e7a05a8128f37af8eefea9473d3048ab9daf91329fda877770032269f143b55e

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe
Size

180KB
MD5

aa047a8795853552cdef4ed25659fc4a
SHA1

7c22e12ca57c99c792f7ff385340f639fe63532a
SHA256

e7a05a8128f37af8eefea9473d3048ab9daf91329fda877770032269f143b55e
SHA512

bf71a6e8540782c52fa63fcd3b771f9238f99ad05b583ca71a9a15c18adf6d43e8751859414351d73875497eb98fb7d2d271d275b197cf94e84652fb70c6e5e1
SSDEEP

3072:jEGh0oQlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGWl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002314c-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023233-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002323a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023233-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002323a-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023233-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002323a-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000731-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000731-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000072f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DC29E00-7D9E-478a-B073-C5982F17552F}	{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{496CBFED-253A-4a0c-BF8C-EA97568F8524}	{09E416E3-BF34-4937-AAE4-9934B479832A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2725923D-1EED-4549-AE64-AD3B92E4E3B7}	{24688EED-7636-4fdb-B54B-61507C2D1610}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2725923D-1EED-4549-AE64-AD3B92E4E3B7}\stubpath = "C:\\Windows\\{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe"	{24688EED-7636-4fdb-B54B-61507C2D1610}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F499492B-D11F-4dbf-943A-8473F2E90B99}\stubpath = "C:\\Windows\\{F499492B-D11F-4dbf-943A-8473F2E90B99}.exe"	{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6F69DDC-9228-4986-BB5E-4391E0C82479}\stubpath = "C:\\Windows\\{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe"	2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14008073-009D-495b-AFD9-27D8C1E1C813}\stubpath = "C:\\Windows\\{14008073-009D-495b-AFD9-27D8C1E1C813}.exe"	{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}	{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{496CBFED-253A-4a0c-BF8C-EA97568F8524}\stubpath = "C:\\Windows\\{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe"	{09E416E3-BF34-4937-AAE4-9934B479832A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51DBA984-7C40-4f00-B03D-31EA0216EAA8}	{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24688EED-7636-4fdb-B54B-61507C2D1610}	{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6F69DDC-9228-4986-BB5E-4391E0C82479}	2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14008073-009D-495b-AFD9-27D8C1E1C813}	{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E517A5B7-737B-4b75-A746-25970CA7E69B}	{14008073-009D-495b-AFD9-27D8C1E1C813}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E517A5B7-737B-4b75-A746-25970CA7E69B}\stubpath = "C:\\Windows\\{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe"	{14008073-009D-495b-AFD9-27D8C1E1C813}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24688EED-7636-4fdb-B54B-61507C2D1610}\stubpath = "C:\\Windows\\{24688EED-7636-4fdb-B54B-61507C2D1610}.exe"	{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A1A19E4-602E-4d0a-8494-22C562AD2381}	{F499492B-D11F-4dbf-943A-8473F2E90B99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A1A19E4-602E-4d0a-8494-22C562AD2381}\stubpath = "C:\\Windows\\{8A1A19E4-602E-4d0a-8494-22C562AD2381}.exe"	{F499492B-D11F-4dbf-943A-8473F2E90B99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DC29E00-7D9E-478a-B073-C5982F17552F}\stubpath = "C:\\Windows\\{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe"	{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}\stubpath = "C:\\Windows\\{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe"	{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09E416E3-BF34-4937-AAE4-9934B479832A}	{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09E416E3-BF34-4937-AAE4-9934B479832A}\stubpath = "C:\\Windows\\{09E416E3-BF34-4937-AAE4-9934B479832A}.exe"	{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51DBA984-7C40-4f00-B03D-31EA0216EAA8}\stubpath = "C:\\Windows\\{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe"	{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F499492B-D11F-4dbf-943A-8473F2E90B99}	{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe

Executes dropped EXE 12 IoCs

pid	Process
380	{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe
228	{14008073-009D-495b-AFD9-27D8C1E1C813}.exe
4316	{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe
4340	{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe
3812	{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe
4468	{09E416E3-BF34-4937-AAE4-9934B479832A}.exe
3276	{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe
2200	{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe
3224	{24688EED-7636-4fdb-B54B-61507C2D1610}.exe
2948	{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe
2880	{F499492B-D11F-4dbf-943A-8473F2E90B99}.exe
3848	{8A1A19E4-602E-4d0a-8494-22C562AD2381}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{09E416E3-BF34-4937-AAE4-9934B479832A}.exe	{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe
File created	C:\Windows\{14008073-009D-495b-AFD9-27D8C1E1C813}.exe	{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe
File created	C:\Windows\{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe	{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe
File created	C:\Windows\{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe	{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe
File created	C:\Windows\{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe	{09E416E3-BF34-4937-AAE4-9934B479832A}.exe
File created	C:\Windows\{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe	{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe
File created	C:\Windows\{24688EED-7636-4fdb-B54B-61507C2D1610}.exe	{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe
File created	C:\Windows\{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe	{24688EED-7636-4fdb-B54B-61507C2D1610}.exe
File created	C:\Windows\{F499492B-D11F-4dbf-943A-8473F2E90B99}.exe	{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe
File created	C:\Windows\{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe	2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe
File created	C:\Windows\{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe	{14008073-009D-495b-AFD9-27D8C1E1C813}.exe
File created	C:\Windows\{8A1A19E4-602E-4d0a-8494-22C562AD2381}.exe	{F499492B-D11F-4dbf-943A-8473F2E90B99}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1048	2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	380	{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe
Token: SeIncBasePriorityPrivilege	228	{14008073-009D-495b-AFD9-27D8C1E1C813}.exe
Token: SeIncBasePriorityPrivilege	4316	{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe
Token: SeIncBasePriorityPrivilege	4340	{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe
Token: SeIncBasePriorityPrivilege	3812	{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe
Token: SeIncBasePriorityPrivilege	4468	{09E416E3-BF34-4937-AAE4-9934B479832A}.exe
Token: SeIncBasePriorityPrivilege	3276	{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe
Token: SeIncBasePriorityPrivilege	2200	{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe
Token: SeIncBasePriorityPrivilege	3224	{24688EED-7636-4fdb-B54B-61507C2D1610}.exe
Token: SeIncBasePriorityPrivilege	2948	{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe
Token: SeIncBasePriorityPrivilege	2880	{F499492B-D11F-4dbf-943A-8473F2E90B99}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 380	1048	2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe	94
PID 1048 wrote to memory of 380	1048	2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe	94
PID 1048 wrote to memory of 380	1048	2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe	94
PID 1048 wrote to memory of 4916	1048	2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe	95
PID 1048 wrote to memory of 4916	1048	2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe	95
PID 1048 wrote to memory of 4916	1048	2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe	95
PID 380 wrote to memory of 228	380	{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe	98
PID 380 wrote to memory of 228	380	{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe	98
PID 380 wrote to memory of 228	380	{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe	98
PID 380 wrote to memory of 3992	380	{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe	99
PID 380 wrote to memory of 3992	380	{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe	99
PID 380 wrote to memory of 3992	380	{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe	99
PID 228 wrote to memory of 4316	228	{14008073-009D-495b-AFD9-27D8C1E1C813}.exe	101
PID 228 wrote to memory of 4316	228	{14008073-009D-495b-AFD9-27D8C1E1C813}.exe	101
PID 228 wrote to memory of 4316	228	{14008073-009D-495b-AFD9-27D8C1E1C813}.exe	101
PID 228 wrote to memory of 4032	228	{14008073-009D-495b-AFD9-27D8C1E1C813}.exe	102
PID 228 wrote to memory of 4032	228	{14008073-009D-495b-AFD9-27D8C1E1C813}.exe	102
PID 228 wrote to memory of 4032	228	{14008073-009D-495b-AFD9-27D8C1E1C813}.exe	102
PID 4316 wrote to memory of 4340	4316	{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe	103
PID 4316 wrote to memory of 4340	4316	{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe	103
PID 4316 wrote to memory of 4340	4316	{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe	103
PID 4316 wrote to memory of 4816	4316	{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe	104
PID 4316 wrote to memory of 4816	4316	{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe	104
PID 4316 wrote to memory of 4816	4316	{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe	104
PID 4340 wrote to memory of 3812	4340	{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe	105
PID 4340 wrote to memory of 3812	4340	{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe	105
PID 4340 wrote to memory of 3812	4340	{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe	105
PID 4340 wrote to memory of 3488	4340	{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe	106
PID 4340 wrote to memory of 3488	4340	{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe	106
PID 4340 wrote to memory of 3488	4340	{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe	106
PID 3812 wrote to memory of 4468	3812	{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe	107
PID 3812 wrote to memory of 4468	3812	{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe	107
PID 3812 wrote to memory of 4468	3812	{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe	107
PID 3812 wrote to memory of 2896	3812	{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe	108
PID 3812 wrote to memory of 2896	3812	{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe	108
PID 3812 wrote to memory of 2896	3812	{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe	108
PID 4468 wrote to memory of 3276	4468	{09E416E3-BF34-4937-AAE4-9934B479832A}.exe	109
PID 4468 wrote to memory of 3276	4468	{09E416E3-BF34-4937-AAE4-9934B479832A}.exe	109
PID 4468 wrote to memory of 3276	4468	{09E416E3-BF34-4937-AAE4-9934B479832A}.exe	109
PID 4468 wrote to memory of 1192	4468	{09E416E3-BF34-4937-AAE4-9934B479832A}.exe	110
PID 4468 wrote to memory of 1192	4468	{09E416E3-BF34-4937-AAE4-9934B479832A}.exe	110
PID 4468 wrote to memory of 1192	4468	{09E416E3-BF34-4937-AAE4-9934B479832A}.exe	110
PID 3276 wrote to memory of 2200	3276	{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe	111
PID 3276 wrote to memory of 2200	3276	{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe	111
PID 3276 wrote to memory of 2200	3276	{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe	111
PID 3276 wrote to memory of 4792	3276	{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe	112
PID 3276 wrote to memory of 4792	3276	{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe	112
PID 3276 wrote to memory of 4792	3276	{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe	112
PID 2200 wrote to memory of 3224	2200	{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe	113
PID 2200 wrote to memory of 3224	2200	{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe	113
PID 2200 wrote to memory of 3224	2200	{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe	113
PID 2200 wrote to memory of 4568	2200	{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe	114
PID 2200 wrote to memory of 4568	2200	{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe	114
PID 2200 wrote to memory of 4568	2200	{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe	114
PID 3224 wrote to memory of 2948	3224	{24688EED-7636-4fdb-B54B-61507C2D1610}.exe	115
PID 3224 wrote to memory of 2948	3224	{24688EED-7636-4fdb-B54B-61507C2D1610}.exe	115
PID 3224 wrote to memory of 2948	3224	{24688EED-7636-4fdb-B54B-61507C2D1610}.exe	115
PID 3224 wrote to memory of 4652	3224	{24688EED-7636-4fdb-B54B-61507C2D1610}.exe	116
PID 3224 wrote to memory of 4652	3224	{24688EED-7636-4fdb-B54B-61507C2D1610}.exe	116
PID 3224 wrote to memory of 4652	3224	{24688EED-7636-4fdb-B54B-61507C2D1610}.exe	116
PID 2948 wrote to memory of 2880	2948	{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe	117
PID 2948 wrote to memory of 2880	2948	{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe	117
PID 2948 wrote to memory of 2880	2948	{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe	117
PID 2948 wrote to memory of 4056	2948	{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_aa047a8795853552cdef4ed25659fc4a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe
  C:\Windows\{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\{14008073-009D-495b-AFD9-27D8C1E1C813}.exe
    C:\Windows\{14008073-009D-495b-AFD9-27D8C1E1C813}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe
      C:\Windows\{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Windows\{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe
        
        C:\Windows\{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Windows\{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe
        
        C:\Windows\{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\{09E416E3-BF34-4937-AAE4-9934B479832A}.exe
        
        C:\Windows\{09E416E3-BF34-4937-AAE4-9934B479832A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe
        
        C:\Windows\{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe
        
        C:\Windows\{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{24688EED-7636-4fdb-B54B-61507C2D1610}.exe
        
        C:\Windows\{24688EED-7636-4fdb-B54B-61507C2D1610}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe
        
        C:\Windows\{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\{F499492B-D11F-4dbf-943A-8473F2E90B99}.exe
        
        C:\Windows\{F499492B-D11F-4dbf-943A-8473F2E90B99}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{8A1A19E4-602E-4d0a-8494-22C562AD2381}.exe
        
        C:\Windows\{8A1A19E4-602E-4d0a-8494-22C562AD2381}.exe
        13⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4994~1.EXE > nul
        13⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27259~1.EXE > nul
        12⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24688~1.EXE > nul
        11⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51DBA~1.EXE > nul
        10⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{496CB~1.EXE > nul
        9⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09E41~1.EXE > nul
        8⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{174BE~1.EXE > nul
        7⤵
        
        PID:2896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DC29~1.EXE > nul
        6⤵
        
        PID:3488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E517A~1.EXE > nul
        5⤵
        
        PID:4816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{14008~1.EXE > nul
      4⤵
      PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D6F69~1.EXE > nul
    3⤵
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09E416E3-BF34-4937-AAE4-9934B479832A}.exe

Filesize
180KB

MD5
71b00762a6fc4482fda6d403ca560cb4

SHA1
2d2ef2dea145ba84aa7825c6cb96136d3671b8e3

SHA256
ef194a9adb0bc4411f5753f2fed2be83c378145eee34acea14a97fca9325f265

SHA512
5d5f9581a06468b780fca5593df29544008a1bc4932b2b97f5ff39d20b4baef219f5ac0f8335ed67610a1a084f0332f2298a67c31241b19b780e612748691bdc

Download Submit
C:\Windows\{14008073-009D-495b-AFD9-27D8C1E1C813}.exe

Filesize
180KB

MD5
c4dc62bdc9d1aa196d9def1e2cc8f03e

SHA1
4021b831f5fe89a8596a111ef095c2aacaf28f19

SHA256
7d0d3c232bd7de12c547ca750817428fb3433dc0113299e3662bc23dd8c6e717

SHA512
02a9a18ae982dc5866cef84cb893e69fdb86d043e1fd8c884fac5c9ac06fc746a251beaade0cf82e9c4c419e8f204efbc9151db14c5217b736e316b2a662acfa

Download Submit
C:\Windows\{174BE9E1-3B97-41ee-99AE-82D9004AEB0F}.exe

Filesize
180KB

MD5
7778947029b768207886f58e82877987

SHA1
82b3cdd29c0ae78215e6fe494456fb5666a49b91

SHA256
e1406a3bb52a2af5cac1be1891c8d1fd9f0d93b14a5e31b0031a781d23672b55

SHA512
d633d35bf96e94b4b3e239c514824344346b7d2a7378850aa3530f531fee5c095e46657fe898286000fe2c9f0e3d93e0f765052e95cfe999da8c751e949618dd

Download Submit
C:\Windows\{24688EED-7636-4fdb-B54B-61507C2D1610}.exe

Filesize
180KB

MD5
cc916d900bd8200457b0fbdc5845170e

SHA1
a8fe65e1ae4c3aeaaaf367176d2f98d07aac9f18

SHA256
9a60dc6616881a5200eceea9a58efc26d1f217123bf8c65c22dd8be0d9044aff

SHA512
7cd563ef7dfd1faf754590c48408a39204bfddf7203095a92be4e8b4252a16fbf091caac3286f8a433d1472763bc7bd90c56467558fd972852d7a8a1f514baaf

Download Submit
C:\Windows\{2725923D-1EED-4549-AE64-AD3B92E4E3B7}.exe

Filesize
180KB

MD5
c4cca8da6754a8627e3dc18272514074

SHA1
c985b6222889f813acad78e8f3f78567ef790eeb

SHA256
a1dd204e91713c20884e2f95aa678c191ac691cca63a4106e196721e159e656a

SHA512
e4590bea1179317e5dc56ddc521d02f8803419e741fe6784deb0f629e4300b7308489b48006610bff974846a99042b32172500078a6007525df864f2e358de8d

Download Submit
C:\Windows\{2DC29E00-7D9E-478a-B073-C5982F17552F}.exe

Filesize
180KB

MD5
3311384bf2b00fbd377276f689e8d85a

SHA1
d1f16cff649026dcc2983792c92a33ed54806377

SHA256
75196e52e4a52c3e92de4dbda3f6d13f566d29cbd0df48d29d0a411f6c782047

SHA512
a67520cf12a0b6e3b6dba9a5f478f9ab743e6df23e0ef618ce11f03ebbfd7a360a35348f111ae110d57abe97e6d439ad4f1e1c535cbbe2d7a797c652c4e89f72

Download Submit
C:\Windows\{496CBFED-253A-4a0c-BF8C-EA97568F8524}.exe

Filesize
180KB

MD5
83ce146dab5bd1d8b9e8851ec1f2e267

SHA1
d6e5307b902625d2e05c2d23abb0b288df2e8d27

SHA256
6c0b3b621ff4c03b2167427dc41698ff7041222b2db40b78019e7041955c90a1

SHA512
5ce23f6696d7594a46dd6be59a557aea7752553a350243c0f858db14c2739b504b79d2b4e3bd0e295308d3053ad5bc834b0969071f0d86344affb1ed0740f4aa

Download Submit
C:\Windows\{51DBA984-7C40-4f00-B03D-31EA0216EAA8}.exe

Filesize
180KB

MD5
2041d888d1793618c31fab4da423f792

SHA1
2568e5648c9eac0d430cd642cf84f746d4eac332

SHA256
95f6265eeb8982c0bfa08549a65635810e8b7a9907a5c883e8567601877e7269

SHA512
97cfd8c82f1802b12ab7352656357e4ce819609503179885b5216b6ae581eedc6f4e73c9a3714b2cc8c6bb428a849e60eadea12286d542fed31c0489b6acd05c

Download Submit
C:\Windows\{8A1A19E4-602E-4d0a-8494-22C562AD2381}.exe

Filesize
180KB

MD5
ac67286040e27208686d9a5559ab9ae7

SHA1
9e79ceef14d6ff54388b12d6ecb809340358c2b0

SHA256
c6ed11a10126cb3e3aba2494577491aa055377b3bfbffec3c55108abd9795035

SHA512
7a9527c44d54535411b68ea7c37fadae85d420caa46360565bdfc4b2d2c75eefb4dceadac5acd70a1ccee28b9d4aa8a0f2ac5b710021f6400ce4e27da3e8ffd7

Download Submit
C:\Windows\{D6F69DDC-9228-4986-BB5E-4391E0C82479}.exe

Filesize
180KB

MD5
2c7253ccba25a4bfa1fa7cf071f97f3a

SHA1
d9dcae2c860e71a01594e2f1342e8ea8970137ce

SHA256
ae4151ba374f7d8abc1911dc19b20a92280887dfab86aeaacf956c3c06bc808d

SHA512
77570602e60c9857a8755bcd2d57b92e9ece30c761ed4c0a0ecde0e42b7c511e94d5d9488deded9ba322f723667a8265f6262d4b53f990d990271a33b127cd09

Download Submit
C:\Windows\{E517A5B7-737B-4b75-A746-25970CA7E69B}.exe

Filesize
180KB

MD5
0aa5b5ebf762a5d4ef00ae20ca96fc70

SHA1
0e53d83a179bd35766361c6df34880b09190c5f6

SHA256
993d5b710708ca2290260f6d203853f732a8aaa499749ee9edbc1432e2da8768

SHA512
22e95394deb9d7531d8cc44c64e07c8ac8d3585886411c50b3cf27292c58f6514652b8c347aab060567cdf58b9230a4f08821a348ee3f32dd05d5e49cef54841

Download Submit
C:\Windows\{F499492B-D11F-4dbf-943A-8473F2E90B99}.exe

Filesize
180KB

MD5
f054dbf1028d3b27bf241175111461c1

SHA1
229ae233fd89f9818b884f7cddad0611b85b7cd7

SHA256
0909a6fd1f96eecabfd611cb643a1bf5638fb612e789cc7a999184e76d115e74

SHA512
5f656028a4f58949afd6956e8bcabd83858120613707ca93db219151ee995d715a95b131b1d7a4da561881f9b2a499b131ac21bd6b7992485ffacbf54526b59a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads