fead101260f66ec2a4e9fd67a0ddcb7251564216c067c5483111d76ee3f580ae

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 12:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe
Size

216KB
MD5

7410c56b2660a3bdf505aaad75756cb8
SHA1

983debde21b0b50ff935adc6646560e0e34bfe67
SHA256

fead101260f66ec2a4e9fd67a0ddcb7251564216c067c5483111d76ee3f580ae
SHA512

ebc5a6b39ac9859e6653ff87497d61600dcbd7a7f71aebaaf60eb333d9181b02950756a5a0852903d45b2b86b3d1f37dfbeb34321de837f687d5179eabd03506
SSDEEP

3072:jEGh0o/l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGplEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023219-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e804-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023224-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e804-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000001e804-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7630F3F-659D-4175-B670-D696A29796CA}\stubpath = "C:\\Windows\\{E7630F3F-659D-4175-B670-D696A29796CA}.exe"	2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EB0F6CF-919A-4505-B70A-84F8336F172D}	{E7630F3F-659D-4175-B670-D696A29796CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8672AF95-D833-49a8-94AC-689AE0C8B3C1}	{7CD4C260-A5D6-4199-AC50-96BB16BC525F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7EB0F6CF-919A-4505-B70A-84F8336F172D}\stubpath = "C:\\Windows\\{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe"	{E7630F3F-659D-4175-B670-D696A29796CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF92598B-A82B-4ab9-9A66-8112CF035587}\stubpath = "C:\\Windows\\{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe"	{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F41823E-B513-440a-9489-52E1E3F00440}\stubpath = "C:\\Windows\\{9F41823E-B513-440a-9489-52E1E3F00440}.exe"	{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}	{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D961FB69-C0FD-44b7-AA50-5971718FFE70}\stubpath = "C:\\Windows\\{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe"	{087F787C-7137-4d10-B853-92A1432448F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{106237B4-EE59-4b77-9202-319E78AF0967}	{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D961FB69-C0FD-44b7-AA50-5971718FFE70}	{087F787C-7137-4d10-B853-92A1432448F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{106237B4-EE59-4b77-9202-319E78AF0967}\stubpath = "C:\\Windows\\{106237B4-EE59-4b77-9202-319E78AF0967}.exe"	{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7630F3F-659D-4175-B670-D696A29796CA}	2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF92598B-A82B-4ab9-9A66-8112CF035587}	{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}	{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82A0FC25-F1AC-40c6-B524-1C0456965F9B}\stubpath = "C:\\Windows\\{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe"	{9F41823E-B513-440a-9489-52E1E3F00440}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}\stubpath = "C:\\Windows\\{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe"	{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{087F787C-7137-4d10-B853-92A1432448F9}	{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD4C260-A5D6-4199-AC50-96BB16BC525F}\stubpath = "C:\\Windows\\{7CD4C260-A5D6-4199-AC50-96BB16BC525F}.exe"	{106237B4-EE59-4b77-9202-319E78AF0967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}\stubpath = "C:\\Windows\\{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe"	{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F41823E-B513-440a-9489-52E1E3F00440}	{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82A0FC25-F1AC-40c6-B524-1C0456965F9B}	{9F41823E-B513-440a-9489-52E1E3F00440}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{087F787C-7137-4d10-B853-92A1432448F9}\stubpath = "C:\\Windows\\{087F787C-7137-4d10-B853-92A1432448F9}.exe"	{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD4C260-A5D6-4199-AC50-96BB16BC525F}	{106237B4-EE59-4b77-9202-319E78AF0967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8672AF95-D833-49a8-94AC-689AE0C8B3C1}\stubpath = "C:\\Windows\\{8672AF95-D833-49a8-94AC-689AE0C8B3C1}.exe"	{7CD4C260-A5D6-4199-AC50-96BB16BC525F}.exe

Executes dropped EXE 12 IoCs

pid	Process
2976	{E7630F3F-659D-4175-B670-D696A29796CA}.exe
2172	{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe
1916	{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe
4680	{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe
976	{9F41823E-B513-440a-9489-52E1E3F00440}.exe
4864	{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe
4236	{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe
2940	{087F787C-7137-4d10-B853-92A1432448F9}.exe
2664	{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe
1628	{106237B4-EE59-4b77-9202-319E78AF0967}.exe
3952	{7CD4C260-A5D6-4199-AC50-96BB16BC525F}.exe
872	{8672AF95-D833-49a8-94AC-689AE0C8B3C1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E7630F3F-659D-4175-B670-D696A29796CA}.exe	2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe
File created	C:\Windows\{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe	{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe
File created	C:\Windows\{9F41823E-B513-440a-9489-52E1E3F00440}.exe	{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe
File created	C:\Windows\{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe	{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe
File created	C:\Windows\{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe	{087F787C-7137-4d10-B853-92A1432448F9}.exe
File created	C:\Windows\{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe	{E7630F3F-659D-4175-B670-D696A29796CA}.exe
File created	C:\Windows\{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe	{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe
File created	C:\Windows\{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe	{9F41823E-B513-440a-9489-52E1E3F00440}.exe
File created	C:\Windows\{087F787C-7137-4d10-B853-92A1432448F9}.exe	{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe
File created	C:\Windows\{106237B4-EE59-4b77-9202-319E78AF0967}.exe	{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe
File created	C:\Windows\{7CD4C260-A5D6-4199-AC50-96BB16BC525F}.exe	{106237B4-EE59-4b77-9202-319E78AF0967}.exe
File created	C:\Windows\{8672AF95-D833-49a8-94AC-689AE0C8B3C1}.exe	{7CD4C260-A5D6-4199-AC50-96BB16BC525F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3284	2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2976	{E7630F3F-659D-4175-B670-D696A29796CA}.exe
Token: SeIncBasePriorityPrivilege	2172	{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe
Token: SeIncBasePriorityPrivilege	1916	{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe
Token: SeIncBasePriorityPrivilege	4680	{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe
Token: SeIncBasePriorityPrivilege	976	{9F41823E-B513-440a-9489-52E1E3F00440}.exe
Token: SeIncBasePriorityPrivilege	4864	{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe
Token: SeIncBasePriorityPrivilege	4236	{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe
Token: SeIncBasePriorityPrivilege	2940	{087F787C-7137-4d10-B853-92A1432448F9}.exe
Token: SeIncBasePriorityPrivilege	2664	{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe
Token: SeIncBasePriorityPrivilege	1628	{106237B4-EE59-4b77-9202-319E78AF0967}.exe
Token: SeIncBasePriorityPrivilege	3952	{7CD4C260-A5D6-4199-AC50-96BB16BC525F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 2976	3284	2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe	92
PID 3284 wrote to memory of 2976	3284	2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe	92
PID 3284 wrote to memory of 2976	3284	2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe	92
PID 3284 wrote to memory of 752	3284	2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe	93
PID 3284 wrote to memory of 752	3284	2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe	93
PID 3284 wrote to memory of 752	3284	2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe	93
PID 2976 wrote to memory of 2172	2976	{E7630F3F-659D-4175-B670-D696A29796CA}.exe	94
PID 2976 wrote to memory of 2172	2976	{E7630F3F-659D-4175-B670-D696A29796CA}.exe	94
PID 2976 wrote to memory of 2172	2976	{E7630F3F-659D-4175-B670-D696A29796CA}.exe	94
PID 2976 wrote to memory of 4696	2976	{E7630F3F-659D-4175-B670-D696A29796CA}.exe	95
PID 2976 wrote to memory of 4696	2976	{E7630F3F-659D-4175-B670-D696A29796CA}.exe	95
PID 2976 wrote to memory of 4696	2976	{E7630F3F-659D-4175-B670-D696A29796CA}.exe	95
PID 2172 wrote to memory of 1916	2172	{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe	97
PID 2172 wrote to memory of 1916	2172	{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe	97
PID 2172 wrote to memory of 1916	2172	{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe	97
PID 2172 wrote to memory of 396	2172	{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe	98
PID 2172 wrote to memory of 396	2172	{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe	98
PID 2172 wrote to memory of 396	2172	{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe	98
PID 1916 wrote to memory of 4680	1916	{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe	99
PID 1916 wrote to memory of 4680	1916	{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe	99
PID 1916 wrote to memory of 4680	1916	{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe	99
PID 1916 wrote to memory of 3916	1916	{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe	100
PID 1916 wrote to memory of 3916	1916	{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe	100
PID 1916 wrote to memory of 3916	1916	{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe	100
PID 4680 wrote to memory of 976	4680	{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe	101
PID 4680 wrote to memory of 976	4680	{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe	101
PID 4680 wrote to memory of 976	4680	{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe	101
PID 4680 wrote to memory of 4948	4680	{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe	102
PID 4680 wrote to memory of 4948	4680	{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe	102
PID 4680 wrote to memory of 4948	4680	{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe	102
PID 976 wrote to memory of 4864	976	{9F41823E-B513-440a-9489-52E1E3F00440}.exe	103
PID 976 wrote to memory of 4864	976	{9F41823E-B513-440a-9489-52E1E3F00440}.exe	103
PID 976 wrote to memory of 4864	976	{9F41823E-B513-440a-9489-52E1E3F00440}.exe	103
PID 976 wrote to memory of 3012	976	{9F41823E-B513-440a-9489-52E1E3F00440}.exe	104
PID 976 wrote to memory of 3012	976	{9F41823E-B513-440a-9489-52E1E3F00440}.exe	104
PID 976 wrote to memory of 3012	976	{9F41823E-B513-440a-9489-52E1E3F00440}.exe	104
PID 4864 wrote to memory of 4236	4864	{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe	105
PID 4864 wrote to memory of 4236	4864	{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe	105
PID 4864 wrote to memory of 4236	4864	{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe	105
PID 4864 wrote to memory of 1536	4864	{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe	106
PID 4864 wrote to memory of 1536	4864	{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe	106
PID 4864 wrote to memory of 1536	4864	{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe	106
PID 4236 wrote to memory of 2940	4236	{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe	107
PID 4236 wrote to memory of 2940	4236	{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe	107
PID 4236 wrote to memory of 2940	4236	{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe	107
PID 4236 wrote to memory of 2688	4236	{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe	108
PID 4236 wrote to memory of 2688	4236	{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe	108
PID 4236 wrote to memory of 2688	4236	{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe	108
PID 2940 wrote to memory of 2664	2940	{087F787C-7137-4d10-B853-92A1432448F9}.exe	109
PID 2940 wrote to memory of 2664	2940	{087F787C-7137-4d10-B853-92A1432448F9}.exe	109
PID 2940 wrote to memory of 2664	2940	{087F787C-7137-4d10-B853-92A1432448F9}.exe	109
PID 2940 wrote to memory of 436	2940	{087F787C-7137-4d10-B853-92A1432448F9}.exe	110
PID 2940 wrote to memory of 436	2940	{087F787C-7137-4d10-B853-92A1432448F9}.exe	110
PID 2940 wrote to memory of 436	2940	{087F787C-7137-4d10-B853-92A1432448F9}.exe	110
PID 2664 wrote to memory of 1628	2664	{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe	111
PID 2664 wrote to memory of 1628	2664	{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe	111
PID 2664 wrote to memory of 1628	2664	{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe	111
PID 2664 wrote to memory of 4928	2664	{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe	112
PID 2664 wrote to memory of 4928	2664	{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe	112
PID 2664 wrote to memory of 4928	2664	{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe	112
PID 1628 wrote to memory of 3952	1628	{106237B4-EE59-4b77-9202-319E78AF0967}.exe	113
PID 1628 wrote to memory of 3952	1628	{106237B4-EE59-4b77-9202-319E78AF0967}.exe	113
PID 1628 wrote to memory of 3952	1628	{106237B4-EE59-4b77-9202-319E78AF0967}.exe	113
PID 1628 wrote to memory of 1592	1628	{106237B4-EE59-4b77-9202-319E78AF0967}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_7410c56b2660a3bdf505aaad75756cb8_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\{E7630F3F-659D-4175-B670-D696A29796CA}.exe
  C:\Windows\{E7630F3F-659D-4175-B670-D696A29796CA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe
    C:\Windows\{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe
      C:\Windows\{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe
        
        C:\Windows\{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4680
      - C:\Windows\{9F41823E-B513-440a-9489-52E1E3F00440}.exe
        
        C:\Windows\{9F41823E-B513-440a-9489-52E1E3F00440}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe
        
        C:\Windows\{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe
        
        C:\Windows\{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\{087F787C-7137-4d10-B853-92A1432448F9}.exe
        
        C:\Windows\{087F787C-7137-4d10-B853-92A1432448F9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe
        
        C:\Windows\{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{106237B4-EE59-4b77-9202-319E78AF0967}.exe
        
        C:\Windows\{106237B4-EE59-4b77-9202-319E78AF0967}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{7CD4C260-A5D6-4199-AC50-96BB16BC525F}.exe
        
        C:\Windows\{7CD4C260-A5D6-4199-AC50-96BB16BC525F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\Windows\{8672AF95-D833-49a8-94AC-689AE0C8B3C1}.exe
        
        C:\Windows\{8672AF95-D833-49a8-94AC-689AE0C8B3C1}.exe
        13⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD4C~1.EXE > nul
        13⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10623~1.EXE > nul
        12⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D961F~1.EXE > nul
        11⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{087F7~1.EXE > nul
        10⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A181B~1.EXE > nul
        9⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82A0F~1.EXE > nul
        8⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F418~1.EXE > nul
        7⤵
        
        PID:3012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89FC1~1.EXE > nul
        6⤵
        
        PID:4948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF925~1.EXE > nul
        5⤵
        
        PID:3916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7EB0F~1.EXE > nul
      4⤵
      PID:396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E7630~1.EXE > nul
    3⤵
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{087F787C-7137-4d10-B853-92A1432448F9}.exe

Filesize
216KB

MD5
4f9389bf6c06a2bc3419e0358eeaaa1e

SHA1
fae95cbb2b5f1ba92e2f0762819d8e108638c8df

SHA256
e7f1bae9db7b07d560e7d9e40dd5c1a2fd5a2b3e975e15cae9738c063b118219

SHA512
1fe1d7e1a4e7e677396a915d8fd90d9f324ccc71d20ac5bf584ea982a81def574853b6105f6959b109ecd100a0704461635524907e7861e58f21f12908ce91a5

Download Submit
C:\Windows\{106237B4-EE59-4b77-9202-319E78AF0967}.exe

Filesize
216KB

MD5
2a401c4579b9056aa3977eb7f9bb60b3

SHA1
e7665869fe8fe67c97d7ce4a6fe8b1975cb8260d

SHA256
25a37dee9b4df2f22c41f9cf0200ead95ea674135a19566dd540b018cb24e6b9

SHA512
125eb5d7aa60ba3402501c962ae29e431631d67440ffc7399b4b436169b193bfc297d68a93cd81e2c117ea16c647b2b65505b1d2fb3e3b3a7a6720f3c0f3db32

Download Submit
C:\Windows\{7CD4C260-A5D6-4199-AC50-96BB16BC525F}.exe

Filesize
216KB

MD5
273c4463570c7d5de67f228d9a480736

SHA1
81edda50c62d1a650eb5eb294cef8532e437e2b3

SHA256
40483b9d75044bb9633d40bb09736b3e1bcde45cb27d543bc7159d2fdf19b860

SHA512
35a74458d0773e866862edc9f625f74f5a3920fc94287c9d4e9bd70a33e69e75546f0f87cedbadcf091e5e9b4f76e07411994f8e4acd5e14fddeb84f1f9b2f35

Download Submit
C:\Windows\{7EB0F6CF-919A-4505-B70A-84F8336F172D}.exe

Filesize
216KB

MD5
e6d9e5820f8119b847acb53c3bccaaf8

SHA1
9e8d0b3e1cd44a9fe48c79c79843687c280212df

SHA256
c840ba2d38f443b5e1a25895d8c4005332445439baefa78f31a5703aaeb557bb

SHA512
577a4cf62b0d645eb02ea020dcf5c29c43ad2aba0a550099aaf7b728fc7010f172d5bade4b9666a7af38d8ba4d6c9974c6adaa92304fd6ef7fd62b1268b8ed5c

Download Submit
C:\Windows\{82A0FC25-F1AC-40c6-B524-1C0456965F9B}.exe

Filesize
216KB

MD5
df70cb3b8ccebaf0386ab517d2050aa2

SHA1
f07b54739dceec4d36596841e705edddb02fa2b5

SHA256
9fcbd0b4fbfb1e444ec66714bc8278adcbe61aa3ac1dfb0596b43a0217d11b3a

SHA512
6e5d1555b1b92debbe4a5eea7528f4cd061fcb35d29c5d17be7b6986c42538c20488c37777cf6a0a6109bb8487ad470a0fe7c61dd5e31a4a60d0e2d7cfc1dd4b

Download Submit
C:\Windows\{8672AF95-D833-49a8-94AC-689AE0C8B3C1}.exe

Filesize
216KB

MD5
9ab5c0670cb4bcd96078b06101768d1c

SHA1
6deaa8af666c7a863c5908868968542d16ecfea2

SHA256
4dc5c4e5e6fdbbaa20653771ceff93b842f1df40fb1a7b4ba8856f0bb2de6829

SHA512
3c99802ca7f06b607c9cd5b1fa6b0f1bce9a93c4498567fd418f75ea373be094d6e9d6b8a92149f63645856cbaef412d002deb9286c3747553b31f0c01785df4

Download Submit
C:\Windows\{89FC1928-A36F-4fe4-B7FC-47B6A0AD30EF}.exe

Filesize
216KB

MD5
17510191a8d551241de0ef0af7b8d2a0

SHA1
a5341b68584a92f6b307e7bed8d4edf00e8c80e8

SHA256
20f092eaed6583b285a4a46e08dd0623b616e296b237d5da5773312274894bb7

SHA512
3d5c3ef7adf8796d4ab6bd356829a9a05e2861a59df6e697864bc082a574966e5db078a5df66751a7e6c6e061b3eb6807767f6f9c34030f3c81332312ea543ec

Download Submit
C:\Windows\{9F41823E-B513-440a-9489-52E1E3F00440}.exe

Filesize
216KB

MD5
e8f80f26472fda8ccd855c7299e185eb

SHA1
75bbea2b883f576a244a2e63f7cd729f4ffa0de7

SHA256
186b9f75390faea35ca6e73dd228194977c3e9a9e8babaf57e3c0ae0d9fe8937

SHA512
bd86f99ff93f9f373f3ad7c36216761a42ca1a32b64b6676dccdf2b709d33dbc9afb0aaf1f9c30eb822e2cfb21a44a5ae67fa3bcae764b6d285c57ba6dd98566

Download Submit
C:\Windows\{A181B0CF-8832-4bba-A5DB-62DFAFB8F80A}.exe

Filesize
216KB

MD5
8b40a89a2366705a9c9047c76033d80b

SHA1
aad25c422ff02fcf35d4d0a19b5d1a95e9b7f71d

SHA256
148cb10dc34c5078a4d9ac990afc1760dc1b6fb6e6d6b1c267d80d2d6050a95b

SHA512
2e9df1a77dc63eabd79a599f8ab7dd3de85d1520ecc5d6481197b4247491736c0dec8da5abcabaca0af0aae171020c342c9858d6044e705f962af8815b3eb7ec

Download Submit
C:\Windows\{CF92598B-A82B-4ab9-9A66-8112CF035587}.exe

Filesize
216KB

MD5
8dd2662b3c47e56a90dbd4dc76c5febc

SHA1
5547b26b66c40c77840b284a61c7b75f133cd0ed

SHA256
41902995bed1dd9f75a40de9f13a5faed5a745c5164856d16b02a36b6ef12bbf

SHA512
894b7ed8abcfb8ff4168f5eac5197d9304699c24b7e839dae9be3cae1e5f340be71a710afe74667674042d249830ad4316215db9420d2b2ce85ccb688f6d0cc2

Download Submit
C:\Windows\{D961FB69-C0FD-44b7-AA50-5971718FFE70}.exe

Filesize
216KB

MD5
e0c2943b658ed533ebec5f94bfa04217

SHA1
c5107389a77c295a51a24ae15d912ac9fea114fa

SHA256
00c177550d6f7fc5944ef79828bd9222416e2ed5e6b3cfa30c611181b8f86f05

SHA512
db072de684aa71d7511b6d248fddcf8980e4e6331ad5af3a7a31b4ac1b50b1a7fbb4039081c2b502dcd4a74740d8d2f549de39c87aa3956e51bd941cb054d4ce

Download Submit
C:\Windows\{E7630F3F-659D-4175-B670-D696A29796CA}.exe

Filesize
216KB

MD5
dcaa011f38d024b7fde8983e3377e2f2

SHA1
b4fd6504cbfdd3c6d8112939e38870af906551b4

SHA256
83933f9ef8fa174e78246d9b59c7425f4ede821b70e8c3fbf8f748383dcbfc04

SHA512
97e6663e8f5f8d6f70563fb3e39d74c9e2e98a1eb37c52edf6ed11709efcc5082fe6a03781b773d9fabba476ad8e1665cb5c8a4c3b360979ce02f15c0de23884

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads