f7040a78fdd3ef2ca443f3917cc5dae2b0c4928a072d4a734b15696fe3a4ec8a

Analysis

max time kernel
174s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 01:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe
Size

380KB
MD5

12f439753fd8f6337eef8b5531e3945c
SHA1

d00447564f8954256602a133e34a6d9d8b821ed0
SHA256

f7040a78fdd3ef2ca443f3917cc5dae2b0c4928a072d4a734b15696fe3a4ec8a
SHA512

2e3ec8ace3bca4a46a9517ed737a1200ed3c96be8adc2b60954020c1e0b700aec1ab490f02ca66c74a4ce5e7665b51a3c6fedbbef9dec8ee636e5c747bad7691
SSDEEP

3072:mEGh0orlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGhl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023425-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023407-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002341f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023422-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023374-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002341f-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023374-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002341f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023374-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002341e-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023374-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}	{7F96951C-B974-41a8-A566-8927F91E366E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}\stubpath = "C:\\Windows\\{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe"	{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}\stubpath = "C:\\Windows\\{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe"	2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{447DB318-166D-420f-82B9-496D8538A1CB}	{94A92271-42C6-420f-92D3-95A985ECAD85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EE1540E-F88D-46db-9F3F-814356A02F00}\stubpath = "C:\\Windows\\{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe"	{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}\stubpath = "C:\\Windows\\{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe"	{7F96951C-B974-41a8-A566-8927F91E366E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA756E5-F070-4502-8C91-B7532CAC9D82}	{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DA756E5-F070-4502-8C91-B7532CAC9D82}\stubpath = "C:\\Windows\\{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe"	{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}	{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0811EA0-40A5-46bf-B908-4AEDCE278470}	{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}	2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B7352E7-8891-4ed0-B4A6-B97206AEE844}	{447DB318-166D-420f-82B9-496D8538A1CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EE1540E-F88D-46db-9F3F-814356A02F00}	{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0811EA0-40A5-46bf-B908-4AEDCE278470}\stubpath = "C:\\Windows\\{E0811EA0-40A5-46bf-B908-4AEDCE278470}.exe"	{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}\stubpath = "C:\\Windows\\{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe"	{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B7352E7-8891-4ed0-B4A6-B97206AEE844}\stubpath = "C:\\Windows\\{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe"	{447DB318-166D-420f-82B9-496D8538A1CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}	{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F96951C-B974-41a8-A566-8927F91E366E}	{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F96951C-B974-41a8-A566-8927F91E366E}\stubpath = "C:\\Windows\\{7F96951C-B974-41a8-A566-8927F91E366E}.exe"	{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94A92271-42C6-420f-92D3-95A985ECAD85}	{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94A92271-42C6-420f-92D3-95A985ECAD85}\stubpath = "C:\\Windows\\{94A92271-42C6-420f-92D3-95A985ECAD85}.exe"	{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{447DB318-166D-420f-82B9-496D8538A1CB}\stubpath = "C:\\Windows\\{447DB318-166D-420f-82B9-496D8538A1CB}.exe"	{94A92271-42C6-420f-92D3-95A985ECAD85}.exe

Executes dropped EXE 11 IoCs

pid	Process
4600	{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe
3548	{94A92271-42C6-420f-92D3-95A985ECAD85}.exe
3392	{447DB318-166D-420f-82B9-496D8538A1CB}.exe
3796	{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe
4252	{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe
2408	{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe
1188	{7F96951C-B974-41a8-A566-8927F91E366E}.exe
4340	{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe
2852	{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe
4964	{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe
516	{E0811EA0-40A5-46bf-B908-4AEDCE278470}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E0811EA0-40A5-46bf-B908-4AEDCE278470}.exe	{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe
File created	C:\Windows\{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe	2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe
File created	C:\Windows\{7F96951C-B974-41a8-A566-8927F91E366E}.exe	{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe
File created	C:\Windows\{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe	{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe
File created	C:\Windows\{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe	{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe
File created	C:\Windows\{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe	{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe
File created	C:\Windows\{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe	{7F96951C-B974-41a8-A566-8927F91E366E}.exe
File created	C:\Windows\{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe	{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe
File created	C:\Windows\{94A92271-42C6-420f-92D3-95A985ECAD85}.exe	{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe
File created	C:\Windows\{447DB318-166D-420f-82B9-496D8538A1CB}.exe	{94A92271-42C6-420f-92D3-95A985ECAD85}.exe
File created	C:\Windows\{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe	{447DB318-166D-420f-82B9-496D8538A1CB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4972	2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4600	{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe
Token: SeIncBasePriorityPrivilege	3548	{94A92271-42C6-420f-92D3-95A985ECAD85}.exe
Token: SeIncBasePriorityPrivilege	3392	{447DB318-166D-420f-82B9-496D8538A1CB}.exe
Token: SeIncBasePriorityPrivilege	3796	{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe
Token: SeIncBasePriorityPrivilege	4252	{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe
Token: SeIncBasePriorityPrivilege	2408	{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe
Token: SeIncBasePriorityPrivilege	1188	{7F96951C-B974-41a8-A566-8927F91E366E}.exe
Token: SeIncBasePriorityPrivilege	4340	{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe
Token: SeIncBasePriorityPrivilege	2852	{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe
Token: SeIncBasePriorityPrivilege	4964	{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4600	4972	2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe	90
PID 4972 wrote to memory of 4600	4972	2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe	90
PID 4972 wrote to memory of 4600	4972	2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe	90
PID 4972 wrote to memory of 2928	4972	2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe	91
PID 4972 wrote to memory of 2928	4972	2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe	91
PID 4972 wrote to memory of 2928	4972	2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe	91
PID 4600 wrote to memory of 3548	4600	{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe	92
PID 4600 wrote to memory of 3548	4600	{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe	92
PID 4600 wrote to memory of 3548	4600	{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe	92
PID 4600 wrote to memory of 384	4600	{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe	93
PID 4600 wrote to memory of 384	4600	{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe	93
PID 4600 wrote to memory of 384	4600	{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe	93
PID 3548 wrote to memory of 3392	3548	{94A92271-42C6-420f-92D3-95A985ECAD85}.exe	94
PID 3548 wrote to memory of 3392	3548	{94A92271-42C6-420f-92D3-95A985ECAD85}.exe	94
PID 3548 wrote to memory of 3392	3548	{94A92271-42C6-420f-92D3-95A985ECAD85}.exe	94
PID 3548 wrote to memory of 3396	3548	{94A92271-42C6-420f-92D3-95A985ECAD85}.exe	95
PID 3548 wrote to memory of 3396	3548	{94A92271-42C6-420f-92D3-95A985ECAD85}.exe	95
PID 3548 wrote to memory of 3396	3548	{94A92271-42C6-420f-92D3-95A985ECAD85}.exe	95
PID 3392 wrote to memory of 3796	3392	{447DB318-166D-420f-82B9-496D8538A1CB}.exe	98
PID 3392 wrote to memory of 3796	3392	{447DB318-166D-420f-82B9-496D8538A1CB}.exe	98
PID 3392 wrote to memory of 3796	3392	{447DB318-166D-420f-82B9-496D8538A1CB}.exe	98
PID 3392 wrote to memory of 2908	3392	{447DB318-166D-420f-82B9-496D8538A1CB}.exe	99
PID 3392 wrote to memory of 2908	3392	{447DB318-166D-420f-82B9-496D8538A1CB}.exe	99
PID 3392 wrote to memory of 2908	3392	{447DB318-166D-420f-82B9-496D8538A1CB}.exe	99
PID 3796 wrote to memory of 4252	3796	{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe	100
PID 3796 wrote to memory of 4252	3796	{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe	100
PID 3796 wrote to memory of 4252	3796	{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe	100
PID 3796 wrote to memory of 1984	3796	{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe	101
PID 3796 wrote to memory of 1984	3796	{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe	101
PID 3796 wrote to memory of 1984	3796	{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe	101
PID 4252 wrote to memory of 2408	4252	{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe	102
PID 4252 wrote to memory of 2408	4252	{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe	102
PID 4252 wrote to memory of 2408	4252	{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe	102
PID 4252 wrote to memory of 4492	4252	{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe	103
PID 4252 wrote to memory of 4492	4252	{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe	103
PID 4252 wrote to memory of 4492	4252	{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe	103
PID 2408 wrote to memory of 1188	2408	{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe	104
PID 2408 wrote to memory of 1188	2408	{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe	104
PID 2408 wrote to memory of 1188	2408	{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe	104
PID 2408 wrote to memory of 3080	2408	{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe	105
PID 2408 wrote to memory of 3080	2408	{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe	105
PID 2408 wrote to memory of 3080	2408	{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe	105
PID 1188 wrote to memory of 4340	1188	{7F96951C-B974-41a8-A566-8927F91E366E}.exe	106
PID 1188 wrote to memory of 4340	1188	{7F96951C-B974-41a8-A566-8927F91E366E}.exe	106
PID 1188 wrote to memory of 4340	1188	{7F96951C-B974-41a8-A566-8927F91E366E}.exe	106
PID 1188 wrote to memory of 4480	1188	{7F96951C-B974-41a8-A566-8927F91E366E}.exe	107
PID 1188 wrote to memory of 4480	1188	{7F96951C-B974-41a8-A566-8927F91E366E}.exe	107
PID 1188 wrote to memory of 4480	1188	{7F96951C-B974-41a8-A566-8927F91E366E}.exe	107
PID 4340 wrote to memory of 2852	4340	{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe	108
PID 4340 wrote to memory of 2852	4340	{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe	108
PID 4340 wrote to memory of 2852	4340	{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe	108
PID 4340 wrote to memory of 2560	4340	{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe	109
PID 4340 wrote to memory of 2560	4340	{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe	109
PID 4340 wrote to memory of 2560	4340	{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe	109
PID 2852 wrote to memory of 4964	2852	{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe	110
PID 2852 wrote to memory of 4964	2852	{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe	110
PID 2852 wrote to memory of 4964	2852	{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe	110
PID 2852 wrote to memory of 3512	2852	{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe	111
PID 2852 wrote to memory of 3512	2852	{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe	111
PID 2852 wrote to memory of 3512	2852	{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe	111
PID 4964 wrote to memory of 516	4964	{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe	112
PID 4964 wrote to memory of 516	4964	{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe	112
PID 4964 wrote to memory of 516	4964	{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe	112
PID 4964 wrote to memory of 5088	4964	{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_12f439753fd8f6337eef8b5531e3945c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe
  C:\Windows\{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\{94A92271-42C6-420f-92D3-95A985ECAD85}.exe
    C:\Windows\{94A92271-42C6-420f-92D3-95A985ECAD85}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\{447DB318-166D-420f-82B9-496D8538A1CB}.exe
      C:\Windows\{447DB318-166D-420f-82B9-496D8538A1CB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3392
    - - C:\Windows\{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe
        
        C:\Windows\{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3796
      - C:\Windows\{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe
        
        C:\Windows\{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe
        
        C:\Windows\{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\{7F96951C-B974-41a8-A566-8927F91E366E}.exe
        
        C:\Windows\{7F96951C-B974-41a8-A566-8927F91E366E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe
        
        C:\Windows\{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe
        
        C:\Windows\{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe
        
        C:\Windows\{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\{E0811EA0-40A5-46bf-B908-4AEDCE278470}.exe
        
        C:\Windows\{E0811EA0-40A5-46bf-B908-4AEDCE278470}.exe
        12⤵
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEC40~1.EXE > nul
        12⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DA75~1.EXE > nul
        11⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{106E3~1.EXE > nul
        10⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F969~1.EXE > nul
        9⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EE15~1.EXE > nul
        8⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8B5F~1.EXE > nul
        7⤵
        
        PID:4492
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B735~1.EXE > nul
        6⤵
        
        PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{447DB~1.EXE > nul
        5⤵
        
        PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{94A92~1.EXE > nul
      4⤵
      PID:3396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3CEE0~1.EXE > nul
    3⤵
    PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B7352E7-8891-4ed0-B4A6-B97206AEE844}.exe

Filesize
380KB

MD5
3c6eabd670ec2395c8da8e8112d650bf

SHA1
fa317237979213c3e1816acc093f9e8fd52c21ce

SHA256
0e4083bed2dd198cbbcf698ee6eb150f0b73aee6a8e790469398c63e37e38c5a

SHA512
f2b93a01ef2b2229fbbf7bd1610d989b9774e8af695968ae46e2d0b13c889d289edb7149c95953d494196822496676d70e5d81e85151f3951ea85a481add2813

Download Submit
C:\Windows\{0DA756E5-F070-4502-8C91-B7532CAC9D82}.exe

Filesize
380KB

MD5
170fe3d61b7edfe34efb8c3b7788899c

SHA1
14b035405c1bc97ab6e1c800bd80c2fe6fb7e2dc

SHA256
1bd689058f1930cb2e723f4fe75bf55257f5c2d8a517b7d88ef1f6ab4c0985d8

SHA512
d8b9a6bdcbd18d0e5b3c1d706647f75f18da7f02cf015c7203ae2df42ae35ba668f5d8a1fba3333d837242e50c3e31d56b68fbb6fe4e7c556272a30b1a83fd61

Download Submit
C:\Windows\{106E3546-0EF5-4971-9ED1-6523D9E8E1D8}.exe

Filesize
380KB

MD5
04298183d14ca8bfa571a7b2488628e9

SHA1
a83b062cdbd850a91796cda28cbace6d8259e9f1

SHA256
aff840620c7e1d23e65da731fc41289c5f7a00d7fdcf8012a231cf2e3309e2ff

SHA512
677d39418087adfd97bf661280d5b7329e5490954c98b02e57a70c52a149569d01914a4b3bfbf806d32021166d80636e04289ac3f610c9bdbfedef1c7701afdc

Download Submit
C:\Windows\{3CEE0258-6B75-4547-8E11-6EE9150DA9B9}.exe

Filesize
380KB

MD5
6d64722f149988ba6869a92adfbbd37a

SHA1
cbeedccedd788cac4ffc990fc5cf7e7fd399dc29

SHA256
4c1474c071ef98bd41cc6713e7ac0cfdaa536b732ac027f05f55d54b0fcfb29a

SHA512
506472e12b0b6378b9c8ceeee82ce9349fa022c2b0f722740717de59eb09e11a8c4aff5d53cc10d9f3ef830ff524e2580273c302c72b954877fe00cfaede6cf6

Download Submit
C:\Windows\{447DB318-166D-420f-82B9-496D8538A1CB}.exe

Filesize
380KB

MD5
b6183ab7bed7d301cd5bec79f06871a1

SHA1
70f50a3db9127d031ddee7feaf9315c8e14865c5

SHA256
2eb0e83e5111f4026022289d0f2a7141d4c0ff4ac0a0a625039b5524681260bc

SHA512
8d2cf8aed2f486844d9fbb8af33921d1a71f1a5017315f8a8b233c10a8cf80c6ead3cb8885e7b48408aee84fd5393b5605c88967518d685c6594cc16097e7cb5

Download Submit
C:\Windows\{7F96951C-B974-41a8-A566-8927F91E366E}.exe

Filesize
380KB

MD5
293f54f0444f4ec62657376921c06d19

SHA1
abcfba24bf4a90ce37f3de6e6cb9746640c4ed5c

SHA256
2ad3ee1157f1494c30a0d3af51a055815829aab79f6a1badf08b251c543566bb

SHA512
2c7b268f8d022accafa64c3c10a49e0ee81bec4eab790bca8f37946206b31abfc4cc4b4e59ee67beaf42aea54896b37a4f380629713624a93fa99dc5936ef9b5

Download Submit
C:\Windows\{8EE1540E-F88D-46db-9F3F-814356A02F00}.exe

Filesize
380KB

MD5
426c3a33aca1a15c2d03c2ad55c864c6

SHA1
0a789bf3099f549f36995dfaf034c1104563acdc

SHA256
f6679e723f386f95dd6a529989066eb8455e94d5b5d9569817abe17d494cae9d

SHA512
201405019ee9551aa65d6f0f779d9de4f5634e3ed23b1ca213d805f02c4458fdd1255f186ce22ee748775bbf85a9776562a398b9b22aa81f6f75f80b0784bc54

Download Submit
C:\Windows\{94A92271-42C6-420f-92D3-95A985ECAD85}.exe

Filesize
380KB

MD5
b628ec07fdd950cd62e23d702bcd1d41

SHA1
4d792e431dd9670a92997e688c78087b833db906

SHA256
7e2cd5149dd972b6f4046bbe2c5e5139e918976974e4c46dfc0cd138e3d12acf

SHA512
98f33170775a6ffb344dc08b1aa14959ae9aace3b0604a38a32cbc5b634a7800a58cdfd083cc4cc604bdcf2fdfb050217606ea3cb11ce6fc66c26b2c01296763

Download Submit
C:\Windows\{E0811EA0-40A5-46bf-B908-4AEDCE278470}.exe

Filesize
380KB

MD5
4835e407fb4d989b024c6e490d90242e

SHA1
2ad6dd6694b3e0c40920a80b88badb0d1d5b2bbd

SHA256
6d71ac99ced10b5b9c957432a6e70bf048db1ba204a588b53eca553438c40e68

SHA512
d383e8af24c3dd09abfaf1f93f697a8e03c5b9e9295df5467d613ee1a2308c6c66ece1d9409aba15af695750e8fe933ab93a00083f1bcbc3dbce30d32130cc3d

Download Submit
C:\Windows\{F8B5F1CE-710B-40f8-B751-17EE3C9382C7}.exe

Filesize
380KB

MD5
5ec9f4f56772a10cf103d5b037048843

SHA1
6c866dbdd50a1b4f3ab5be9a029713bda9e16eed

SHA256
d539a6bba437667d019af3c257b91b06a3920183d459be525a62237ead308fa0

SHA512
6737136c77beaa252a65b505ad8f3082df07f4265fc2905b9005af35ae3910f5fe390dbe4f076d2235f97173229a4fb6f39de059d201e7eafadfccfb6f38003e

Download Submit
C:\Windows\{FEC40CB1-10CC-4eae-BEE2-8630EF33AEF8}.exe

Filesize
380KB

MD5
d6887423a9a06f67cd4201f56fe962e7

SHA1
157604f34328ed586034ccbff3e54df7b6b85263

SHA256
c0e18aeb3c283ed5cc18d6806f18ec8cc2a6d70b4acbf94e3f8ddea901b82b46

SHA512
649ad68519094cd133b41898435d4fa32706b8104534a917d64b21dfe69c8ce7bdbd6c71f0f8fdf53581ebd3dfee36debd83daf92a1bf201e62e0a77bd8e7ee0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads