49324dfaa5d9bcc9eaac77902913a62aa95ed99ae9d9de6222e5b1947cc9cde0

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe
Size

180KB
MD5

60b600c9d25f52882858112a359af891
SHA1

aee75c0a22b389f4ef93073b43e1025089163aae
SHA256

49324dfaa5d9bcc9eaac77902913a62aa95ed99ae9d9de6222e5b1947cc9cde0
SHA512

451e7388281c96925493a0e23dedb22202e477b3946cdb60ba45e06f38dba30d1d4beb0ea44c435d6506f9f6d4d6e9f7079d29304acc3f4d6f0f678c199281d3
SSDEEP

3072:jEGh0o0lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG2l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x001100000002321b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023210-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023222-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023210-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa2-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa3-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fa2-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000703-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000703-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B89372E-1B35-4b6a-9CF0-734FD01424EC}	{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B89372E-1B35-4b6a-9CF0-734FD01424EC}\stubpath = "C:\\Windows\\{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe"	{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4582BCC-3BBF-47e5-A518-0C03338F91BD}\stubpath = "C:\\Windows\\{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe"	{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DE67190-39E5-4f15-B142-26B9AE542DF9}	{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04225A55-4ECF-445d-9424-3B8FB46E3581}\stubpath = "C:\\Windows\\{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe"	2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27F26C28-FF71-47ef-A626-ACB2CEA7436F}	{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}\stubpath = "C:\\Windows\\{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe"	{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3620E37F-80AD-477b-B69C-F2E482A1A215}	{03665EBA-B137-46a3-B78D-011FF21C7643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFF06A6E-B4C2-46d9-8BEA-59632695BAD7}\stubpath = "C:\\Windows\\{AFF06A6E-B4C2-46d9-8BEA-59632695BAD7}.exe"	{4DE67190-39E5-4f15-B142-26B9AE542DF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04225A55-4ECF-445d-9424-3B8FB46E3581}	2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{27F26C28-FF71-47ef-A626-ACB2CEA7436F}\stubpath = "C:\\Windows\\{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe"	{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}	{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4582BCC-3BBF-47e5-A518-0C03338F91BD}	{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}\stubpath = "C:\\Windows\\{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe"	{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFF06A6E-B4C2-46d9-8BEA-59632695BAD7}	{4DE67190-39E5-4f15-B142-26B9AE542DF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AF091CF-6F23-4813-BC3C-D072E258A4A2}	{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3620E37F-80AD-477b-B69C-F2E482A1A215}\stubpath = "C:\\Windows\\{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe"	{03665EBA-B137-46a3-B78D-011FF21C7643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD70D1F-8689-4131-B309-A1D27F1319CC}	{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}	{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DE67190-39E5-4f15-B142-26B9AE542DF9}\stubpath = "C:\\Windows\\{4DE67190-39E5-4f15-B142-26B9AE542DF9}.exe"	{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AF091CF-6F23-4813-BC3C-D072E258A4A2}\stubpath = "C:\\Windows\\{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe"	{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03665EBA-B137-46a3-B78D-011FF21C7643}	{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03665EBA-B137-46a3-B78D-011FF21C7643}\stubpath = "C:\\Windows\\{03665EBA-B137-46a3-B78D-011FF21C7643}.exe"	{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CD70D1F-8689-4131-B309-A1D27F1319CC}\stubpath = "C:\\Windows\\{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe"	{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe

Executes dropped EXE 12 IoCs

pid	Process
1456	{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe
632	{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe
1160	{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe
2428	{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe
3604	{03665EBA-B137-46a3-B78D-011FF21C7643}.exe
1784	{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe
3704	{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe
4292	{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe
4344	{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe
4340	{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe
4472	{4DE67190-39E5-4f15-B142-26B9AE542DF9}.exe
2180	{AFF06A6E-B4C2-46d9-8BEA-59632695BAD7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe	{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe
File created	C:\Windows\{03665EBA-B137-46a3-B78D-011FF21C7643}.exe	{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe
File created	C:\Windows\{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe	{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe
File created	C:\Windows\{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe	{03665EBA-B137-46a3-B78D-011FF21C7643}.exe
File created	C:\Windows\{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe	{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe
File created	C:\Windows\{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe	{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe
File created	C:\Windows\{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe	{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe
File created	C:\Windows\{4DE67190-39E5-4f15-B142-26B9AE542DF9}.exe	{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe
File created	C:\Windows\{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe	2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe
File created	C:\Windows\{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe	{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe
File created	C:\Windows\{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe	{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe
File created	C:\Windows\{AFF06A6E-B4C2-46d9-8BEA-59632695BAD7}.exe	{4DE67190-39E5-4f15-B142-26B9AE542DF9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4976	2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1456	{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe
Token: SeIncBasePriorityPrivilege	632	{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe
Token: SeIncBasePriorityPrivilege	1160	{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe
Token: SeIncBasePriorityPrivilege	2428	{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe
Token: SeIncBasePriorityPrivilege	3604	{03665EBA-B137-46a3-B78D-011FF21C7643}.exe
Token: SeIncBasePriorityPrivilege	1784	{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe
Token: SeIncBasePriorityPrivilege	3704	{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe
Token: SeIncBasePriorityPrivilege	4292	{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe
Token: SeIncBasePriorityPrivilege	4344	{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe
Token: SeIncBasePriorityPrivilege	4340	{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe
Token: SeIncBasePriorityPrivilege	4472	{4DE67190-39E5-4f15-B142-26B9AE542DF9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 1456	4976	2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe	92
PID 4976 wrote to memory of 1456	4976	2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe	92
PID 4976 wrote to memory of 1456	4976	2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe	92
PID 4976 wrote to memory of 4180	4976	2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe	93
PID 4976 wrote to memory of 4180	4976	2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe	93
PID 4976 wrote to memory of 4180	4976	2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe	93
PID 1456 wrote to memory of 632	1456	{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe	94
PID 1456 wrote to memory of 632	1456	{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe	94
PID 1456 wrote to memory of 632	1456	{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe	94
PID 1456 wrote to memory of 4032	1456	{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe	95
PID 1456 wrote to memory of 4032	1456	{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe	95
PID 1456 wrote to memory of 4032	1456	{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe	95
PID 632 wrote to memory of 1160	632	{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe	97
PID 632 wrote to memory of 1160	632	{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe	97
PID 632 wrote to memory of 1160	632	{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe	97
PID 632 wrote to memory of 2556	632	{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe	98
PID 632 wrote to memory of 2556	632	{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe	98
PID 632 wrote to memory of 2556	632	{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe	98
PID 1160 wrote to memory of 2428	1160	{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe	99
PID 1160 wrote to memory of 2428	1160	{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe	99
PID 1160 wrote to memory of 2428	1160	{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe	99
PID 1160 wrote to memory of 2032	1160	{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe	100
PID 1160 wrote to memory of 2032	1160	{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe	100
PID 1160 wrote to memory of 2032	1160	{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe	100
PID 2428 wrote to memory of 3604	2428	{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe	101
PID 2428 wrote to memory of 3604	2428	{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe	101
PID 2428 wrote to memory of 3604	2428	{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe	101
PID 2428 wrote to memory of 3880	2428	{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe	102
PID 2428 wrote to memory of 3880	2428	{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe	102
PID 2428 wrote to memory of 3880	2428	{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe	102
PID 3604 wrote to memory of 1784	3604	{03665EBA-B137-46a3-B78D-011FF21C7643}.exe	103
PID 3604 wrote to memory of 1784	3604	{03665EBA-B137-46a3-B78D-011FF21C7643}.exe	103
PID 3604 wrote to memory of 1784	3604	{03665EBA-B137-46a3-B78D-011FF21C7643}.exe	103
PID 3604 wrote to memory of 980	3604	{03665EBA-B137-46a3-B78D-011FF21C7643}.exe	104
PID 3604 wrote to memory of 980	3604	{03665EBA-B137-46a3-B78D-011FF21C7643}.exe	104
PID 3604 wrote to memory of 980	3604	{03665EBA-B137-46a3-B78D-011FF21C7643}.exe	104
PID 1784 wrote to memory of 3704	1784	{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe	105
PID 1784 wrote to memory of 3704	1784	{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe	105
PID 1784 wrote to memory of 3704	1784	{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe	105
PID 1784 wrote to memory of 2896	1784	{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe	106
PID 1784 wrote to memory of 2896	1784	{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe	106
PID 1784 wrote to memory of 2896	1784	{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe	106
PID 3704 wrote to memory of 4292	3704	{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe	107
PID 3704 wrote to memory of 4292	3704	{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe	107
PID 3704 wrote to memory of 4292	3704	{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe	107
PID 3704 wrote to memory of 4916	3704	{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe	108
PID 3704 wrote to memory of 4916	3704	{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe	108
PID 3704 wrote to memory of 4916	3704	{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe	108
PID 4292 wrote to memory of 4344	4292	{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe	109
PID 4292 wrote to memory of 4344	4292	{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe	109
PID 4292 wrote to memory of 4344	4292	{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe	109
PID 4292 wrote to memory of 1344	4292	{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe	110
PID 4292 wrote to memory of 1344	4292	{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe	110
PID 4292 wrote to memory of 1344	4292	{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe	110
PID 4344 wrote to memory of 4340	4344	{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe	111
PID 4344 wrote to memory of 4340	4344	{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe	111
PID 4344 wrote to memory of 4340	4344	{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe	111
PID 4344 wrote to memory of 428	4344	{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe	112
PID 4344 wrote to memory of 428	4344	{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe	112
PID 4344 wrote to memory of 428	4344	{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe	112
PID 4340 wrote to memory of 4472	4340	{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe	113
PID 4340 wrote to memory of 4472	4340	{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe	113
PID 4340 wrote to memory of 4472	4340	{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe	113
PID 4340 wrote to memory of 3220	4340	{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_60b600c9d25f52882858112a359af891_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe
  C:\Windows\{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe
    C:\Windows\{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe
      C:\Windows\{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe
        
        C:\Windows\{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\{03665EBA-B137-46a3-B78D-011FF21C7643}.exe
        
        C:\Windows\{03665EBA-B137-46a3-B78D-011FF21C7643}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe
        
        C:\Windows\{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe
        
        C:\Windows\{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe
        
        C:\Windows\{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe
        
        C:\Windows\{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe
        
        C:\Windows\{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{4DE67190-39E5-4f15-B142-26B9AE542DF9}.exe
        
        C:\Windows\{4DE67190-39E5-4f15-B142-26B9AE542DF9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
        
        C:\Windows\{AFF06A6E-B4C2-46d9-8BEA-59632695BAD7}.exe
        
        C:\Windows\{AFF06A6E-B4C2-46d9-8BEA-59632695BAD7}.exe
        13⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DE67~1.EXE > nul
        13⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4582~1.EXE > nul
        12⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FDAF4~1.EXE > nul
        11⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CD70~1.EXE > nul
        10⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B893~1.EXE > nul
        9⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3620E~1.EXE > nul
        8⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03665~1.EXE > nul
        7⤵
        
        PID:980
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3C04~1.EXE > nul
        6⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AF09~1.EXE > nul
        5⤵
        
        PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{27F26~1.EXE > nul
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{04225~1.EXE > nul
    3⤵
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03665EBA-B137-46a3-B78D-011FF21C7643}.exe

Filesize
180KB

MD5
17736d152e2b6824a724f909736600d1

SHA1
cbbc17c780f2f45dae9715b0c611ff43a39c71c5

SHA256
c2eecb6abb11c6374b02155a8c74702b01467ad68624ff9a3090372469874a0c

SHA512
4b8dceb93cfabf0dc95dc5c77132d12b2b052b70830c42c150604dd112493f0cf113a2f87367ebc6ddb14af588b3d28bf6562d58220b717a5e44e1cb09cff1fd

Download Submit
C:\Windows\{04225A55-4ECF-445d-9424-3B8FB46E3581}.exe

Filesize
180KB

MD5
7d71dafb58b16a49cdc0a71f9bf75709

SHA1
74b9d4da883f89e5716fb0279c78aeea609cc2ea

SHA256
25535061a33619c9dca66895ae3a16755ae54764efaa085ab37d2e297c3f1c1f

SHA512
729dfc2508f7b3a1408cac065e783b2778eb435bd2c7be9873a9680541494406b301852e598929690e366828ca11f80ceb58f42c3943bf6f90e5d32cc09837f9

Download Submit
C:\Windows\{27F26C28-FF71-47ef-A626-ACB2CEA7436F}.exe

Filesize
180KB

MD5
8a51a5395523325cdb501c62d8243f72

SHA1
f4bc77908da21ed7bf4f67cdf89fa2205dabbefb

SHA256
50f7e9f98c638d2063f6b003d1073e2ff73a52069b80ebea4f59094d0f2c1932

SHA512
86bc9f1f2f3ab27da2609ac0a6b9133431261e10fe9fd5d8ff34022bc94d65e58436f6fbdcac285b157a7095b3a119e2e8cbfeaf8c576e61d331481d07796590

Download Submit
C:\Windows\{2AF091CF-6F23-4813-BC3C-D072E258A4A2}.exe

Filesize
180KB

MD5
a19ce3ea81223a7472cf2cfebfef0ee7

SHA1
49058f7df0a3027147a47ee9528916504c7dc79a

SHA256
ac10b9582913225971cdf7097582fc43470037dffdfc4eb23e08e9271d401f39

SHA512
dcec5611f256a4fb975e5a69127c00da4c3c9b2bf491070841356a24dbb2d7034fe7a4d49c2dcb65a4d5a9150e360d0f6d304b649b96dc797d71dec64decd82f

Download Submit
C:\Windows\{3620E37F-80AD-477b-B69C-F2E482A1A215}.exe

Filesize
180KB

MD5
43ed131817fc44467f51db8068de88c3

SHA1
d4a87924a87976a3ec75b95c550ed5dddddf43da

SHA256
54f79c0355bd0e0f305e8cec88413324feac2ab0eda0cec84bfa5bbe74aea355

SHA512
e9576936a7f0652c2dce25ca54a473617ade23016532e19af89b90f3a8083395fd66630e92fb80de54395484ff5b466ce5596c6c8ef085f7ee14b792373c245f

Download Submit
C:\Windows\{4B89372E-1B35-4b6a-9CF0-734FD01424EC}.exe

Filesize
180KB

MD5
278e642fcdd41b6a08b9ca8e5e6fae2f

SHA1
7db7d1a4d14181a6d9045dcb44a9284235163188

SHA256
277ec4899ab0669c705c19048f5197a7e04451121346e746de11e1036dc9616b

SHA512
cbf888f9ff37a485d89fb72fc20e070b498e4adeadb9eec1a535966bedb52d34934244639d985a6279ef91c8ec0f84330b9acc449cb1813f7fcfa503597668bc

Download Submit
C:\Windows\{4CD70D1F-8689-4131-B309-A1D27F1319CC}.exe

Filesize
180KB

MD5
dcada28001aef5b820daafc52613ea00

SHA1
9db25e3984c746890d56a0976ae34686d0c51a65

SHA256
1e38eab2ea713019bdc51aea5131e65c0a637e09ae69f244558e8ac0ffc63325

SHA512
ad6724d412f95bf92c5fc5da018d736c2a0e15797ddb80fbaddb48694ddff9d751d6c5f8649dbb4aad5bc5475fa10e664ee012931b0a9bb4d83a600ad9248d3b

Download Submit
C:\Windows\{4DE67190-39E5-4f15-B142-26B9AE542DF9}.exe

Filesize
180KB

MD5
86df92c56ed03542f48dbb0afacc85a9

SHA1
1e80a6f96d15c30fd3dd77877eaed25c9636dbb4

SHA256
08a79d47781de5fc7cb0f677b54ae25cfd72509b202ab82ea0d16211a6b400d2

SHA512
0eb37809b52cf9ad8a87388e489bc346d2f9b61c98a1f160cbeaf2812348ce0c478611d605b9363a7e109500d2b9cb1b5b1f6f16462d1aca96b11d7bf543f8b3

Download Submit
C:\Windows\{AFF06A6E-B4C2-46d9-8BEA-59632695BAD7}.exe

Filesize
180KB

MD5
a3ff20dc83dc3e3275e7173a3bb13251

SHA1
7ef648835a304256c14fc907e7415872fd672d8b

SHA256
09a7ed87744236120f79224ac987f205bdbf3d36140244053d6a959215b98da2

SHA512
e94f70af9e2febafbdecf634279eaca8c761bb407950e8c99289222bb831a595de56013a5db59ac0c5ad8f3bac10e34959d0698b76ad3765fa5bcfe4d7bb6906

Download Submit
C:\Windows\{C3C049D2-2EF1-4c48-8006-0DFB5E8E1935}.exe

Filesize
180KB

MD5
be909ebe9026fb381c0a359c945fe957

SHA1
c9b81033993f13b6c30ed38487917f2bfc23ebbb

SHA256
cd6d2b24c5bb02919a0ae4531f7417110bccabf3b9ddb6fa5b64f2d2111d6027

SHA512
2c6c69b63cff59dbd5cff37d2e6f221fe3d49b1e42e1925c19abdc77e4492624cd43450530085cc9f72a94281c0382c1b54d1155fcfbc52aae3b6c5171da48cb

Download Submit
C:\Windows\{E4582BCC-3BBF-47e5-A518-0C03338F91BD}.exe

Filesize
180KB

MD5
c86d7f2afd02f2307359d08f854732b7

SHA1
45837fd03f515146845b71f14ba877562eb9910a

SHA256
e7764df79e480019293184b7ce6128b43a49b22309958b85fec29873fa33c8c7

SHA512
2e5d9f2989bde6defb836ed3b9059e6fbcf9ae6de40142bbdff8ee9e7939000b78971f3d71a545e143b5dad733f0dcdf5a87733053caf1bbe4752b7d9c5af645

Download Submit
C:\Windows\{FDAF471F-D958-4f4b-A1C2-D9E0302689D8}.exe

Filesize
180KB

MD5
a951284735bbb925c983ea50e2c3ae08

SHA1
cbe37790cdec6dd9df67babc3e9db92d5c232189

SHA256
f5ffdcd2a5a2302e4978bc38c4df9ee6afdfec088f1386bf238645d43ee47963

SHA512
a68d2f9ac8ad74ec67f3c12eb55d4f56094549ed08957acfdfe29402aa4538c8ed68d9269cdf640a7fb3348e7f43fd448b51f6011d4c82e3a5b244c82020fc14

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads