ee6e1c1d79b1b823d786467ac8eaf644205add573d0a153435ead491cda49c4c

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 18:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe
Size

180KB
MD5

35441146baac583464095846cc559c5e
SHA1

e36ea8375bf745b52cf5a7b20a3a9e8703c4fcaa
SHA256

ee6e1c1d79b1b823d786467ac8eaf644205add573d0a153435ead491cda49c4c
SHA512

97463538126d0b76dfd6478d9b69d23fbe46227d2442e136fa1e420b3da9b206d12063d51d578059376f381147ba73a66564dd5e12c8599bdd6e1251ed4f0e3c
SSDEEP

3072:jEGh0oZlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGzl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f3-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231ec-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231fe-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002304c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d05-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d06-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d05-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FFDDB5A-382F-40bc-A57D-199160A62796}\stubpath = "C:\\Windows\\{0FFDDB5A-382F-40bc-A57D-199160A62796}.exe"	{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{476C8A64-8C3E-4007-AC08-4382BA1B987D}\stubpath = "C:\\Windows\\{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe"	{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D852BC0D-B09C-46c1-919B-D2DB19E3BEC9}\stubpath = "C:\\Windows\\{D852BC0D-B09C-46c1-919B-D2DB19E3BEC9}.exe"	{710A9537-D936-4261-A18E-414D14F63185}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314CA7EA-49B4-4396-A5C6-DEF0894C439C}\stubpath = "C:\\Windows\\{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe"	{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7538830E-793D-4f8e-8365-686FED535177}\stubpath = "C:\\Windows\\{7538830E-793D-4f8e-8365-686FED535177}.exe"	{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}\stubpath = "C:\\Windows\\{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe"	{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314CA7EA-49B4-4396-A5C6-DEF0894C439C}	{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7538830E-793D-4f8e-8365-686FED535177}	{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{710A9537-D936-4261-A18E-414D14F63185}	{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{710A9537-D936-4261-A18E-414D14F63185}\stubpath = "C:\\Windows\\{710A9537-D936-4261-A18E-414D14F63185}.exe"	{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A8EB696-C9D1-4f15-BB6D-B17214120369}	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}	{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{090FD06A-28F6-4036-B314-3F6DC5CCA476}\stubpath = "C:\\Windows\\{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe"	{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D25AF582-C729-4642-8A73-F89991FA2FFD}	{7538830E-793D-4f8e-8365-686FED535177}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54B3804F-4817-4c1a-87D4-D2CFAF069221}	{0FFDDB5A-382F-40bc-A57D-199160A62796}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{54B3804F-4817-4c1a-87D4-D2CFAF069221}\stubpath = "C:\\Windows\\{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe"	{0FFDDB5A-382F-40bc-A57D-199160A62796}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6616E5DD-F401-4977-A3FE-F9417A96EEF6}	{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6616E5DD-F401-4977-A3FE-F9417A96EEF6}\stubpath = "C:\\Windows\\{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe"	{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D25AF582-C729-4642-8A73-F89991FA2FFD}\stubpath = "C:\\Windows\\{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe"	{7538830E-793D-4f8e-8365-686FED535177}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FFDDB5A-382F-40bc-A57D-199160A62796}	{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{476C8A64-8C3E-4007-AC08-4382BA1B987D}	{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D852BC0D-B09C-46c1-919B-D2DB19E3BEC9}	{710A9537-D936-4261-A18E-414D14F63185}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A8EB696-C9D1-4f15-BB6D-B17214120369}\stubpath = "C:\\Windows\\{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe"	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{090FD06A-28F6-4036-B314-3F6DC5CCA476}	{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe

Executes dropped EXE 11 IoCs

pid	Process
3740	{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe
1764	{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe
4920	{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe
4276	{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe
4660	{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe
2296	{7538830E-793D-4f8e-8365-686FED535177}.exe
2952	{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe
4244	{0FFDDB5A-382F-40bc-A57D-199160A62796}.exe
184	{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe
3000	{710A9537-D936-4261-A18E-414D14F63185}.exe
2300	{D852BC0D-B09C-46c1-919B-D2DB19E3BEC9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe	{7538830E-793D-4f8e-8365-686FED535177}.exe
File created	C:\Windows\{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe	{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe
File created	C:\Windows\{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe
File created	C:\Windows\{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe	{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe
File created	C:\Windows\{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe	{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe
File created	C:\Windows\{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe	{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe
File created	C:\Windows\{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe	{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe
File created	C:\Windows\{7538830E-793D-4f8e-8365-686FED535177}.exe	{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe
File created	C:\Windows\{0FFDDB5A-382F-40bc-A57D-199160A62796}.exe	{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe
File created	C:\Windows\{710A9537-D936-4261-A18E-414D14F63185}.exe	{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe
File created	C:\Windows\{D852BC0D-B09C-46c1-919B-D2DB19E3BEC9}.exe	{710A9537-D936-4261-A18E-414D14F63185}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1780	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3740	{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe
Token: SeIncBasePriorityPrivilege	1764	{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe
Token: SeIncBasePriorityPrivilege	4920	{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe
Token: SeIncBasePriorityPrivilege	4276	{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe
Token: SeIncBasePriorityPrivilege	4660	{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe
Token: SeIncBasePriorityPrivilege	2296	{7538830E-793D-4f8e-8365-686FED535177}.exe
Token: SeIncBasePriorityPrivilege	2952	{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe
Token: SeIncBasePriorityPrivilege	3728	{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe
Token: SeIncBasePriorityPrivilege	184	{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe
Token: SeIncBasePriorityPrivilege	3000	{710A9537-D936-4261-A18E-414D14F63185}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 3740	1780	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	95
PID 1780 wrote to memory of 3740	1780	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	95
PID 1780 wrote to memory of 3740	1780	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	95
PID 1780 wrote to memory of 2556	1780	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	96
PID 1780 wrote to memory of 2556	1780	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	96
PID 1780 wrote to memory of 2556	1780	2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe	96
PID 3740 wrote to memory of 1764	3740	{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe	97
PID 3740 wrote to memory of 1764	3740	{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe	97
PID 3740 wrote to memory of 1764	3740	{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe	97
PID 3740 wrote to memory of 2020	3740	{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe	98
PID 3740 wrote to memory of 2020	3740	{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe	98
PID 3740 wrote to memory of 2020	3740	{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe	98
PID 1764 wrote to memory of 4920	1764	{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe	100
PID 1764 wrote to memory of 4920	1764	{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe	100
PID 1764 wrote to memory of 4920	1764	{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe	100
PID 1764 wrote to memory of 856	1764	{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe	101
PID 1764 wrote to memory of 856	1764	{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe	101
PID 1764 wrote to memory of 856	1764	{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe	101
PID 4920 wrote to memory of 4276	4920	{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe	102
PID 4920 wrote to memory of 4276	4920	{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe	102
PID 4920 wrote to memory of 4276	4920	{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe	102
PID 4920 wrote to memory of 980	4920	{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe	103
PID 4920 wrote to memory of 980	4920	{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe	103
PID 4920 wrote to memory of 980	4920	{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe	103
PID 4276 wrote to memory of 4660	4276	{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe	104
PID 4276 wrote to memory of 4660	4276	{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe	104
PID 4276 wrote to memory of 4660	4276	{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe	104
PID 4276 wrote to memory of 4080	4276	{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe	105
PID 4276 wrote to memory of 4080	4276	{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe	105
PID 4276 wrote to memory of 4080	4276	{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe	105
PID 4660 wrote to memory of 2296	4660	{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe	106
PID 4660 wrote to memory of 2296	4660	{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe	106
PID 4660 wrote to memory of 2296	4660	{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe	106
PID 4660 wrote to memory of 2600	4660	{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe	107
PID 4660 wrote to memory of 2600	4660	{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe	107
PID 4660 wrote to memory of 2600	4660	{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe	107
PID 2296 wrote to memory of 2952	2296	{7538830E-793D-4f8e-8365-686FED535177}.exe	108
PID 2296 wrote to memory of 2952	2296	{7538830E-793D-4f8e-8365-686FED535177}.exe	108
PID 2296 wrote to memory of 2952	2296	{7538830E-793D-4f8e-8365-686FED535177}.exe	108
PID 2296 wrote to memory of 4212	2296	{7538830E-793D-4f8e-8365-686FED535177}.exe	109
PID 2296 wrote to memory of 4212	2296	{7538830E-793D-4f8e-8365-686FED535177}.exe	109
PID 2296 wrote to memory of 4212	2296	{7538830E-793D-4f8e-8365-686FED535177}.exe	109
PID 2952 wrote to memory of 4244	2952	{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe	110
PID 2952 wrote to memory of 4244	2952	{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe	110
PID 2952 wrote to memory of 4244	2952	{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe	110
PID 2952 wrote to memory of 4452	2952	{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe	111
PID 2952 wrote to memory of 4452	2952	{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe	111
PID 2952 wrote to memory of 4452	2952	{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe	111
PID 3728 wrote to memory of 184	3728	{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe	114
PID 3728 wrote to memory of 184	3728	{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe	114
PID 3728 wrote to memory of 184	3728	{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe	114
PID 3728 wrote to memory of 872	3728	{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe	115
PID 3728 wrote to memory of 872	3728	{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe	115
PID 3728 wrote to memory of 872	3728	{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe	115
PID 184 wrote to memory of 3000	184	{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe	116
PID 184 wrote to memory of 3000	184	{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe	116
PID 184 wrote to memory of 3000	184	{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe	116
PID 184 wrote to memory of 1656	184	{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe	117
PID 184 wrote to memory of 1656	184	{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe	117
PID 184 wrote to memory of 1656	184	{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe	117
PID 3000 wrote to memory of 2300	3000	{710A9537-D936-4261-A18E-414D14F63185}.exe	118
PID 3000 wrote to memory of 2300	3000	{710A9537-D936-4261-A18E-414D14F63185}.exe	118
PID 3000 wrote to memory of 2300	3000	{710A9537-D936-4261-A18E-414D14F63185}.exe	118
PID 3000 wrote to memory of 2136	3000	{710A9537-D936-4261-A18E-414D14F63185}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_35441146baac583464095846cc559c5e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe
  C:\Windows\{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe
    C:\Windows\{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe
      C:\Windows\{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe
        
        C:\Windows\{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
      - C:\Windows\{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe
        
        C:\Windows\{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\{7538830E-793D-4f8e-8365-686FED535177}.exe
        
        C:\Windows\{7538830E-793D-4f8e-8365-686FED535177}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe
        
        C:\Windows\{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\{0FFDDB5A-382F-40bc-A57D-199160A62796}.exe
        
        C:\Windows\{0FFDDB5A-382F-40bc-A57D-199160A62796}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe
        
        C:\Windows\{54B3804F-4817-4c1a-87D4-D2CFAF069221}.exe
        10⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe
        
        C:\Windows\{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Windows\{710A9537-D936-4261-A18E-414D14F63185}.exe
        
        C:\Windows\{710A9537-D936-4261-A18E-414D14F63185}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{D852BC0D-B09C-46c1-919B-D2DB19E3BEC9}.exe
        
        C:\Windows\{D852BC0D-B09C-46c1-919B-D2DB19E3BEC9}.exe
        13⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{710A9~1.EXE > nul
        13⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{476C8~1.EXE > nul
        12⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54B38~1.EXE > nul
        11⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FFDD~1.EXE > nul
        10⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D25AF~1.EXE > nul
        9⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75388~1.EXE > nul
        8⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{314CA~1.EXE > nul
        7⤵
        
        PID:2600
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{090FD~1.EXE > nul
        6⤵
        
        PID:4080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6616E~1.EXE > nul
        5⤵
        
        PID:980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA643~1.EXE > nul
      4⤵
      PID:856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6A8EB~1.EXE > nul
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{090FD06A-28F6-4036-B314-3F6DC5CCA476}.exe

Filesize
180KB

MD5
f8d67cfa11a860346675f511f22f2929

SHA1
f77095cac6adc1f946b9ae70ff01ff0ffc37d6e1

SHA256
7557a4fa17a3816085ce49db70ce6ba636565847031dd820f7fc4482ce463b48

SHA512
d4b846c4179eb506ab114d5a8990fbc8dc1b49fe2f3d509a1586d8f063ac7c36668bb680e93e7e3484b8d3e5363014b5d1a7883db53fd6a34bf2abdd4050bbb4

Download Submit
C:\Windows\{0FFDDB5A-382F-40bc-A57D-199160A62796}.exe

Filesize
180KB

MD5
a96d5f90ed606b1f4b1c51d91f17c460

SHA1
d186b9d4c64c9e589adadb84a1dcc85c13d2d544

SHA256
618c699094f77995a994cf81ecd8d896db2ff5d85bdaee419f11816735b14055

SHA512
0070620d4f5636add046ba873fcd8bc59d121c88e95e39c97658c247da14cb4c8cf10d556bb156b656e8aa4515da264a511177f19f775b25e94e929573526f9f

Download Submit
C:\Windows\{314CA7EA-49B4-4396-A5C6-DEF0894C439C}.exe

Filesize
180KB

MD5
94caf0ffc54588c8bed04071e2afa3cb

SHA1
efc6c93453309b24afd0ee565389f73879b99ec5

SHA256
03e91219ba0ad8049790432eb1fe8f195eabd7a2c5769c01ca9765a6e1c34e4d

SHA512
06fea04247ccc60d2d87857dd94e5d83ba379ef0d8ab8dd87aee09db30854c15e449bef3be779c9f174586131b960704877aae694e38ba6199680ffa47dbc062

Download Submit
C:\Windows\{476C8A64-8C3E-4007-AC08-4382BA1B987D}.exe

Filesize
180KB

MD5
32b810adbe280b76002917a53666d177

SHA1
2dccf2cbdff9f8cbfb35b8748d1eb161984e947c

SHA256
0bc5975fe55c83270a17bbe788bd8dd4a96641a0cd31f433142561e40b873b67

SHA512
bc7645544415ebaace9488876110acc99250ffb93625f979e555c12e2ca4fe93dc6000038371739a8adbfc9529e264dcebe1293a2f5e948f9169722082aa015e

Download Submit
C:\Windows\{6616E5DD-F401-4977-A3FE-F9417A96EEF6}.exe

Filesize
180KB

MD5
9181387948f60b5299c728d24380bf39

SHA1
89d2eb691c3135f0039411c5ac73560d7a7aa0ea

SHA256
6c0d0a0d2a114fa9b04c2e3e3c95fb7bfcd9b3b1f12b4a748425cab6dbccbf6c

SHA512
b52cf2cb820c01e1a94a8344230d16ae9e752788eeb8cb96ff03728365b0adc846bad66aa36a42a55765b279f812b27a2e5036f2fd8a221844cd6a70b25ec660

Download Submit
C:\Windows\{6A8EB696-C9D1-4f15-BB6D-B17214120369}.exe

Filesize
180KB

MD5
dee32e605f5faf4da46cdf0b8cb669ce

SHA1
1bb29bd5e90a49aeefdbe5f3dd916824987ee9d0

SHA256
f583e59246cbb7d0d447328d6a6da50e80b4684837f81b85c5757f45b905498b

SHA512
7050ac27cc5f87940bbdb2693b275001ae8b3fe13f6e9305a1bb89ada9a46b07fea42c6d083417c7a8ba48c765223c82d0ffe527838655214576edc653c71aaa

Download Submit
C:\Windows\{710A9537-D936-4261-A18E-414D14F63185}.exe

Filesize
180KB

MD5
0b51a5b5ea6188e370fc232acbdf820e

SHA1
9bdeb201d0df0b3ff1676df6bcb328a676ccb0a1

SHA256
5fa3d26fee971780917115bb04ccf8532cd08dafa6ff4633aca28a3614f53657

SHA512
6f67f8f97ad681531e18486038efb245af9ad55532905abbbaad4ea4854c0279a5068a8e04d6a865c9973a596771538c3d670f13030b395eecca0587ec239139

Download Submit
C:\Windows\{7538830E-793D-4f8e-8365-686FED535177}.exe

Filesize
180KB

MD5
7fd2368934b0efc89518c80e6b1c3234

SHA1
74b29a58752fa578ca14fa253169341b3585bd28

SHA256
01d15e940bd7b0b717f2e5d261d582a3f9b074ad8b3c24b9d017ac13b123279a

SHA512
d65d315b84651950e6046d0796bd53c5a0cc8fe0ff70da6dff0b513e0bf22760e077f73f0f42ade97703177beabc1b18fc653ae3984917fe6a62cf87292457e5

Download Submit
C:\Windows\{AA6436C2-F14F-47fa-BD43-CAC46BB9B847}.exe

Filesize
180KB

MD5
2deafe33b2b18a37032f67221ce251f6

SHA1
cfac440d22bb4937f5f3fa1d9b86b2ede2a9ac6d

SHA256
8b26026998207e7e19f743d5bec07f9751488d7b426dcf8d774a9093da6af6cd

SHA512
abea7d91612d7340a1fde22fa8a82fee9724c355e596723c60a91cc251bfec216da2b7ab873f605dd22029d697f784c278fb52024669c54f0bd9eea06049728a

Download Submit
C:\Windows\{D25AF582-C729-4642-8A73-F89991FA2FFD}.exe

Filesize
180KB

MD5
5289aab43114acb1606c71242c96f393

SHA1
9f9d592525320450a70564147e4ca616c9ce7a8b

SHA256
76e7ac982085c13ffd8bd0e86264b9c0afd4a87dc3014854a09a9965dfb1796f

SHA512
069b185372e86744ff39fb13593b47cd0deded9880873e1fce63b191c333a72c29f23ff6808ad356e57074edc46f0d222f865ce5ccf1be2bdfe5bd4da7c319e6

Download Submit
C:\Windows\{D852BC0D-B09C-46c1-919B-D2DB19E3BEC9}.exe

Filesize
180KB

MD5
438404ed7074f453f5d3a5723a833b51

SHA1
cbb40381691b7dec0231f54861f945703dac9af9

SHA256
c66e1fe3df8e92e2852edec97de8c5ed71c08a6f749c7a6a1cf56fe2552fb33b

SHA512
cd198e0a5c671d23e1812773260860f619970a156fbf881c2432a867e724353753c0f13301cc1184a07897b6f528f4bfec62841a09848208dbb9d341326dd376

Download Submit
memory/4244-32-0x0000000003AD0000-0x0000000003BAB000-memory.dmp

Filesize
876KB

Download
memory/4244-31-0x00000000039F0000-0x0000000003ACB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads