a15e9139c6b7fcdabf3ed41d83b54806eb0410d2da6902d9300f2b5dbd2185b6

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe
Size

204KB
MD5

15b5cace224c58021da8f962de4f3657
SHA1

7e22e8e979d37e296ba600640f88ce56c17437b7
SHA256

a15e9139c6b7fcdabf3ed41d83b54806eb0410d2da6902d9300f2b5dbd2185b6
SHA512

d74971c98013d3a56b66574d55ccb90990f7f6fb5415425eaf65563d80b23869fb9e47c7787332eb8d239c4f366863247a9815a1457a8fe109a6be0ade2920f7
SSDEEP

1536:1EGh0oml15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oml1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023386-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023388-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342e-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023431-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002342e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023431-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002342e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023431-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002342e-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023431-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023432-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023431-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEA14808-993A-43be-9132-0855D1A6D910}	{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A29E35FC-E01E-47c1-B52A-62138F526E94}\stubpath = "C:\\Windows\\{A29E35FC-E01E-47c1-B52A-62138F526E94}.exe"	{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B66B8DF-310A-4aeb-9538-3794B4404378}	{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}\stubpath = "C:\\Windows\\{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe"	{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}	{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2394E741-BD0C-472d-9D41-87467BF771E5}\stubpath = "C:\\Windows\\{2394E741-BD0C-472d-9D41-87467BF771E5}.exe"	{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51A97E96-33ED-466a-A2DD-6010F6DC75BD}\stubpath = "C:\\Windows\\{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe"	{2394E741-BD0C-472d-9D41-87467BF771E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A29E35FC-E01E-47c1-B52A-62138F526E94}	{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16835282-2390-4f87-A986-ABB3475E46D8}	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16835282-2390-4f87-A986-ABB3475E46D8}\stubpath = "C:\\Windows\\{16835282-2390-4f87-A986-ABB3475E46D8}.exe"	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{039458EA-2638-4768-A229-C5355FCB297C}\stubpath = "C:\\Windows\\{039458EA-2638-4768-A229-C5355FCB297C}.exe"	{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5CB2641-A397-4498-85C2-E139A6E2A8DA}\stubpath = "C:\\Windows\\{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe"	{039458EA-2638-4768-A229-C5355FCB297C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B66B8DF-310A-4aeb-9538-3794B4404378}\stubpath = "C:\\Windows\\{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe"	{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEA14808-993A-43be-9132-0855D1A6D910}\stubpath = "C:\\Windows\\{BEA14808-993A-43be-9132-0855D1A6D910}.exe"	{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E78BF56F-90C9-41b8-BAE9-706F6E170921}	{A29E35FC-E01E-47c1-B52A-62138F526E94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E78BF56F-90C9-41b8-BAE9-706F6E170921}\stubpath = "C:\\Windows\\{E78BF56F-90C9-41b8-BAE9-706F6E170921}.exe"	{A29E35FC-E01E-47c1-B52A-62138F526E94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}	{16835282-2390-4f87-A986-ABB3475E46D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}\stubpath = "C:\\Windows\\{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe"	{16835282-2390-4f87-A986-ABB3475E46D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}	{BEA14808-993A-43be-9132-0855D1A6D910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}\stubpath = "C:\\Windows\\{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe"	{BEA14808-993A-43be-9132-0855D1A6D910}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2394E741-BD0C-472d-9D41-87467BF771E5}	{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51A97E96-33ED-466a-A2DD-6010F6DC75BD}	{2394E741-BD0C-472d-9D41-87467BF771E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{039458EA-2638-4768-A229-C5355FCB297C}	{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5CB2641-A397-4498-85C2-E139A6E2A8DA}	{039458EA-2638-4768-A229-C5355FCB297C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1412	{16835282-2390-4f87-A986-ABB3475E46D8}.exe
5024	{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe
5004	{039458EA-2638-4768-A229-C5355FCB297C}.exe
3384	{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe
3060	{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe
4900	{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe
3456	{BEA14808-993A-43be-9132-0855D1A6D910}.exe
1012	{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe
1352	{2394E741-BD0C-472d-9D41-87467BF771E5}.exe
1860	{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe
772	{A29E35FC-E01E-47c1-B52A-62138F526E94}.exe
180	{E78BF56F-90C9-41b8-BAE9-706F6E170921}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{16835282-2390-4f87-A986-ABB3475E46D8}.exe	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe
File created	C:\Windows\{039458EA-2638-4768-A229-C5355FCB297C}.exe	{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe
File created	C:\Windows\{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe	{039458EA-2638-4768-A229-C5355FCB297C}.exe
File created	C:\Windows\{2394E741-BD0C-472d-9D41-87467BF771E5}.exe	{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe
File created	C:\Windows\{A29E35FC-E01E-47c1-B52A-62138F526E94}.exe	{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe
File created	C:\Windows\{E78BF56F-90C9-41b8-BAE9-706F6E170921}.exe	{A29E35FC-E01E-47c1-B52A-62138F526E94}.exe
File created	C:\Windows\{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe	{16835282-2390-4f87-A986-ABB3475E46D8}.exe
File created	C:\Windows\{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe	{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe
File created	C:\Windows\{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe	{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe
File created	C:\Windows\{BEA14808-993A-43be-9132-0855D1A6D910}.exe	{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe
File created	C:\Windows\{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe	{BEA14808-993A-43be-9132-0855D1A6D910}.exe
File created	C:\Windows\{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe	{2394E741-BD0C-472d-9D41-87467BF771E5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1208	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1412	{16835282-2390-4f87-A986-ABB3475E46D8}.exe
Token: SeIncBasePriorityPrivilege	5024	{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe
Token: SeIncBasePriorityPrivilege	5004	{039458EA-2638-4768-A229-C5355FCB297C}.exe
Token: SeIncBasePriorityPrivilege	3384	{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe
Token: SeIncBasePriorityPrivilege	3060	{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe
Token: SeIncBasePriorityPrivilege	4900	{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe
Token: SeIncBasePriorityPrivilege	3456	{BEA14808-993A-43be-9132-0855D1A6D910}.exe
Token: SeIncBasePriorityPrivilege	1012	{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe
Token: SeIncBasePriorityPrivilege	1352	{2394E741-BD0C-472d-9D41-87467BF771E5}.exe
Token: SeIncBasePriorityPrivilege	1860	{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe
Token: SeIncBasePriorityPrivilege	772	{A29E35FC-E01E-47c1-B52A-62138F526E94}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1412	1208	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	94
PID 1208 wrote to memory of 1412	1208	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	94
PID 1208 wrote to memory of 1412	1208	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	94
PID 1208 wrote to memory of 3296	1208	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	95
PID 1208 wrote to memory of 3296	1208	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	95
PID 1208 wrote to memory of 3296	1208	2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe	95
PID 1412 wrote to memory of 5024	1412	{16835282-2390-4f87-A986-ABB3475E46D8}.exe	96
PID 1412 wrote to memory of 5024	1412	{16835282-2390-4f87-A986-ABB3475E46D8}.exe	96
PID 1412 wrote to memory of 5024	1412	{16835282-2390-4f87-A986-ABB3475E46D8}.exe	96
PID 1412 wrote to memory of 4340	1412	{16835282-2390-4f87-A986-ABB3475E46D8}.exe	97
PID 1412 wrote to memory of 4340	1412	{16835282-2390-4f87-A986-ABB3475E46D8}.exe	97
PID 1412 wrote to memory of 4340	1412	{16835282-2390-4f87-A986-ABB3475E46D8}.exe	97
PID 5024 wrote to memory of 5004	5024	{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe	100
PID 5024 wrote to memory of 5004	5024	{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe	100
PID 5024 wrote to memory of 5004	5024	{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe	100
PID 5024 wrote to memory of 2728	5024	{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe	101
PID 5024 wrote to memory of 2728	5024	{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe	101
PID 5024 wrote to memory of 2728	5024	{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe	101
PID 5004 wrote to memory of 3384	5004	{039458EA-2638-4768-A229-C5355FCB297C}.exe	103
PID 5004 wrote to memory of 3384	5004	{039458EA-2638-4768-A229-C5355FCB297C}.exe	103
PID 5004 wrote to memory of 3384	5004	{039458EA-2638-4768-A229-C5355FCB297C}.exe	103
PID 5004 wrote to memory of 3240	5004	{039458EA-2638-4768-A229-C5355FCB297C}.exe	104
PID 5004 wrote to memory of 3240	5004	{039458EA-2638-4768-A229-C5355FCB297C}.exe	104
PID 5004 wrote to memory of 3240	5004	{039458EA-2638-4768-A229-C5355FCB297C}.exe	104
PID 3384 wrote to memory of 3060	3384	{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe	105
PID 3384 wrote to memory of 3060	3384	{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe	105
PID 3384 wrote to memory of 3060	3384	{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe	105
PID 3384 wrote to memory of 5092	3384	{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe	106
PID 3384 wrote to memory of 5092	3384	{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe	106
PID 3384 wrote to memory of 5092	3384	{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe	106
PID 3060 wrote to memory of 4900	3060	{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe	107
PID 3060 wrote to memory of 4900	3060	{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe	107
PID 3060 wrote to memory of 4900	3060	{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe	107
PID 3060 wrote to memory of 3040	3060	{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe	108
PID 3060 wrote to memory of 3040	3060	{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe	108
PID 3060 wrote to memory of 3040	3060	{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe	108
PID 4900 wrote to memory of 3456	4900	{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe	109
PID 4900 wrote to memory of 3456	4900	{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe	109
PID 4900 wrote to memory of 3456	4900	{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe	109
PID 4900 wrote to memory of 2324	4900	{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe	110
PID 4900 wrote to memory of 2324	4900	{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe	110
PID 4900 wrote to memory of 2324	4900	{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe	110
PID 3456 wrote to memory of 1012	3456	{BEA14808-993A-43be-9132-0855D1A6D910}.exe	111
PID 3456 wrote to memory of 1012	3456	{BEA14808-993A-43be-9132-0855D1A6D910}.exe	111
PID 3456 wrote to memory of 1012	3456	{BEA14808-993A-43be-9132-0855D1A6D910}.exe	111
PID 3456 wrote to memory of 4204	3456	{BEA14808-993A-43be-9132-0855D1A6D910}.exe	112
PID 3456 wrote to memory of 4204	3456	{BEA14808-993A-43be-9132-0855D1A6D910}.exe	112
PID 3456 wrote to memory of 4204	3456	{BEA14808-993A-43be-9132-0855D1A6D910}.exe	112
PID 1012 wrote to memory of 1352	1012	{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe	113
PID 1012 wrote to memory of 1352	1012	{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe	113
PID 1012 wrote to memory of 1352	1012	{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe	113
PID 1012 wrote to memory of 872	1012	{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe	114
PID 1012 wrote to memory of 872	1012	{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe	114
PID 1012 wrote to memory of 872	1012	{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe	114
PID 1352 wrote to memory of 1860	1352	{2394E741-BD0C-472d-9D41-87467BF771E5}.exe	115
PID 1352 wrote to memory of 1860	1352	{2394E741-BD0C-472d-9D41-87467BF771E5}.exe	115
PID 1352 wrote to memory of 1860	1352	{2394E741-BD0C-472d-9D41-87467BF771E5}.exe	115
PID 1352 wrote to memory of 2536	1352	{2394E741-BD0C-472d-9D41-87467BF771E5}.exe	116
PID 1352 wrote to memory of 2536	1352	{2394E741-BD0C-472d-9D41-87467BF771E5}.exe	116
PID 1352 wrote to memory of 2536	1352	{2394E741-BD0C-472d-9D41-87467BF771E5}.exe	116
PID 1860 wrote to memory of 772	1860	{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe	117
PID 1860 wrote to memory of 772	1860	{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe	117
PID 1860 wrote to memory of 772	1860	{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe	117
PID 1860 wrote to memory of 4472	1860	{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_15b5cace224c58021da8f962de4f3657_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\{16835282-2390-4f87-A986-ABB3475E46D8}.exe
  C:\Windows\{16835282-2390-4f87-A986-ABB3475E46D8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe
    C:\Windows\{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\{039458EA-2638-4768-A229-C5355FCB297C}.exe
      C:\Windows\{039458EA-2638-4768-A229-C5355FCB297C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe
        
        C:\Windows\{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
      - C:\Windows\{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe
        
        C:\Windows\{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe
        
        C:\Windows\{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{BEA14808-993A-43be-9132-0855D1A6D910}.exe
        
        C:\Windows\{BEA14808-993A-43be-9132-0855D1A6D910}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe
        
        C:\Windows\{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{2394E741-BD0C-472d-9D41-87467BF771E5}.exe
        
        C:\Windows\{2394E741-BD0C-472d-9D41-87467BF771E5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe
        
        C:\Windows\{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\{A29E35FC-E01E-47c1-B52A-62138F526E94}.exe
        
        C:\Windows\{A29E35FC-E01E-47c1-B52A-62138F526E94}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\{E78BF56F-90C9-41b8-BAE9-706F6E170921}.exe
        
        C:\Windows\{E78BF56F-90C9-41b8-BAE9-706F6E170921}.exe
        13⤵
        Executes dropped EXE
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A29E3~1.EXE > nul
        13⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51A97~1.EXE > nul
        12⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2394E~1.EXE > nul
        11⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC0D8~1.EXE > nul
        10⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEA14~1.EXE > nul
        9⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D885~1.EXE > nul
        8⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B66B~1.EXE > nul
        7⤵
        
        PID:3040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5CB2~1.EXE > nul
        6⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03945~1.EXE > nul
        5⤵
        
        PID:3240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AB874~1.EXE > nul
      4⤵
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{16835~1.EXE > nul
    3⤵
    PID:4340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{039458EA-2638-4768-A229-C5355FCB297C}.exe

Filesize
204KB

MD5
540d0aaab9cccba4217fe86ab0107fe3

SHA1
c267bdd2af93f6a20335bc3d3b42bd54ef2e0e8e

SHA256
1af03caa09ba87dc90653dd7526da01972483ddfaf5a8c45ffc4ed34def743d1

SHA512
0dc13722e700c309f7b5a2fd9c890dd749fc635c569db5a61dee120c51a92c1da269197275661af092e8a685a92637863f53cec12ead57515d031dee36810dd4

Download Submit
C:\Windows\{16835282-2390-4f87-A986-ABB3475E46D8}.exe

Filesize
204KB

MD5
0e706e8c784cd969a6e5438f677c3a67

SHA1
0356c6e9149d90f8a4895334cb59bfc4cb3cd388

SHA256
1f730bc2c8e028f6a61f3c7e78c0ea38d63f53da0978b4f0982e43877ce9bac6

SHA512
e7ca839dc04de0c2c763481fb6a83ba50168b38bae889111fa74914059610457d7e2a2dbb9ea1e3558e56f32f33e2d842d7f04a12dd1ad7a0e67486cf2ca9d35

Download Submit
C:\Windows\{2394E741-BD0C-472d-9D41-87467BF771E5}.exe

Filesize
204KB

MD5
4d8e489c1e4b0a8f893b4f1082e013da

SHA1
379397767b8305a44214725b3972c558931104f7

SHA256
083ee850654a83d092c37abad5c38b2090ef41a3d2361b44e0e0056f0bae5ce4

SHA512
757f9507f6f7b35576adaa9f4e34caa305557624f03ed674a30aca473e4d9599e2a711f2420940a505c6b596b78032aa67b9c603ce571f28aa60fa0db3a7ca7e

Download Submit
C:\Windows\{51A97E96-33ED-466a-A2DD-6010F6DC75BD}.exe

Filesize
204KB

MD5
ea138991e924b714c8c51db189c3c73f

SHA1
084647c025f39bf71461f228e7452b3f0c8037ff

SHA256
553527cbeda29f6c29f7e92848162f4afa058fc99bbb780f1caa7cee4041d5c2

SHA512
93f7f5782c3787465d63f7e3e9663d5e5c4cdb7564aca9db02c0270888b4c85625db19af2b938e6f6aa3fed2fede797384320435ff5052256bca36c61cff54ea

Download Submit
C:\Windows\{5B66B8DF-310A-4aeb-9538-3794B4404378}.exe

Filesize
204KB

MD5
24ac99693de21c3f4d3fd9c282e029d6

SHA1
ad0b0399c670f452c0fd4475dd95dfa0e6b94f45

SHA256
c66065d417bbef4e2fa51ab0ad3b14844d122350e65f35fc64eafff0ef8ef86a

SHA512
396bb01cf73937c12c1b3e2b6c1064b611cd6b918c3ce8f6cea7294cb84dc41851fca86657706db968bbbb701c602453d3b4c66f8da7034eb42c12dff090d6c1

Download Submit
C:\Windows\{6D885C94-3CEE-4e9a-8D0F-6F73A23E936C}.exe

Filesize
204KB

MD5
affbcba995510bcda9e2f9629ff5cf4f

SHA1
04ce5258aef6fc12e50f9243fb615263aad5b9b5

SHA256
7292049605dc22cf1ab1aae024487449fe513b14163a4c0cf673e1588d50c97c

SHA512
62b02d0f089b34d0303ffc90278c57869df6cf5e4c102c94f927aaad0f7d8dcace5e97765f53f3616ccd71b7f46766ba61c14f6efc31c0cd39626ef9de657c98

Download Submit
C:\Windows\{A29E35FC-E01E-47c1-B52A-62138F526E94}.exe

Filesize
204KB

MD5
ebb8ad0216f27222f8b032cdf03e5c8c

SHA1
fb82104e3a015554e87fa3ec82040bc7e031c95b

SHA256
624458a5e4b2baa59e95614304526dd3e790f1a287a63cfbb7d47c39b3daa45e

SHA512
797d4653962b164d07ce1c05dabae9427d607ffb9e2960beebc24334a2eb4a9d1f73548c09d954a9fda7e022ba1195356fcb11ed9da1d34e58370cccde7d16d1

Download Submit
C:\Windows\{AB874FF5-DB05-408d-A8F5-D237CD78D1AE}.exe

Filesize
204KB

MD5
c2334d26617e864252c25e563c17d84b

SHA1
fc86bfc003c1bbb9e15f7d3c1dcf0c5c109d4b1b

SHA256
d811e45cee9803470728cdfa39535a0b79ef12b2b0968348fcd75d0b5a78a52b

SHA512
e4b6a9779e54cb9dc10a105d90fee7cb0e521d9353dbe78a90939f3aebaedafa102ab5abab497b93933bae3af4c45f5c93f20a55acff259ec75ca805a27d15a0

Download Submit
C:\Windows\{BEA14808-993A-43be-9132-0855D1A6D910}.exe

Filesize
204KB

MD5
64ea18c5ebdb99c0d1809d6d210a62bf

SHA1
ad5d4fe1a2de871e1cb7b8b3a99ea0aafbb797f6

SHA256
c4f75622c5ca7fa55517e358c874f77ce3e6b9e9eb2b67013920ca67d7d0378b

SHA512
bb4ebe5bc389e0b0a20af18395e5c8c5baff474362fc3e01c7feee61a88ea7915791dba71be04bcf4dd6d9f940eecd45c5774e0eb327bfd02bfb3c37464564ca

Download Submit
C:\Windows\{CC0D83F9-63CB-4814-B8A0-60BB2A077D5F}.exe

Filesize
204KB

MD5
6d931a6d9dca09bab7ad2c094de38922

SHA1
8f091fa4827cd0671c3bd13d15de265779fd7bb3

SHA256
e8f95a0653926b25c515abd356e3e1b8b67c8b430aa75b6e6cea9752cc14d977

SHA512
b9262872d3f43521626f82dc5f61cb85ae56348a63c0c09d17eb2eee73c5311aa9639549f940493bd4908f472e067449733ce9870c4557e1a6aa5dcc2b81e013

Download Submit
C:\Windows\{E5CB2641-A397-4498-85C2-E139A6E2A8DA}.exe

Filesize
204KB

MD5
1e0a04d368a46cbf2b88f85e7e6ec2f3

SHA1
e0989e6756122ad4e813441101e8b784e60bddc0

SHA256
8b285beab5bab77bac49133aa9e6f74b13fed6a56fa429cfa30fbdd16a427de8

SHA512
9aca05a783ec1c44bd83b35b1ae5d4998062f084c0fbd0af76e77d9047ac3d901ad260170351bb2429f0a204d3f3f2fc3194857838689d33c129ec8b4c0a4e4e

Download Submit
C:\Windows\{E78BF56F-90C9-41b8-BAE9-706F6E170921}.exe

Filesize
204KB

MD5
1a3ac6d4707ccd4711497c8612fb5afa

SHA1
8072341cad935a2b59ac462c9979021723dd210e

SHA256
04eeb9015cb75bf92434d4644452127c8349ac80ffee437c1ac4ea2369560b0e

SHA512
bac9c9e4aabe382c03de65539da5cd56279e816fc724ea5028166086b1d353479b5c49f0c6ff7c3bc5f0ec38f17b117bdf8385217e626f5787bc4df981810a01

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads