166af6e6befcaf6399193884dc0bd421a88dc7af7fb7f6c1a43237027be9498c

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe
Size

168KB
MD5

f4963d3d17f87bee3664ebfb6e388992
SHA1

9ae4a4d340f2921f8885c1f6afe3114885b54457
SHA256

166af6e6befcaf6399193884dc0bd421a88dc7af7fb7f6c1a43237027be9498c
SHA512

fbc04c28d872a1f2010f01a42c81dceeae73d35bc40622e01e8ef453fef7ee11cf5a919042663f8cf1c917c5dfa7d24efffbde5e2bdd96d00aeb8e060dd43ef6
SSDEEP

1536:1EGh0o1lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o1lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122c3-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014a92-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122c3-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2055DBF9-9530-40fa-94A3-7C810433B58F}\stubpath = "C:\\Windows\\{2055DBF9-9530-40fa-94A3-7C810433B58F}.exe"	{CF8F7D9D-904F-42bc-BCD9-6F753DE3F88B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A839E9-0D43-43a3-9058-3187920D633E}	{2055DBF9-9530-40fa-94A3-7C810433B58F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A839E9-0D43-43a3-9058-3187920D633E}\stubpath = "C:\\Windows\\{71A839E9-0D43-43a3-9058-3187920D633E}.exe"	{2055DBF9-9530-40fa-94A3-7C810433B58F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{278D54C9-F47E-4160-8FA9-54E952228E86}	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{278D54C9-F47E-4160-8FA9-54E952228E86}\stubpath = "C:\\Windows\\{278D54C9-F47E-4160-8FA9-54E952228E86}.exe"	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}\stubpath = "C:\\Windows\\{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe"	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{686F46AD-67B2-41b1-B8E7-48AB7EC89194}\stubpath = "C:\\Windows\\{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe"	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF8F7D9D-904F-42bc-BCD9-6F753DE3F88B}	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F1C5A50-8618-4104-A9B4-F57FEE13E6A5}	{71A839E9-0D43-43a3-9058-3187920D633E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF8F7D9D-904F-42bc-BCD9-6F753DE3F88B}\stubpath = "C:\\Windows\\{CF8F7D9D-904F-42bc-BCD9-6F753DE3F88B}.exe"	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F31A866-C76E-4bc3-94F0-E275134771D7}	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2055DBF9-9530-40fa-94A3-7C810433B58F}	{CF8F7D9D-904F-42bc-BCD9-6F753DE3F88B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F1C5A50-8618-4104-A9B4-F57FEE13E6A5}\stubpath = "C:\\Windows\\{5F1C5A50-8618-4104-A9B4-F57FEE13E6A5}.exe"	{71A839E9-0D43-43a3-9058-3187920D633E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F31A866-C76E-4bc3-94F0-E275134771D7}\stubpath = "C:\\Windows\\{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe"	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}\stubpath = "C:\\Windows\\{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe"	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}\stubpath = "C:\\Windows\\{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe"	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}\stubpath = "C:\\Windows\\{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe"	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{686F46AD-67B2-41b1-B8E7-48AB7EC89194}	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe

Executes dropped EXE 11 IoCs

pid	Process
3004	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe
2728	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe
2664	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe
1964	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe
2888	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe
1712	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe
1752	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe
2492	{CF8F7D9D-904F-42bc-BCD9-6F753DE3F88B}.exe
980	{2055DBF9-9530-40fa-94A3-7C810433B58F}.exe
2280	{71A839E9-0D43-43a3-9058-3187920D633E}.exe
3008	{5F1C5A50-8618-4104-A9B4-F57FEE13E6A5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{278D54C9-F47E-4160-8FA9-54E952228E86}.exe	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe
File created	C:\Windows\{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe
File created	C:\Windows\{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe
File created	C:\Windows\{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe
File created	C:\Windows\{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe
File created	C:\Windows\{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe
File created	C:\Windows\{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe
File created	C:\Windows\{CF8F7D9D-904F-42bc-BCD9-6F753DE3F88B}.exe	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe
File created	C:\Windows\{2055DBF9-9530-40fa-94A3-7C810433B58F}.exe	{CF8F7D9D-904F-42bc-BCD9-6F753DE3F88B}.exe
File created	C:\Windows\{71A839E9-0D43-43a3-9058-3187920D633E}.exe	{2055DBF9-9530-40fa-94A3-7C810433B58F}.exe
File created	C:\Windows\{5F1C5A50-8618-4104-A9B4-F57FEE13E6A5}.exe	{71A839E9-0D43-43a3-9058-3187920D633E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2512	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3004	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe
Token: SeIncBasePriorityPrivilege	2728	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe
Token: SeIncBasePriorityPrivilege	2664	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe
Token: SeIncBasePriorityPrivilege	1964	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe
Token: SeIncBasePriorityPrivilege	2888	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe
Token: SeIncBasePriorityPrivilege	1712	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe
Token: SeIncBasePriorityPrivilege	1752	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe
Token: SeIncBasePriorityPrivilege	2492	{CF8F7D9D-904F-42bc-BCD9-6F753DE3F88B}.exe
Token: SeIncBasePriorityPrivilege	980	{2055DBF9-9530-40fa-94A3-7C810433B58F}.exe
Token: SeIncBasePriorityPrivilege	2280	{71A839E9-0D43-43a3-9058-3187920D633E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 3004	2512	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	28
PID 2512 wrote to memory of 3004	2512	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	28
PID 2512 wrote to memory of 3004	2512	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	28
PID 2512 wrote to memory of 3004	2512	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	28
PID 2512 wrote to memory of 2648	2512	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	29
PID 2512 wrote to memory of 2648	2512	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	29
PID 2512 wrote to memory of 2648	2512	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	29
PID 2512 wrote to memory of 2648	2512	2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe	29
PID 3004 wrote to memory of 2728	3004	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe	30
PID 3004 wrote to memory of 2728	3004	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe	30
PID 3004 wrote to memory of 2728	3004	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe	30
PID 3004 wrote to memory of 2728	3004	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe	30
PID 3004 wrote to memory of 2548	3004	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe	31
PID 3004 wrote to memory of 2548	3004	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe	31
PID 3004 wrote to memory of 2548	3004	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe	31
PID 3004 wrote to memory of 2548	3004	{278D54C9-F47E-4160-8FA9-54E952228E86}.exe	31
PID 2728 wrote to memory of 2664	2728	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe	32
PID 2728 wrote to memory of 2664	2728	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe	32
PID 2728 wrote to memory of 2664	2728	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe	32
PID 2728 wrote to memory of 2664	2728	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe	32
PID 2728 wrote to memory of 2544	2728	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe	33
PID 2728 wrote to memory of 2544	2728	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe	33
PID 2728 wrote to memory of 2544	2728	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe	33
PID 2728 wrote to memory of 2544	2728	{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe	33
PID 2664 wrote to memory of 1964	2664	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe	36
PID 2664 wrote to memory of 1964	2664	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe	36
PID 2664 wrote to memory of 1964	2664	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe	36
PID 2664 wrote to memory of 1964	2664	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe	36
PID 2664 wrote to memory of 2740	2664	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe	37
PID 2664 wrote to memory of 2740	2664	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe	37
PID 2664 wrote to memory of 2740	2664	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe	37
PID 2664 wrote to memory of 2740	2664	{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe	37
PID 1964 wrote to memory of 2888	1964	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe	38
PID 1964 wrote to memory of 2888	1964	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe	38
PID 1964 wrote to memory of 2888	1964	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe	38
PID 1964 wrote to memory of 2888	1964	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe	38
PID 1964 wrote to memory of 1040	1964	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe	39
PID 1964 wrote to memory of 1040	1964	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe	39
PID 1964 wrote to memory of 1040	1964	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe	39
PID 1964 wrote to memory of 1040	1964	{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe	39
PID 2888 wrote to memory of 1712	2888	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe	40
PID 2888 wrote to memory of 1712	2888	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe	40
PID 2888 wrote to memory of 1712	2888	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe	40
PID 2888 wrote to memory of 1712	2888	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe	40
PID 2888 wrote to memory of 1204	2888	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe	41
PID 2888 wrote to memory of 1204	2888	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe	41
PID 2888 wrote to memory of 1204	2888	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe	41
PID 2888 wrote to memory of 1204	2888	{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe	41
PID 1712 wrote to memory of 1752	1712	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe	42
PID 1712 wrote to memory of 1752	1712	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe	42
PID 1712 wrote to memory of 1752	1712	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe	42
PID 1712 wrote to memory of 1752	1712	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe	42
PID 1712 wrote to memory of 588	1712	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe	43
PID 1712 wrote to memory of 588	1712	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe	43
PID 1712 wrote to memory of 588	1712	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe	43
PID 1712 wrote to memory of 588	1712	{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe	43
PID 1752 wrote to memory of 2492	1752	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe	44
PID 1752 wrote to memory of 2492	1752	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe	44
PID 1752 wrote to memory of 2492	1752	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe	44
PID 1752 wrote to memory of 2492	1752	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe	44
PID 1752 wrote to memory of 1048	1752	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe	45
PID 1752 wrote to memory of 1048	1752	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe	45
PID 1752 wrote to memory of 1048	1752	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe	45
PID 1752 wrote to memory of 1048	1752	{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_f4963d3d17f87bee3664ebfb6e388992_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\{278D54C9-F47E-4160-8FA9-54E952228E86}.exe
  C:\Windows\{278D54C9-F47E-4160-8FA9-54E952228E86}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe
    C:\Windows\{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe
      C:\Windows\{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe
        
        C:\Windows\{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe
        
        C:\Windows\{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe
        
        C:\Windows\{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe
        
        C:\Windows\{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\{CF8F7D9D-904F-42bc-BCD9-6F753DE3F88B}.exe
        
        C:\Windows\{CF8F7D9D-904F-42bc-BCD9-6F753DE3F88B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\{2055DBF9-9530-40fa-94A3-7C810433B58F}.exe
        
        C:\Windows\{2055DBF9-9530-40fa-94A3-7C810433B58F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\{71A839E9-0D43-43a3-9058-3187920D633E}.exe
        
        C:\Windows\{71A839E9-0D43-43a3-9058-3187920D633E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{5F1C5A50-8618-4104-A9B4-F57FEE13E6A5}.exe
        
        C:\Windows\{5F1C5A50-8618-4104-A9B4-F57FEE13E6A5}.exe
        12⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71A83~1.EXE > nul
        12⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2055D~1.EXE > nul
        11⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF8F7~1.EXE > nul
        10⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{686F4~1.EXE > nul
        9⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19A80~1.EXE > nul
        8⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A12FF~1.EXE > nul
        7⤵
        
        PID:1204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0CBC~1.EXE > nul
        6⤵
        
        PID:1040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C6A6~1.EXE > nul
        5⤵
        
        PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4F31A~1.EXE > nul
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{278D5~1.EXE > nul
    3⤵
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19A8059D-4032-4f3e-A2DA-AEBA1BCF2FBD}.exe

Filesize
168KB

MD5
2f688c005581db6de2c2b6a5c76183e9

SHA1
bc5995e11fd6bb4043c648c8166f08bde244d907

SHA256
738886856a22e78290fb10614dcdd8f968cba471b2df008633bbd27dcd5961b4

SHA512
cd836b824d7d0e16c25ebcae774490fa6474ca3101ef940c2124d2d36ce0caf8f668db437bae6c42b32d84611b708d6adca4430f481a257cc83481aa58ef78a4

Download Submit
C:\Windows\{2055DBF9-9530-40fa-94A3-7C810433B58F}.exe

Filesize
168KB

MD5
a9b960287c63aea5abb75f973cb8abd5

SHA1
29f8e15dbfe59bf8d5bf4a8d0d7a14a2688879b2

SHA256
4271c866df004f9bac9aa7d8a5aea8ff41c06d5232ab2c5668c2576579e53b50

SHA512
dc4a248cc24d8d396a73e433888a58210bd6e18fe98060e4629bad1edd9e96dc2fd046248efd1392ba5485f3b547dfc82d72291022579b4d74aba35c4a589453

Download Submit
C:\Windows\{278D54C9-F47E-4160-8FA9-54E952228E86}.exe

Filesize
168KB

MD5
0161d2ed30d4f58c5bf4358a88954e1a

SHA1
5e59211cfbf8eddb6911ad51bc2feceb20093015

SHA256
00e179be91a3db48f6673e70a33835d5ad16a3525f819d3b280353f2e04ec3eb

SHA512
3adc6a64092400246ee3c97a9f5d999e65cc406abab3391a1e1bc97c7c0596bfa74da64c8593b6d074ac8833b0537aecd4481eca22f73d004554f3a61d59f19b

Download Submit
C:\Windows\{4C6A6CB0-6FD6-4d82-9B59-9B170E37E3E4}.exe

Filesize
168KB

MD5
2ef0c232a129e514ae599d8a68465010

SHA1
16ddf4c885c2f8e6eef09870f5e213c7800941b8

SHA256
fedb2de024fe85a2c5e1cea799c5d6aa0c90d9ffd1e6cddfdf6c8b90763638af

SHA512
13abcd08421f8bba4ab2d2377db3f5316fe9158083721cf6903abbea62143d4d01033e13922bb7d5ea646a6a85eafe293207c979f9b7f4551f6086767ca2e1ea

Download Submit
C:\Windows\{4F31A866-C76E-4bc3-94F0-E275134771D7}.exe

Filesize
168KB

MD5
3e99a579176beb8686d7f4eade3a31f4

SHA1
5b48d7a17f12d1f505fe7de222b3efc568a06061

SHA256
016ef89268f5d90887a2c9452c7693394f8a23fc8c54df1794dff2d06e0dd2ab

SHA512
7a83721351c5ad6d1e5881d121111bc79f565999411b6121984f697a0cd1a2f36bdbf016157c22801f613988865e270a34271f443ae523f2be00c456b45c5d8c

Download Submit
C:\Windows\{5F1C5A50-8618-4104-A9B4-F57FEE13E6A5}.exe

Filesize
168KB

MD5
8c88872912c57beeee26cd1ce5e1a4cc

SHA1
ffaa460223bca4abcb7368e838443d450706564e

SHA256
3f1a3e9afd4e4525e8652f8fc72f2832d2ef6e0eae2c3b2795ae9d8ab35e3855

SHA512
a7c05e38849155fd83a3bc4023c571068cd9cc41f5780003eb656607463a7383aca3a70c1cad9d5996ed586273a65cf67a3f1d2a9170cb82718cd67e8bdfb6ce

Download Submit
C:\Windows\{686F46AD-67B2-41b1-B8E7-48AB7EC89194}.exe

Filesize
168KB

MD5
61399bae24e855bcad21656d9d8dde13

SHA1
d29253ce6e6e7c57fe9ec5e37fe285456c965356

SHA256
aaf7d745956be6ad67258efcb82e0b0b0e250c0614c68626252da4c1d7074879

SHA512
faf6bcf0262c60f4f1ff7792462b1599751720fdd5ef94f00f5be175102ae8610364cb7c6890979ea3f60a8a9f4f63ad3bd54e4e76b40011be17e44c46f99503

Download Submit
C:\Windows\{71A839E9-0D43-43a3-9058-3187920D633E}.exe

Filesize
168KB

MD5
fff005a1e974b558f2e65d2b52161476

SHA1
7bee4162046e7db239fdf9afed8dd0326248a93c

SHA256
6c10cae2fbd72f9a966611b44c611b6ba25b89efa264ed0ad897e676955c852a

SHA512
4fca9f3e73b573e6a4cf65613b669a65593a7414671082764417187be93466a6352c1d0d05101944b4fb47ac4962415eb87de2d7f1d6460413eab75b9efe30b9

Download Submit
C:\Windows\{A0CBC39B-F916-4cd7-A960-CB71B8872E3B}.exe

Filesize
168KB

MD5
c8310fbb679047f2e10f06e54c220a0f

SHA1
66a74a32109d815336806c1385b2dc4a24af8605

SHA256
ec372170c6ca2b2dedd37fbfd41a71fdcd1b9d1154c0f7c508a12e75b7f45734

SHA512
bc7ca046ac16b9dc53e396eafbd7d58f769e39709e2deeae14fd9a8b05ccc5c8a77752d48639e53e138391c0c15b22f7e13bfce16f06fba885825cd899ff2a93

Download Submit
C:\Windows\{A12FF576-BA94-46f3-93BC-AF5F3016B9A2}.exe

Filesize
168KB

MD5
3258af41f5e721c065906001a39d720c

SHA1
3c5ef18d92c8f413ae755ef9cb420d74d669b508

SHA256
839a63679a5e77b4530a8cd0c85846aa9cda380a068d5264dee6ccf964c33d79

SHA512
14f8df4c59e015571cb2721f8d17f559d66aa834177b8d3d5d2fc61c9cad7d5188670f24ce8a97a104172d47adf5e382de82dff648aa46c25e05e8d8fc230352

Download Submit
C:\Windows\{CF8F7D9D-904F-42bc-BCD9-6F753DE3F88B}.exe

Filesize
168KB

MD5
2a103ab59c345cc2e15d3e27cae80941

SHA1
1523bf0b020e3e719873db8f7de70c35cf0665ef

SHA256
c209ceee878c4b885c3feefd59f42149c611e5822f14205d86af7b964780b983

SHA512
30b1c179a1b6acc4134ea9403cbaddbe5795e6f7e8e23ffab3976084da225843ab5c64a4122ba790a7f98b24d5b58f0babe2a04aa9f5c12f95a8465d6c784a89

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads