54061a9f4cef58fbcfb360fd57d49fb4e5e22c96d0f72f4ce8b2a4885e3efae4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 16:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe
Size

168KB
MD5

b85ac041d0abbfc99832f93813141631
SHA1

ac9602a7a45f2d3754404728f249093cd1895b63
SHA256

54061a9f4cef58fbcfb360fd57d49fb4e5e22c96d0f72f4ce8b2a4885e3efae4
SHA512

ab6d8f3a76beffc6bf66166f6a1adc9d65b45f13c01857bfc3a970997e236ee4e870c0f144dca55bf4cb267902969a9384706cfc713923df119aca7b0023c4ce
SSDEEP

1536:1EGh0oYlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oYlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b0000000231aa-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023205-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000016923-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023228-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db1f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000016923-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233af-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234a0-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234a6-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234b0-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E374B3D-5F56-432a-974A-F0ACA3935C6A}	{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D583A0-C686-44b1-9C16-33D010B69C09}\stubpath = "C:\\Windows\\{13D583A0-C686-44b1-9C16-33D010B69C09}.exe"	{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3702EF51-83F2-46da-9360-7F02BF7842CD}\stubpath = "C:\\Windows\\{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe"	{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}	{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB868A5D-213F-4201-AAA8-D93356898263}	{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B9C1EF8-8792-4e8f-BC56-21899599FADB}	{FB868A5D-213F-4201-AAA8-D93356898263}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55606BEC-78D2-456b-BA21-F408A54562D8}\stubpath = "C:\\Windows\\{55606BEC-78D2-456b-BA21-F408A54562D8}.exe"	{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18EE1C68-3717-43e9-B89E-E1E177E12882}\stubpath = "C:\\Windows\\{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe"	{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E374B3D-5F56-432a-974A-F0ACA3935C6A}\stubpath = "C:\\Windows\\{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe"	{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D583A0-C686-44b1-9C16-33D010B69C09}	{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B588F5B-4FBB-4e22-AAC5-04D3B58B23CC}	{13D583A0-C686-44b1-9C16-33D010B69C09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B588F5B-4FBB-4e22-AAC5-04D3B58B23CC}\stubpath = "C:\\Windows\\{5B588F5B-4FBB-4e22-AAC5-04D3B58B23CC}.exe"	{13D583A0-C686-44b1-9C16-33D010B69C09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F50263B-D99D-4342-98C6-2052A75D6782}	{5B588F5B-4FBB-4e22-AAC5-04D3B58B23CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F50263B-D99D-4342-98C6-2052A75D6782}\stubpath = "C:\\Windows\\{6F50263B-D99D-4342-98C6-2052A75D6782}.exe"	{5B588F5B-4FBB-4e22-AAC5-04D3B58B23CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C813AAD0-4D01-4157-9509-C7EBD510355F}	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C813AAD0-4D01-4157-9509-C7EBD510355F}\stubpath = "C:\\Windows\\{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe"	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3702EF51-83F2-46da-9360-7F02BF7842CD}	{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB868A5D-213F-4201-AAA8-D93356898263}\stubpath = "C:\\Windows\\{FB868A5D-213F-4201-AAA8-D93356898263}.exe"	{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B9C1EF8-8792-4e8f-BC56-21899599FADB}\stubpath = "C:\\Windows\\{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe"	{FB868A5D-213F-4201-AAA8-D93356898263}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}\stubpath = "C:\\Windows\\{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe"	{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18EE1C68-3717-43e9-B89E-E1E177E12882}	{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55606BEC-78D2-456b-BA21-F408A54562D8}	{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D56BC081-2194-41fe-996B-B28BE1EECB4F}	{55606BEC-78D2-456b-BA21-F408A54562D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D56BC081-2194-41fe-996B-B28BE1EECB4F}\stubpath = "C:\\Windows\\{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe"	{55606BEC-78D2-456b-BA21-F408A54562D8}.exe

Executes dropped EXE 12 IoCs

pid	Process
5060	{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe
912	{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe
404	{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe
3420	{FB868A5D-213F-4201-AAA8-D93356898263}.exe
4508	{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe
1492	{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe
1908	{55606BEC-78D2-456b-BA21-F408A54562D8}.exe
3956	{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe
4568	{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe
4508	{13D583A0-C686-44b1-9C16-33D010B69C09}.exe
3060	{5B588F5B-4FBB-4e22-AAC5-04D3B58B23CC}.exe
2480	{6F50263B-D99D-4342-98C6-2052A75D6782}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe
File created	C:\Windows\{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe	{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe
File created	C:\Windows\{FB868A5D-213F-4201-AAA8-D93356898263}.exe	{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe
File created	C:\Windows\{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe	{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe
File created	C:\Windows\{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe	{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe
File created	C:\Windows\{13D583A0-C686-44b1-9C16-33D010B69C09}.exe	{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe
File created	C:\Windows\{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe	{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe
File created	C:\Windows\{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe	{FB868A5D-213F-4201-AAA8-D93356898263}.exe
File created	C:\Windows\{55606BEC-78D2-456b-BA21-F408A54562D8}.exe	{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe
File created	C:\Windows\{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe	{55606BEC-78D2-456b-BA21-F408A54562D8}.exe
File created	C:\Windows\{5B588F5B-4FBB-4e22-AAC5-04D3B58B23CC}.exe	{13D583A0-C686-44b1-9C16-33D010B69C09}.exe
File created	C:\Windows\{6F50263B-D99D-4342-98C6-2052A75D6782}.exe	{5B588F5B-4FBB-4e22-AAC5-04D3B58B23CC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4868	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe
Token: SeIncBasePriorityPrivilege	5060	{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe
Token: SeIncBasePriorityPrivilege	912	{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe
Token: SeIncBasePriorityPrivilege	404	{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe
Token: SeIncBasePriorityPrivilege	3420	{FB868A5D-213F-4201-AAA8-D93356898263}.exe
Token: SeIncBasePriorityPrivilege	4508	{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe
Token: SeIncBasePriorityPrivilege	1492	{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe
Token: SeIncBasePriorityPrivilege	1908	{55606BEC-78D2-456b-BA21-F408A54562D8}.exe
Token: SeIncBasePriorityPrivilege	3956	{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe
Token: SeIncBasePriorityPrivilege	4568	{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe
Token: SeIncBasePriorityPrivilege	4508	{13D583A0-C686-44b1-9C16-33D010B69C09}.exe
Token: SeIncBasePriorityPrivilege	3060	{5B588F5B-4FBB-4e22-AAC5-04D3B58B23CC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 5060	4868	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	100
PID 4868 wrote to memory of 5060	4868	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	100
PID 4868 wrote to memory of 5060	4868	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	100
PID 4868 wrote to memory of 3204	4868	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	101
PID 4868 wrote to memory of 3204	4868	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	101
PID 4868 wrote to memory of 3204	4868	2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe	101
PID 5060 wrote to memory of 912	5060	{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe	102
PID 5060 wrote to memory of 912	5060	{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe	102
PID 5060 wrote to memory of 912	5060	{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe	102
PID 5060 wrote to memory of 2988	5060	{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe	103
PID 5060 wrote to memory of 2988	5060	{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe	103
PID 5060 wrote to memory of 2988	5060	{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe	103
PID 912 wrote to memory of 404	912	{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe	106
PID 912 wrote to memory of 404	912	{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe	106
PID 912 wrote to memory of 404	912	{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe	106
PID 912 wrote to memory of 2328	912	{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe	107
PID 912 wrote to memory of 2328	912	{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe	107
PID 912 wrote to memory of 2328	912	{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe	107
PID 404 wrote to memory of 3420	404	{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe	109
PID 404 wrote to memory of 3420	404	{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe	109
PID 404 wrote to memory of 3420	404	{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe	109
PID 404 wrote to memory of 3044	404	{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe	110
PID 404 wrote to memory of 3044	404	{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe	110
PID 404 wrote to memory of 3044	404	{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe	110
PID 3420 wrote to memory of 4508	3420	{FB868A5D-213F-4201-AAA8-D93356898263}.exe	111
PID 3420 wrote to memory of 4508	3420	{FB868A5D-213F-4201-AAA8-D93356898263}.exe	111
PID 3420 wrote to memory of 4508	3420	{FB868A5D-213F-4201-AAA8-D93356898263}.exe	111
PID 3420 wrote to memory of 1416	3420	{FB868A5D-213F-4201-AAA8-D93356898263}.exe	112
PID 3420 wrote to memory of 1416	3420	{FB868A5D-213F-4201-AAA8-D93356898263}.exe	112
PID 3420 wrote to memory of 1416	3420	{FB868A5D-213F-4201-AAA8-D93356898263}.exe	112
PID 4508 wrote to memory of 1492	4508	{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe	114
PID 4508 wrote to memory of 1492	4508	{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe	114
PID 4508 wrote to memory of 1492	4508	{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe	114
PID 4508 wrote to memory of 4840	4508	{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe	115
PID 4508 wrote to memory of 4840	4508	{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe	115
PID 4508 wrote to memory of 4840	4508	{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe	115
PID 1492 wrote to memory of 1908	1492	{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe	116
PID 1492 wrote to memory of 1908	1492	{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe	116
PID 1492 wrote to memory of 1908	1492	{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe	116
PID 1492 wrote to memory of 3316	1492	{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe	117
PID 1492 wrote to memory of 3316	1492	{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe	117
PID 1492 wrote to memory of 3316	1492	{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe	117
PID 1908 wrote to memory of 3956	1908	{55606BEC-78D2-456b-BA21-F408A54562D8}.exe	118
PID 1908 wrote to memory of 3956	1908	{55606BEC-78D2-456b-BA21-F408A54562D8}.exe	118
PID 1908 wrote to memory of 3956	1908	{55606BEC-78D2-456b-BA21-F408A54562D8}.exe	118
PID 1908 wrote to memory of 664	1908	{55606BEC-78D2-456b-BA21-F408A54562D8}.exe	119
PID 1908 wrote to memory of 664	1908	{55606BEC-78D2-456b-BA21-F408A54562D8}.exe	119
PID 1908 wrote to memory of 664	1908	{55606BEC-78D2-456b-BA21-F408A54562D8}.exe	119
PID 3956 wrote to memory of 4568	3956	{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe	124
PID 3956 wrote to memory of 4568	3956	{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe	124
PID 3956 wrote to memory of 4568	3956	{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe	124
PID 3956 wrote to memory of 640	3956	{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe	125
PID 3956 wrote to memory of 640	3956	{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe	125
PID 3956 wrote to memory of 640	3956	{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe	125
PID 4568 wrote to memory of 4508	4568	{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe	126
PID 4568 wrote to memory of 4508	4568	{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe	126
PID 4568 wrote to memory of 4508	4568	{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe	126
PID 4568 wrote to memory of 4052	4568	{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe	127
PID 4568 wrote to memory of 4052	4568	{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe	127
PID 4568 wrote to memory of 4052	4568	{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe	127
PID 4508 wrote to memory of 3060	4508	{13D583A0-C686-44b1-9C16-33D010B69C09}.exe	128
PID 4508 wrote to memory of 3060	4508	{13D583A0-C686-44b1-9C16-33D010B69C09}.exe	128
PID 4508 wrote to memory of 3060	4508	{13D583A0-C686-44b1-9C16-33D010B69C09}.exe	128
PID 4508 wrote to memory of 232	4508	{13D583A0-C686-44b1-9C16-33D010B69C09}.exe	129

C:\Users\Admin\AppData\Local\Temp\2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-25_b85ac041d0abbfc99832f93813141631_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe
  C:\Windows\{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe
    C:\Windows\{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe
      C:\Windows\{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:404
    - - C:\Windows\{FB868A5D-213F-4201-AAA8-D93356898263}.exe
        
        C:\Windows\{FB868A5D-213F-4201-AAA8-D93356898263}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3420
      - C:\Windows\{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe
        
        C:\Windows\{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe
        
        C:\Windows\{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\{55606BEC-78D2-456b-BA21-F408A54562D8}.exe
        
        C:\Windows\{55606BEC-78D2-456b-BA21-F408A54562D8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe
        
        C:\Windows\{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe
        
        C:\Windows\{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\{13D583A0-C686-44b1-9C16-33D010B69C09}.exe
        
        C:\Windows\{13D583A0-C686-44b1-9C16-33D010B69C09}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\{5B588F5B-4FBB-4e22-AAC5-04D3B58B23CC}.exe
        
        C:\Windows\{5B588F5B-4FBB-4e22-AAC5-04D3B58B23CC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\{6F50263B-D99D-4342-98C6-2052A75D6782}.exe
        
        C:\Windows\{6F50263B-D99D-4342-98C6-2052A75D6782}.exe
        13⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B588~1.EXE > nul
        13⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13D58~1.EXE > nul
        12⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E374~1.EXE > nul
        11⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D56BC~1.EXE > nul
        10⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55606~1.EXE > nul
        9⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18EE1~1.EXE > nul
        8⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B9C1~1.EXE > nul
        7⤵
        
        PID:4840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB868~1.EXE > nul
        6⤵
        
        PID:1416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64E8B~1.EXE > nul
        5⤵
        
        PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3702E~1.EXE > nul
      4⤵
      PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C813A~1.EXE > nul
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13D583A0-C686-44b1-9C16-33D010B69C09}.exe

Filesize
168KB

MD5
a070ed0be61128e32e577dac0e208e71

SHA1
43535bee8bdce4ed62183873c12f98ab8c9416c6

SHA256
eeb06bc7392375213145b179ece6e7cd3248743517a55b9a59fba7f2c5aa5445

SHA512
29643490e8bd4958c495213b0ce64d34d61b6539c919036f2934418d926dbdfb92bb1e4787e898071a7d06d27c00ea9bd508a2c1c083a391b79673585ca62eeb

Download Submit
C:\Windows\{18EE1C68-3717-43e9-B89E-E1E177E12882}.exe

Filesize
168KB

MD5
9c7e7bf87a35b9e7ff9d292ba4adf8dc

SHA1
df8f21f0b96b052214a6c33aed20b98a09a30695

SHA256
0311eaca72a25bdfb4637526177e11c0df441a18e244c560e248536ab2898889

SHA512
102f753354fa459d2359b4c1574e6cb0058e2510bbef0de098bca39d40a65e586c2428ccc95732a495cb0a12292af8d697cbc7816b2b31cba4a9a3939ecb1e03

Download Submit
C:\Windows\{3702EF51-83F2-46da-9360-7F02BF7842CD}.exe

Filesize
168KB

MD5
0c7daf65f6fff41338637a34e76c3748

SHA1
3a828d198ac029a62574fa631e5e5da312f7a24b

SHA256
57b2dc8baa38688c8ac2c8e32e5816ec857d8372471ff1fdd6dc1829c9e14414

SHA512
48bd656ae50bb2fb4d86901679065792192d2535e4f95cd414f35f481f89844d493535a184249a6cb30e633900e7fb743b4355cda1cab9883d9a4813020e67a2

Download Submit
C:\Windows\{55606BEC-78D2-456b-BA21-F408A54562D8}.exe

Filesize
168KB

MD5
cf7198f57f90608aed65f74b94de1368

SHA1
897e4965828389fe53b16319da3adf866a28afab

SHA256
9e6bcbd7271839b036b675c880a7e50d86ad9193beb5c8ea0d2e069102aaae27

SHA512
57904e0abafee1c330c90e54c157b52eefec1dc1bf07c285574ef35b2b25ce834bb374c7d208f127a683284f637e681438669fcab06da52aa98d0a2546b5402f

Download Submit
C:\Windows\{5B588F5B-4FBB-4e22-AAC5-04D3B58B23CC}.exe

Filesize
168KB

MD5
9ddb4a198bb04adc2368f1eca3f4475b

SHA1
ebb77b78be2992b2650e7de4faf87710cdd689ea

SHA256
d483af30e6e512bf4833e0b842d9f19942a29ab986ee331535621d02a4c7da49

SHA512
cc034b53335b4ceddcd7b6c25799e9c9d289bce73ac13b717db099a0253c49ebba7ce28edf48c003a3a023dc1582355e4f638725300f59d5738c23d751e4443c

Download Submit
C:\Windows\{64E8B14A-FC94-461d-84E0-7D4784D9FC5F}.exe

Filesize
168KB

MD5
e96bdaa9b299265b31cfe0cf3ba0f53c

SHA1
9019687e75c48a2324ada58b642fcabbdb37b26d

SHA256
fd957adb7031498a2ce3e0ff1b0eafc75885f953b2699643b3503bfce7b3a2f8

SHA512
6f77dc7fbb1e46ad4cd7105ccc4b9aa21e5cce0b479f192c6b032bfbbb1d97a5fc821e07eed19c9acafda8645108723663b773c0d19e85b53bd8b96dad6bc1b0

Download Submit
C:\Windows\{6F50263B-D99D-4342-98C6-2052A75D6782}.exe

Filesize
168KB

MD5
87e859245023691b0b634fec5da0e3da

SHA1
7cfe34dcb0fec0b0960818b389f3361f0b402185

SHA256
81f033d16c09108d79c4b2c4d1a066a0ffcc28d9f1c2d3c95f14cbc5aac5610b

SHA512
e7af9717c9be2c37b6f92f83c57a81b445d67de65aebb009eafad2537b4149313821661f22121e182384aa675ab51afd91e15ee7a1bb2c75b1fd34a868c79920

Download Submit
C:\Windows\{7B9C1EF8-8792-4e8f-BC56-21899599FADB}.exe

Filesize
168KB

MD5
52bdfa853c988f99717d79edf6e883da

SHA1
ce9eb9c0ece061ecf1499f6a76b0b8ec30ec7a8f

SHA256
1f3d141b9eb7cd85ba5a757d8b966ef95b4c0721520d4d29d21cf5f39410300b

SHA512
af82a875f5df356bbbf68d726ef1ba71a3a52fd083567e40a2d0bdb9755471c149aef827f26ef3f153e36f0bb203e701adcfee0e4ff100c379baca6abd9e3484

Download Submit
C:\Windows\{8E374B3D-5F56-432a-974A-F0ACA3935C6A}.exe

Filesize
168KB

MD5
152aa8d843349515021709019b694605

SHA1
7ed45a5fd0de20c0f930c5cd3490b7c0133eccfe

SHA256
276f2964c317a17f822d4b26a2df1467df77798468371ff745ff2c55b5976da2

SHA512
205d7bf907c9f94dc251aa170972597dfe334c7be24f3c105eb35e7871819537bf043cc52ba4b761f65a2f1d255b9fb298b2fae676ad10c66fd9ad7a4afabb2c

Download Submit
C:\Windows\{C813AAD0-4D01-4157-9509-C7EBD510355F}.exe

Filesize
168KB

MD5
bcb4f4da2756a4768e2d55061ac9dd31

SHA1
d9f190770453e53b4936bb9323958bb012c8e2a1

SHA256
892ef3ab9d9b442f5af5a74aa2d6e33dbbc447a9c5d7fa42d25899d7b7498f68

SHA512
4fa4968f8708f36b751b5bf921ed53c191029952a10a0d948f6e108131a87f8c4d5ea972f466e5c4b1af8454a64e57d930cda887ae3fb8d05172ac726fce1475

Download Submit
C:\Windows\{D56BC081-2194-41fe-996B-B28BE1EECB4F}.exe

Filesize
168KB

MD5
c06e4dd1b25947452a45f2778b18526f

SHA1
895852f6bc4e9eab8dd2e00fc2fc8272e10d1fb1

SHA256
4d55a572b3eaa4e8fef609f6bde2a1d77d2e5908dbc4489719afa0220f1a314b

SHA512
81a9c7b90bba4d88ac1ba8bd724b541db4635823f2c8ffe011d77f796c0643162df39da95366929507fa81c75bb9c17c08d34661f812cb4ee7d8d8afee01a56f

Download Submit
C:\Windows\{FB868A5D-213F-4201-AAA8-D93356898263}.exe

Filesize
168KB

MD5
edf1628b52adf08a4126a2edebe9db63

SHA1
84da9ca6181d16d51527f3ffce5c7998e9f22be2

SHA256
cdba4ca959441c87c3a20c308651a8384ce67c259ed50e38b3940fa1b08058d0

SHA512
26d68e45ffae1eee6042fc41c84d3af67dcbc86d1480233ff665f3cec5bb99c148391b0bc18a54f514209224d435f8c4aa5ee32ab80a3e0d6153f1ed999b75a3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads