96f7e901ba2792abb0c3fbe32cc482d1ffc180de8b9ddc4eeebe0c9338005e4a

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 20:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe
Size

408KB
MD5

e16cf07f15f6b57decdecc58a931a981
SHA1

484c24779c9aec3c93c8981ad4a97b346fa15aa1
SHA256

96f7e901ba2792abb0c3fbe32cc482d1ffc180de8b9ddc4eeebe0c9338005e4a
SHA512

89e6fd7fc0f5e51528b0c4f82ecad145d93f7e1c92e2b741f6c446c55b4191c4df86fa9a54734b68c266cb1bbd46dc0dbf3c0e17f7f79c4805277348601a0c48
SSDEEP

3072:CEGh0oWl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEG0ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002340c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002340d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023415-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e74c-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023415-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e74c-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023415-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e74c-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023415-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e74c-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023411-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e74c-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F731427-8302-4d7e-921C-1E04E2AFBC8E}\stubpath = "C:\\Windows\\{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe"	{75FA4033-58DC-450e-9B60-CD49E213B071}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}\stubpath = "C:\\Windows\\{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe"	{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87093F7C-469E-4c3a-9CE9-03182FFF69E1}	{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10352696-3336-4726-A0F8-82834822A379}	{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39475DC2-6910-43f4-BE23-0550F438153C}\stubpath = "C:\\Windows\\{39475DC2-6910-43f4-BE23-0550F438153C}.exe"	{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E31E9437-B8EE-41db-BCFF-E379EC966944}\stubpath = "C:\\Windows\\{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe"	{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D64277-9E2B-4065-ADA4-7E809A11794A}\stubpath = "C:\\Windows\\{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe"	{10352696-3336-4726-A0F8-82834822A379}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}	{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39475DC2-6910-43f4-BE23-0550F438153C}	{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75FA4033-58DC-450e-9B60-CD49E213B071}	{AF929DD3-5404-4417-909E-037F46042EC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}	{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28DD1E66-EBFD-41d2-B6E3-151F62308502}\stubpath = "C:\\Windows\\{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe"	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E31E9437-B8EE-41db-BCFF-E379EC966944}	{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06993B99-831C-4d96-8A3C-EB5889B2C475}	{87093F7C-469E-4c3a-9CE9-03182FFF69E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06993B99-831C-4d96-8A3C-EB5889B2C475}\stubpath = "C:\\Windows\\{06993B99-831C-4d96-8A3C-EB5889B2C475}.exe"	{87093F7C-469E-4c3a-9CE9-03182FFF69E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF929DD3-5404-4417-909E-037F46042EC7}	{39475DC2-6910-43f4-BE23-0550F438153C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F731427-8302-4d7e-921C-1E04E2AFBC8E}	{75FA4033-58DC-450e-9B60-CD49E213B071}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87093F7C-469E-4c3a-9CE9-03182FFF69E1}\stubpath = "C:\\Windows\\{87093F7C-469E-4c3a-9CE9-03182FFF69E1}.exe"	{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28DD1E66-EBFD-41d2-B6E3-151F62308502}	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}\stubpath = "C:\\Windows\\{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe"	{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF929DD3-5404-4417-909E-037F46042EC7}\stubpath = "C:\\Windows\\{AF929DD3-5404-4417-909E-037F46042EC7}.exe"	{39475DC2-6910-43f4-BE23-0550F438153C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75FA4033-58DC-450e-9B60-CD49E213B071}\stubpath = "C:\\Windows\\{75FA4033-58DC-450e-9B60-CD49E213B071}.exe"	{AF929DD3-5404-4417-909E-037F46042EC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10352696-3336-4726-A0F8-82834822A379}\stubpath = "C:\\Windows\\{10352696-3336-4726-A0F8-82834822A379}.exe"	{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D64277-9E2B-4065-ADA4-7E809A11794A}	{10352696-3336-4726-A0F8-82834822A379}.exe

Executes dropped EXE 12 IoCs

pid	Process
1920	{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe
3736	{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe
3912	{10352696-3336-4726-A0F8-82834822A379}.exe
2624	{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe
1488	{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe
880	{39475DC2-6910-43f4-BE23-0550F438153C}.exe
3544	{AF929DD3-5404-4417-909E-037F46042EC7}.exe
4184	{75FA4033-58DC-450e-9B60-CD49E213B071}.exe
3132	{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe
736	{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe
1716	{87093F7C-469E-4c3a-9CE9-03182FFF69E1}.exe
2984	{06993B99-831C-4d96-8A3C-EB5889B2C475}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe
File created	C:\Windows\{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe	{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe
File created	C:\Windows\{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe	{75FA4033-58DC-450e-9B60-CD49E213B071}.exe
File created	C:\Windows\{87093F7C-469E-4c3a-9CE9-03182FFF69E1}.exe	{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe
File created	C:\Windows\{06993B99-831C-4d96-8A3C-EB5889B2C475}.exe	{87093F7C-469E-4c3a-9CE9-03182FFF69E1}.exe
File created	C:\Windows\{75FA4033-58DC-450e-9B60-CD49E213B071}.exe	{AF929DD3-5404-4417-909E-037F46042EC7}.exe
File created	C:\Windows\{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe	{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe
File created	C:\Windows\{10352696-3336-4726-A0F8-82834822A379}.exe	{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe
File created	C:\Windows\{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe	{10352696-3336-4726-A0F8-82834822A379}.exe
File created	C:\Windows\{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe	{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe
File created	C:\Windows\{39475DC2-6910-43f4-BE23-0550F438153C}.exe	{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe
File created	C:\Windows\{AF929DD3-5404-4417-909E-037F46042EC7}.exe	{39475DC2-6910-43f4-BE23-0550F438153C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4496	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1920	{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe
Token: SeIncBasePriorityPrivilege	3736	{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe
Token: SeIncBasePriorityPrivilege	3912	{10352696-3336-4726-A0F8-82834822A379}.exe
Token: SeIncBasePriorityPrivilege	2624	{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe
Token: SeIncBasePriorityPrivilege	1488	{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe
Token: SeIncBasePriorityPrivilege	880	{39475DC2-6910-43f4-BE23-0550F438153C}.exe
Token: SeIncBasePriorityPrivilege	3544	{AF929DD3-5404-4417-909E-037F46042EC7}.exe
Token: SeIncBasePriorityPrivilege	4184	{75FA4033-58DC-450e-9B60-CD49E213B071}.exe
Token: SeIncBasePriorityPrivilege	3132	{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe
Token: SeIncBasePriorityPrivilege	736	{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe
Token: SeIncBasePriorityPrivilege	1716	{87093F7C-469E-4c3a-9CE9-03182FFF69E1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 1920	4496	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	88
PID 4496 wrote to memory of 1920	4496	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	88
PID 4496 wrote to memory of 1920	4496	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	88
PID 4496 wrote to memory of 4364	4496	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	89
PID 4496 wrote to memory of 4364	4496	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	89
PID 4496 wrote to memory of 4364	4496	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	89
PID 1920 wrote to memory of 3736	1920	{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe	90
PID 1920 wrote to memory of 3736	1920	{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe	90
PID 1920 wrote to memory of 3736	1920	{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe	90
PID 1920 wrote to memory of 2684	1920	{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe	91
PID 1920 wrote to memory of 2684	1920	{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe	91
PID 1920 wrote to memory of 2684	1920	{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe	91
PID 3736 wrote to memory of 3912	3736	{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe	94
PID 3736 wrote to memory of 3912	3736	{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe	94
PID 3736 wrote to memory of 3912	3736	{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe	94
PID 3736 wrote to memory of 3716	3736	{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe	95
PID 3736 wrote to memory of 3716	3736	{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe	95
PID 3736 wrote to memory of 3716	3736	{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe	95
PID 3912 wrote to memory of 2624	3912	{10352696-3336-4726-A0F8-82834822A379}.exe	97
PID 3912 wrote to memory of 2624	3912	{10352696-3336-4726-A0F8-82834822A379}.exe	97
PID 3912 wrote to memory of 2624	3912	{10352696-3336-4726-A0F8-82834822A379}.exe	97
PID 3912 wrote to memory of 320	3912	{10352696-3336-4726-A0F8-82834822A379}.exe	98
PID 3912 wrote to memory of 320	3912	{10352696-3336-4726-A0F8-82834822A379}.exe	98
PID 3912 wrote to memory of 320	3912	{10352696-3336-4726-A0F8-82834822A379}.exe	98
PID 2624 wrote to memory of 1488	2624	{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe	99
PID 2624 wrote to memory of 1488	2624	{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe	99
PID 2624 wrote to memory of 1488	2624	{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe	99
PID 2624 wrote to memory of 4580	2624	{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe	100
PID 2624 wrote to memory of 4580	2624	{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe	100
PID 2624 wrote to memory of 4580	2624	{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe	100
PID 1488 wrote to memory of 880	1488	{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe	101
PID 1488 wrote to memory of 880	1488	{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe	101
PID 1488 wrote to memory of 880	1488	{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe	101
PID 1488 wrote to memory of 384	1488	{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe	102
PID 1488 wrote to memory of 384	1488	{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe	102
PID 1488 wrote to memory of 384	1488	{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe	102
PID 880 wrote to memory of 3544	880	{39475DC2-6910-43f4-BE23-0550F438153C}.exe	103
PID 880 wrote to memory of 3544	880	{39475DC2-6910-43f4-BE23-0550F438153C}.exe	103
PID 880 wrote to memory of 3544	880	{39475DC2-6910-43f4-BE23-0550F438153C}.exe	103
PID 880 wrote to memory of 4060	880	{39475DC2-6910-43f4-BE23-0550F438153C}.exe	104
PID 880 wrote to memory of 4060	880	{39475DC2-6910-43f4-BE23-0550F438153C}.exe	104
PID 880 wrote to memory of 4060	880	{39475DC2-6910-43f4-BE23-0550F438153C}.exe	104
PID 3544 wrote to memory of 4184	3544	{AF929DD3-5404-4417-909E-037F46042EC7}.exe	105
PID 3544 wrote to memory of 4184	3544	{AF929DD3-5404-4417-909E-037F46042EC7}.exe	105
PID 3544 wrote to memory of 4184	3544	{AF929DD3-5404-4417-909E-037F46042EC7}.exe	105
PID 3544 wrote to memory of 3020	3544	{AF929DD3-5404-4417-909E-037F46042EC7}.exe	106
PID 3544 wrote to memory of 3020	3544	{AF929DD3-5404-4417-909E-037F46042EC7}.exe	106
PID 3544 wrote to memory of 3020	3544	{AF929DD3-5404-4417-909E-037F46042EC7}.exe	106
PID 4184 wrote to memory of 3132	4184	{75FA4033-58DC-450e-9B60-CD49E213B071}.exe	107
PID 4184 wrote to memory of 3132	4184	{75FA4033-58DC-450e-9B60-CD49E213B071}.exe	107
PID 4184 wrote to memory of 3132	4184	{75FA4033-58DC-450e-9B60-CD49E213B071}.exe	107
PID 4184 wrote to memory of 1048	4184	{75FA4033-58DC-450e-9B60-CD49E213B071}.exe	108
PID 4184 wrote to memory of 1048	4184	{75FA4033-58DC-450e-9B60-CD49E213B071}.exe	108
PID 4184 wrote to memory of 1048	4184	{75FA4033-58DC-450e-9B60-CD49E213B071}.exe	108
PID 3132 wrote to memory of 736	3132	{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe	109
PID 3132 wrote to memory of 736	3132	{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe	109
PID 3132 wrote to memory of 736	3132	{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe	109
PID 3132 wrote to memory of 4936	3132	{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe	110
PID 3132 wrote to memory of 4936	3132	{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe	110
PID 3132 wrote to memory of 4936	3132	{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe	110
PID 736 wrote to memory of 1716	736	{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe	111
PID 736 wrote to memory of 1716	736	{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe	111
PID 736 wrote to memory of 1716	736	{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe	111
PID 736 wrote to memory of 3488	736	{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe
  C:\Windows\{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe
    C:\Windows\{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\{10352696-3336-4726-A0F8-82834822A379}.exe
      C:\Windows\{10352696-3336-4726-A0F8-82834822A379}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Windows\{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe
        
        C:\Windows\{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe
        
        C:\Windows\{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\{39475DC2-6910-43f4-BE23-0550F438153C}.exe
        
        C:\Windows\{39475DC2-6910-43f4-BE23-0550F438153C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\{AF929DD3-5404-4417-909E-037F46042EC7}.exe
        
        C:\Windows\{AF929DD3-5404-4417-909E-037F46042EC7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\{75FA4033-58DC-450e-9B60-CD49E213B071}.exe
        
        C:\Windows\{75FA4033-58DC-450e-9B60-CD49E213B071}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe
        
        C:\Windows\{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe
        
        C:\Windows\{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\{87093F7C-469E-4c3a-9CE9-03182FFF69E1}.exe
        
        C:\Windows\{87093F7C-469E-4c3a-9CE9-03182FFF69E1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\{06993B99-831C-4d96-8A3C-EB5889B2C475}.exe
        
        C:\Windows\{06993B99-831C-4d96-8A3C-EB5889B2C475}.exe
        13⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87093~1.EXE > nul
        13⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36D2F~1.EXE > nul
        12⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F731~1.EXE > nul
        11⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75FA4~1.EXE > nul
        10⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF929~1.EXE > nul
        9⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39475~1.EXE > nul
        8⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94F9F~1.EXE > nul
        7⤵
        
        PID:384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17D64~1.EXE > nul
        6⤵
        
        PID:4580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10352~1.EXE > nul
        5⤵
        
        PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E31E9~1.EXE > nul
      4⤵
      PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{28DD1~1.EXE > nul
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06993B99-831C-4d96-8A3C-EB5889B2C475}.exe

Filesize
408KB

MD5
edff960df5fd63869bfa9fade1600af7

SHA1
fe4d32c82499113ea9fd159fa1858a612a7af4b7

SHA256
ccfd8255a863f9d882b355591fccedaf963f87a961a957a82b2b640bc3e1810e

SHA512
d6514536eeab13ff8ac32571372a069fe5197e40248daccc963bd98a6e34aa6a393f30c1e576727c21422047bb316a71edcf96ee1711ef8c90b118dacd34ee24

Download Submit
C:\Windows\{10352696-3336-4726-A0F8-82834822A379}.exe

Filesize
408KB

MD5
564587aac24c89787f5832b2ec400911

SHA1
47e0cc1542f0169a9b658261b5a61d95a216e9b0

SHA256
cbe59317cdd0d478c48b384ecb07478eb7a706ccafa0e69f570d9e2aecd0f38f

SHA512
f449e0eb7c340925577ad6f947d0edea03fae214eed7e290f2d74290b5135ec684466a308532a35ed32ae3585791dde15534ce395dc482c0d7ca63b93faf5963

Download Submit
C:\Windows\{17D64277-9E2B-4065-ADA4-7E809A11794A}.exe

Filesize
408KB

MD5
75c676410afaa56dbcde3362fc6ef72c

SHA1
453fe58431b4871bc585d1934ee43921c85a0200

SHA256
b0a1afdf7f3b2351a387886fea022777f7d123023806567f442915730d6dd5e1

SHA512
813a9e37b80acfefbf87b9f6414cb5e96c73a53f2fb2bbf7982d0577d067ebcc7737ee935d3695e67734664d3dd0ffe5d8e956e9b38d2275bb2bde3ad3767f5b

Download Submit
C:\Windows\{28DD1E66-EBFD-41d2-B6E3-151F62308502}.exe

Filesize
408KB

MD5
f89c33eca0c34270c6c362b511aa02fc

SHA1
cf530d6f021e81a3b08dd55e13c028f84ad69307

SHA256
6e617a46af2aece0a218e6d4dda1bc55656ef4622641929f21b9e4f159a2b70f

SHA512
b630f75007d180eaca39c75aa2769d31d4c6fdb98d0e4e31ee1583aa02c4baa0391cf30354a996876eb41399c9f92f73cba848fad362e2972bd3d64439fad2c9

Download Submit
C:\Windows\{36D2FBBF-70DE-4a3a-A01D-BEF394886A1B}.exe

Filesize
408KB

MD5
3f55bacc6f9b2042c997d0792c9ed7a6

SHA1
b4cb732cfe8fbf4fabb10efeab45d0d10dc1cde3

SHA256
84f813f6026dbd00284aace7c219e6e86625a3eeae597fd5e5f6c1c7de79abb9

SHA512
b9d01a029c2827b67274fe65e1c55a9fdf38174ab335b23042af17ab0fe94058bd929390e288630d8642e935bde4a492ac09854ee0a31f1539f3897f929ea14f

Download Submit
C:\Windows\{39475DC2-6910-43f4-BE23-0550F438153C}.exe

Filesize
408KB

MD5
49eb61cc4e2273b48cb4ef3b4c77050d

SHA1
d74dcb75ac6e63c440a29bff6af5a128d8440789

SHA256
e95d3b76cebb2ffb12d0f0f750a47a2bf61b3d25ee5a28745d442f3122027513

SHA512
e845ba0f0bdd042b6411cf9835dc5e7fa68f5be98aeb93bbd0f2ca7b700c8eaac0b65284798dc3241a3aa11cdc66acb8f7987037786a284f8978c4fd96bea636

Download Submit
C:\Windows\{6F731427-8302-4d7e-921C-1E04E2AFBC8E}.exe

Filesize
408KB

MD5
88df585592017750a59d6c01ca819ece

SHA1
3111919c48df59de7fc1bb4c1a88ea7dfc6d246b

SHA256
a2cf09cc42a4140166c408ce0dcf39ad04e8b461610733882c526b561a5a1940

SHA512
d500d06261d1f713240b2b0bce5bcb132a79a369da612ccbae971f26fd4ed2bed524b0f12dcd86989d4dfa146b8909f0d433d6d9904926c7162aefebe3424ed5

Download Submit
C:\Windows\{75FA4033-58DC-450e-9B60-CD49E213B071}.exe

Filesize
408KB

MD5
8e881606973050269e00bfe85eb9bbc7

SHA1
34a557f961883a9f49408e2ee7eb9b30012c5840

SHA256
547cd324290fc246619d68237ce150ddfc09344357190d73f3046ca7f9dd2690

SHA512
730412efae6a46fceaf703232b462880a5409983c1da84edb9744f7d3447de62fb1876c0044a839691531ec32e3f930b718bbde64fbd431b25be13d366da62fa

Download Submit
C:\Windows\{87093F7C-469E-4c3a-9CE9-03182FFF69E1}.exe

Filesize
408KB

MD5
a0f217c3de1045845e044f55a744d8f4

SHA1
5f6a48662e76e2a67d1a3c593ffb5ac7d741c32e

SHA256
338f5a9506c1152c4756cc5af8f6ad956311ac34648416ed98615aa24b5a3ee3

SHA512
4a39da73d3d0afd04cf60f280b102a397d72183c34eb9b0b8f1bb1acde05c3bba554da87ef0770e55dce8b9a2136a64956691cf1d6c3b9e8eaad531761f8f92d

Download Submit
C:\Windows\{94F9FEB8-A594-4688-8D24-24EA6EFDC8EF}.exe

Filesize
408KB

MD5
d0b5e07a9301d8032862be200bb21093

SHA1
d32fd7b377e7e64c3401f59deea156f1632b43f7

SHA256
cd2444300926764696b99d67747d054e6fed038a59f5c44dd94ad54f41d54ff9

SHA512
bd21db62d0f06bb73c215e1858df1cd772c896c9ad900ab30f8fc014339b7f591ed1d5e06faf0136805ea1982c0aefa69a200cfc897456aa49d52240f13553c6

Download Submit
C:\Windows\{AF929DD3-5404-4417-909E-037F46042EC7}.exe

Filesize
408KB

MD5
eaeac14e25c76ea8e84554fa3bf4c614

SHA1
be3921a09e8f75e8483f92ae73af32817a595653

SHA256
cb2abf290e960c8c2fb8282fec0c66557e00abb57cd023f6cb9aab6bb6f3276a

SHA512
ebb30d5467e2c0500974765ae876334923eed46160713dd778a0a8f5268aced544ca2f2ad77800fbb15bc3a1e49c519f8a5c4a9ae034dcd1249fd136b3e82225

Download Submit
C:\Windows\{E31E9437-B8EE-41db-BCFF-E379EC966944}.exe

Filesize
408KB

MD5
6feafe5d1d52c01688a97e0f17acc78b

SHA1
a275d5ddd2a12df98711c2e5ed38bb8131c806be

SHA256
0445343266907945a518d6abc35d7576192c02c98ae72fc3c2a8744a90cbab89

SHA512
968458ae30f69ce867efdd2cbbbbee32c718bddf55d83602f2a75e8f0bc467f3de861577e7ea198032429569bf8cf4389652ec5658d43c17f31273c31ee2a200

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads