5983d104d260c0ae6fd7a81f518f55fcb6865119330001897f6cc2a1b307fb0f

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe
Size

408KB
MD5

d577f7e788fd9a50112955cf07553fcb
SHA1

5c42fc5a7ed19105d54d543c0fe9d71c3dfe15e6
SHA256

5983d104d260c0ae6fd7a81f518f55fcb6865119330001897f6cc2a1b307fb0f
SHA512

f1d115f2fa0678c7a7fc8b38aff74ef3b988424b3980989e7ffa033329a51c3bccbf9447d12c9b8dc808c7e776b771354385bba3170d264599ea67e82617a3ba
SSDEEP

3072:CEGh0oKl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGoldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000700000002320c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023211-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023218-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023211-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023218-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d05-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d06-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC5DD223-8152-44a6-832F-45CED937A8FE}	{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC5DD223-8152-44a6-832F-45CED937A8FE}\stubpath = "C:\\Windows\\{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe"	{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{612C23C8-35B0-4121-9729-48B6771A8F39}	{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{136F8C23-46BD-489d-88D4-41024D3CEF20}\stubpath = "C:\\Windows\\{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe"	{612C23C8-35B0-4121-9729-48B6771A8F39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC470DC8-EB5F-4807-A73E-F85E33431871}	{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A504D378-AE82-4a62-8510-DF9D702A0705}	{E543F5E0-BAF4-45f5-A466-03B772362177}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}	2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}\stubpath = "C:\\Windows\\{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe"	2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{020291E3-F0D9-4ea9-B926-653A6358D19C}\stubpath = "C:\\Windows\\{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe"	{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F0322DC-8502-43d3-8280-6D2CD6913696}	{029341BF-9D0F-4d06-B64C-3B621997F139}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E543F5E0-BAF4-45f5-A466-03B772362177}	{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E91069A-73BA-4033-9365-A9FDC4CF9662}\stubpath = "C:\\Windows\\{7E91069A-73BA-4033-9365-A9FDC4CF9662}.exe"	{A504D378-AE82-4a62-8510-DF9D702A0705}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC470DC8-EB5F-4807-A73E-F85E33431871}\stubpath = "C:\\Windows\\{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe"	{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{020291E3-F0D9-4ea9-B926-653A6358D19C}	{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{029341BF-9D0F-4d06-B64C-3B621997F139}\stubpath = "C:\\Windows\\{029341BF-9D0F-4d06-B64C-3B621997F139}.exe"	{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D6ED202-4B88-4243-90AD-A3BE6F91B392}	{7E91069A-73BA-4033-9365-A9FDC4CF9662}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{136F8C23-46BD-489d-88D4-41024D3CEF20}	{612C23C8-35B0-4121-9729-48B6771A8F39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{029341BF-9D0F-4d06-B64C-3B621997F139}	{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E543F5E0-BAF4-45f5-A466-03B772362177}\stubpath = "C:\\Windows\\{E543F5E0-BAF4-45f5-A466-03B772362177}.exe"	{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A504D378-AE82-4a62-8510-DF9D702A0705}\stubpath = "C:\\Windows\\{A504D378-AE82-4a62-8510-DF9D702A0705}.exe"	{E543F5E0-BAF4-45f5-A466-03B772362177}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E91069A-73BA-4033-9365-A9FDC4CF9662}	{A504D378-AE82-4a62-8510-DF9D702A0705}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D6ED202-4B88-4243-90AD-A3BE6F91B392}\stubpath = "C:\\Windows\\{4D6ED202-4B88-4243-90AD-A3BE6F91B392}.exe"	{7E91069A-73BA-4033-9365-A9FDC4CF9662}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{612C23C8-35B0-4121-9729-48B6771A8F39}\stubpath = "C:\\Windows\\{612C23C8-35B0-4121-9729-48B6771A8F39}.exe"	{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F0322DC-8502-43d3-8280-6D2CD6913696}\stubpath = "C:\\Windows\\{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe"	{029341BF-9D0F-4d06-B64C-3B621997F139}.exe

Executes dropped EXE 12 IoCs

pid	Process
860	{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe
5020	{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe
4972	{612C23C8-35B0-4121-9729-48B6771A8F39}.exe
1720	{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe
1416	{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe
4028	{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe
4804	{029341BF-9D0F-4d06-B64C-3B621997F139}.exe
2976	{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe
3300	{E543F5E0-BAF4-45f5-A466-03B772362177}.exe
1980	{A504D378-AE82-4a62-8510-DF9D702A0705}.exe
1300	{7E91069A-73BA-4033-9365-A9FDC4CF9662}.exe
2636	{4D6ED202-4B88-4243-90AD-A3BE6F91B392}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe	{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe
File created	C:\Windows\{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe	{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe
File created	C:\Windows\{029341BF-9D0F-4d06-B64C-3B621997F139}.exe	{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe
File created	C:\Windows\{7E91069A-73BA-4033-9365-A9FDC4CF9662}.exe	{A504D378-AE82-4a62-8510-DF9D702A0705}.exe
File created	C:\Windows\{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe	2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe
File created	C:\Windows\{612C23C8-35B0-4121-9729-48B6771A8F39}.exe	{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe
File created	C:\Windows\{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe	{612C23C8-35B0-4121-9729-48B6771A8F39}.exe
File created	C:\Windows\{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe	{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe
File created	C:\Windows\{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe	{029341BF-9D0F-4d06-B64C-3B621997F139}.exe
File created	C:\Windows\{E543F5E0-BAF4-45f5-A466-03B772362177}.exe	{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe
File created	C:\Windows\{A504D378-AE82-4a62-8510-DF9D702A0705}.exe	{E543F5E0-BAF4-45f5-A466-03B772362177}.exe
File created	C:\Windows\{4D6ED202-4B88-4243-90AD-A3BE6F91B392}.exe	{7E91069A-73BA-4033-9365-A9FDC4CF9662}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3464	2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe
Token: SeIncBasePriorityPrivilege	860	{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe
Token: SeIncBasePriorityPrivilege	5020	{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe
Token: SeIncBasePriorityPrivilege	4972	{612C23C8-35B0-4121-9729-48B6771A8F39}.exe
Token: SeIncBasePriorityPrivilege	1720	{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe
Token: SeIncBasePriorityPrivilege	1416	{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe
Token: SeIncBasePriorityPrivilege	4028	{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe
Token: SeIncBasePriorityPrivilege	4804	{029341BF-9D0F-4d06-B64C-3B621997F139}.exe
Token: SeIncBasePriorityPrivilege	2976	{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe
Token: SeIncBasePriorityPrivilege	3300	{E543F5E0-BAF4-45f5-A466-03B772362177}.exe
Token: SeIncBasePriorityPrivilege	1980	{A504D378-AE82-4a62-8510-DF9D702A0705}.exe
Token: SeIncBasePriorityPrivilege	1300	{7E91069A-73BA-4033-9365-A9FDC4CF9662}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 860	3464	2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe	96
PID 3464 wrote to memory of 860	3464	2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe	96
PID 3464 wrote to memory of 860	3464	2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe	96
PID 3464 wrote to memory of 3660	3464	2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe	97
PID 3464 wrote to memory of 3660	3464	2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe	97
PID 3464 wrote to memory of 3660	3464	2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe	97
PID 860 wrote to memory of 5020	860	{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe	98
PID 860 wrote to memory of 5020	860	{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe	98
PID 860 wrote to memory of 5020	860	{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe	98
PID 860 wrote to memory of 4304	860	{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe	99
PID 860 wrote to memory of 4304	860	{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe	99
PID 860 wrote to memory of 4304	860	{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe	99
PID 5020 wrote to memory of 4972	5020	{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe	101
PID 5020 wrote to memory of 4972	5020	{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe	101
PID 5020 wrote to memory of 4972	5020	{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe	101
PID 5020 wrote to memory of 4152	5020	{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe	102
PID 5020 wrote to memory of 4152	5020	{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe	102
PID 5020 wrote to memory of 4152	5020	{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe	102
PID 4972 wrote to memory of 1720	4972	{612C23C8-35B0-4121-9729-48B6771A8F39}.exe	103
PID 4972 wrote to memory of 1720	4972	{612C23C8-35B0-4121-9729-48B6771A8F39}.exe	103
PID 4972 wrote to memory of 1720	4972	{612C23C8-35B0-4121-9729-48B6771A8F39}.exe	103
PID 4972 wrote to memory of 896	4972	{612C23C8-35B0-4121-9729-48B6771A8F39}.exe	104
PID 4972 wrote to memory of 896	4972	{612C23C8-35B0-4121-9729-48B6771A8F39}.exe	104
PID 4972 wrote to memory of 896	4972	{612C23C8-35B0-4121-9729-48B6771A8F39}.exe	104
PID 1720 wrote to memory of 1416	1720	{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe	105
PID 1720 wrote to memory of 1416	1720	{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe	105
PID 1720 wrote to memory of 1416	1720	{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe	105
PID 1720 wrote to memory of 692	1720	{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe	106
PID 1720 wrote to memory of 692	1720	{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe	106
PID 1720 wrote to memory of 692	1720	{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe	106
PID 1416 wrote to memory of 4028	1416	{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe	107
PID 1416 wrote to memory of 4028	1416	{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe	107
PID 1416 wrote to memory of 4028	1416	{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe	107
PID 1416 wrote to memory of 748	1416	{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe	108
PID 1416 wrote to memory of 748	1416	{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe	108
PID 1416 wrote to memory of 748	1416	{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe	108
PID 4028 wrote to memory of 4804	4028	{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe	109
PID 4028 wrote to memory of 4804	4028	{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe	109
PID 4028 wrote to memory of 4804	4028	{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe	109
PID 4028 wrote to memory of 1968	4028	{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe	110
PID 4028 wrote to memory of 1968	4028	{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe	110
PID 4028 wrote to memory of 1968	4028	{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe	110
PID 4804 wrote to memory of 2976	4804	{029341BF-9D0F-4d06-B64C-3B621997F139}.exe	111
PID 4804 wrote to memory of 2976	4804	{029341BF-9D0F-4d06-B64C-3B621997F139}.exe	111
PID 4804 wrote to memory of 2976	4804	{029341BF-9D0F-4d06-B64C-3B621997F139}.exe	111
PID 4804 wrote to memory of 4452	4804	{029341BF-9D0F-4d06-B64C-3B621997F139}.exe	112
PID 4804 wrote to memory of 4452	4804	{029341BF-9D0F-4d06-B64C-3B621997F139}.exe	112
PID 4804 wrote to memory of 4452	4804	{029341BF-9D0F-4d06-B64C-3B621997F139}.exe	112
PID 2976 wrote to memory of 3300	2976	{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe	113
PID 2976 wrote to memory of 3300	2976	{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe	113
PID 2976 wrote to memory of 3300	2976	{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe	113
PID 2976 wrote to memory of 5084	2976	{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe	114
PID 2976 wrote to memory of 5084	2976	{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe	114
PID 2976 wrote to memory of 5084	2976	{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe	114
PID 3300 wrote to memory of 1980	3300	{E543F5E0-BAF4-45f5-A466-03B772362177}.exe	115
PID 3300 wrote to memory of 1980	3300	{E543F5E0-BAF4-45f5-A466-03B772362177}.exe	115
PID 3300 wrote to memory of 1980	3300	{E543F5E0-BAF4-45f5-A466-03B772362177}.exe	115
PID 3300 wrote to memory of 4284	3300	{E543F5E0-BAF4-45f5-A466-03B772362177}.exe	116
PID 3300 wrote to memory of 4284	3300	{E543F5E0-BAF4-45f5-A466-03B772362177}.exe	116
PID 3300 wrote to memory of 4284	3300	{E543F5E0-BAF4-45f5-A466-03B772362177}.exe	116
PID 1980 wrote to memory of 1300	1980	{A504D378-AE82-4a62-8510-DF9D702A0705}.exe	117
PID 1980 wrote to memory of 1300	1980	{A504D378-AE82-4a62-8510-DF9D702A0705}.exe	117
PID 1980 wrote to memory of 1300	1980	{A504D378-AE82-4a62-8510-DF9D702A0705}.exe	117
PID 1980 wrote to memory of 5044	1980	{A504D378-AE82-4a62-8510-DF9D702A0705}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_d577f7e788fd9a50112955cf07553fcb_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe
  C:\Windows\{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe
    C:\Windows\{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\{612C23C8-35B0-4121-9729-48B6771A8F39}.exe
      C:\Windows\{612C23C8-35B0-4121-9729-48B6771A8F39}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Windows\{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe
        
        C:\Windows\{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Windows\{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe
        
        C:\Windows\{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe
        
        C:\Windows\{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\{029341BF-9D0F-4d06-B64C-3B621997F139}.exe
        
        C:\Windows\{029341BF-9D0F-4d06-B64C-3B621997F139}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe
        
        C:\Windows\{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\{E543F5E0-BAF4-45f5-A466-03B772362177}.exe
        
        C:\Windows\{E543F5E0-BAF4-45f5-A466-03B772362177}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\{A504D378-AE82-4a62-8510-DF9D702A0705}.exe
        
        C:\Windows\{A504D378-AE82-4a62-8510-DF9D702A0705}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{7E91069A-73BA-4033-9365-A9FDC4CF9662}.exe
        
        C:\Windows\{7E91069A-73BA-4033-9365-A9FDC4CF9662}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\{4D6ED202-4B88-4243-90AD-A3BE6F91B392}.exe
        
        C:\Windows\{4D6ED202-4B88-4243-90AD-A3BE6F91B392}.exe
        13⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E910~1.EXE > nul
        13⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A504D~1.EXE > nul
        12⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E543F~1.EXE > nul
        11⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F032~1.EXE > nul
        10⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02934~1.EXE > nul
        9⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02029~1.EXE > nul
        8⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC470~1.EXE > nul
        7⤵
        
        PID:748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{136F8~1.EXE > nul
        6⤵
        
        PID:692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{612C2~1.EXE > nul
        5⤵
        
        PID:896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CC5DD~1.EXE > nul
      4⤵
      PID:4152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{37EBD~1.EXE > nul
    3⤵
    PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{020291E3-F0D9-4ea9-B926-653A6358D19C}.exe

Filesize
408KB

MD5
84e914ad2b216018786caf7ebb6c7125

SHA1
7469df6ea8ef5de90842891c1732782e25467fba

SHA256
6619765fd118c0418d0be14f8019e8dd6479cac512fcec118288368fc33221a1

SHA512
a320a32478e73f320f3e320f7b22f144f030c9688bda1ef6033225a8dd3084e20b16f3cc27a0654a24904b0f0f6be7b1dd744d11641e22c0fcc088b138d5fde6

Download Submit
C:\Windows\{029341BF-9D0F-4d06-B64C-3B621997F139}.exe

Filesize
408KB

MD5
2adf233f259302bdc84796cd87e85bdd

SHA1
9c822dee77d1e89a3363de07f11c48713f18bec2

SHA256
ceb14f075b6ad52e442c40c02634682604bca998b852ed6ed645aca9de233290

SHA512
0f0177dcb045714a551378e63b5a2f7b65077e12af17efa881a2a3d3eabe318f48eb564421a6fb016e3a97331f4cc57d1c9a35b50ff2c077fc6abca952e2bb75

Download Submit
C:\Windows\{136F8C23-46BD-489d-88D4-41024D3CEF20}.exe

Filesize
408KB

MD5
34555dbdcc1f5c59e2e7d1d0ce7d5325

SHA1
03e18f4532affc9916c7a763e3b37c2891d9ee29

SHA256
a618f6d27c9862b8c91f32c93777836e1eb2689cc6a0e05d2855737f8b5d44e1

SHA512
227b1367b4667329d6563e09f773b9f8efcf85d41651ee4627515ecdfc9414e1f0602ae11209bc7525d75e226358a2023e3ac3f3fca31ef0433f6b5215ec8467

Download Submit
C:\Windows\{37EBD3F1-DBFB-4d4a-9A27-0719FD28C135}.exe

Filesize
408KB

MD5
c0774925d008a6eed53b818fa6631e83

SHA1
5e62ba9f21fc095df1d6b14f61ff53b3a1440526

SHA256
f45bf4f9315d654406ced41137c4bc114444334a8e7ee44f0b8dbf03635a018a

SHA512
3119167a20b8f3f490221a700f9f41366151df70ea5e2f5ba6edce022bfe827fade2c24197e3ecbbd987b7a4d48b77373c1db63abd44a19fb3b9eacdbd9387ce

Download Submit
C:\Windows\{4D6ED202-4B88-4243-90AD-A3BE6F91B392}.exe

Filesize
408KB

MD5
43eef4c1261ebc334c1b5c1eaad70bc0

SHA1
3e18958a9afc3a4f0f61f949033a216422ffcc77

SHA256
0a430949290c73fde84e2b33473a10e807ac2e6279c1b0d8b6966dc731816876

SHA512
f172c87644b1a8bad38e53e0f86adb024b2321ee28bdc74c24a4bc3f45880e081a9f72e61328b72db1bd27f407357a4e98b64c3119ee5f91301023e24435c547

Download Submit
C:\Windows\{612C23C8-35B0-4121-9729-48B6771A8F39}.exe

Filesize
408KB

MD5
88073ea07bac3d9df88f1d59a41308e1

SHA1
79b2d0ed2606e54bd61b435c32717d49b7bb2922

SHA256
f34836b6ba5ce15eeb5b3e8a5e4098dfba299a074ebe520d6b6deb3092efb717

SHA512
c886bd03e2070b3a88ca53d3b3fbd6fd44db8ff9557e5a2e5105c145c703a070e783fe292ac5846b3f5a0861610f02bfa845f35e7c6e04bccbe8424915545b29

Download Submit
C:\Windows\{7E91069A-73BA-4033-9365-A9FDC4CF9662}.exe

Filesize
408KB

MD5
223b3a8b23a2c2481b2b5c07cfce3433

SHA1
a7ce78d0c7adb5a70fed6d7211773146d4ae24d5

SHA256
4a53cc8758f71c252404b3c89fa5a5416092c1a51398d033e46f14e99741b688

SHA512
e360568ba58e5c8bc9606dde37ab160b21c78f3a8f78c70482d68822106f1674add8a364c736da39d6eba6863bc0f73fcf9c50a516666293e4ce60e7a9555d01

Download Submit
C:\Windows\{7F0322DC-8502-43d3-8280-6D2CD6913696}.exe

Filesize
408KB

MD5
09fa3287b346f58e6b56e8298a77801d

SHA1
1bafa3ec3020cb4e7591051cefbeb679b5c2c12f

SHA256
dff8b9980dbb2f4a8d5f998a231fad9a4396fb476701826dba63ad9ff9aa8320

SHA512
efda5a2327e451f3ea4124b57de6ac9a664d72ad1fe6f0b74c12a804974483b4882996dd30425964d58a4a5be3105a5c7bdacf8b660d991c0439ab578ac97340

Download Submit
C:\Windows\{A504D378-AE82-4a62-8510-DF9D702A0705}.exe

Filesize
408KB

MD5
9eb97cd2e0f5688ea74dd009cd98d660

SHA1
7caa73086a144927f88771f74b6a388a03636f6d

SHA256
3133cd685fe976b04008a92e09148492400b462db358f0eaf430746421746848

SHA512
638c691869dd84d0df0c6518b1b6e9271a911bc610ce051e336d2662d9e144e11a9091e912c8d95b8adf3c329f8b5b1c5605e2f38af52a7519750847f692dd84

Download Submit
C:\Windows\{BC470DC8-EB5F-4807-A73E-F85E33431871}.exe

Filesize
408KB

MD5
f3c0248bd3c10d9c9e52159e2fb23857

SHA1
6e235a1c4b94d61badf4da06835212bf524783a0

SHA256
d35e3a09d76fed0e46d4ca0af3d15f8645815dcb89cbd2299873b650da13e2c7

SHA512
b5c1b3ebba6dc9282c9295b11394ed3c5b2c0171f5449a497d06315a290119c271b8977ff6d877bb3fa4f02a9ce334da6b770e49d684a4255d6dc86341adb92b

Download Submit
C:\Windows\{CC5DD223-8152-44a6-832F-45CED937A8FE}.exe

Filesize
408KB

MD5
47ebcf9ad8042b802edaed29b97630a5

SHA1
5c885486298c891c571a112060f2a0feb67af817

SHA256
d8d140ff9beffcb3e03b72cbe913c3af4d33a0b5993177e6774f4a83a11aa413

SHA512
ea70595bfc603a5f5b33641c22ab91dc51cafdaba07b298106248fa4cad6be9ab2c0acd363cc2b5bcaa636534208f44693732f39b8bbdbd9b1038c5d03b953f8

Download Submit
C:\Windows\{E543F5E0-BAF4-45f5-A466-03B772362177}.exe

Filesize
408KB

MD5
3184481db78e95e69b945dcecd80db7d

SHA1
9a4d2848a9967f834e928c635f46563c4dd94659

SHA256
e71e7445de8b8897ec76369a0cc7b8d75423c6c915844f265fba01ce14c80e4c

SHA512
1a703c7ba8890cf44fc965f5667e42ad7e94eb25d06f181cb73fe17bddf845b9ec56061c3681c5a1871f79c66a2a2d139a7eaae1a9823a8e45d585222f69535f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads