1aaba6f1798acbb1cfbc4c1039686f59d2514d81c4e7901bcf48b48cc85fa506

Analysis

max time kernel
162s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe
Size

216KB
MD5

54fdccf6c125d0cadfec4a6cde1307b5
SHA1

793e34f2199f03d011711ce03dce78700a126787
SHA256

1aaba6f1798acbb1cfbc4c1039686f59d2514d81c4e7901bcf48b48cc85fa506
SHA512

eb7f5cbe96bc26ac045c96bb6af16d67f1e5577e185c2741577b4d61783100546bf753e855182656ac1d0b68e62abf75d3a0e973a4ed694d3a3adacee9b824ca
SSDEEP

3072:jEGh0ozl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG5lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002354e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023552-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023310-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023552-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023310-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023552-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023310-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023552-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002334d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002353d-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001000000002334d-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{599A51FE-56FB-4621-9533-9E0636CA90D7}	2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}\stubpath = "C:\\Windows\\{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe"	{6265EC94-EF92-4056-A09D-526D80093F3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}	{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}	{106F5C33-C8AE-4149-9964-136F8C17252B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}\stubpath = "C:\\Windows\\{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe"	{106F5C33-C8AE-4149-9964-136F8C17252B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABA0C3F7-4015-4a47-92EB-534054552B46}\stubpath = "C:\\Windows\\{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe"	{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6265EC94-EF92-4056-A09D-526D80093F3C}	{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6265EC94-EF92-4056-A09D-526D80093F3C}\stubpath = "C:\\Windows\\{6265EC94-EF92-4056-A09D-526D80093F3C}.exe"	{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}	{6265EC94-EF92-4056-A09D-526D80093F3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{106F5C33-C8AE-4149-9964-136F8C17252B}	{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{106F5C33-C8AE-4149-9964-136F8C17252B}\stubpath = "C:\\Windows\\{106F5C33-C8AE-4149-9964-136F8C17252B}.exe"	{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}\stubpath = "C:\\Windows\\{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe"	{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{641A183C-2457-4580-A84F-35625FD22523}\stubpath = "C:\\Windows\\{641A183C-2457-4580-A84F-35625FD22523}.exe"	{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}\stubpath = "C:\\Windows\\{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe"	{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABA0C3F7-4015-4a47-92EB-534054552B46}	{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{641A183C-2457-4580-A84F-35625FD22523}	{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}	{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{599A51FE-56FB-4621-9533-9E0636CA90D7}\stubpath = "C:\\Windows\\{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe"	2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}	{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}\stubpath = "C:\\Windows\\{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe"	{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7398576-0193-4399-BD99-D7E20F1ED18C}	{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7398576-0193-4399-BD99-D7E20F1ED18C}\stubpath = "C:\\Windows\\{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe"	{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe

Executes dropped EXE 11 IoCs

pid	Process
4452	{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe
3008	{6265EC94-EF92-4056-A09D-526D80093F3C}.exe
3360	{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe
1508	{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe
2164	{106F5C33-C8AE-4149-9964-136F8C17252B}.exe
752	{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe
4792	{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe
4860	{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe
8	{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe
4240	{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe
560	{641A183C-2457-4580-A84F-35625FD22523}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe	{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe
File created	C:\Windows\{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe	{6265EC94-EF92-4056-A09D-526D80093F3C}.exe
File created	C:\Windows\{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe	{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe
File created	C:\Windows\{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe	{106F5C33-C8AE-4149-9964-136F8C17252B}.exe
File created	C:\Windows\{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe	{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe
File created	C:\Windows\{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe	{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe
File created	C:\Windows\{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe	{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe
File created	C:\Windows\{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe	2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe
File created	C:\Windows\{6265EC94-EF92-4056-A09D-526D80093F3C}.exe	{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe
File created	C:\Windows\{106F5C33-C8AE-4149-9964-136F8C17252B}.exe	{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe
File created	C:\Windows\{641A183C-2457-4580-A84F-35625FD22523}.exe	{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5016	2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4452	{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe
Token: SeIncBasePriorityPrivilege	3008	{6265EC94-EF92-4056-A09D-526D80093F3C}.exe
Token: SeIncBasePriorityPrivilege	3360	{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe
Token: SeIncBasePriorityPrivilege	1508	{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe
Token: SeIncBasePriorityPrivilege	2164	{106F5C33-C8AE-4149-9964-136F8C17252B}.exe
Token: SeIncBasePriorityPrivilege	752	{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe
Token: SeIncBasePriorityPrivilege	4792	{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe
Token: SeIncBasePriorityPrivilege	4860	{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe
Token: SeIncBasePriorityPrivilege	8	{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe
Token: SeIncBasePriorityPrivilege	4240	{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4452	5016	2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe	100
PID 5016 wrote to memory of 4452	5016	2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe	100
PID 5016 wrote to memory of 4452	5016	2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe	100
PID 5016 wrote to memory of 3916	5016	2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe	101
PID 5016 wrote to memory of 3916	5016	2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe	101
PID 5016 wrote to memory of 3916	5016	2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe	101
PID 4452 wrote to memory of 3008	4452	{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe	102
PID 4452 wrote to memory of 3008	4452	{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe	102
PID 4452 wrote to memory of 3008	4452	{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe	102
PID 4452 wrote to memory of 2232	4452	{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe	103
PID 4452 wrote to memory of 2232	4452	{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe	103
PID 4452 wrote to memory of 2232	4452	{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe	103
PID 3008 wrote to memory of 3360	3008	{6265EC94-EF92-4056-A09D-526D80093F3C}.exe	105
PID 3008 wrote to memory of 3360	3008	{6265EC94-EF92-4056-A09D-526D80093F3C}.exe	105
PID 3008 wrote to memory of 3360	3008	{6265EC94-EF92-4056-A09D-526D80093F3C}.exe	105
PID 3008 wrote to memory of 2864	3008	{6265EC94-EF92-4056-A09D-526D80093F3C}.exe	106
PID 3008 wrote to memory of 2864	3008	{6265EC94-EF92-4056-A09D-526D80093F3C}.exe	106
PID 3008 wrote to memory of 2864	3008	{6265EC94-EF92-4056-A09D-526D80093F3C}.exe	106
PID 3360 wrote to memory of 1508	3360	{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe	107
PID 3360 wrote to memory of 1508	3360	{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe	107
PID 3360 wrote to memory of 1508	3360	{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe	107
PID 3360 wrote to memory of 2296	3360	{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe	108
PID 3360 wrote to memory of 2296	3360	{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe	108
PID 3360 wrote to memory of 2296	3360	{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe	108
PID 1508 wrote to memory of 2164	1508	{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe	109
PID 1508 wrote to memory of 2164	1508	{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe	109
PID 1508 wrote to memory of 2164	1508	{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe	109
PID 1508 wrote to memory of 4736	1508	{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe	110
PID 1508 wrote to memory of 4736	1508	{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe	110
PID 1508 wrote to memory of 4736	1508	{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe	110
PID 2164 wrote to memory of 752	2164	{106F5C33-C8AE-4149-9964-136F8C17252B}.exe	111
PID 2164 wrote to memory of 752	2164	{106F5C33-C8AE-4149-9964-136F8C17252B}.exe	111
PID 2164 wrote to memory of 752	2164	{106F5C33-C8AE-4149-9964-136F8C17252B}.exe	111
PID 2164 wrote to memory of 4680	2164	{106F5C33-C8AE-4149-9964-136F8C17252B}.exe	112
PID 2164 wrote to memory of 4680	2164	{106F5C33-C8AE-4149-9964-136F8C17252B}.exe	112
PID 2164 wrote to memory of 4680	2164	{106F5C33-C8AE-4149-9964-136F8C17252B}.exe	112
PID 752 wrote to memory of 4792	752	{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe	113
PID 752 wrote to memory of 4792	752	{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe	113
PID 752 wrote to memory of 4792	752	{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe	113
PID 752 wrote to memory of 1868	752	{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe	114
PID 752 wrote to memory of 1868	752	{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe	114
PID 752 wrote to memory of 1868	752	{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe	114
PID 4792 wrote to memory of 4860	4792	{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe	115
PID 4792 wrote to memory of 4860	4792	{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe	115
PID 4792 wrote to memory of 4860	4792	{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe	115
PID 4792 wrote to memory of 3348	4792	{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe	116
PID 4792 wrote to memory of 3348	4792	{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe	116
PID 4792 wrote to memory of 3348	4792	{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe	116
PID 4860 wrote to memory of 8	4860	{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe	117
PID 4860 wrote to memory of 8	4860	{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe	117
PID 4860 wrote to memory of 8	4860	{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe	117
PID 4860 wrote to memory of 808	4860	{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe	118
PID 4860 wrote to memory of 808	4860	{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe	118
PID 4860 wrote to memory of 808	4860	{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe	118
PID 8 wrote to memory of 4240	8	{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe	119
PID 8 wrote to memory of 4240	8	{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe	119
PID 8 wrote to memory of 4240	8	{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe	119
PID 8 wrote to memory of 3008	8	{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe	120
PID 8 wrote to memory of 3008	8	{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe	120
PID 8 wrote to memory of 3008	8	{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe	120
PID 4240 wrote to memory of 560	4240	{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe	121
PID 4240 wrote to memory of 560	4240	{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe	121
PID 4240 wrote to memory of 560	4240	{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe	121
PID 4240 wrote to memory of 4560	4240	{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe	122

C:\Users\Admin\AppData\Local\Temp\2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_54fdccf6c125d0cadfec4a6cde1307b5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe
  C:\Windows\{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\{6265EC94-EF92-4056-A09D-526D80093F3C}.exe
    C:\Windows\{6265EC94-EF92-4056-A09D-526D80093F3C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe
      C:\Windows\{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3360
    - - C:\Windows\{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe
        
        C:\Windows\{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Windows\{106F5C33-C8AE-4149-9964-136F8C17252B}.exe
        
        C:\Windows\{106F5C33-C8AE-4149-9964-136F8C17252B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe
        
        C:\Windows\{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe
        
        C:\Windows\{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe
        
        C:\Windows\{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe
        
        C:\Windows\{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe
        
        C:\Windows\{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\{641A183C-2457-4580-A84F-35625FD22523}.exe
        
        C:\Windows\{641A183C-2457-4580-A84F-35625FD22523}.exe
        12⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{248F8~1.EXE > nul
        12⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABA0C~1.EXE > nul
        11⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72436~1.EXE > nul
        10⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7398~1.EXE > nul
        9⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1789~1.EXE > nul
        8⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{106F5~1.EXE > nul
        7⤵
        
        PID:4680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47E6B~1.EXE > nul
        6⤵
        
        PID:4736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C21B8~1.EXE > nul
        5⤵
        
        PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6265E~1.EXE > nul
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{599A5~1.EXE > nul
    3⤵
    PID:2232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{106F5C33-C8AE-4149-9964-136F8C17252B}.exe

Filesize
216KB

MD5
4636a090a1e15b49689a1fbd1e1c45bf

SHA1
a254585c3c184cf7aa106c2ce3bd9b0ee23833ff

SHA256
75947e5d3225e69e5f02831a609729e3ad2dffd515e093c60fe19a0886bd0a08

SHA512
1f73d60f8524e51a625b23107e447f7aaaba0a0b393ba938c0c9b6d7f1f31c9c4238d7f2a7b5473149caee20d30678cb699afa7a1afdc288dc3b24e7f9735f10

Download Submit
C:\Windows\{248F8C48-0B09-426a-AB4C-DE8EADE0E6A3}.exe

Filesize
216KB

MD5
426b4bf718aceba6aedb5ba7446b30fc

SHA1
469a2a17e59d6f05e4867e45f771d80fe52fb07d

SHA256
a933c7b1bc61ebb3e8a59af4e7df325e3cf6cd279e8f7242e971ab13a137d4c9

SHA512
c7ab2239f6faaf61739edc64f3c372bcaae710eaf5aedf3b841f3f92a2be7813e09ceda0571b6067ea8a410bc74bb32c8258c731bf6c03e6f3bce1ba732cfc03

Download Submit
C:\Windows\{47E6BCD7-BA9C-41ae-AD10-1F2F9D183B7A}.exe

Filesize
216KB

MD5
8880a26e9d357506cb6111d83217003c

SHA1
3cf96f587570d07f6c085c1b0937515dae43e3bb

SHA256
39035cb7bad1518aabbc7789e5e5cf33253fdb7d6482b0581ace2ed529826b2b

SHA512
da83b6d9798f394032a24e86ad3bf4063507ea69394bcd4e036224c42707dee6179fa3811f7929c9630f0e5d7b93a59375065716cdc3a84f182c07ac1e77e79f

Download Submit
C:\Windows\{599A51FE-56FB-4621-9533-9E0636CA90D7}.exe

Filesize
216KB

MD5
dc17fc7535b7cad7e50873a617dc5b5f

SHA1
8d42dc25eef56eaa10b5f89c754bb655fda7c2b1

SHA256
d59a29bdf3185c4607c2c6dcdf33754f91f28714d0630eae471b361b485aec0a

SHA512
44ff414431e87065de785ec0c64de28d66942504fccd78e9c603fdef3342c55fe809dcdae3252d13e8c7b1a166fbd5f90eafb0f4f2b264525657037020f91c92

Download Submit
C:\Windows\{6265EC94-EF92-4056-A09D-526D80093F3C}.exe

Filesize
216KB

MD5
9f6c14acd24169249ddf7f2b6dae1874

SHA1
6e5e7af0142db8b0b595c0619004934e857104d1

SHA256
7f597733feade712e976385901b9ba256b8a6bdd139faca056278da975b4a6ff

SHA512
dbd5c813ccd5f6a2668e933e46dc47e7dff56fe14b3f8efcf0c3046e6f19f058f655b92abb87dd5bfd912ab0fad8d0b80c825402790eb6c515129c8a8f5fc2a8

Download Submit
C:\Windows\{641A183C-2457-4580-A84F-35625FD22523}.exe

Filesize
216KB

MD5
05158eaf2041c7c80912268a9386377a

SHA1
3f3b056c218e8a859c91c0929935893f6a7c1d9c

SHA256
0b535b2b6153394a739d065f339bd5e7ad088ad2a87ab46e32af91b24dda1ac5

SHA512
a25d0d6d023d0ded0ecb93b53a2cd55c2e22f6dcbb09817a780838f119ca1fd452928f9cdb5f1e8aac754745651329281717f68d44c15786f5e4935124030a6f

Download Submit
C:\Windows\{724368A5-C0D3-4c9d-AF95-75EDCC34BF88}.exe

Filesize
216KB

MD5
7a03c61dc84cb2c4553f00e4ca1e2df0

SHA1
4195effd24be9cd353507dd5d3521344847edd06

SHA256
e2d1ce3ee0458bcf339e245ed31103a597cfcb1bf21daf9b10e3f446622fb3a6

SHA512
353e20cd09cd3aa5d288e52a7dd0cc052a46df2294f770a1e1b37f26292a2d59e19668d8188740d2d2da4f3ef8af7fe560823b1e2dbb7f89fc4997497fbe3bdf

Download Submit
C:\Windows\{ABA0C3F7-4015-4a47-92EB-534054552B46}.exe

Filesize
216KB

MD5
676ac86142f0c8d7d8c2b2dec34e0df6

SHA1
64fe2ed7f0b0a0a420d8e3774dd20ef30986fcd5

SHA256
66b78f223ae89b46994cb4a227d87c8793d9caddd66dec1b8483de9010210ef8

SHA512
6c90f6410b1de57a936dda5bcc94bbc29b39e2b9b729ab9ae0719dd6553c74e30ff59f9f15889defb6c541771d417674a7179720913273c3c2b77d536bfe4a7d

Download Submit
C:\Windows\{C21B8503-B38D-4b4d-BC68-79CDD9151CC7}.exe

Filesize
216KB

MD5
3085e554209661c7b0cd3724129fad1c

SHA1
88c7ba01939e8ed6f607952d102351f888fb615b

SHA256
339f0c60659945b8547a9745cb7d50cabe3aac8bfad27056276907b7decbf195

SHA512
8439934d6bbe7eccaec90db808869bf3942fa245ff5df7fd235ba0183d9b4e7fa56d939fda78c5abc29813433cf2bd1b8f2343fb93b60eea994d80d0a7b3e97c

Download Submit
C:\Windows\{D17897E9-B3AE-41e1-AE4D-8CCD290EC3CA}.exe

Filesize
216KB

MD5
27fcce39d0053829fa6765911bea54dd

SHA1
a20a2c3a813158d64e15d4d12c274d7b1d580202

SHA256
21c7d9adf8af9a649d6604bc353c953aa41f76634e89b68bdc8278eb5fa9df59

SHA512
46152e86b0d5ad7be93588702ba07e41317f3a1deb6fea0d69fc6892b3b58a1fdbf062df8f6785c4c7b585a8f32844449b5841a0439966c8e1416e44b0cbf5fe

Download Submit
C:\Windows\{F7398576-0193-4399-BD99-D7E20F1ED18C}.exe

Filesize
216KB

MD5
f8c29b01ea5443400019d16091d7c0f5

SHA1
c5a33b64ba3ef4c67fa00029d5d412233b044bc7

SHA256
4327c7d1d6084a715048d1df26451ad6154afdffa526deacedb6f2939b4559ec

SHA512
5163d23a792071d8e36a60099b83f770bd2519fb234bcc4ae062f0a83d55d42832dd0b100bc6e8d38e271f804648169ce453634672529a0f4cd5db28f4486965

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads