899abfeacc8a5603c15e0579688405ff8541d0241e174b6009dfac95c9f83d24

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe
Size

408KB
MD5

c5ea9ceb439a00213a35e329951520fe
SHA1

d1ca2185baab12023f2f8cf98ea13eb69989d418
SHA256

899abfeacc8a5603c15e0579688405ff8541d0241e174b6009dfac95c9f83d24
SHA512

484661f568bf8497f225e326f269b3cff67419e2f75ff2fe1a990445a424290d7b66ceba88c4ecedde274b2d1952618eeb2eb6aed32f227b5a61a8f49d8b4789
SSDEEP

3072:CEGh0osl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGCldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000800000002340e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002340f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023417-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e74c-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023417-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e74c-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023417-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e74c-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023417-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e74c-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023413-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F64A28B-D7F3-4887-8C01-B3C5A0082932}	{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEF08C80-45F1-4589-8213-55C5E7D96A56}\stubpath = "C:\\Windows\\{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe"	2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}	{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE312238-7B16-4eb6-A208-BA70C81A303C}	{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F64A28B-D7F3-4887-8C01-B3C5A0082932}\stubpath = "C:\\Windows\\{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe"	{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3233F5FD-51B1-494c-BD86-AB39878C8BA5}	{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3233F5FD-51B1-494c-BD86-AB39878C8BA5}\stubpath = "C:\\Windows\\{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe"	{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFBBEC45-8048-40cc-A8C4-D244959F336E}\stubpath = "C:\\Windows\\{AFBBEC45-8048-40cc-A8C4-D244959F336E}.exe"	{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}	{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}\stubpath = "C:\\Windows\\{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe"	{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FC4EB39-1B45-4a54-9371-C04086E98A05}	{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6F27E90-3313-47e0-80AD-7943E60F09C4}	{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6F27E90-3313-47e0-80AD-7943E60F09C4}\stubpath = "C:\\Windows\\{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe"	{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFBBEC45-8048-40cc-A8C4-D244959F336E}	{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9D26117-FA35-4320-AB3F-CBD107710CD9}	{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9D26117-FA35-4320-AB3F-CBD107710CD9}\stubpath = "C:\\Windows\\{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe"	{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}	{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}\stubpath = "C:\\Windows\\{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe"	{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}\stubpath = "C:\\Windows\\{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe"	{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE312238-7B16-4eb6-A208-BA70C81A303C}\stubpath = "C:\\Windows\\{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe"	{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FC4EB39-1B45-4a54-9371-C04086E98A05}\stubpath = "C:\\Windows\\{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe"	{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEF08C80-45F1-4589-8213-55C5E7D96A56}	2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe

Executes dropped EXE 11 IoCs

pid	Process
2656	{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe
2256	{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe
2704	{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe
4868	{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe
5044	{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe
3592	{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe
2504	{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe
4848	{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe
4400	{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe
3492	{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe
2996	{AFBBEC45-8048-40cc-A8C4-D244959F336E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe	{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe
File created	C:\Windows\{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe	{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe
File created	C:\Windows\{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe	{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe
File created	C:\Windows\{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe	{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe
File created	C:\Windows\{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe	{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe
File created	C:\Windows\{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe	{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe
File created	C:\Windows\{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe	{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe
File created	C:\Windows\{AFBBEC45-8048-40cc-A8C4-D244959F336E}.exe	{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe
File created	C:\Windows\{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe	2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe
File created	C:\Windows\{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe	{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe
File created	C:\Windows\{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe	{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4940	2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2656	{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe
Token: SeIncBasePriorityPrivilege	2256	{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe
Token: SeIncBasePriorityPrivilege	2704	{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe
Token: SeIncBasePriorityPrivilege	4868	{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe
Token: SeIncBasePriorityPrivilege	5044	{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe
Token: SeIncBasePriorityPrivilege	3592	{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe
Token: SeIncBasePriorityPrivilege	2504	{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe
Token: SeIncBasePriorityPrivilege	4848	{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe
Token: SeIncBasePriorityPrivilege	4400	{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe
Token: SeIncBasePriorityPrivilege	3492	{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 2656	4940	2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe	88
PID 4940 wrote to memory of 2656	4940	2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe	88
PID 4940 wrote to memory of 2656	4940	2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe	88
PID 4940 wrote to memory of 4716	4940	2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe	89
PID 4940 wrote to memory of 4716	4940	2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe	89
PID 4940 wrote to memory of 4716	4940	2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe	89
PID 2656 wrote to memory of 2256	2656	{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe	90
PID 2656 wrote to memory of 2256	2656	{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe	90
PID 2656 wrote to memory of 2256	2656	{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe	90
PID 2656 wrote to memory of 5068	2656	{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe	91
PID 2656 wrote to memory of 5068	2656	{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe	91
PID 2656 wrote to memory of 5068	2656	{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe	91
PID 2256 wrote to memory of 2704	2256	{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe	94
PID 2256 wrote to memory of 2704	2256	{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe	94
PID 2256 wrote to memory of 2704	2256	{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe	94
PID 2256 wrote to memory of 4552	2256	{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe	95
PID 2256 wrote to memory of 4552	2256	{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe	95
PID 2256 wrote to memory of 4552	2256	{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe	95
PID 2704 wrote to memory of 4868	2704	{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe	97
PID 2704 wrote to memory of 4868	2704	{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe	97
PID 2704 wrote to memory of 4868	2704	{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe	97
PID 2704 wrote to memory of 2040	2704	{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe	98
PID 2704 wrote to memory of 2040	2704	{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe	98
PID 2704 wrote to memory of 2040	2704	{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe	98
PID 4868 wrote to memory of 5044	4868	{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe	99
PID 4868 wrote to memory of 5044	4868	{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe	99
PID 4868 wrote to memory of 5044	4868	{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe	99
PID 4868 wrote to memory of 3772	4868	{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe	100
PID 4868 wrote to memory of 3772	4868	{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe	100
PID 4868 wrote to memory of 3772	4868	{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe	100
PID 5044 wrote to memory of 3592	5044	{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe	101
PID 5044 wrote to memory of 3592	5044	{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe	101
PID 5044 wrote to memory of 3592	5044	{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe	101
PID 5044 wrote to memory of 796	5044	{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe	102
PID 5044 wrote to memory of 796	5044	{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe	102
PID 5044 wrote to memory of 796	5044	{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe	102
PID 3592 wrote to memory of 2504	3592	{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe	103
PID 3592 wrote to memory of 2504	3592	{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe	103
PID 3592 wrote to memory of 2504	3592	{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe	103
PID 3592 wrote to memory of 3088	3592	{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe	104
PID 3592 wrote to memory of 3088	3592	{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe	104
PID 3592 wrote to memory of 3088	3592	{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe	104
PID 2504 wrote to memory of 4848	2504	{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe	105
PID 2504 wrote to memory of 4848	2504	{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe	105
PID 2504 wrote to memory of 4848	2504	{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe	105
PID 2504 wrote to memory of 1404	2504	{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe	106
PID 2504 wrote to memory of 1404	2504	{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe	106
PID 2504 wrote to memory of 1404	2504	{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe	106
PID 4848 wrote to memory of 4400	4848	{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe	107
PID 4848 wrote to memory of 4400	4848	{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe	107
PID 4848 wrote to memory of 4400	4848	{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe	107
PID 4848 wrote to memory of 4404	4848	{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe	108
PID 4848 wrote to memory of 4404	4848	{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe	108
PID 4848 wrote to memory of 4404	4848	{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe	108
PID 4400 wrote to memory of 3492	4400	{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe	109
PID 4400 wrote to memory of 3492	4400	{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe	109
PID 4400 wrote to memory of 3492	4400	{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe	109
PID 4400 wrote to memory of 1168	4400	{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe	110
PID 4400 wrote to memory of 1168	4400	{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe	110
PID 4400 wrote to memory of 1168	4400	{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe	110
PID 3492 wrote to memory of 2996	3492	{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe	111
PID 3492 wrote to memory of 2996	3492	{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe	111
PID 3492 wrote to memory of 2996	3492	{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe	111
PID 3492 wrote to memory of 2784	3492	{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_c5ea9ceb439a00213a35e329951520fe_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe
  C:\Windows\{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe
    C:\Windows\{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe
      C:\Windows\{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe
        
        C:\Windows\{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
      - C:\Windows\{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe
        
        C:\Windows\{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe
        
        C:\Windows\{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe
        
        C:\Windows\{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe
        
        C:\Windows\{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe
        
        C:\Windows\{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe
        
        C:\Windows\{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\{AFBBEC45-8048-40cc-A8C4-D244959F336E}.exe
        
        C:\Windows\{AFBBEC45-8048-40cc-A8C4-D244959F336E}.exe
        12⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6F27~1.EXE > nul
        12⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FC4E~1.EXE > nul
        11⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3233F~1.EXE > nul
        10⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F64A~1.EXE > nul
        9⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE312~1.EXE > nul
        8⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98E5F~1.EXE > nul
        7⤵
        
        PID:796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DFAE~1.EXE > nul
        6⤵
        
        PID:3772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE1E8~1.EXE > nul
        5⤵
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D9D26~1.EXE > nul
      4⤵
      PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EEF08~1.EXE > nul
    3⤵
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2F64A28B-D7F3-4887-8C01-B3C5A0082932}.exe

Filesize
408KB

MD5
d5018f8db49d48e9a5ed3ffc581bf58b

SHA1
e992233563ff38425dc499926b0211669029bfb7

SHA256
0b9f9fe498aee0a7db29532b9327a7487b3013da7c2fabe2889fdd4c9f207ab5

SHA512
f721480504703d59c5c73331141d69f8d89454138a122920f47829e9981fa83c37b358fd9821c6cde72ea3cb860310e6fe8424c391ed035b667d573ca34f6241

Download Submit
C:\Windows\{3233F5FD-51B1-494c-BD86-AB39878C8BA5}.exe

Filesize
408KB

MD5
8c16149861f1c3ce98f3bc57659e6d0c

SHA1
7c97a483ad12ca5f0afe6fb42395ce0dcf77b1fc

SHA256
a53a51f313dc9875064f3c672d7565bfd38f69725e8ffb13070019edd4984908

SHA512
2f1dfa473be1ca38ed0301e4288606afa9339a2cc42524964f6eaf697a885160e8deeaf56e8181b8d63d0db263ddad82ad4af7a4dbe59bbfd74c665b25b44a70

Download Submit
C:\Windows\{3FC4EB39-1B45-4a54-9371-C04086E98A05}.exe

Filesize
408KB

MD5
6ef6badd8869c18c9ed95f5b428905a2

SHA1
509b69038713eb0d946f1983363a96ef7964e005

SHA256
f473026f610836ef74a77aaa8226d78f84d1de9eb39019358db59a6257f5c298

SHA512
8cea888f38a2891e5192f6c20386982cd719e25bd83dee3fdbb8a26e5659962834757955d2524a51ffa64b5c46222f72a352a4da74d34c38aba84e97bc0f1e25

Download Submit
C:\Windows\{5DFAE56F-1EBE-43d1-A114-6B37DFF0A652}.exe

Filesize
408KB

MD5
5a8b4908b1823f37c002cd6d267ca839

SHA1
ced41c7053dbd78abdea9580a5622d7aaa64db04

SHA256
0ecb30b752c8eb1277c1ac9e5af27fe82cdecf9ce089930298bef53cbe3357f1

SHA512
0a14d9bf20473e73a4178f23fd46ce221723d4d9c880aaea0ae7339ec333b23b40964445c8cf2248d48855313e2d5ff143dc6bb619dd3ad2257d3855bbb251b4

Download Submit
C:\Windows\{98E5F49E-1224-47f7-ABB8-17F186B6C3BD}.exe

Filesize
408KB

MD5
d2cb2ab8fffa5f9dd085047af50394f5

SHA1
ac1bf299ddeee55ff6d3809529788981d3fe4e13

SHA256
c177cf3fe0a22b5de39c6f61d05d1606b4c6d75d336f06e5daaa9b0d31fea999

SHA512
0a40fbbe8ee31c3223478602f87ab5455f6a2bea5206239b6094939e4be41f7e6908e3a04f3ef0b98cb877aafd01583df83e6d834421e2cdb057702dd3bdd33e

Download Submit
C:\Windows\{AFBBEC45-8048-40cc-A8C4-D244959F336E}.exe

Filesize
408KB

MD5
550406e78f84aaca895c3c80b4c2fce7

SHA1
d1c9c93e3e1c0293f05a8f1df1f1adc7e957b5cc

SHA256
7afe32a2d023f89f876094d18b094a4a2f970d91803196091fdd55f684675f5d

SHA512
92c07550a33a62dc8e65eedeba60008bf9a21289b8badc20090e3719d2cf7c57037157ee0016fbffdb9c585853a6aa0ff745f5a8640561672afe4a75ba9932bd

Download Submit
C:\Windows\{C6F27E90-3313-47e0-80AD-7943E60F09C4}.exe

Filesize
408KB

MD5
dc080909a29b9e4958b75205295f933b

SHA1
9e81e35b63bb6d965f9983b200fb8c3538e51f91

SHA256
4ebbe2776df58703a2ea1cb779b2b9b80e347c7a5c2e512646dd6591a6df6685

SHA512
0535acc4c868c55d43c1102b46f9410c32647455bb77ae2f2d266de3240b5b216b533dcc5f1e115d1bff46e1a06b174d26587a7c5b7d057c073fca5c41d759e4

Download Submit
C:\Windows\{D9D26117-FA35-4320-AB3F-CBD107710CD9}.exe

Filesize
408KB

MD5
6f4dd042608d4f58254121332ba6474d

SHA1
a27235c17a6f5ad0f907a27f4333cfb56a3f8808

SHA256
f438c22a09cdc14859717b55f72646ebfd27cf48a40700c206bf110f7810fe02

SHA512
ae119c670ab320c9ec77030a93cc084e2862c6a9c89e5aa10136f15d838eb68193173eb9abfdef2d0dc4d003e4349a6a8e1ded3d6ac3638c9f8abd44be7ac8cd

Download Submit
C:\Windows\{EE312238-7B16-4eb6-A208-BA70C81A303C}.exe

Filesize
408KB

MD5
e6fb630671c62aeb2069cd39900967bf

SHA1
75c9438a6f2fc395f618e183bef0cbbea5e3fb6c

SHA256
a314ce7cbb09878a6aa48f7c8c094b85a95665bc8e1c58777f87111c45a34dc4

SHA512
2dcf1fec1dd8e1b64cf4f4f6efb674ab2488a5741929816a7af7e4ccc13e03d87afdb6d76b04c426c30fb0472c86515ac92af57a7870c30293616d9634b939e3

Download Submit
C:\Windows\{EEF08C80-45F1-4589-8213-55C5E7D96A56}.exe

Filesize
408KB

MD5
6abf04c8f23ad8d3de9052f897a74979

SHA1
b9a2767f403d3a2f2dcd47ff3ee7dc6e94a49449

SHA256
a06e2ef951079fd07321f468da1db8e47d8fc8c580af66237f03d19ad7ac8557

SHA512
ec1f0a29b083848f24198e48023a198a5b319627b517043f314d2acf5e75ba6c99762a3ae564445accc4e309ed090491cd1004bf26c900c9334b2a5fe11da534

Download Submit
C:\Windows\{FE1E85AE-C0C2-4407-B6F1-2154132EFE1E}.exe

Filesize
408KB

MD5
e22a3bfe9c642df304418f4fe64070a0

SHA1
c612107ce0c5b3f3a63de880f1005366fc0f3cff

SHA256
8b779f1efe5feb045c76930e1313b4a91b252e177a705c59028e62aefd05682e

SHA512
ddc25ed94ed8e5c7d22dadb19a3e963828bdd6f2b50a8e758b90970875078dec8b6d7c36780e61122e2dd0f3f5af97640555ae7f2427bdc97799f92142fe32a6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads