332c3deae86895dc3d6096686596c645afba2414f31f69ac022994da2a2a0f21

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe
Size

216KB
MD5

25a1894246c3759287116921baa4b1cd
SHA1

5d92e057ca228577fa32b424f96d5b5a3604fac2
SHA256

332c3deae86895dc3d6096686596c645afba2414f31f69ac022994da2a2a0f21
SHA512

abd3a93d9df861903ad18fbbfd8f3fdd7670b0e1b17dfc45ee9ed455b4c871ead077e78ceed0edfdf7cc532347c1a7fca5835ff19154cd3c767e902dd8b4c0ef
SSDEEP

3072:jEGh0ool+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGylEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231d8-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231e7-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e804-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231e7-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e804-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e804-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}	{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9F1DA47-F933-45de-81BC-3CD08598C92A}	{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DB2EC0B-B436-42e0-B063-577A99796D6A}	{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DB2EC0B-B436-42e0-B063-577A99796D6A}\stubpath = "C:\\Windows\\{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe"	{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3B62C06-C3A3-4e70-BD69-0746C72938AA}	{91B4134D-0C2E-4b48-8D96-309648032880}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EF75D98-9446-4385-857A-EA133790E03E}\stubpath = "C:\\Windows\\{1EF75D98-9446-4385-857A-EA133790E03E}.exe"	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFF08307-F601-45da-8EC9-6AE7165C228A}	{1EF75D98-9446-4385-857A-EA133790E03E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91B4134D-0C2E-4b48-8D96-309648032880}\stubpath = "C:\\Windows\\{91B4134D-0C2E-4b48-8D96-309648032880}.exe"	{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E0F7E9B-37C1-4a32-A31B-F4E705469056}	{9FA86C83-C254-41ae-A54B-913EF6D0DF6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E0F7E9B-37C1-4a32-A31B-F4E705469056}\stubpath = "C:\\Windows\\{5E0F7E9B-37C1-4a32-A31B-F4E705469056}.exe"	{9FA86C83-C254-41ae-A54B-913EF6D0DF6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF1835A8-AC8C-4142-9941-81B4872C017E}	{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF1835A8-AC8C-4142-9941-81B4872C017E}\stubpath = "C:\\Windows\\{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe"	{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}\stubpath = "C:\\Windows\\{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe"	{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9F1DA47-F933-45de-81BC-3CD08598C92A}\stubpath = "C:\\Windows\\{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe"	{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAD06778-8180-4954-9477-9FF0201DCFAC}	{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAD06778-8180-4954-9477-9FF0201DCFAC}\stubpath = "C:\\Windows\\{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe"	{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59CCBB22-D6B0-44ea-9B84-61C2008DB134}\stubpath = "C:\\Windows\\{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe"	{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3B62C06-C3A3-4e70-BD69-0746C72938AA}\stubpath = "C:\\Windows\\{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe"	{91B4134D-0C2E-4b48-8D96-309648032880}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EF75D98-9446-4385-857A-EA133790E03E}	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFF08307-F601-45da-8EC9-6AE7165C228A}\stubpath = "C:\\Windows\\{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe"	{1EF75D98-9446-4385-857A-EA133790E03E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FA86C83-C254-41ae-A54B-913EF6D0DF6C}	{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FA86C83-C254-41ae-A54B-913EF6D0DF6C}\stubpath = "C:\\Windows\\{9FA86C83-C254-41ae-A54B-913EF6D0DF6C}.exe"	{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59CCBB22-D6B0-44ea-9B84-61C2008DB134}	{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91B4134D-0C2E-4b48-8D96-309648032880}	{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe

Executes dropped EXE 12 IoCs

pid	Process
4764	{1EF75D98-9446-4385-857A-EA133790E03E}.exe
2432	{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe
1948	{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe
3488	{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe
2228	{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe
5008	{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe
4680	{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe
636	{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe
804	{91B4134D-0C2E-4b48-8D96-309648032880}.exe
4372	{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe
208	{9FA86C83-C254-41ae-A54B-913EF6D0DF6C}.exe
4536	{5E0F7E9B-37C1-4a32-A31B-F4E705469056}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1EF75D98-9446-4385-857A-EA133790E03E}.exe	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe
File created	C:\Windows\{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe	{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe
File created	C:\Windows\{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe	{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe
File created	C:\Windows\{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe	{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe
File created	C:\Windows\{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe	{91B4134D-0C2E-4b48-8D96-309648032880}.exe
File created	C:\Windows\{5E0F7E9B-37C1-4a32-A31B-F4E705469056}.exe	{9FA86C83-C254-41ae-A54B-913EF6D0DF6C}.exe
File created	C:\Windows\{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe	{1EF75D98-9446-4385-857A-EA133790E03E}.exe
File created	C:\Windows\{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe	{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe
File created	C:\Windows\{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe	{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe
File created	C:\Windows\{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe	{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe
File created	C:\Windows\{91B4134D-0C2E-4b48-8D96-309648032880}.exe	{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe
File created	C:\Windows\{9FA86C83-C254-41ae-A54B-913EF6D0DF6C}.exe	{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	456	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4764	{1EF75D98-9446-4385-857A-EA133790E03E}.exe
Token: SeIncBasePriorityPrivilege	2432	{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe
Token: SeIncBasePriorityPrivilege	1948	{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe
Token: SeIncBasePriorityPrivilege	3488	{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe
Token: SeIncBasePriorityPrivilege	2228	{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe
Token: SeIncBasePriorityPrivilege	5008	{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe
Token: SeIncBasePriorityPrivilege	4680	{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe
Token: SeIncBasePriorityPrivilege	636	{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe
Token: SeIncBasePriorityPrivilege	804	{91B4134D-0C2E-4b48-8D96-309648032880}.exe
Token: SeIncBasePriorityPrivilege	4372	{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe
Token: SeIncBasePriorityPrivilege	208	{9FA86C83-C254-41ae-A54B-913EF6D0DF6C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 4764	456	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	85
PID 456 wrote to memory of 4764	456	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	85
PID 456 wrote to memory of 4764	456	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	85
PID 456 wrote to memory of 1712	456	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	86
PID 456 wrote to memory of 1712	456	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	86
PID 456 wrote to memory of 1712	456	2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe	86
PID 4764 wrote to memory of 2432	4764	{1EF75D98-9446-4385-857A-EA133790E03E}.exe	94
PID 4764 wrote to memory of 2432	4764	{1EF75D98-9446-4385-857A-EA133790E03E}.exe	94
PID 4764 wrote to memory of 2432	4764	{1EF75D98-9446-4385-857A-EA133790E03E}.exe	94
PID 4764 wrote to memory of 368	4764	{1EF75D98-9446-4385-857A-EA133790E03E}.exe	95
PID 4764 wrote to memory of 368	4764	{1EF75D98-9446-4385-857A-EA133790E03E}.exe	95
PID 4764 wrote to memory of 368	4764	{1EF75D98-9446-4385-857A-EA133790E03E}.exe	95
PID 2432 wrote to memory of 1948	2432	{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe	97
PID 2432 wrote to memory of 1948	2432	{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe	97
PID 2432 wrote to memory of 1948	2432	{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe	97
PID 2432 wrote to memory of 3284	2432	{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe	98
PID 2432 wrote to memory of 3284	2432	{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe	98
PID 2432 wrote to memory of 3284	2432	{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe	98
PID 1948 wrote to memory of 3488	1948	{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe	99
PID 1948 wrote to memory of 3488	1948	{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe	99
PID 1948 wrote to memory of 3488	1948	{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe	99
PID 1948 wrote to memory of 3616	1948	{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe	100
PID 1948 wrote to memory of 3616	1948	{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe	100
PID 1948 wrote to memory of 3616	1948	{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe	100
PID 3488 wrote to memory of 2228	3488	{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe	101
PID 3488 wrote to memory of 2228	3488	{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe	101
PID 3488 wrote to memory of 2228	3488	{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe	101
PID 3488 wrote to memory of 2916	3488	{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe	102
PID 3488 wrote to memory of 2916	3488	{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe	102
PID 3488 wrote to memory of 2916	3488	{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe	102
PID 2228 wrote to memory of 5008	2228	{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe	103
PID 2228 wrote to memory of 5008	2228	{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe	103
PID 2228 wrote to memory of 5008	2228	{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe	103
PID 2228 wrote to memory of 1040	2228	{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe	104
PID 2228 wrote to memory of 1040	2228	{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe	104
PID 2228 wrote to memory of 1040	2228	{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe	104
PID 5008 wrote to memory of 4680	5008	{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe	105
PID 5008 wrote to memory of 4680	5008	{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe	105
PID 5008 wrote to memory of 4680	5008	{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe	105
PID 5008 wrote to memory of 4180	5008	{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe	106
PID 5008 wrote to memory of 4180	5008	{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe	106
PID 5008 wrote to memory of 4180	5008	{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe	106
PID 4680 wrote to memory of 636	4680	{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe	107
PID 4680 wrote to memory of 636	4680	{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe	107
PID 4680 wrote to memory of 636	4680	{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe	107
PID 4680 wrote to memory of 4788	4680	{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe	108
PID 4680 wrote to memory of 4788	4680	{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe	108
PID 4680 wrote to memory of 4788	4680	{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe	108
PID 636 wrote to memory of 804	636	{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe	109
PID 636 wrote to memory of 804	636	{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe	109
PID 636 wrote to memory of 804	636	{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe	109
PID 636 wrote to memory of 4464	636	{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe	110
PID 636 wrote to memory of 4464	636	{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe	110
PID 636 wrote to memory of 4464	636	{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe	110
PID 804 wrote to memory of 4372	804	{91B4134D-0C2E-4b48-8D96-309648032880}.exe	111
PID 804 wrote to memory of 4372	804	{91B4134D-0C2E-4b48-8D96-309648032880}.exe	111
PID 804 wrote to memory of 4372	804	{91B4134D-0C2E-4b48-8D96-309648032880}.exe	111
PID 804 wrote to memory of 1360	804	{91B4134D-0C2E-4b48-8D96-309648032880}.exe	112
PID 804 wrote to memory of 1360	804	{91B4134D-0C2E-4b48-8D96-309648032880}.exe	112
PID 804 wrote to memory of 1360	804	{91B4134D-0C2E-4b48-8D96-309648032880}.exe	112
PID 4372 wrote to memory of 208	4372	{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe	113
PID 4372 wrote to memory of 208	4372	{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe	113
PID 4372 wrote to memory of 208	4372	{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe	113
PID 4372 wrote to memory of 456	4372	{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_25a1894246c3759287116921baa4b1cd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\{1EF75D98-9446-4385-857A-EA133790E03E}.exe
  C:\Windows\{1EF75D98-9446-4385-857A-EA133790E03E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe
    C:\Windows\{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe
      C:\Windows\{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe
        
        C:\Windows\{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3488
      - C:\Windows\{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe
        
        C:\Windows\{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe
        
        C:\Windows\{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe
        
        C:\Windows\{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe
        
        C:\Windows\{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\{91B4134D-0C2E-4b48-8D96-309648032880}.exe
        
        C:\Windows\{91B4134D-0C2E-4b48-8D96-309648032880}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe
        
        C:\Windows\{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{9FA86C83-C254-41ae-A54B-913EF6D0DF6C}.exe
        
        C:\Windows\{9FA86C83-C254-41ae-A54B-913EF6D0DF6C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:208
        
        C:\Windows\{5E0F7E9B-37C1-4a32-A31B-F4E705469056}.exe
        
        C:\Windows\{5E0F7E9B-37C1-4a32-A31B-F4E705469056}.exe
        13⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FA86~1.EXE > nul
        13⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3B62~1.EXE > nul
        12⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91B41~1.EXE > nul
        11⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59CCB~1.EXE > nul
        10⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAD06~1.EXE > nul
        9⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF183~1.EXE > nul
        8⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DB2E~1.EXE > nul
        7⤵
        
        PID:1040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9F1D~1.EXE > nul
        6⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C23E5~1.EXE > nul
        5⤵
        
        PID:3616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FFF08~1.EXE > nul
      4⤵
      PID:3284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1EF75~1.EXE > nul
    3⤵
    PID:368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DB2EC0B-B436-42e0-B063-577A99796D6A}.exe

Filesize
216KB

MD5
3f75d52c373b9d48af8df1f6880833b1

SHA1
0268dac853ccb0b38d76feacda189e8119a207c7

SHA256
e4a156fdb7e298671f7a01676a8e71614ffe1c385426c599d4c43f6ddf227ec8

SHA512
a896381905192e0dd56b27b3041dc91fa87fec83061ecd3ce4eb3e23189edbd0ce84ed37a96eb1a8664c7002d6aea226fe49e4429c9971a65499930a9435c47a

Download Submit
C:\Windows\{1EF75D98-9446-4385-857A-EA133790E03E}.exe

Filesize
216KB

MD5
4b7e8874b33a2264dce80567feda431a

SHA1
e9f9dbf5daa7bb3ac7c77e4c66d53933e838b4b4

SHA256
fc4c86257f520d531b067f667177d4493d9b3e4d43ec3b52e12323957a5c4c87

SHA512
893e6a0e153ade6adeb35f3121c2fa3abe4a45dfbdb67d9b59b00ab3d89e5c665d11e914c7cb677625a9ae11a842dc9404f2239e0706f235a8b79f820a99333e

Download Submit
C:\Windows\{59CCBB22-D6B0-44ea-9B84-61C2008DB134}.exe

Filesize
216KB

MD5
87a12d8edf91d8beed44b448bc9efa0f

SHA1
68521c5c3a73b43c1bab5de7c4ce92b0dfb83fc2

SHA256
6a1f4c1f78a948652de0c82a385a57ca553e8a4352781f816ba5de19f003ffec

SHA512
c8fe1b3e616120296b60dc4ac49d23b3e47c055541212190e479a7c79e7a14ec42d34d39e827e15352904e9dfb107410c658448649dc11682e4cb9710a6bde3e

Download Submit
C:\Windows\{5E0F7E9B-37C1-4a32-A31B-F4E705469056}.exe

Filesize
216KB

MD5
d9d00f6810751fad0faec7707fa5d454

SHA1
5a783fe2d7fc683df97935ca6068546d95a0324f

SHA256
63b2568dac28a56beee2840d962e2904c90b90229bd32befc3cfe95f40d74ec4

SHA512
53f7710ad65cb4fb84fa54d3856b91716e65300749ae7f9c2e477c4d12963f942fe9c66bb453d861accdf841587f4efeb9ea28d411342f21a2b4818b8ef565d6

Download Submit
C:\Windows\{91B4134D-0C2E-4b48-8D96-309648032880}.exe

Filesize
216KB

MD5
f3ae36a09b5a2aa2e2c58e31d1d96177

SHA1
915438e77142f04f61fccaa1809ce10d310a4813

SHA256
34c16689a1e1982a8b742abff4f2892e6f9ece20622c93be60cf944ef104a405

SHA512
d39625ca2174b58806c1c62b24b9fd00b8ae1b6d0e59b2a446f9369ef4025b922d4fd6a11adcb2e1571532840f147562f0136396c60caf0fb7ea6462395e5d1d

Download Submit
C:\Windows\{9FA86C83-C254-41ae-A54B-913EF6D0DF6C}.exe

Filesize
216KB

MD5
7c9ba88addab20448502fc5b7be18907

SHA1
3585eca497f3a8f7a9818182697475e748e7d4e2

SHA256
768fd1d99d98b25bc2d7338c3f2ebcc9600bfd6efdd11e2a041ca1f88a34e157

SHA512
f6dbdf66d1ab23f872b3f5b8d18cb6e42f019f50af1a75560493cba370b6fee36d8e013aa1901c2e2cf81a6eca6db246107c4cf7a06d83fba649908819c7694c

Download Submit
C:\Windows\{BAD06778-8180-4954-9477-9FF0201DCFAC}.exe

Filesize
216KB

MD5
866b7b484bbbb25addea80f2c285faca

SHA1
0f725cce5d29fcbcab6ed2ad07dbd90d0412221a

SHA256
55a0e851ea4cbc62a283b53d9a064449af12d1242926c1ce5484af065e318b13

SHA512
f7a522fb7c32561679ecb1e0ff6309ea4c54067e99b872940ee31ba7e1e83b848544b7c69f004ab5f39c0c73604ac3e8e4bc2cab687d46db41b72169c02ef521

Download Submit
C:\Windows\{BF1835A8-AC8C-4142-9941-81B4872C017E}.exe

Filesize
216KB

MD5
b2702b2c3e2f9a15f52e736db7016251

SHA1
b704f8130fd9b7681409a20f90aa7d6e4dd6abb1

SHA256
b0abb641450a221613db082b29217a051c4e7188cb7042c50f220064c4cef57f

SHA512
da0e4096e879fb8e894945915de458d23429dbfcff904b7c7767f51f58f05372282313f5437a0b9e70f66b07150f818111ee9b9ca8dab070434a849d84a8888f

Download Submit
C:\Windows\{C23E50BC-508F-4aed-83C5-77D05D1B2A4F}.exe

Filesize
216KB

MD5
54e092778336600b935765960606012b

SHA1
99ab957432bd250471712ee5dc35bc37a50b953d

SHA256
63cf86a8e77192a291bf95d203a5673adf4f47ecdb225489fd1f3321b997204e

SHA512
48e3744634528f8c288c83fef91589ea914b257dcc56637735d2c51600c4ee0342d928dfb2e3d89509e929933078fd91c3782c6bfb8e86165a02ae9c9b8dbda3

Download Submit
C:\Windows\{C3B62C06-C3A3-4e70-BD69-0746C72938AA}.exe

Filesize
216KB

MD5
0964d2a5da8974d28cefd67e756d6eed

SHA1
c1514c93878131b02ea3788aa5198a7677fa7343

SHA256
cb6e2b99be17bc70dcf47f01ec9dfa6bf390de1328df7fc223ab3e25daec3db6

SHA512
bf2b9d7dedf7696bdeddc7c0b88f44ddd006699c2e6ad5477fd5a077537d9a50dbda7963a05611c08f0264b9d32879bf3ba0423964dcac91141ac0aa773f8164

Download Submit
C:\Windows\{E9F1DA47-F933-45de-81BC-3CD08598C92A}.exe

Filesize
216KB

MD5
43fedb2aab8000583f3367ef5375f923

SHA1
2c3700dc9edf9d365a8cc1bef3a8d6d005a61ad3

SHA256
57f98faf5c89abafba1704ae0899eb762831b0278c6e013e74b9f9626b85b1bc

SHA512
698d20e02d395c9ed9dd673d0785ab4604d563b2cc0f97068e5f0d5c3592150da2a6a307d69d044d95749b03a8ee6ab79db0ff7cb49a8cca355c37c0a8c6a411

Download Submit
C:\Windows\{FFF08307-F601-45da-8EC9-6AE7165C228A}.exe

Filesize
216KB

MD5
65d55b5fa28e0c00b122e8188cbb1c83

SHA1
a08375fba897c6bfd9c06aabf73453674fb970b3

SHA256
7f614ed2ec5d5f2fb41e226ae3dd5d675b32aa5cf405c990c4ae61d13d2f5f3e

SHA512
a7d680b16b3a275aa5f7fbd2eafc58c3683519aac5052437c2f9ace153e39b80343797ac75e959ac85161941788d8b6f29d3343de166b35040f4a5c7755cb1e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads