadd0acfc8676007d38aa534dc85e8520895914

SHA512
9a95eba4d0a978d1c5f8402369d9459d2135126565f9faf0fc1122b8ad1818bebf26d4bbdf22bb5880ed9f512d2f29a3a6f6b42147ce341407a03cb819245b44

Download Submit
C:\Windows\{5C3C7C15-211A-42db-BA1D-7781478F28A1}.exe

Filesize
197KB

MD5
f64da92643ba21c39ff356e4be6aa908

SHA1
f4cf7cf88016b487162fff287a064b8628b2c948

SHA256
dbfa0fc57d79bd89f17ed22319dd1437e7e8f26aefb7b4d2401321096c4e1e5f

SHA512
add2fffa32db4db1fe79a22ea35d61b98799a9552f7f9051091fb4f599b0113a018006c20ee7de6c979b7406be68204393b5dbc1da3bb1820722bcc057774d1d

Download Submit
C:\Windows\{8E30D671-3F3E-4468-9285-E181D85C5377}.exe

Filesize
197KB

MD5
419e647c8f27392db79ad01ee4768e30

SHA1
110f1578b05dda90996c96115de0c02a7c7e4cbb

SHA256
eed4c5c1c4e79546c1434329772323083c603db9db4a6833d3b786ecb4eba084

SHA512
dafefa1461c0b95189de7e19248d972cd1e01eebee1e10bf3aeaba626398e64c266db62c8dde336dd6fd681ee86136fff39a80c803a3c938106aa6ab969c81af

Download Submit
C:\Windows\{92F91B7F-6B74-4514-A5F0-3F584B105668}.exe

Filesize
197KB

MD5
9509834bd3237cf54fe0cba80f5c4d77

SHA1
e0b0822ecc4ee8407c2b8eb1f37a99c8a54f809f

SHA256
0571fecbfd5a671234e2a1e1547583d1a0b4dcebdb2a610bf76c9136ca7777c7

SHA512
8ac4f6969faadc2ead77c6656a90db4c4b65f3d41ef565321c538e48ca93d263b67e35ffca22b9414cce0dcf1c41dd039a2f0f697dd3fea81935244fade3bf1d

Download Submit
C:\Windows\{9E300FD4-5820-475e-B253-9078CEF7B590}.exe

Filesize
197KB

MD5
a7a9c2f26d892ab2282164729773ed5a

SHA1
6d3857cbc24e1be3abcb39c3a52f4d74ea9b6ddb

SHA256
661206eee7b5b0a2372599cb423920f0e36f69a6a6c3954b3ab39f333f80cd12

SHA512
09b6413457478ef65d21006efdc7b411e090b2167a326fa100976ccf18db0d00db586bfbd28517cbf74fd341e5ab64e49595eecd2e3dd1ee4fd7a85612009861

Download Submit
C:\Windows\{A94482B5-9509-472e-A928-92729028896A}.exe

Filesize
197KB

MD5
b566fe0ee9fb0911979a3309e89bd34b

SHA1
1b51cbe2ee914e4a6402a74a25c46acd299cc05c

SHA256
836c854941d7f1eaa79503a5cd18c90693642e5407acedb331470fbb50a9be87

SHA512
9fc4c762cb8212a2eddfba60d355413b3cf7df6e7475f16536523b16be2870673f06c08bc3d72bc5c89832884fa909375b75303e5fc5d893f8215231256f930d

Download Submit
C:\Windows\{C831E403-8859-4751-947E-637D0A86AE86}.exe

Filesize
197KB

MD5
bc8a67bed98d6b2dc8787fb39914afc2

SHA1
6829c0933be40b5984487ade6667c76bc91b2cf7

SHA256
2e4abc4104e91891dd3841a112771705b258a262e1a645f90a8be3b5d9332ea4

SHA512
8cb28903a02748cebf5cbfa36d89e5c486398b6ea27db13f73e71b3eba8796292ac4dea0baa97f77b784a80c1b7f51384907c7acf4566d58991d3349566b2b2b

Download Submit
C:\Windows\{C966968B-CE16-48d0-BDB6-8B2C9899133C}.exe

Filesize
197KB

MD5
098439bfe4f841a71a107fabd624bb46

SHA1
783bd3f231f81054d10510aa9e2a1a439b51b6c2

SHA256
deece9e5caa1d8bfb10c9a2ac41d54f386b2cb090084e54f0ca12683951dfa3f

SHA512
29bc0dc8239376927b0e6a90607f596fe577f2b79e054ddd0a6f50d219ab76eba2aa4e0160408770ae7d3df13fc7fdc73da92dda276b83aa356fad39d6f5238b

Download Submit
C:\Windows\{F354EC01-59BE-41aa-BF30-37481492367E}.exe

Filesize
197KB

MD5
af87e5d72b586e469a7e3dc1edeebe4b

SHA1
d9717e03f5d2896febe3009879dcc8df04f987ad

SHA256
3984c36bdfd6bfeddd3748a0448f8f9c4a31ee63da9b4756ed1d05a3f1e366ad

SHA512
511ad2cf0963ff3fad97ce8e0c5d3a1aacdf4a7a289c76cf92e17daff09cadef5f33bbbb56029207fd4ff1edb1979971b3a71980ba74781ed7e3fcb46d347f1f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads