0403a5696d6f3044a288ac106bdbca262b8b353320f1a677f277ebcb39651714

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe
Size

344KB
MD5

454824470b1627bac76882b1b989fe73
SHA1

efbbd55b529596ac0b94da4dbb0b58840fa7ecca
SHA256

0403a5696d6f3044a288ac106bdbca262b8b353320f1a677f277ebcb39651714
SHA512

37ea6004c64e0be957ea46b613dd49fcc23b99edbe29b3416d15724c3d45d54f5ddd810e696d72bb6d475670e3370e953b12a65bdedc3fab4a2746ef86798151
SSDEEP

3072:mEGh0oAlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGylqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023232-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322b-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002323d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023038-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df8-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021df7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2832F641-74EA-404b-91DF-71BCDDA56736}\stubpath = "C:\\Windows\\{2832F641-74EA-404b-91DF-71BCDDA56736}.exe"	{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65133547-476F-41bf-B942-A7B70852794E}\stubpath = "C:\\Windows\\{65133547-476F-41bf-B942-A7B70852794E}.exe"	2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}	{F7B333DC-C335-4650-8665-77771CAD5361}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73C34860-E079-40d2-A9AF-0DEA64FA1875}	{2832F641-74EA-404b-91DF-71BCDDA56736}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}\stubpath = "C:\\Windows\\{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe"	{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{465270C7-C1F8-4c4b-907F-A156780764E6}\stubpath = "C:\\Windows\\{465270C7-C1F8-4c4b-907F-A156780764E6}.exe"	{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19B43CFE-FDCD-4a6a-9E78-B84D080914B6}\stubpath = "C:\\Windows\\{19B43CFE-FDCD-4a6a-9E78-B84D080914B6}.exe"	{465270C7-C1F8-4c4b-907F-A156780764E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}	{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B333DC-C335-4650-8665-77771CAD5361}\stubpath = "C:\\Windows\\{F7B333DC-C335-4650-8665-77771CAD5361}.exe"	{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BE05B01-5959-4e84-B55A-6D40F2185E5E}	{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}\stubpath = "C:\\Windows\\{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe"	{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}\stubpath = "C:\\Windows\\{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe"	{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}\stubpath = "C:\\Windows\\{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe"	{F7B333DC-C335-4650-8665-77771CAD5361}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2832F641-74EA-404b-91DF-71BCDDA56736}	{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65133547-476F-41bf-B942-A7B70852794E}	2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{495C03EB-BDEF-423d-A817-AD63B8B5D694}	{65133547-476F-41bf-B942-A7B70852794E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}	{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7B333DC-C335-4650-8665-77771CAD5361}	{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73C34860-E079-40d2-A9AF-0DEA64FA1875}\stubpath = "C:\\Windows\\{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe"	{2832F641-74EA-404b-91DF-71BCDDA56736}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}	{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{465270C7-C1F8-4c4b-907F-A156780764E6}	{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19B43CFE-FDCD-4a6a-9E78-B84D080914B6}	{465270C7-C1F8-4c4b-907F-A156780764E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{495C03EB-BDEF-423d-A817-AD63B8B5D694}\stubpath = "C:\\Windows\\{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe"	{65133547-476F-41bf-B942-A7B70852794E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5BE05B01-5959-4e84-B55A-6D40F2185E5E}\stubpath = "C:\\Windows\\{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe"	{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe

Executes dropped EXE 12 IoCs

pid	Process
2020	{65133547-476F-41bf-B942-A7B70852794E}.exe
4388	{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe
3400	{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe
3036	{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe
432	{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe
1536	{F7B333DC-C335-4650-8665-77771CAD5361}.exe
4416	{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe
344	{2832F641-74EA-404b-91DF-71BCDDA56736}.exe
4376	{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe
1476	{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe
1216	{465270C7-C1F8-4c4b-907F-A156780764E6}.exe
2020	{19B43CFE-FDCD-4a6a-9E78-B84D080914B6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{465270C7-C1F8-4c4b-907F-A156780764E6}.exe	{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe
File created	C:\Windows\{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe	{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe
File created	C:\Windows\{2832F641-74EA-404b-91DF-71BCDDA56736}.exe	{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe
File created	C:\Windows\{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe	{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe
File created	C:\Windows\{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe	{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe
File created	C:\Windows\{F7B333DC-C335-4650-8665-77771CAD5361}.exe	{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe
File created	C:\Windows\{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe	{F7B333DC-C335-4650-8665-77771CAD5361}.exe
File created	C:\Windows\{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe	{2832F641-74EA-404b-91DF-71BCDDA56736}.exe
File created	C:\Windows\{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe	{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe
File created	C:\Windows\{65133547-476F-41bf-B942-A7B70852794E}.exe	2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe
File created	C:\Windows\{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe	{65133547-476F-41bf-B942-A7B70852794E}.exe
File created	C:\Windows\{19B43CFE-FDCD-4a6a-9E78-B84D080914B6}.exe	{465270C7-C1F8-4c4b-907F-A156780764E6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	628	2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2020	{65133547-476F-41bf-B942-A7B70852794E}.exe
Token: SeIncBasePriorityPrivilege	4388	{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe
Token: SeIncBasePriorityPrivilege	3400	{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe
Token: SeIncBasePriorityPrivilege	3036	{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe
Token: SeIncBasePriorityPrivilege	432	{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe
Token: SeIncBasePriorityPrivilege	1536	{F7B333DC-C335-4650-8665-77771CAD5361}.exe
Token: SeIncBasePriorityPrivilege	4416	{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe
Token: SeIncBasePriorityPrivilege	344	{2832F641-74EA-404b-91DF-71BCDDA56736}.exe
Token: SeIncBasePriorityPrivilege	4376	{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe
Token: SeIncBasePriorityPrivilege	1476	{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe
Token: SeIncBasePriorityPrivilege	1216	{465270C7-C1F8-4c4b-907F-A156780764E6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2020	628	2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe	97
PID 628 wrote to memory of 2020	628	2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe	97
PID 628 wrote to memory of 2020	628	2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe	97
PID 628 wrote to memory of 2216	628	2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe	98
PID 628 wrote to memory of 2216	628	2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe	98
PID 628 wrote to memory of 2216	628	2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe	98
PID 2020 wrote to memory of 4388	2020	{65133547-476F-41bf-B942-A7B70852794E}.exe	99
PID 2020 wrote to memory of 4388	2020	{65133547-476F-41bf-B942-A7B70852794E}.exe	99
PID 2020 wrote to memory of 4388	2020	{65133547-476F-41bf-B942-A7B70852794E}.exe	99
PID 2020 wrote to memory of 968	2020	{65133547-476F-41bf-B942-A7B70852794E}.exe	100
PID 2020 wrote to memory of 968	2020	{65133547-476F-41bf-B942-A7B70852794E}.exe	100
PID 2020 wrote to memory of 968	2020	{65133547-476F-41bf-B942-A7B70852794E}.exe	100
PID 4388 wrote to memory of 3400	4388	{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe	102
PID 4388 wrote to memory of 3400	4388	{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe	102
PID 4388 wrote to memory of 3400	4388	{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe	102
PID 4388 wrote to memory of 1052	4388	{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe	103
PID 4388 wrote to memory of 1052	4388	{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe	103
PID 4388 wrote to memory of 1052	4388	{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe	103
PID 3400 wrote to memory of 3036	3400	{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe	104
PID 3400 wrote to memory of 3036	3400	{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe	104
PID 3400 wrote to memory of 3036	3400	{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe	104
PID 3400 wrote to memory of 2168	3400	{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe	105
PID 3400 wrote to memory of 2168	3400	{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe	105
PID 3400 wrote to memory of 2168	3400	{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe	105
PID 3036 wrote to memory of 432	3036	{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe	106
PID 3036 wrote to memory of 432	3036	{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe	106
PID 3036 wrote to memory of 432	3036	{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe	106
PID 3036 wrote to memory of 1000	3036	{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe	107
PID 3036 wrote to memory of 1000	3036	{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe	107
PID 3036 wrote to memory of 1000	3036	{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe	107
PID 432 wrote to memory of 1536	432	{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe	108
PID 432 wrote to memory of 1536	432	{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe	108
PID 432 wrote to memory of 1536	432	{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe	108
PID 432 wrote to memory of 1800	432	{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe	109
PID 432 wrote to memory of 1800	432	{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe	109
PID 432 wrote to memory of 1800	432	{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe	109
PID 1536 wrote to memory of 4416	1536	{F7B333DC-C335-4650-8665-77771CAD5361}.exe	110
PID 1536 wrote to memory of 4416	1536	{F7B333DC-C335-4650-8665-77771CAD5361}.exe	110
PID 1536 wrote to memory of 4416	1536	{F7B333DC-C335-4650-8665-77771CAD5361}.exe	110
PID 1536 wrote to memory of 4992	1536	{F7B333DC-C335-4650-8665-77771CAD5361}.exe	111
PID 1536 wrote to memory of 4992	1536	{F7B333DC-C335-4650-8665-77771CAD5361}.exe	111
PID 1536 wrote to memory of 4992	1536	{F7B333DC-C335-4650-8665-77771CAD5361}.exe	111
PID 4416 wrote to memory of 344	4416	{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe	112
PID 4416 wrote to memory of 344	4416	{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe	112
PID 4416 wrote to memory of 344	4416	{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe	112
PID 4416 wrote to memory of 4340	4416	{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe	113
PID 4416 wrote to memory of 4340	4416	{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe	113
PID 4416 wrote to memory of 4340	4416	{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe	113
PID 344 wrote to memory of 4376	344	{2832F641-74EA-404b-91DF-71BCDDA56736}.exe	114
PID 344 wrote to memory of 4376	344	{2832F641-74EA-404b-91DF-71BCDDA56736}.exe	114
PID 344 wrote to memory of 4376	344	{2832F641-74EA-404b-91DF-71BCDDA56736}.exe	114
PID 344 wrote to memory of 4960	344	{2832F641-74EA-404b-91DF-71BCDDA56736}.exe	115
PID 344 wrote to memory of 4960	344	{2832F641-74EA-404b-91DF-71BCDDA56736}.exe	115
PID 344 wrote to memory of 4960	344	{2832F641-74EA-404b-91DF-71BCDDA56736}.exe	115
PID 4376 wrote to memory of 1476	4376	{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe	116
PID 4376 wrote to memory of 1476	4376	{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe	116
PID 4376 wrote to memory of 1476	4376	{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe	116
PID 4376 wrote to memory of 2260	4376	{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe	117
PID 4376 wrote to memory of 2260	4376	{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe	117
PID 4376 wrote to memory of 2260	4376	{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe	117
PID 1476 wrote to memory of 1216	1476	{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe	118
PID 1476 wrote to memory of 1216	1476	{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe	118
PID 1476 wrote to memory of 1216	1476	{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe	118
PID 1476 wrote to memory of 3440	1476	{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_454824470b1627bac76882b1b989fe73_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\{65133547-476F-41bf-B942-A7B70852794E}.exe
  C:\Windows\{65133547-476F-41bf-B942-A7B70852794E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe
    C:\Windows\{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe
      C:\Windows\{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\Windows\{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe
        
        C:\Windows\{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe
        
        C:\Windows\{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\{F7B333DC-C335-4650-8665-77771CAD5361}.exe
        
        C:\Windows\{F7B333DC-C335-4650-8665-77771CAD5361}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe
        
        C:\Windows\{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\{2832F641-74EA-404b-91DF-71BCDDA56736}.exe
        
        C:\Windows\{2832F641-74EA-404b-91DF-71BCDDA56736}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe
        
        C:\Windows\{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe
        
        C:\Windows\{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\{465270C7-C1F8-4c4b-907F-A156780764E6}.exe
        
        C:\Windows\{465270C7-C1F8-4c4b-907F-A156780764E6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\{19B43CFE-FDCD-4a6a-9E78-B84D080914B6}.exe
        
        C:\Windows\{19B43CFE-FDCD-4a6a-9E78-B84D080914B6}.exe
        13⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46527~1.EXE > nul
        13⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6500B~1.EXE > nul
        12⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73C34~1.EXE > nul
        11⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2832F~1.EXE > nul
        10⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A24C~1.EXE > nul
        9⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7B33~1.EXE > nul
        8⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C44D9~1.EXE > nul
        7⤵
        
        PID:1800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87A78~1.EXE > nul
        6⤵
        
        PID:1000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BE05~1.EXE > nul
        5⤵
        
        PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{495C0~1.EXE > nul
      4⤵
      PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{65133~1.EXE > nul
    3⤵
    PID:968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19B43CFE-FDCD-4a6a-9E78-B84D080914B6}.exe

Filesize
344KB

MD5
c8a3771c6058103183869172205e0030

SHA1
420f03244352bf08c0bbb65646c98ff3656ba66e

SHA256
b63f450a00cb36f01cde4e0bbc6410d1812ba902806682a293c93b83e3a87c71

SHA512
fb71999ecd45fe2f2185067661be999570b8c6a6d59a97d02a793510035769ed32f53cf56a46ad301115a8854cb4854e15b07e93e82335cb0d195f9c00608f83

Download Submit
C:\Windows\{2832F641-74EA-404b-91DF-71BCDDA56736}.exe

Filesize
344KB

MD5
2f319be56906e5f41eab44dc7138d2a1

SHA1
10049762259050b2e1bc2269891ca11a77cbc47b

SHA256
827a1732321b36a8f654b6944e7e6cbe9066559d4e32830b5f2c62b220d07a1d

SHA512
1a77907b71e1e2c4cf8d766471b55214ab8af68aa8b1e7773b44e45582955d3e1b07899b9b88126f14e5310b24679a9f3c808164e980c8888cf7349b042d0bcb

Download Submit
C:\Windows\{465270C7-C1F8-4c4b-907F-A156780764E6}.exe

Filesize
344KB

MD5
a66af1f632077b48f1798c2a6edd0601

SHA1
eee52884c68eb5328b69622f5896d6db50c0ef0b

SHA256
bf306208d88df3ce673f56d20047bcb3bb51d2d47e19b5b6019d04c76f0880ad

SHA512
b872f96e9d998d4a11560104fe29a0a067ea68d0df8e91528616b92f42581e6140695f4d1778a213a992961b80ec2a74f49f645bff4d357796a99c91ecfc1229

Download Submit
C:\Windows\{495C03EB-BDEF-423d-A817-AD63B8B5D694}.exe

Filesize
344KB

MD5
86825e434c0f6a48d795419532cb82d2

SHA1
68614bd123b29c6a0dbd5fde1e80d5a3d341fee0

SHA256
c7937c37cd09e43bdbb8b0166fa41cb22f792cb52a510ddfcf8fcf624fd9b381

SHA512
3125b83000464c2a1256036da09b94bbef15c4d9837a5b031a0c0aa2aacd0e2e1e204279d0a1474aae77c1dc321709d017f9269a0243b1be7408b5d64975aeb4

Download Submit
C:\Windows\{5BE05B01-5959-4e84-B55A-6D40F2185E5E}.exe

Filesize
344KB

MD5
2ed8f1bcc8bdfe2a5ba99d489d50f497

SHA1
f60e2c05218dcfb36b6a80ab481577033bc6234d

SHA256
aca63ee09673343881babd74cd00029f033641e6ebb850e21abcb6195a529c2b

SHA512
3e06288869ebd9b6bb1db7407f3cb3acf54eda4dce84670038aa8d2490564d71f915703db867eb7156ab1dc5259a3efe86b872902ef5f44c4640e78d8141e005

Download Submit
C:\Windows\{6500BC19-F39B-4b9a-B0CA-E1EA4840A073}.exe

Filesize
344KB

MD5
f6716ba2824d91651d61e3ba50b2b576

SHA1
7cb700a7553a01e92a8314f3875d0577104266e9

SHA256
b7d06f9ee184feeabb41f3f97a38efa7eb991bd742503f0abbfd4f0fe67a15ec

SHA512
f3301457939136eafdc4874acc229a7804d83cf3d520ec2bdf736f09cbf759d5198719e01e4ac249c31200615744ba9413cd336bd9c9e4105c1d324394d457d3

Download Submit
C:\Windows\{65133547-476F-41bf-B942-A7B70852794E}.exe

Filesize
344KB

MD5
d40f8d20abfe982fca19702ab912e9c2

SHA1
06636666c415eae41e2c58ec79c4bce854612800

SHA256
e1902cca8e45b895a5b92e5a6b6c90d6546cb6d96329438e390afbd8b075d789

SHA512
c6e7d5e2ca9761b6a027dd675d8af6e625316dfd9be71a8237427b5b620c0263828c2b50663f9da575cedf4459de0e0a69f2d83bef360e9cb8af36ef38044ce5

Download Submit
C:\Windows\{73C34860-E079-40d2-A9AF-0DEA64FA1875}.exe

Filesize
344KB

MD5
c9a98b55c6599a71c0b31425cf5c6dc7

SHA1
07978cbcc945258555c585661650f128dae8848d

SHA256
6685d4398dbba9c0701416f7d35c8a277f78b22a0903dd19a09361c6db82b038

SHA512
8db0e8f79fda72fcf5bb1276ea37515d0839ae48981a4c805d1c41d6524f062736476870448ebcffe0735a420dd19bbe3d0a3142d10f8a14babbc6092ca580fb

Download Submit
C:\Windows\{7A24C29C-D21A-4eaa-B44D-DC677FAB9632}.exe

Filesize
344KB

MD5
4ab93f9241ae939a60e3b8f49d3d78bf

SHA1
18e6aeb2abbd1b3c05b51c59efc136b6640b38de

SHA256
940ca50b6042c357a3a1559def9b0ea53a4cf5ac2f571c368594dc6399ab4242

SHA512
de1372d37f1d7b590f9e38b806f79542b2e90f217f211be8753c4ef7b37566e52e53761488bf5d69c87bbb19ee07378a542693764baeba0ad4ec82097ea39afa

Download Submit
C:\Windows\{87A78AC9-FE23-47c4-B985-2F59E7ADF1E7}.exe

Filesize
344KB

MD5
835a1d9d32e378029d1fa1d01577b3fe

SHA1
198e7ad15ab0cf460b4493788b9ff7c0bf1af6d5

SHA256
9f5ebf69ee97ffb68c3890505c4e2cfb3c1084bb17d8f9af46f49a4b28b1d454

SHA512
5a880f1d519994053f8e15584043e5acc476dd5d142a04e80ce74cb339f8ce41add933909add17707e13eaf67e6946c311a931785a7f3337417074770f00d8ab

Download Submit
C:\Windows\{C44D9CAA-8392-40c2-8D4B-6BB13B74E750}.exe

Filesize
344KB

MD5
a6c2e27147f43f37def640c605128fa8

SHA1
a73600e737a00872cdf268e5396a73c32b4383f4

SHA256
b5766fd00aefdcd0ce9d2438248b9fbbe291516f3806aed284ee037efa7a7711

SHA512
c4a0be9f8a14fd8b8cda76e842a372e3afc714186c3cc86d1fac8a933db2c7738861b08a8a6bedea3b8c41aa16d16a1e3a02f892a24b84c6bdbe43c15e3e0a3e

Download Submit
C:\Windows\{F7B333DC-C335-4650-8665-77771CAD5361}.exe

Filesize
344KB

MD5
3040b50d60e777613febcdb3b46728fa

SHA1
470f36d8c551ef6092086632cce8f1a1442c22be

SHA256
b362f94b3cfe8381d4e7a8a8c2adbf8e6be647fc2f2fd598e784ece039d043c2

SHA512
681bc6c0bd57f71f1fc6b2efd3e41884fbc596d3210f4df932d5d18b64de70b524252093d78e9107a43e8d44d25ff1b832730d3824d6fad575cf05e2b4506041

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads