7b4acdd3179e92dee83d8d82408d6b534f878e04ff8afdcc918b4035a763f737

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe
Size

204KB
MD5

4dd9eec38fa5c3e555f75579e99008ed
SHA1

06f596e5b2a7b20217f23cec909b67557cca669e
SHA256

7b4acdd3179e92dee83d8d82408d6b534f878e04ff8afdcc918b4035a763f737
SHA512

78408b79e17df6464af797ed955222683081b71410dddca0ebbd96575294b046adb12d022e28cd1cd9c2bf6f8d867f39037577c984bd03224096994e99f4f853
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oAl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e2fb-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023227-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023227-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021838-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021841-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000000037-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000000037-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000000037-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}\stubpath = "C:\\Windows\\{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe"	{A743037E-6143-4c94-B3D9-4032914CEF43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{407DD94B-00FE-4821-B971-2C4A8E0A31BB}	{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{407DD94B-00FE-4821-B971-2C4A8E0A31BB}\stubpath = "C:\\Windows\\{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe"	{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EC68D19-817B-4f75-9449-1509D46FD0EF}\stubpath = "C:\\Windows\\{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe"	{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02FC23F7-C46D-402a-9494-E088A45794F9}\stubpath = "C:\\Windows\\{02FC23F7-C46D-402a-9494-E088A45794F9}.exe"	{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EAE090C-BEA5-4434-9CC0-41D5C749C492}\stubpath = "C:\\Windows\\{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe"	{02FC23F7-C46D-402a-9494-E088A45794F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0191627-2055-4372-98D6-1E598EF621B6}\stubpath = "C:\\Windows\\{A0191627-2055-4372-98D6-1E598EF621B6}.exe"	{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7C84D66-4F83-45ec-BAB1-944E85588941}	{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EC68D19-817B-4f75-9449-1509D46FD0EF}	{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A743037E-6143-4c94-B3D9-4032914CEF43}\stubpath = "C:\\Windows\\{A743037E-6143-4c94-B3D9-4032914CEF43}.exe"	{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}	{A743037E-6143-4c94-B3D9-4032914CEF43}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EAE090C-BEA5-4434-9CC0-41D5C749C492}	{02FC23F7-C46D-402a-9494-E088A45794F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D0BA58A-A956-43ce-8E5D-2CFB5FBF4A69}\stubpath = "C:\\Windows\\{2D0BA58A-A956-43ce-8E5D-2CFB5FBF4A69}.exe"	{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6028D1F1-F148-47f0-B333-A58FF5C96064}\stubpath = "C:\\Windows\\{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe"	2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0191627-2055-4372-98D6-1E598EF621B6}	{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}\stubpath = "C:\\Windows\\{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe"	{A0191627-2055-4372-98D6-1E598EF621B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7C84D66-4F83-45ec-BAB1-944E85588941}\stubpath = "C:\\Windows\\{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe"	{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02FC23F7-C46D-402a-9494-E088A45794F9}	{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D0BA58A-A956-43ce-8E5D-2CFB5FBF4A69}	{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6028D1F1-F148-47f0-B333-A58FF5C96064}	2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}	{A0191627-2055-4372-98D6-1E598EF621B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A743037E-6143-4c94-B3D9-4032914CEF43}	{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe

Executes dropped EXE 11 IoCs

pid	Process
2172	{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe
5100	{A0191627-2055-4372-98D6-1E598EF621B6}.exe
1992	{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe
3340	{A743037E-6143-4c94-B3D9-4032914CEF43}.exe
3388	{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe
1260	{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe
2060	{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe
1680	{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe
264	{02FC23F7-C46D-402a-9494-E088A45794F9}.exe
4404	{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe
3472	{2D0BA58A-A956-43ce-8E5D-2CFB5FBF4A69}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe	{02FC23F7-C46D-402a-9494-E088A45794F9}.exe
File created	C:\Windows\{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe	2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe
File created	C:\Windows\{A743037E-6143-4c94-B3D9-4032914CEF43}.exe	{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe
File created	C:\Windows\{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe	{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe
File created	C:\Windows\{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe	{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe
File created	C:\Windows\{02FC23F7-C46D-402a-9494-E088A45794F9}.exe	{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe
File created	C:\Windows\{A0191627-2055-4372-98D6-1E598EF621B6}.exe	{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe
File created	C:\Windows\{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe	{A0191627-2055-4372-98D6-1E598EF621B6}.exe
File created	C:\Windows\{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe	{A743037E-6143-4c94-B3D9-4032914CEF43}.exe
File created	C:\Windows\{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe	{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe
File created	C:\Windows\{2D0BA58A-A956-43ce-8E5D-2CFB5FBF4A69}.exe	{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4680	2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2172	{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe
Token: SeIncBasePriorityPrivilege	5100	{A0191627-2055-4372-98D6-1E598EF621B6}.exe
Token: SeIncBasePriorityPrivilege	1992	{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe
Token: SeIncBasePriorityPrivilege	3340	{A743037E-6143-4c94-B3D9-4032914CEF43}.exe
Token: SeIncBasePriorityPrivilege	3388	{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe
Token: SeIncBasePriorityPrivilege	1260	{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe
Token: SeIncBasePriorityPrivilege	2060	{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe
Token: SeIncBasePriorityPrivilege	1680	{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe
Token: SeIncBasePriorityPrivilege	264	{02FC23F7-C46D-402a-9494-E088A45794F9}.exe
Token: SeIncBasePriorityPrivilege	4404	{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 2172	4680	2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe	90
PID 4680 wrote to memory of 2172	4680	2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe	90
PID 4680 wrote to memory of 2172	4680	2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe	90
PID 4680 wrote to memory of 2844	4680	2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe	91
PID 4680 wrote to memory of 2844	4680	2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe	91
PID 4680 wrote to memory of 2844	4680	2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe	91
PID 2172 wrote to memory of 5100	2172	{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe	98
PID 2172 wrote to memory of 5100	2172	{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe	98
PID 2172 wrote to memory of 5100	2172	{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe	98
PID 2172 wrote to memory of 3608	2172	{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe	99
PID 2172 wrote to memory of 3608	2172	{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe	99
PID 2172 wrote to memory of 3608	2172	{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe	99
PID 5100 wrote to memory of 1992	5100	{A0191627-2055-4372-98D6-1E598EF621B6}.exe	100
PID 5100 wrote to memory of 1992	5100	{A0191627-2055-4372-98D6-1E598EF621B6}.exe	100
PID 5100 wrote to memory of 1992	5100	{A0191627-2055-4372-98D6-1E598EF621B6}.exe	100
PID 5100 wrote to memory of 4012	5100	{A0191627-2055-4372-98D6-1E598EF621B6}.exe	101
PID 5100 wrote to memory of 4012	5100	{A0191627-2055-4372-98D6-1E598EF621B6}.exe	101
PID 5100 wrote to memory of 4012	5100	{A0191627-2055-4372-98D6-1E598EF621B6}.exe	101
PID 1992 wrote to memory of 3340	1992	{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe	102
PID 1992 wrote to memory of 3340	1992	{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe	102
PID 1992 wrote to memory of 3340	1992	{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe	102
PID 1992 wrote to memory of 2300	1992	{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe	103
PID 1992 wrote to memory of 2300	1992	{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe	103
PID 1992 wrote to memory of 2300	1992	{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe	103
PID 3340 wrote to memory of 3388	3340	{A743037E-6143-4c94-B3D9-4032914CEF43}.exe	104
PID 3340 wrote to memory of 3388	3340	{A743037E-6143-4c94-B3D9-4032914CEF43}.exe	104
PID 3340 wrote to memory of 3388	3340	{A743037E-6143-4c94-B3D9-4032914CEF43}.exe	104
PID 3340 wrote to memory of 412	3340	{A743037E-6143-4c94-B3D9-4032914CEF43}.exe	105
PID 3340 wrote to memory of 412	3340	{A743037E-6143-4c94-B3D9-4032914CEF43}.exe	105
PID 3340 wrote to memory of 412	3340	{A743037E-6143-4c94-B3D9-4032914CEF43}.exe	105
PID 3388 wrote to memory of 1260	3388	{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe	106
PID 3388 wrote to memory of 1260	3388	{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe	106
PID 3388 wrote to memory of 1260	3388	{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe	106
PID 3388 wrote to memory of 4824	3388	{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe	107
PID 3388 wrote to memory of 4824	3388	{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe	107
PID 3388 wrote to memory of 4824	3388	{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe	107
PID 1260 wrote to memory of 2060	1260	{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe	108
PID 1260 wrote to memory of 2060	1260	{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe	108
PID 1260 wrote to memory of 2060	1260	{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe	108
PID 1260 wrote to memory of 408	1260	{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe	109
PID 1260 wrote to memory of 408	1260	{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe	109
PID 1260 wrote to memory of 408	1260	{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe	109
PID 2060 wrote to memory of 1680	2060	{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe	110
PID 2060 wrote to memory of 1680	2060	{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe	110
PID 2060 wrote to memory of 1680	2060	{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe	110
PID 2060 wrote to memory of 1232	2060	{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe	111
PID 2060 wrote to memory of 1232	2060	{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe	111
PID 2060 wrote to memory of 1232	2060	{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe	111
PID 1680 wrote to memory of 264	1680	{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe	112
PID 1680 wrote to memory of 264	1680	{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe	112
PID 1680 wrote to memory of 264	1680	{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe	112
PID 1680 wrote to memory of 3128	1680	{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe	113
PID 1680 wrote to memory of 3128	1680	{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe	113
PID 1680 wrote to memory of 3128	1680	{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe	113
PID 264 wrote to memory of 4404	264	{02FC23F7-C46D-402a-9494-E088A45794F9}.exe	114
PID 264 wrote to memory of 4404	264	{02FC23F7-C46D-402a-9494-E088A45794F9}.exe	114
PID 264 wrote to memory of 4404	264	{02FC23F7-C46D-402a-9494-E088A45794F9}.exe	114
PID 264 wrote to memory of 2248	264	{02FC23F7-C46D-402a-9494-E088A45794F9}.exe	115
PID 264 wrote to memory of 2248	264	{02FC23F7-C46D-402a-9494-E088A45794F9}.exe	115
PID 264 wrote to memory of 2248	264	{02FC23F7-C46D-402a-9494-E088A45794F9}.exe	115
PID 4404 wrote to memory of 3472	4404	{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe	116
PID 4404 wrote to memory of 3472	4404	{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe	116
PID 4404 wrote to memory of 3472	4404	{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe	116
PID 4404 wrote to memory of 3804	4404	{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_4dd9eec38fa5c3e555f75579e99008ed_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe
  C:\Windows\{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\{A0191627-2055-4372-98D6-1E598EF621B6}.exe
    C:\Windows\{A0191627-2055-4372-98D6-1E598EF621B6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe
      C:\Windows\{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\{A743037E-6143-4c94-B3D9-4032914CEF43}.exe
        
        C:\Windows\{A743037E-6143-4c94-B3D9-4032914CEF43}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3340
      - C:\Windows\{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe
        
        C:\Windows\{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe
        
        C:\Windows\{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe
        
        C:\Windows\{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe
        
        C:\Windows\{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{02FC23F7-C46D-402a-9494-E088A45794F9}.exe
        
        C:\Windows\{02FC23F7-C46D-402a-9494-E088A45794F9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe
        
        C:\Windows\{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\{2D0BA58A-A956-43ce-8E5D-2CFB5FBF4A69}.exe
        
        C:\Windows\{2D0BA58A-A956-43ce-8E5D-2CFB5FBF4A69}.exe
        12⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EAE0~1.EXE > nul
        12⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02FC2~1.EXE > nul
        11⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EC68~1.EXE > nul
        10⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7C84~1.EXE > nul
        9⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{407DD~1.EXE > nul
        8⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12A63~1.EXE > nul
        7⤵
        
        PID:4824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7430~1.EXE > nul
        6⤵
        
        PID:412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94F0B~1.EXE > nul
        5⤵
        
        PID:2300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A0191~1.EXE > nul
      4⤵
      PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6028D~1.EXE > nul
    3⤵
    PID:3608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02FC23F7-C46D-402a-9494-E088A45794F9}.exe

Filesize
204KB

MD5
f0445f3031180cf71b91a3882b2016b7

SHA1
e87a2f1403804a51293df81961a043ca6d2b21b3

SHA256
18a5ae6e41b561827642645ba1bf579229d25ccd3ae61bb49e2e62b99b6ee457

SHA512
9d1593254fd8b28270d6173dfa0e07a5c146901715d06482dae3e567245a17f841955f26caf4fcb6e47b221d5efbeaf1f824bf2a6468bae6431390e7edcef4e7

Download Submit
C:\Windows\{12A6372C-B7BF-4d54-B0B1-135D827E8CA3}.exe

Filesize
204KB

MD5
c3187376bf86d0a3ab7b7c1e7a35e265

SHA1
d153aef615545033bd4f66d6add8a39dd7706f7f

SHA256
4d22d847f6c2f9d758d465d06677e7754f374f1d7a9f9e8933bf44addb23063e

SHA512
09139111962fbdd65607e8272a93f8cbc4a797eb29eb10bbb210535855013549ebfa933c415c7eb46581b76f2af753faa57d510b12a83cdbb3d57b846d7c5973

Download Submit
C:\Windows\{2D0BA58A-A956-43ce-8E5D-2CFB5FBF4A69}.exe

Filesize
204KB

MD5
10a5b9ddad805ad848952d1e08025c64

SHA1
df1c406f3e266adf8fbc767ed74738f4d4ce836f

SHA256
e3fdde9a810f1724fbf631e6f1201deaae291700fad52ba4cae2a3af1b2cd1a5

SHA512
ae654fdecf8f66080f5fbf466698d6ba50b450a2c559caef37e28b25b2d5d69b4c2523268b98cd9dac292d838a290ddf74644ef888eae208a4f30c1871fd34db

Download Submit
C:\Windows\{407DD94B-00FE-4821-B971-2C4A8E0A31BB}.exe

Filesize
204KB

MD5
14af2279b7614ced597cc7e2dae48522

SHA1
cb4d896d079a1f7d417bce40759d48a10ae39350

SHA256
0764e564a141e1921f19680826aa842e923d42b229ca3c927e11d3834159174e

SHA512
398677ac856c5a5aea78c4234d209ecdb142d94e1a83a535fa117cefa1f6622ef2e569fc0c98318adb17e86365b4e8637048c7f22569b31085048ce78f1ca7f2

Download Submit
C:\Windows\{6028D1F1-F148-47f0-B333-A58FF5C96064}.exe

Filesize
204KB

MD5
df4c63179e3d660a5766675cdeca5d4f

SHA1
045660e8865b706f88d6c2c266dae780fe865785

SHA256
90e58026f8dd18964b996a29b8e2303bb3e12c3c0f0f2934fae5d21c5481d8e9

SHA512
5191382fb335e936d61a60c23a51810dff1e267b83020b8287bbd265a7727fe886a64e79a5804a81ab4333073280658e85eac6c8094ce6d319ccec5e75664afe

Download Submit
C:\Windows\{6EC68D19-817B-4f75-9449-1509D46FD0EF}.exe

Filesize
204KB

MD5
ef6661d877d6670df051a8c7b62e3aea

SHA1
81a754a4592d31e5e7ab4471eaac9b9f40aba2bb

SHA256
18452b5fa0ab36e907618885fecd74921d234c907c92f445e2ba6539e6532951

SHA512
ccf69b356585166da886028d8c9d3577d7a6befc2571c16a385b7fb501673d53fae24ee488c55190701b155dcf02b66e376f28bd733e5a8f24915f41bea1cf90

Download Submit
C:\Windows\{8EAE090C-BEA5-4434-9CC0-41D5C749C492}.exe

Filesize
204KB

MD5
63c8e73c99e25c29396e9d9c38ca6393

SHA1
e5c69ea9cf8b659dcc18f93eb0b82e23fee07127

SHA256
bfcd0bc9d75795b4332a7e705f6f51f55bc71cf28b985e36657a755905d5387f

SHA512
4099492ac4c692dfaa0918bf2bc07ff77b017e72c6590b0cedb90e36889fce880c6900df31ad0751022e03aff3735ee9f08ad4f3bc021cc5e8823c8f52be420e

Download Submit
C:\Windows\{94F0BBF5-F59A-4e70-B25D-FBB582A469D9}.exe

Filesize
204KB

MD5
43e4ef32d31d965522ab1f494fd74129

SHA1
2a2f51c8a1465ec892c2b8482a32658e89e934f7

SHA256
ed4da945406a51697bb8db637122107431918d7f5fb32add1b98fa17219eccad

SHA512
18c73d51db86951584dce1986d6415d3f2d6da5d7a9ffb782b2af25ce976dee3d4664a7cb29d90f90050cfa8e7e1eb5c836b58ef8784f04f0874ba837cff3435

Download Submit
C:\Windows\{A0191627-2055-4372-98D6-1E598EF621B6}.exe

Filesize
204KB

MD5
8eb1ee8f943027c86fa30ed5600ca014

SHA1
541dc3b7450290a9f2cbc18d200a872ae7e9edec

SHA256
1ebe19496966912ce401312cb03e0d0bcf55c1934e1b6a87d50c60a93f9551e8

SHA512
864b5d25540be8114458c2b3bd031a4a9d1905619bb87fa1ce7af9a1124082077c66563d5dcd4e16e63654d432d2dcd34ed267bd00d5de772173f0080353f0b6

Download Submit
C:\Windows\{A743037E-6143-4c94-B3D9-4032914CEF43}.exe

Filesize
204KB

MD5
2f8af349a4e9f2af5da8cc37a5fa37eb

SHA1
b4dc21737e5728016c520cf4b2fbfdef4b6aafa2

SHA256
506574a37229c7c87b1e7e920edb72a8e8f7109a5c987e7da585bab8dfc3c4b3

SHA512
5d3f4d94f9645321900e0cd37d97cc36ff3bff36877c32ec2b4bab70a674100f5c1b4e0cdf94cde6e819983b02fcfcf9090b218ce598f516148c9b69dac99545

Download Submit
C:\Windows\{E7C84D66-4F83-45ec-BAB1-944E85588941}.exe

Filesize
204KB

MD5
f2dd6d78fb6194f87089a9f86f0dfe62

SHA1
e6e353033ca81898a52c8a1a21707aa25fd95888

SHA256
608e7eed36bf1333fd2ce5fc82313653fcbf3b8afee8bbd6d2d323d9868572c0

SHA512
0c8f953e084496307385def916ecb80ccb6c77ce2970df8f28a9c014bad816667abde0663c55c983c3b210ef551cacf9c45af7318b4bbdc7a9de6022ccce98da

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads