ba10b7ab567634261e3b3f14effdc0c8d37ae29e9efe8441976b962e4017328c

Analysis

max time kernel
149s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe
Size

408KB
MD5

fa74038535d0dfaeb0bc143713a1e446
SHA1

3a1206df207200ccc87d82269cc9518530c54909
SHA256

ba10b7ab567634261e3b3f14effdc0c8d37ae29e9efe8441976b962e4017328c
SHA512

d964e61d843265deefead65c00fa0f922ceceadb076c4ad25d135f4f4599e5097fce38c6850944406c18f0c7323212c401c5149ca45195bfb0075b96477469f3
SSDEEP

3072:CEGh0odl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGLldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b8d-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b8e-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b93-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b96-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023ba2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b96-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023ba2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023ba2-32.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023b96-36.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023ba2-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023b96-44.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}\stubpath = "C:\\Windows\\{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe"	{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97324499-8813-43e9-8D57-CB8AE0140DAE}	{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64BCF438-5D25-409d-B3BF-3D9B8767DCED}	{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}	{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD03347-9BFE-4554-BFF6-FCF7A20111D1}	{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DD03347-9BFE-4554-BFF6-FCF7A20111D1}\stubpath = "C:\\Windows\\{2DD03347-9BFE-4554-BFF6-FCF7A20111D1}.exe"	{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{464A5E3E-88B2-482e-B9FD-B8AE6521B405}	2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{776F14B3-0BFB-4333-A081-E792DB296BA9}	{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB987DC-CCA4-4903-8BE7-F18884EBA675}	{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB987DC-CCA4-4903-8BE7-F18884EBA675}\stubpath = "C:\\Windows\\{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe"	{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37B49366-EEA5-4a59-940A-310E947E59DF}	{64BCF438-5D25-409d-B3BF-3D9B8767DCED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}	{37B49366-EEA5-4a59-940A-310E947E59DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63634EF5-9764-471f-99B9-4CCA0C0C97E7}	{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97324499-8813-43e9-8D57-CB8AE0140DAE}\stubpath = "C:\\Windows\\{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe"	{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{776F14B3-0BFB-4333-A081-E792DB296BA9}\stubpath = "C:\\Windows\\{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe"	{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64BCF438-5D25-409d-B3BF-3D9B8767DCED}\stubpath = "C:\\Windows\\{64BCF438-5D25-409d-B3BF-3D9B8767DCED}.exe"	{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37B49366-EEA5-4a59-940A-310E947E59DF}\stubpath = "C:\\Windows\\{37B49366-EEA5-4a59-940A-310E947E59DF}.exe"	{64BCF438-5D25-409d-B3BF-3D9B8767DCED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}\stubpath = "C:\\Windows\\{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe"	{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{464A5E3E-88B2-482e-B9FD-B8AE6521B405}\stubpath = "C:\\Windows\\{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe"	2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCF713BA-563E-42e6-8AF9-1C5B644CA966}	{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCF713BA-563E-42e6-8AF9-1C5B644CA966}\stubpath = "C:\\Windows\\{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe"	{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}	{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}\stubpath = "C:\\Windows\\{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe"	{37B49366-EEA5-4a59-940A-310E947E59DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63634EF5-9764-471f-99B9-4CCA0C0C97E7}\stubpath = "C:\\Windows\\{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe"	{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe

Executes dropped EXE 11 IoCs

pid	Process
2036	{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe
2280	{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe
2020	{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe
1756	{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe
2348	{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe
4816	{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe
2492	{64BCF438-5D25-409d-B3BF-3D9B8767DCED}.exe
4272	{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe
4928	{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe
3716	{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe
2780	{2DD03347-9BFE-4554-BFF6-FCF7A20111D1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe	{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe
File created	C:\Windows\{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe	{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe
File created	C:\Windows\{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe	{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe
File created	C:\Windows\{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe	{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe
File created	C:\Windows\{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe	{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe
File created	C:\Windows\{64BCF438-5D25-409d-B3BF-3D9B8767DCED}.exe	{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe
File created	C:\Windows\{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe	{37B49366-EEA5-4a59-940A-310E947E59DF}.exe
File created	C:\Windows\{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe	{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe
File created	C:\Windows\{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe	{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe
File created	C:\Windows\{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe	2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe
File created	C:\Windows\{2DD03347-9BFE-4554-BFF6-FCF7A20111D1}.exe	{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4044	2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2036	{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe
Token: SeIncBasePriorityPrivilege	2280	{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe
Token: SeIncBasePriorityPrivilege	2020	{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe
Token: SeIncBasePriorityPrivilege	1756	{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe
Token: SeIncBasePriorityPrivilege	2348	{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe
Token: SeIncBasePriorityPrivilege	4816	{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe
Token: SeIncBasePriorityPrivilege	2664	{37B49366-EEA5-4a59-940A-310E947E59DF}.exe
Token: SeIncBasePriorityPrivilege	4272	{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe
Token: SeIncBasePriorityPrivilege	4928	{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe
Token: SeIncBasePriorityPrivilege	3716	{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 2036	4044	2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe	89
PID 4044 wrote to memory of 2036	4044	2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe	89
PID 4044 wrote to memory of 2036	4044	2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe	89
PID 4044 wrote to memory of 5068	4044	2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe	90
PID 4044 wrote to memory of 5068	4044	2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe	90
PID 4044 wrote to memory of 5068	4044	2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe	90
PID 2036 wrote to memory of 2280	2036	{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe	91
PID 2036 wrote to memory of 2280	2036	{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe	91
PID 2036 wrote to memory of 2280	2036	{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe	91
PID 2036 wrote to memory of 1648	2036	{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe	92
PID 2036 wrote to memory of 1648	2036	{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe	92
PID 2036 wrote to memory of 1648	2036	{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe	92
PID 2280 wrote to memory of 2020	2280	{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe	95
PID 2280 wrote to memory of 2020	2280	{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe	95
PID 2280 wrote to memory of 2020	2280	{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe	95
PID 2280 wrote to memory of 880	2280	{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe	96
PID 2280 wrote to memory of 880	2280	{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe	96
PID 2280 wrote to memory of 880	2280	{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe	96
PID 2020 wrote to memory of 1756	2020	{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe	101
PID 2020 wrote to memory of 1756	2020	{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe	101
PID 2020 wrote to memory of 1756	2020	{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe	101
PID 2020 wrote to memory of 1916	2020	{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe	102
PID 2020 wrote to memory of 1916	2020	{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe	102
PID 2020 wrote to memory of 1916	2020	{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe	102
PID 1756 wrote to memory of 2348	1756	{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe	104
PID 1756 wrote to memory of 2348	1756	{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe	104
PID 1756 wrote to memory of 2348	1756	{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe	104
PID 1756 wrote to memory of 1712	1756	{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe	105
PID 1756 wrote to memory of 1712	1756	{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe	105
PID 1756 wrote to memory of 1712	1756	{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe	105
PID 2348 wrote to memory of 4816	2348	{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe	108
PID 2348 wrote to memory of 4816	2348	{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe	108
PID 2348 wrote to memory of 4816	2348	{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe	108
PID 2348 wrote to memory of 2832	2348	{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe	109
PID 2348 wrote to memory of 2832	2348	{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe	109
PID 2348 wrote to memory of 2832	2348	{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe	109
PID 4816 wrote to memory of 2492	4816	{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe	110
PID 4816 wrote to memory of 2492	4816	{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe	110
PID 4816 wrote to memory of 2492	4816	{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe	110
PID 4816 wrote to memory of 4420	4816	{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe	111
PID 4816 wrote to memory of 4420	4816	{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe	111
PID 4816 wrote to memory of 4420	4816	{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe	111
PID 2664 wrote to memory of 4272	2664	{37B49366-EEA5-4a59-940A-310E947E59DF}.exe	114
PID 2664 wrote to memory of 4272	2664	{37B49366-EEA5-4a59-940A-310E947E59DF}.exe	114
PID 2664 wrote to memory of 4272	2664	{37B49366-EEA5-4a59-940A-310E947E59DF}.exe	114
PID 2664 wrote to memory of 2712	2664	{37B49366-EEA5-4a59-940A-310E947E59DF}.exe	115
PID 2664 wrote to memory of 2712	2664	{37B49366-EEA5-4a59-940A-310E947E59DF}.exe	115
PID 2664 wrote to memory of 2712	2664	{37B49366-EEA5-4a59-940A-310E947E59DF}.exe	115
PID 4272 wrote to memory of 4928	4272	{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe	116
PID 4272 wrote to memory of 4928	4272	{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe	116
PID 4272 wrote to memory of 4928	4272	{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe	116
PID 4272 wrote to memory of 1192	4272	{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe	117
PID 4272 wrote to memory of 1192	4272	{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe	117
PID 4272 wrote to memory of 1192	4272	{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe	117
PID 4928 wrote to memory of 3716	4928	{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe	118
PID 4928 wrote to memory of 3716	4928	{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe	118
PID 4928 wrote to memory of 3716	4928	{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe	118
PID 4928 wrote to memory of 3728	4928	{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe	119
PID 4928 wrote to memory of 3728	4928	{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe	119
PID 4928 wrote to memory of 3728	4928	{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe	119
PID 3716 wrote to memory of 2780	3716	{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe	120
PID 3716 wrote to memory of 2780	3716	{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe	120
PID 3716 wrote to memory of 2780	3716	{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe	120
PID 3716 wrote to memory of 2700	3716	{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe	121

C:\Users\Admin\AppData\Local\Temp\2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_fa74038535d0dfaeb0bc143713a1e446_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe
  C:\Windows\{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe
    C:\Windows\{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe
      C:\Windows\{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe
        
        C:\Windows\{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe
        
        C:\Windows\{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe
        
        C:\Windows\{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\{64BCF438-5D25-409d-B3BF-3D9B8767DCED}.exe
        
        C:\Windows\{64BCF438-5D25-409d-B3BF-3D9B8767DCED}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\{37B49366-EEA5-4a59-940A-310E947E59DF}.exe
        
        C:\Windows\{37B49366-EEA5-4a59-940A-310E947E59DF}.exe
        9⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe
        
        C:\Windows\{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe
        
        C:\Windows\{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe
        
        C:\Windows\{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\{2DD03347-9BFE-4554-BFF6-FCF7A20111D1}.exe
        
        C:\Windows\{2DD03347-9BFE-4554-BFF6-FCF7A20111D1}.exe
        13⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63634~1.EXE > nul
        13⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{002A8~1.EXE > nul
        12⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4BFE1~1.EXE > nul
        11⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37B49~1.EXE > nul
        10⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64BCF~1.EXE > nul
        9⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFB98~1.EXE > nul
        8⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{776F1~1.EXE > nul
        7⤵
        
        PID:2832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97324~1.EXE > nul
        6⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C0D2~1.EXE > nul
        5⤵
        
        PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BCF71~1.EXE > nul
      4⤵
      PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{464A5~1.EXE > nul
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{002A81E2-0C88-4a63-A5DF-15D1DC7DAD46}.exe

Filesize
408KB

MD5
5d1e21a35b12daaf051a9c50d4f9eee2

SHA1
a8d0d6e63d2d60fe7dc96560b9b9c3bbb0c2dd75

SHA256
3e8795d849af09a01dd49b5f6d8fcf10ef363a8dce4376bd997bd272a58d33d1

SHA512
8e8ee632640c49d0f8b4612813a32a4a78dc82271e1656285b5350839741149b4ce5e8f2ae6b46d05321cd5d3d752067b37fd58af25b200f108cbacf3c4ddaa2

Download Submit
C:\Windows\{1C0D2933-6614-45cc-B2B3-8A41C3D0C911}.exe

Filesize
408KB

MD5
b20f6c8e9af327284dd1b3660811675b

SHA1
07ce2ab728149ae3c2f06c7f13fad662dc280d60

SHA256
c1d67eb5a752171b836c8a54596ed9c5821fb504bd90f903d38c12e85ddccc00

SHA512
69608ed11473741d229b56ff0fcf1b6e01000e991a193fa7f18f461d40c305439b18d63c2d8c278a144e1cbb9ae1b766941c850bff6abbd36c2631ad05dd4d86

Download Submit
C:\Windows\{2DD03347-9BFE-4554-BFF6-FCF7A20111D1}.exe

Filesize
408KB

MD5
e791af70dd8cbf8f3228f1aabc80ae20

SHA1
54f69e4fa9782e07291625a866f8ac9242220d84

SHA256
01a30efe8e79a837e3017a554fffa439b04e41427234bf0983e6f8afc9673b81

SHA512
fde2604d66f65cb8042526e6f1ce1075bc49d739c8cbf3c5a7bc65614a35cab48bd2d0af3fdf8d1f8b5db96777e518e1d4b631a7270eaabe0fadfa69f3d08e9b

Download Submit
C:\Windows\{464A5E3E-88B2-482e-B9FD-B8AE6521B405}.exe

Filesize
408KB

MD5
4e2e969ce20c74c8cb6752c3c84abcb4

SHA1
7e4c5b636d864a0ea02d442b2824482d9a28579b

SHA256
4b706b5b08cbc7f52e0cc077bfb7e61b307f0aac3e9eee4b53c5f3efd3f078d4

SHA512
404eb1b1b27de4b4a55ba5526b53ef2f0a254d1f00665e9f6dfaaaf0df41736d6e716bb50c34dadc18999eee319ba29835ff0a4a85e22fb6b4e50565abb1ac7e

Download Submit
C:\Windows\{4BFE1D30-E8FB-40f5-9FEA-3DEECA55CDAE}.exe

Filesize
408KB

MD5
a5b500241e19c169b41aa1d7c028bec4

SHA1
5b455a107f1b5f9d134faff4aef952c1fca0f935

SHA256
bf6a63d995d9b870b0dffe61a89983b29d57c5019dc863713b8d6c9be18fad32

SHA512
7968b477efa33b9007a6c05d975b1b19c4b4a204c340332a1789480b487305c6b34775381470a19a4dea5ab12a36acb31621935426e6d36d391f8be33eab9b70

Download Submit
C:\Windows\{63634EF5-9764-471f-99B9-4CCA0C0C97E7}.exe

Filesize
408KB

MD5
976d95f6375fe6943554aeb3a5311e74

SHA1
0cdad5c52a50e64a6581ebb5e709d42175eb1fa3

SHA256
5f5ed9bfc18bacdeec23041f94191a8be6a01c1f14b3726b3f45b2a6aad1bfe6

SHA512
083dc06efb232ceb88c8c744aea3e3c00ff620002b37146c2ca4269715f93878d1a516f1dcbbeaaafdb5883190947d9db51ebf4b8055bc43f5d33362aacd7ecb

Download Submit
C:\Windows\{64BCF438-5D25-409d-B3BF-3D9B8767DCED}.exe

Filesize
408KB

MD5
9ef95d5c8d46253652fa7b3d2f24f5b8

SHA1
3465e9011f40e9465f1271fcf3c5366cf2a6eb07

SHA256
cc0da7a01571ae84e4b25cc0f7bccffd339b6255362cb30429662393e42a2638

SHA512
ec5884c4f2cd0fa9ad5d5d70529f240d0685dfcdcc97ebaa62c81def2675f13af252587ab8531001428ae391c5a8bdc3382c5e49aa84f823d96f2b137500b5bc

Download Submit
C:\Windows\{776F14B3-0BFB-4333-A081-E792DB296BA9}.exe

Filesize
408KB

MD5
b9d8be46e49d3e587f095391ca1576d4

SHA1
4c5833e0d69b9f2219cbda3fbc86fe556e176fc8

SHA256
e9ad1447fa72ca1242056e614fad0894dddf00a1b7c75013ff555d56916670b4

SHA512
fd71a2f843b5523ce15eecfada0a384092af10562ff8fa1ff666a53f07df1577947eda623652e389dec6d13bdea9887e227e3dd05b65770fdadbe8c1dc9ad57f

Download Submit
C:\Windows\{97324499-8813-43e9-8D57-CB8AE0140DAE}.exe

Filesize
408KB

MD5
6244efd40a0a6657467ea3d77252ebdd

SHA1
f5c2dec9f7b307dc54b9c8a3302dda5009ca7fd1

SHA256
16d5a2d3268187a3d5fe7f5b0e787d957d56879effb22e7a81295e5f325f415e

SHA512
0f52dc1fd12d9a7f7f0e3c4057d169b3258d262b74aba6ae9184e767e968012693e4258e03384f8907528cc86a587684d34a5f76cd6794adf2260921250211cb

Download Submit
C:\Windows\{AFB987DC-CCA4-4903-8BE7-F18884EBA675}.exe

Filesize
408KB

MD5
5b50349b5d8f232f96bdcdf8b09d32ea

SHA1
886b9fa8d8d0f0b81112e8146bd887e6ee516096

SHA256
064d8268830d776b549687d03c0fbfcd9482c99de4bb99a3023d658fbef99dd1

SHA512
8c184ec3f7f293166a07af4dac81abb1dbfdd7e8474312c67b5ac47466543f4f89c2e127b86c34fa11d117237baff2074576850308c9559d412cafe76dbcafde

Download Submit
C:\Windows\{BCF713BA-563E-42e6-8AF9-1C5B644CA966}.exe

Filesize
408KB

MD5
d6397882c0beca04a2225775a9b58a11

SHA1
50a1a72726843f8fbd4f84eda1d9a9bec4b0fa89

SHA256
dfeae0b0e6f65f42bea2ca2313b8cf7740b082f0f3efbe822a191a10424f77c3

SHA512
bd32bb885b973777f76b06e573cff12c6af8d5b3c90ea4aa2368860ceb17eedfa9ffd8a2f096042596f364606c9d376e17cdf0306f235f9a516fd7f6fcc4c882

Download Submit
memory/2492-27-0x0000000003920000-0x00000000039FB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads