ddfbc0eb05f4694a462a238577ecaf16b6b610348830afcf6cd3805631983ee4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe
Size

168KB
MD5

4d6bae8d8a733cea2115c1b5d9142b0b
SHA1

d979f9025d054564690d737b108ee57db1522c8c
SHA256

ddfbc0eb05f4694a462a238577ecaf16b6b610348830afcf6cd3805631983ee4
SHA512

7209e36a76b351bed97cc357d13f33259a9e882257f49e6aca9a9b042fdda727137745369c82238c79cb9217f0ee87135f807a42020659ac5873900dc21e3809
SSDEEP

1536:1EGh0oVlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oVlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023423-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002341b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002342c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002341b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023419-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000233a5-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023419-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233a2-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023419-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000233a2-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233a0-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00140000000233a2-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6AECC4E-A6F7-4b6f-ADAF-D86602FCC72A}	{2230166B-67C6-4a4f-9662-80B4498664BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}	{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}\stubpath = "C:\\Windows\\{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe"	{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{988D5901-6F86-422c-8D91-23FAD1D70649}	{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A0B0191-319D-4409-B5BC-37A7B0D7611B}	{9EE89B69-5A6B-48f2-BE86-120550373260}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FA23938-A765-4bb4-9735-72AB9DC039AF}	{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FA23938-A765-4bb4-9735-72AB9DC039AF}\stubpath = "C:\\Windows\\{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe"	{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2230166B-67C6-4a4f-9662-80B4498664BF}	{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6AECC4E-A6F7-4b6f-ADAF-D86602FCC72A}\stubpath = "C:\\Windows\\{D6AECC4E-A6F7-4b6f-ADAF-D86602FCC72A}.exe"	{2230166B-67C6-4a4f-9662-80B4498664BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4062A843-871B-48e1-AA91-374A0BC7CC25}	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{988D5901-6F86-422c-8D91-23FAD1D70649}\stubpath = "C:\\Windows\\{988D5901-6F86-422c-8D91-23FAD1D70649}.exe"	{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0463174F-FA03-485e-94A7-88AC16592FFA}	{988D5901-6F86-422c-8D91-23FAD1D70649}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0463174F-FA03-485e-94A7-88AC16592FFA}\stubpath = "C:\\Windows\\{0463174F-FA03-485e-94A7-88AC16592FFA}.exe"	{988D5901-6F86-422c-8D91-23FAD1D70649}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EE89B69-5A6B-48f2-BE86-120550373260}	{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22DA5D1E-897A-4132-B227-4149E9AC9DE0}\stubpath = "C:\\Windows\\{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe"	{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2230166B-67C6-4a4f-9662-80B4498664BF}\stubpath = "C:\\Windows\\{2230166B-67C6-4a4f-9662-80B4498664BF}.exe"	{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{915990C5-8DA2-4cd3-9846-04FFC8A6029F}	{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{915990C5-8DA2-4cd3-9846-04FFC8A6029F}\stubpath = "C:\\Windows\\{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe"	{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B01F19B-1435-48cf-B2E2-441497A233E9}	{0463174F-FA03-485e-94A7-88AC16592FFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B01F19B-1435-48cf-B2E2-441497A233E9}\stubpath = "C:\\Windows\\{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe"	{0463174F-FA03-485e-94A7-88AC16592FFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4062A843-871B-48e1-AA91-374A0BC7CC25}\stubpath = "C:\\Windows\\{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe"	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EE89B69-5A6B-48f2-BE86-120550373260}\stubpath = "C:\\Windows\\{9EE89B69-5A6B-48f2-BE86-120550373260}.exe"	{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A0B0191-319D-4409-B5BC-37A7B0D7611B}\stubpath = "C:\\Windows\\{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe"	{9EE89B69-5A6B-48f2-BE86-120550373260}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22DA5D1E-897A-4132-B227-4149E9AC9DE0}	{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe

Executes dropped EXE 12 IoCs

pid	Process
3016	{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe
2688	{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe
5076	{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe
3496	{988D5901-6F86-422c-8D91-23FAD1D70649}.exe
2020	{0463174F-FA03-485e-94A7-88AC16592FFA}.exe
412	{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe
4760	{9EE89B69-5A6B-48f2-BE86-120550373260}.exe
3496	{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe
1684	{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe
4464	{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe
940	{2230166B-67C6-4a4f-9662-80B4498664BF}.exe
4516	{D6AECC4E-A6F7-4b6f-ADAF-D86602FCC72A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe	{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe
File created	C:\Windows\{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe	{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe
File created	C:\Windows\{0463174F-FA03-485e-94A7-88AC16592FFA}.exe	{988D5901-6F86-422c-8D91-23FAD1D70649}.exe
File created	C:\Windows\{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe	{0463174F-FA03-485e-94A7-88AC16592FFA}.exe
File created	C:\Windows\{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe	{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe
File created	C:\Windows\{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe	{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe
File created	C:\Windows\{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe
File created	C:\Windows\{988D5901-6F86-422c-8D91-23FAD1D70649}.exe	{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe
File created	C:\Windows\{9EE89B69-5A6B-48f2-BE86-120550373260}.exe	{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe
File created	C:\Windows\{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe	{9EE89B69-5A6B-48f2-BE86-120550373260}.exe
File created	C:\Windows\{2230166B-67C6-4a4f-9662-80B4498664BF}.exe	{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe
File created	C:\Windows\{D6AECC4E-A6F7-4b6f-ADAF-D86602FCC72A}.exe	{2230166B-67C6-4a4f-9662-80B4498664BF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5028	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3016	{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe
Token: SeIncBasePriorityPrivilege	2688	{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe
Token: SeIncBasePriorityPrivilege	5076	{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe
Token: SeIncBasePriorityPrivilege	3496	{988D5901-6F86-422c-8D91-23FAD1D70649}.exe
Token: SeIncBasePriorityPrivilege	2020	{0463174F-FA03-485e-94A7-88AC16592FFA}.exe
Token: SeIncBasePriorityPrivilege	412	{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe
Token: SeIncBasePriorityPrivilege	4760	{9EE89B69-5A6B-48f2-BE86-120550373260}.exe
Token: SeIncBasePriorityPrivilege	3496	{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe
Token: SeIncBasePriorityPrivilege	1684	{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe
Token: SeIncBasePriorityPrivilege	4464	{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe
Token: SeIncBasePriorityPrivilege	940	{2230166B-67C6-4a4f-9662-80B4498664BF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 3016	5028	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	101
PID 5028 wrote to memory of 3016	5028	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	101
PID 5028 wrote to memory of 3016	5028	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	101
PID 5028 wrote to memory of 2984	5028	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	102
PID 5028 wrote to memory of 2984	5028	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	102
PID 5028 wrote to memory of 2984	5028	2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe	102
PID 3016 wrote to memory of 2688	3016	{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe	103
PID 3016 wrote to memory of 2688	3016	{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe	103
PID 3016 wrote to memory of 2688	3016	{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe	103
PID 3016 wrote to memory of 3844	3016	{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe	104
PID 3016 wrote to memory of 3844	3016	{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe	104
PID 3016 wrote to memory of 3844	3016	{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe	104
PID 2688 wrote to memory of 5076	2688	{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe	107
PID 2688 wrote to memory of 5076	2688	{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe	107
PID 2688 wrote to memory of 5076	2688	{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe	107
PID 2688 wrote to memory of 1896	2688	{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe	108
PID 2688 wrote to memory of 1896	2688	{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe	108
PID 2688 wrote to memory of 1896	2688	{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe	108
PID 5076 wrote to memory of 3496	5076	{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe	109
PID 5076 wrote to memory of 3496	5076	{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe	109
PID 5076 wrote to memory of 3496	5076	{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe	109
PID 5076 wrote to memory of 3140	5076	{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe	110
PID 5076 wrote to memory of 3140	5076	{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe	110
PID 5076 wrote to memory of 3140	5076	{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe	110
PID 3496 wrote to memory of 2020	3496	{988D5901-6F86-422c-8D91-23FAD1D70649}.exe	112
PID 3496 wrote to memory of 2020	3496	{988D5901-6F86-422c-8D91-23FAD1D70649}.exe	112
PID 3496 wrote to memory of 2020	3496	{988D5901-6F86-422c-8D91-23FAD1D70649}.exe	112
PID 3496 wrote to memory of 3384	3496	{988D5901-6F86-422c-8D91-23FAD1D70649}.exe	113
PID 3496 wrote to memory of 3384	3496	{988D5901-6F86-422c-8D91-23FAD1D70649}.exe	113
PID 3496 wrote to memory of 3384	3496	{988D5901-6F86-422c-8D91-23FAD1D70649}.exe	113
PID 2020 wrote to memory of 412	2020	{0463174F-FA03-485e-94A7-88AC16592FFA}.exe	117
PID 2020 wrote to memory of 412	2020	{0463174F-FA03-485e-94A7-88AC16592FFA}.exe	117
PID 2020 wrote to memory of 412	2020	{0463174F-FA03-485e-94A7-88AC16592FFA}.exe	117
PID 2020 wrote to memory of 940	2020	{0463174F-FA03-485e-94A7-88AC16592FFA}.exe	118
PID 2020 wrote to memory of 940	2020	{0463174F-FA03-485e-94A7-88AC16592FFA}.exe	118
PID 2020 wrote to memory of 940	2020	{0463174F-FA03-485e-94A7-88AC16592FFA}.exe	118
PID 412 wrote to memory of 4760	412	{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe	119
PID 412 wrote to memory of 4760	412	{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe	119
PID 412 wrote to memory of 4760	412	{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe	119
PID 412 wrote to memory of 3708	412	{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe	120
PID 412 wrote to memory of 3708	412	{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe	120
PID 412 wrote to memory of 3708	412	{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe	120
PID 4760 wrote to memory of 3496	4760	{9EE89B69-5A6B-48f2-BE86-120550373260}.exe	128
PID 4760 wrote to memory of 3496	4760	{9EE89B69-5A6B-48f2-BE86-120550373260}.exe	128
PID 4760 wrote to memory of 3496	4760	{9EE89B69-5A6B-48f2-BE86-120550373260}.exe	128
PID 4760 wrote to memory of 1184	4760	{9EE89B69-5A6B-48f2-BE86-120550373260}.exe	129
PID 4760 wrote to memory of 1184	4760	{9EE89B69-5A6B-48f2-BE86-120550373260}.exe	129
PID 4760 wrote to memory of 1184	4760	{9EE89B69-5A6B-48f2-BE86-120550373260}.exe	129
PID 3496 wrote to memory of 1684	3496	{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe	130
PID 3496 wrote to memory of 1684	3496	{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe	130
PID 3496 wrote to memory of 1684	3496	{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe	130
PID 3496 wrote to memory of 228	3496	{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe	131
PID 3496 wrote to memory of 228	3496	{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe	131
PID 3496 wrote to memory of 228	3496	{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe	131
PID 1684 wrote to memory of 4464	1684	{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe	132
PID 1684 wrote to memory of 4464	1684	{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe	132
PID 1684 wrote to memory of 4464	1684	{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe	132
PID 1684 wrote to memory of 3184	1684	{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe	133
PID 1684 wrote to memory of 3184	1684	{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe	133
PID 1684 wrote to memory of 3184	1684	{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe	133
PID 4464 wrote to memory of 940	4464	{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe	136
PID 4464 wrote to memory of 940	4464	{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe	136
PID 4464 wrote to memory of 940	4464	{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe	136
PID 4464 wrote to memory of 2020	4464	{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe	137

C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_4d6bae8d8a733cea2115c1b5d9142b0b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe
  C:\Windows\{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe
    C:\Windows\{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe
      C:\Windows\{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\{988D5901-6F86-422c-8D91-23FAD1D70649}.exe
        
        C:\Windows\{988D5901-6F86-422c-8D91-23FAD1D70649}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
      - C:\Windows\{0463174F-FA03-485e-94A7-88AC16592FFA}.exe
        
        C:\Windows\{0463174F-FA03-485e-94A7-88AC16592FFA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe
        
        C:\Windows\{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\{9EE89B69-5A6B-48f2-BE86-120550373260}.exe
        
        C:\Windows\{9EE89B69-5A6B-48f2-BE86-120550373260}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe
        
        C:\Windows\{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe
        
        C:\Windows\{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe
        
        C:\Windows\{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\{2230166B-67C6-4a4f-9662-80B4498664BF}.exe
        
        C:\Windows\{2230166B-67C6-4a4f-9662-80B4498664BF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\{D6AECC4E-A6F7-4b6f-ADAF-D86602FCC72A}.exe
        
        C:\Windows\{D6AECC4E-A6F7-4b6f-ADAF-D86602FCC72A}.exe
        13⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22301~1.EXE > nul
        13⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22DA5~1.EXE > nul
        12⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FA23~1.EXE > nul
        11⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A0B0~1.EXE > nul
        10⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EE89~1.EXE > nul
        9⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B01F~1.EXE > nul
        8⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04631~1.EXE > nul
        7⤵
        
        PID:940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{988D5~1.EXE > nul
        6⤵
        
        PID:3384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91599~1.EXE > nul
        5⤵
        
        PID:3140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BB7F2~1.EXE > nul
      4⤵
      PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4062A~1.EXE > nul
    3⤵
    PID:3844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0463174F-FA03-485e-94A7-88AC16592FFA}.exe

Filesize
168KB

MD5
d5672c9fa4a14187f2b84326535792cb

SHA1
31c02e89ac2a05fdc62a70e3676e682cdf091c01

SHA256
9bdd3155385463a2e036a23f47028f26a3187d14507264750c64e5c2f175d5aa

SHA512
5644082a61db2dc1957fb4f40bbb95b25b847c465ac522674bdeba31e3d4f440abf6082a387f6e67805c30878b5ecd7a73f54bc0acff6594ed5569756fae3c2a

Download Submit
C:\Windows\{2230166B-67C6-4a4f-9662-80B4498664BF}.exe

Filesize
168KB

MD5
2df8b90c14f068d5ab3e8d7ce9d823d6

SHA1
12139fa7b55cdb1f8d242a0a5b41e00fb0a47df5

SHA256
0f107c07c561fc6673d45c90cc4a8196a228c91f7b724556361d9a1785f5aca9

SHA512
83efac58152cdf69c8ea1930e7a090c442acdc500b6441d8acf5407be39a594b0714791434989978188668a8c3e0f4b30d4c755af3efcaf4ef8603e4813e0ee0

Download Submit
C:\Windows\{22DA5D1E-897A-4132-B227-4149E9AC9DE0}.exe

Filesize
168KB

MD5
bf9db25be3baae204cce9bb2aac0b7c1

SHA1
a8feecbd7eadc2caeca0cb3043fde35fa07e6c87

SHA256
2f983a00d63104f408d14ec6a8900b6b70339f0325935b301a2bb6359f69a46b

SHA512
13b0f44f20d743fa62b30e7b603801f3a006debecbd647a0fef1f60304f768c537765aa31c5d587c98e88decb7e43aaf013d5dcb155471d1dab755bfe9a46f75

Download Submit
C:\Windows\{2A0B0191-319D-4409-B5BC-37A7B0D7611B}.exe

Filesize
168KB

MD5
3fb7b3e02bcea4aa6fc15bdc383845cf

SHA1
d3cc11595fe40f2c96d2cfde1cdd0e2ef70ddc7e

SHA256
045a467600e2472a78498c641c5f396a30339663058e878c2c07b4458eb9ba63

SHA512
79707f404d2f5785c1adcb8ee1009a70e13a409fd783fa1bc96db38f650cf68bcb43e5598cf3c5fc207e2b1f33fe261eca8cea8079aa1c415d0f75536ec5d25f

Download Submit
C:\Windows\{3FA23938-A765-4bb4-9735-72AB9DC039AF}.exe

Filesize
168KB

MD5
661409908bfda123e769807d88653be0

SHA1
53b589881cf20cde6cab28d72a7ca36da75a063b

SHA256
46e019f1f617821c985136a14b44654815864bab1b0fc9221bce00571fdacfae

SHA512
8e3488e2481aca906b7a6c843b6058d2fcd261330e5d1ffd033777593c9f08aa682fa6c6a2d435b22f4516a1aaf4918ff40124e535116fe7d0da0392bbf9c696

Download Submit
C:\Windows\{4062A843-871B-48e1-AA91-374A0BC7CC25}.exe

Filesize
168KB

MD5
07064268fd70c121b3de9f74556f5c64

SHA1
0c1f48738f257e84598e2a11bfbdcd66559ede0b

SHA256
6379dab2bfadee15ceb452642e192372c60ae15d48e38651a30230692814c3b8

SHA512
0bb10fcf7b55a7d41add57e960f3d551cecbf9a59e1516c2ea4436e70e3840536cd100dc0705b1a10c1732e600f2dfd34fc98cd62e35bd29ea4d7aba3b20cc2f

Download Submit
C:\Windows\{8B01F19B-1435-48cf-B2E2-441497A233E9}.exe

Filesize
168KB

MD5
3a1988a8bf81f55fc874c159a7853923

SHA1
b7d4858151b05acaf64d276415886a34abc77229

SHA256
37c2d5300ee07722f9193ba59e26f35c9f1e9a48381b24dea155f816907c63f0

SHA512
2cf87a48e0ecb94ee33656c6d3d2778b72b1b99be631242f3f355a5c847d5c90c96646e5c9d5ce5bf766b2641b22a5db9a37529f31429a8be1c7f1dba75c546b

Download Submit
C:\Windows\{915990C5-8DA2-4cd3-9846-04FFC8A6029F}.exe

Filesize
168KB

MD5
faeedaef9d3a2c1b2506236625c6a44c

SHA1
fff2c2d5359ebf6698963aed086abeb8a461b4bd

SHA256
52106d0dde56c107ff306f2e9af865aa18cd721e448d4504723cb034737f0cdf

SHA512
ff9824cbef9905aab1e4e71bdf036128b3d9527215efaea4edee1fb6a38e0d84862f6b9aface216c698e85077331a56e4b46c4de36c0a010ca776a9416374c76

Download Submit
C:\Windows\{988D5901-6F86-422c-8D91-23FAD1D70649}.exe

Filesize
168KB

MD5
fc4d33a5d4b3177e8a18440927eab94e

SHA1
025c6574c304cb058f884fabc0026528e91b2d94

SHA256
569d386d5f809426a98008d4287093c8e017d6cf66962a959a7d9d702c998066

SHA512
cc8b2c8a3513fb71c56493781a6f708d7a45d3ab9507925c0266a91046c2fe840d6aecb01e1b00819c08c57575ff8b3cacf7ff20371b531279787fd223955e9c

Download Submit
C:\Windows\{9EE89B69-5A6B-48f2-BE86-120550373260}.exe

Filesize
168KB

MD5
cda5a25ead35b37c88d35aba532d7a3d

SHA1
cd9b2ddd7c4dba8aee368b76bcc4cb0fffa0442b

SHA256
2559f8426b701e1725514c8c71ff457813cf697d173a1cdae0f092d8523f98e1

SHA512
dffc2b3d0bb3af6d59589d9e61b85126211d27ac21ebe46f7bc308db635176139634d77bd8e870a8add599c92fa44e0b2abaef4af511a606db2cad52ce4a4106

Download Submit
C:\Windows\{BB7F2E7B-B68B-43cd-96CA-D4BF20262C86}.exe

Filesize
168KB

MD5
95daaad2dcb2910f887825515937beb0

SHA1
0dc93a91f64095a7b505852443034cd78f7c910e

SHA256
19bd5b79b9a566b4d58283697ae133cb5d5a959963d792cb85ede293d0cb2cd0

SHA512
5fb69f284b53228ded2ca133bfc034b721a340f614d9956a1965b8ffec604f04a0ea24617f545299b670538aaffe9f985d1c09367eb7a42d79ce3f8841692b0b

Download Submit
C:\Windows\{D6AECC4E-A6F7-4b6f-ADAF-D86602FCC72A}.exe

Filesize
168KB

MD5
570f3cc8fdfa13dc000829f04d3a28ee

SHA1
cf78c9c0bd69f1619ccb0ee1d611e1044c95e171

SHA256
b2fcdf913bd4cde9e4e05ad1eed123186f8ed87ea4de267481151a4e47857b70

SHA512
6b07ffbf80c21e0754b80870eda47ed6b8e6f7f46b68b83ea095cbe5feca7282c5c8b3b1e511c73b38490f44623c2431fe2cc98278e93d13f1ac4800766377f2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads