881225db026aac0e0360f4201846ada14867937b2cfa284428db4319dcb17ad1

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe
Size

408KB
MD5

8e39310db07304607d7f771358286ab8
SHA1

7d53a758f8184ebdd15a8a7864831b9b93905f6d
SHA256

881225db026aac0e0360f4201846ada14867937b2cfa284428db4319dcb17ad1
SHA512

fa4fe4af638ac92907ed1c00885f5d72be2ddc8ee511b72da342c3295ca64e6d700055a2958bee6ecb834727c25ba32023c177ed79b5f8df554762dcd84f80fe
SSDEEP

3072:CEGh0o3l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGtldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231ee-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000018062-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231fd-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000018062-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000018062-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91565255-A45E-4319-BEB7-2244E5F5C0EC}	{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}	{91565255-A45E-4319-BEB7-2244E5F5C0EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67CE8DEA-DF60-4442-A03F-6A48C502D24A}	{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BAC793E-B142-44c4-B418-A14B0E1B90D7}	{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27501865-28D8-4f9c-A0BC-D535D40E373C}	{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80373635-F8B5-4a48-809A-012EA55034AC}\stubpath = "C:\\Windows\\{80373635-F8B5-4a48-809A-012EA55034AC}.exe"	{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74018E54-3F49-40ff-9D5C-1164C22E258E}\stubpath = "C:\\Windows\\{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe"	{80373635-F8B5-4a48-809A-012EA55034AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9E7AB46-EA8D-411a-AC1B-927963E84169}\stubpath = "C:\\Windows\\{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe"	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27501865-28D8-4f9c-A0BC-D535D40E373C}\stubpath = "C:\\Windows\\{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe"	{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67CE8DEA-DF60-4442-A03F-6A48C502D24A}\stubpath = "C:\\Windows\\{67CE8DEA-DF60-4442-A03F-6A48C502D24A}.exe"	{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74018E54-3F49-40ff-9D5C-1164C22E258E}	{80373635-F8B5-4a48-809A-012EA55034AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}\stubpath = "C:\\Windows\\{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe"	{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91565255-A45E-4319-BEB7-2244E5F5C0EC}\stubpath = "C:\\Windows\\{91565255-A45E-4319-BEB7-2244E5F5C0EC}.exe"	{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{682C2A86-A8DE-4e92-9F53-C4E0387D321D}\stubpath = "C:\\Windows\\{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe"	{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}	{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}\stubpath = "C:\\Windows\\{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe"	{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}\stubpath = "C:\\Windows\\{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe"	{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80373635-F8B5-4a48-809A-012EA55034AC}	{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}	{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}\stubpath = "C:\\Windows\\{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}.exe"	{91565255-A45E-4319-BEB7-2244E5F5C0EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9E7AB46-EA8D-411a-AC1B-927963E84169}	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BAC793E-B142-44c4-B418-A14B0E1B90D7}\stubpath = "C:\\Windows\\{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe"	{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{682C2A86-A8DE-4e92-9F53-C4E0387D321D}	{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}	{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe

Executes dropped EXE 11 IoCs

pid	Process
3520	{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe
2060	{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe
3080	{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe
3484	{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe
2644	{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe
3944	{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe
4336	{80373635-F8B5-4a48-809A-012EA55034AC}.exe
3848	{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe
4868	{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe
1032	{91565255-A45E-4319-BEB7-2244E5F5C0EC}.exe
3512	{67CE8DEA-DF60-4442-A03F-6A48C502D24A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe	{80373635-F8B5-4a48-809A-012EA55034AC}.exe
File created	C:\Windows\{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe	{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe
File created	C:\Windows\{91565255-A45E-4319-BEB7-2244E5F5C0EC}.exe	{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe
File created	C:\Windows\{67CE8DEA-DF60-4442-A03F-6A48C502D24A}.exe	{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}.exe
File created	C:\Windows\{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe	{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe
File created	C:\Windows\{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe	{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe
File created	C:\Windows\{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe	{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe
File created	C:\Windows\{80373635-F8B5-4a48-809A-012EA55034AC}.exe	{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe
File created	C:\Windows\{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe
File created	C:\Windows\{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe	{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe
File created	C:\Windows\{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe	{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4832	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3520	{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe
Token: SeIncBasePriorityPrivilege	2060	{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe
Token: SeIncBasePriorityPrivilege	3080	{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe
Token: SeIncBasePriorityPrivilege	3484	{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe
Token: SeIncBasePriorityPrivilege	2644	{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe
Token: SeIncBasePriorityPrivilege	3944	{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe
Token: SeIncBasePriorityPrivilege	4336	{80373635-F8B5-4a48-809A-012EA55034AC}.exe
Token: SeIncBasePriorityPrivilege	3848	{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe
Token: SeIncBasePriorityPrivilege	4868	{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe
Token: SeIncBasePriorityPrivilege	2948	{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 3520	4832	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	88
PID 4832 wrote to memory of 3520	4832	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	88
PID 4832 wrote to memory of 3520	4832	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	88
PID 4832 wrote to memory of 440	4832	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	89
PID 4832 wrote to memory of 440	4832	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	89
PID 4832 wrote to memory of 440	4832	2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe	89
PID 3520 wrote to memory of 2060	3520	{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe	93
PID 3520 wrote to memory of 2060	3520	{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe	93
PID 3520 wrote to memory of 2060	3520	{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe	93
PID 3520 wrote to memory of 5068	3520	{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe	94
PID 3520 wrote to memory of 5068	3520	{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe	94
PID 3520 wrote to memory of 5068	3520	{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe	94
PID 2060 wrote to memory of 3080	2060	{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe	96
PID 2060 wrote to memory of 3080	2060	{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe	96
PID 2060 wrote to memory of 3080	2060	{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe	96
PID 2060 wrote to memory of 4552	2060	{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe	97
PID 2060 wrote to memory of 4552	2060	{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe	97
PID 2060 wrote to memory of 4552	2060	{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe	97
PID 3080 wrote to memory of 3484	3080	{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe	98
PID 3080 wrote to memory of 3484	3080	{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe	98
PID 3080 wrote to memory of 3484	3080	{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe	98
PID 3080 wrote to memory of 1800	3080	{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe	99
PID 3080 wrote to memory of 1800	3080	{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe	99
PID 3080 wrote to memory of 1800	3080	{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe	99
PID 3484 wrote to memory of 2644	3484	{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe	100
PID 3484 wrote to memory of 2644	3484	{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe	100
PID 3484 wrote to memory of 2644	3484	{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe	100
PID 3484 wrote to memory of 3076	3484	{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe	101
PID 3484 wrote to memory of 3076	3484	{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe	101
PID 3484 wrote to memory of 3076	3484	{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe	101
PID 2644 wrote to memory of 3944	2644	{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe	102
PID 2644 wrote to memory of 3944	2644	{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe	102
PID 2644 wrote to memory of 3944	2644	{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe	102
PID 2644 wrote to memory of 4292	2644	{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe	103
PID 2644 wrote to memory of 4292	2644	{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe	103
PID 2644 wrote to memory of 4292	2644	{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe	103
PID 3944 wrote to memory of 4336	3944	{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe	104
PID 3944 wrote to memory of 4336	3944	{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe	104
PID 3944 wrote to memory of 4336	3944	{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe	104
PID 3944 wrote to memory of 3756	3944	{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe	105
PID 3944 wrote to memory of 3756	3944	{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe	105
PID 3944 wrote to memory of 3756	3944	{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe	105
PID 4336 wrote to memory of 3848	4336	{80373635-F8B5-4a48-809A-012EA55034AC}.exe	106
PID 4336 wrote to memory of 3848	4336	{80373635-F8B5-4a48-809A-012EA55034AC}.exe	106
PID 4336 wrote to memory of 3848	4336	{80373635-F8B5-4a48-809A-012EA55034AC}.exe	106
PID 4336 wrote to memory of 3672	4336	{80373635-F8B5-4a48-809A-012EA55034AC}.exe	107
PID 4336 wrote to memory of 3672	4336	{80373635-F8B5-4a48-809A-012EA55034AC}.exe	107
PID 4336 wrote to memory of 3672	4336	{80373635-F8B5-4a48-809A-012EA55034AC}.exe	107
PID 3848 wrote to memory of 4868	3848	{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe	108
PID 3848 wrote to memory of 4868	3848	{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe	108
PID 3848 wrote to memory of 4868	3848	{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe	108
PID 3848 wrote to memory of 1692	3848	{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe	109
PID 3848 wrote to memory of 1692	3848	{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe	109
PID 3848 wrote to memory of 1692	3848	{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe	109
PID 4868 wrote to memory of 1032	4868	{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe	110
PID 4868 wrote to memory of 1032	4868	{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe	110
PID 4868 wrote to memory of 1032	4868	{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe	110
PID 4868 wrote to memory of 4392	4868	{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe	111
PID 4868 wrote to memory of 4392	4868	{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe	111
PID 4868 wrote to memory of 4392	4868	{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe	111
PID 2948 wrote to memory of 3512	2948	{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}.exe	114
PID 2948 wrote to memory of 3512	2948	{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}.exe	114
PID 2948 wrote to memory of 3512	2948	{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}.exe	114
PID 2948 wrote to memory of 744	2948	{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_8e39310db07304607d7f771358286ab8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe
  C:\Windows\{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe
    C:\Windows\{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe
      C:\Windows\{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Windows\{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe
        
        C:\Windows\{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe
        
        C:\Windows\{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe
        
        C:\Windows\{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\{80373635-F8B5-4a48-809A-012EA55034AC}.exe
        
        C:\Windows\{80373635-F8B5-4a48-809A-012EA55034AC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe
        
        C:\Windows\{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe
        
        C:\Windows\{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\{91565255-A45E-4319-BEB7-2244E5F5C0EC}.exe
        
        C:\Windows\{91565255-A45E-4319-BEB7-2244E5F5C0EC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}.exe
        
        C:\Windows\{93CFC229-6730-4cb1-9FD9-B5D1E4DD6197}.exe
        12⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\{67CE8DEA-DF60-4442-A03F-6A48C502D24A}.exe
        
        C:\Windows\{67CE8DEA-DF60-4442-A03F-6A48C502D24A}.exe
        13⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93CFC~1.EXE > nul
        13⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91565~1.EXE > nul
        12⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05C8B~1.EXE > nul
        11⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74018~1.EXE > nul
        10⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80373~1.EXE > nul
        9⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81C65~1.EXE > nul
        8⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C89F8~1.EXE > nul
        7⤵
        
        PID:4292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27501~1.EXE > nul
        6⤵
        
        PID:3076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{682C2~1.EXE > nul
        5⤵
        
        PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1BAC7~1.EXE > nul
      4⤵
      PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A9E7A~1.EXE > nul
    3⤵
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05C8BBB8-8C2D-44e6-8B01-BC4036C7C03A}.exe

Filesize
408KB

MD5
e2630c2c4366afb193dd8732cdd6d72f

SHA1
4e94d8ec627cbe8ed7eafa8488302956ebed0be1

SHA256
334025f532a04ddaaacb0417157afede85120c12eeb680a4d9b655c668f31787

SHA512
aafbcae07c65d65d639a71e109b37b7bb5719a317bc7218cac348894ec7d74fd2c943d2e755c98e21038b71cf358d054ec1d16f966c8983d329ab271f95a802e

Download Submit
C:\Windows\{1BAC793E-B142-44c4-B418-A14B0E1B90D7}.exe

Filesize
408KB

MD5
aff7383b0c643292a0d6b17bd67bb282

SHA1
997c5a600923457fa492b58bedf089ea8a737796

SHA256
e170e277ed40c99b7b1bc617cc88824e79afb999dbbac201daa1c4c95dc1cca9

SHA512
e004658a623d6d332ef7b0e84f6ce5601c017ddcb0514a36b3533b1ccefaa90c48cf4a8d82bc44af0186b67bab653ebd60deb194aa9afc63c643d2b695fd7dba

Download Submit
C:\Windows\{27501865-28D8-4f9c-A0BC-D535D40E373C}.exe

Filesize
408KB

MD5
52c75264c96bdae242ca9c8c69712f0a

SHA1
e38db104bc279b450985dc25f71708fc37bf8f4f

SHA256
6b7a7f2e194794fdb49e93106e6ddc9d0e2013dbf1e5a0dd15964cbb60309be5

SHA512
cd0aa6551dd650301d832829257efa8a7e3be6ed9bf9ff438f9ece1c72e2f7ea9e9471c5104f8548b5a82f76c1223a5a7c75724c85ee0bc7f37f45a84ff4c35b

Download Submit
C:\Windows\{67CE8DEA-DF60-4442-A03F-6A48C502D24A}.exe

Filesize
408KB

MD5
43d6d8f31238e6fef019362bc30ae17c

SHA1
6568dbd35eb7620fdd6b60b05d4df48bb985bca8

SHA256
cd80e5d923e29669e27de37a1c57b55bfb9fb4276dc09fedce87a2ad91d92e88

SHA512
c38e47b134f31bfe3bbcba8cb7842991cf2b089759bfe887c5d9cb3c29a8ed04b8787f7d736de73b9232d556077416d5768e5fcabff0317cc0d6f4773c35d01a

Download Submit
C:\Windows\{682C2A86-A8DE-4e92-9F53-C4E0387D321D}.exe

Filesize
408KB

MD5
c8c60d67e01c66f5fa54e45486737253

SHA1
6c9dfce588c19437741578ec685563c3964e3394

SHA256
3a430d946f58d49936dc42c3f3668d8d484258751a7c0eba67cf65c0eb1230b7

SHA512
428cecc276d85925c81222d9c9ea4865ddc8b0f7108199e86ff1dcdd95dec87f35993971bd838960dcea17372aa0dd6487871abd4b74b4ba327ece7c8810739e

Download Submit
C:\Windows\{74018E54-3F49-40ff-9D5C-1164C22E258E}.exe

Filesize
408KB

MD5
9a17efc76c4e899c378f440021a7d7bc

SHA1
cd6f6583717b499149cdb98ac39567f7c7d9da25

SHA256
e604d369fd17c85f2bcb45bc6d8a4a7cad7d2ceff65760beb6c06a2bcfb810d6

SHA512
af069ea96cf87909fdacfc3cebbce4b11dc6da4b946cbb521581e768230e7e42d6feafd112188991f7fa02e31d4daf84c8500f16a3f950a64a60a91f4dc3594b

Download Submit
C:\Windows\{80373635-F8B5-4a48-809A-012EA55034AC}.exe

Filesize
408KB

MD5
809ac88eab07d05ff476f375d3e15a51

SHA1
68eaeb47c812febab4b951efd413da59f3207ea7

SHA256
7a149dc54e6138848ec61711a30995b2b4e7616ed6ae2ea9da1d6cff6204e7a3

SHA512
272434fb4a66f3f828e79cc3e8aa89a6508747830ddd662e41276445642b064dd2e3ff1b82aa6e6c256b831bd08b8fd4434aed6f5c41f4efc04935640191d23a

Download Submit
C:\Windows\{81C65AA9-2687-44f9-8D9A-7D43BAE6E529}.exe

Filesize
408KB

MD5
5a70b91922c32482ed5fa79f4695a472

SHA1
6b530c522c8cf875b9e71c1f89ad8bd2d3a1ae17

SHA256
fd385e2d1ec4ff162059502982340aef453d140d30f3918c8b0f8ae34a6a0619

SHA512
683acb9f2b59d7eda7076a1e69d8d181d33f30b6eb3601b1f330439370f2b612a6e33ad926ccb5e65bafcff180b086c5d9394815efc2239bcd15b6f16bd82157

Download Submit
C:\Windows\{91565255-A45E-4319-BEB7-2244E5F5C0EC}.exe

Filesize
4KB

MD5
7ebe33c1be64967c78cd552e9a24af19

SHA1
d70f54d0532329446ade324bd0c604dd0252d96a

SHA256
76bc385ed634f46681bb0879a3fca945618518434a1c23356359d16eb6803039

SHA512
be7edd4763c92b76da1af1edb822d39dc9a08d3cc20ef635518ad14d6072301011bcdac5fea8dbd029875e6b23ab52e2a88cd3ede86103ed568c2267ca1be5de

Download Submit
C:\Windows\{91565255-A45E-4319-BEB7-2244E5F5C0EC}.exe

Filesize
408KB

MD5
2f391b2a951432f3a014719d692a8943

SHA1
5ee5ad70e1c219e1d7594e24b4cef925ca65d788

SHA256
5bbebb77f7b41aed467d21194f1fd4601f4f4e60e4ceb74b9253cd5035fb5a35

SHA512
35bd81097a2a1e81678b1e32c39abe1ad7557399a7c7e46b5aa3ae81396535a9511b55c41d49907011ce97943b05f05d1ab3537c4211f126a529cbd9da4662cb

Download Submit
C:\Windows\{A9E7AB46-EA8D-411a-AC1B-927963E84169}.exe

Filesize
408KB

MD5
ac8553cefc7a160b69a1801a2ca4922c

SHA1
46cf218fdd59b5a6a09b073855b7826af02262e8

SHA256
6d6b783e3aa78ba403d5ffaa6467170e45683945ff932f86e82d7e3b1c6942b4

SHA512
4fc117a2e2b3ceece3e750dc5cfe0419f375cb0020c5683f64b4925674cabb56e9975ac0ca9a3842e8bc5a9db2e010eeab6a108a1ce83914c42c9de83736201d

Download Submit
C:\Windows\{C89F8BF8-50F5-4744-ABB8-7FE4055C307F}.exe

Filesize
408KB

MD5
d42c3553befb9b9de5e1ae8d62d6ab6e

SHA1
70e194c4445ae83d3e8297af593647f0e32efa61

SHA256
8c34963e9a9020d83f42d87202fe111e5b58440ea58787ebb7cc5605128c891c

SHA512
373e840f72bd0ff3c228c8bcd847b1725e3755ad9a6f8841e22c5ee1182a33e449d38c3a1fe6720d54dbd8ed80c2eadf8f4c3f69eceb5453eab6e976260dc450

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads