a367e49b4f96743627510f18a0c7536b8e85fa00aa15b0e3dfe4f5beba666b16

Analysis

max time kernel
149s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe
Size

204KB
MD5

49e034e10f53b6ab9332e4e3424400c2
SHA1

1149b59d76b478aa33e6858531c5a4d468b03c62
SHA256

a367e49b4f96743627510f18a0c7536b8e85fa00aa15b0e3dfe4f5beba666b16
SHA512

34f25244e146ff26155579fcfa6f53be00ad786f58f359b8e010fe706327672195f0bfa1dcc1c7b2407a81a4e97edbf300e46b566aa25cb3bb68a2e828848e85
SSDEEP

1536:1EGh0ool15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ool1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b7e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b7f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b85-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b88-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023b94-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b88-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023b94-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023b88-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023b94-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023b88-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023b94-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023b88-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63D61664-2294-461d-96D1-82F36FD3259C}	{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3652EFDE-0657-4490-AE36-888C59C91CD9}	{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7037D56B-1B82-41ca-8F18-BB98AA355128}	{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F21941D-9E96-476c-88FC-2687840E442C}	{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F21941D-9E96-476c-88FC-2687840E442C}\stubpath = "C:\\Windows\\{8F21941D-9E96-476c-88FC-2687840E442C}.exe"	{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9AA124C-6906-4590-8AFA-3C81892982CC}	{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32112511-4C1F-4d0c-BB6E-DC79A547BF93}	{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32112511-4C1F-4d0c-BB6E-DC79A547BF93}\stubpath = "C:\\Windows\\{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe"	{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63D61664-2294-461d-96D1-82F36FD3259C}\stubpath = "C:\\Windows\\{63D61664-2294-461d-96D1-82F36FD3259C}.exe"	{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A66F1723-E0C1-47e8-BBFB-F539552137D4}	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A66F1723-E0C1-47e8-BBFB-F539552137D4}\stubpath = "C:\\Windows\\{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe"	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}	{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}\stubpath = "C:\\Windows\\{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe"	{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9AA124C-6906-4590-8AFA-3C81892982CC}\stubpath = "C:\\Windows\\{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe"	{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A8F4CB-38A1-4901-89B4-462FF41208C0}	{3C573426-94A6-448d-BF7C-C4095A4B0044}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3652EFDE-0657-4490-AE36-888C59C91CD9}\stubpath = "C:\\Windows\\{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe"	{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFEFD926-D976-4c29-A486-9A1780EC6C39}	{8F21941D-9E96-476c-88FC-2687840E442C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFEFD926-D976-4c29-A486-9A1780EC6C39}\stubpath = "C:\\Windows\\{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe"	{8F21941D-9E96-476c-88FC-2687840E442C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C573426-94A6-448d-BF7C-C4095A4B0044}\stubpath = "C:\\Windows\\{3C573426-94A6-448d-BF7C-C4095A4B0044}.exe"	{63D61664-2294-461d-96D1-82F36FD3259C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11A8F4CB-38A1-4901-89B4-462FF41208C0}\stubpath = "C:\\Windows\\{11A8F4CB-38A1-4901-89B4-462FF41208C0}.exe"	{3C573426-94A6-448d-BF7C-C4095A4B0044}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7037D56B-1B82-41ca-8F18-BB98AA355128}\stubpath = "C:\\Windows\\{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe"	{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCF1390F-E7E3-4671-B4CB-E160A13184AE}	{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCF1390F-E7E3-4671-B4CB-E160A13184AE}\stubpath = "C:\\Windows\\{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe"	{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C573426-94A6-448d-BF7C-C4095A4B0044}	{63D61664-2294-461d-96D1-82F36FD3259C}.exe

Executes dropped EXE 12 IoCs

pid	Process
2368	{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe
996	{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe
716	{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe
3996	{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe
2240	{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe
3332	{8F21941D-9E96-476c-88FC-2687840E442C}.exe
464	{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe
4112	{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe
2996	{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe
832	{63D61664-2294-461d-96D1-82F36FD3259C}.exe
1460	{3C573426-94A6-448d-BF7C-C4095A4B0044}.exe
1572	{11A8F4CB-38A1-4901-89B4-462FF41208C0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe	{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe
File created	C:\Windows\{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe	{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe
File created	C:\Windows\{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe	{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe
File created	C:\Windows\{63D61664-2294-461d-96D1-82F36FD3259C}.exe	{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe
File created	C:\Windows\{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe	{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe
File created	C:\Windows\{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe	{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe
File created	C:\Windows\{3C573426-94A6-448d-BF7C-C4095A4B0044}.exe	{63D61664-2294-461d-96D1-82F36FD3259C}.exe
File created	C:\Windows\{11A8F4CB-38A1-4901-89B4-462FF41208C0}.exe	{3C573426-94A6-448d-BF7C-C4095A4B0044}.exe
File created	C:\Windows\{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe
File created	C:\Windows\{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe	{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe
File created	C:\Windows\{8F21941D-9E96-476c-88FC-2687840E442C}.exe	{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe
File created	C:\Windows\{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe	{8F21941D-9E96-476c-88FC-2687840E442C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5084	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2368	{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe
Token: SeIncBasePriorityPrivilege	996	{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe
Token: SeIncBasePriorityPrivilege	716	{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe
Token: SeIncBasePriorityPrivilege	3996	{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe
Token: SeIncBasePriorityPrivilege	2240	{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe
Token: SeIncBasePriorityPrivilege	3332	{8F21941D-9E96-476c-88FC-2687840E442C}.exe
Token: SeIncBasePriorityPrivilege	464	{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe
Token: SeIncBasePriorityPrivilege	4112	{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe
Token: SeIncBasePriorityPrivilege	2996	{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe
Token: SeIncBasePriorityPrivilege	832	{63D61664-2294-461d-96D1-82F36FD3259C}.exe
Token: SeIncBasePriorityPrivilege	1460	{3C573426-94A6-448d-BF7C-C4095A4B0044}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 2368	5084	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	86
PID 5084 wrote to memory of 2368	5084	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	86
PID 5084 wrote to memory of 2368	5084	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	86
PID 5084 wrote to memory of 4760	5084	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	87
PID 5084 wrote to memory of 4760	5084	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	87
PID 5084 wrote to memory of 4760	5084	2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe	87
PID 2368 wrote to memory of 996	2368	{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe	88
PID 2368 wrote to memory of 996	2368	{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe	88
PID 2368 wrote to memory of 996	2368	{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe	88
PID 2368 wrote to memory of 1900	2368	{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe	89
PID 2368 wrote to memory of 1900	2368	{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe	89
PID 2368 wrote to memory of 1900	2368	{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe	89
PID 996 wrote to memory of 716	996	{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe	92
PID 996 wrote to memory of 716	996	{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe	92
PID 996 wrote to memory of 716	996	{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe	92
PID 996 wrote to memory of 4516	996	{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe	93
PID 996 wrote to memory of 4516	996	{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe	93
PID 996 wrote to memory of 4516	996	{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe	93
PID 716 wrote to memory of 3996	716	{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe	98
PID 716 wrote to memory of 3996	716	{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe	98
PID 716 wrote to memory of 3996	716	{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe	98
PID 716 wrote to memory of 4456	716	{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe	99
PID 716 wrote to memory of 4456	716	{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe	99
PID 716 wrote to memory of 4456	716	{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe	99
PID 3996 wrote to memory of 2240	3996	{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe	101
PID 3996 wrote to memory of 2240	3996	{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe	101
PID 3996 wrote to memory of 2240	3996	{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe	101
PID 3996 wrote to memory of 4292	3996	{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe	102
PID 3996 wrote to memory of 4292	3996	{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe	102
PID 3996 wrote to memory of 4292	3996	{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe	102
PID 2240 wrote to memory of 3332	2240	{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe	105
PID 2240 wrote to memory of 3332	2240	{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe	105
PID 2240 wrote to memory of 3332	2240	{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe	105
PID 2240 wrote to memory of 3112	2240	{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe	106
PID 2240 wrote to memory of 3112	2240	{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe	106
PID 2240 wrote to memory of 3112	2240	{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe	106
PID 3332 wrote to memory of 464	3332	{8F21941D-9E96-476c-88FC-2687840E442C}.exe	107
PID 3332 wrote to memory of 464	3332	{8F21941D-9E96-476c-88FC-2687840E442C}.exe	107
PID 3332 wrote to memory of 464	3332	{8F21941D-9E96-476c-88FC-2687840E442C}.exe	107
PID 3332 wrote to memory of 3956	3332	{8F21941D-9E96-476c-88FC-2687840E442C}.exe	108
PID 3332 wrote to memory of 3956	3332	{8F21941D-9E96-476c-88FC-2687840E442C}.exe	108
PID 3332 wrote to memory of 3956	3332	{8F21941D-9E96-476c-88FC-2687840E442C}.exe	108
PID 464 wrote to memory of 4112	464	{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe	109
PID 464 wrote to memory of 4112	464	{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe	109
PID 464 wrote to memory of 4112	464	{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe	109
PID 464 wrote to memory of 3528	464	{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe	110
PID 464 wrote to memory of 3528	464	{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe	110
PID 464 wrote to memory of 3528	464	{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe	110
PID 4112 wrote to memory of 2996	4112	{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe	111
PID 4112 wrote to memory of 2996	4112	{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe	111
PID 4112 wrote to memory of 2996	4112	{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe	111
PID 4112 wrote to memory of 708	4112	{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe	112
PID 4112 wrote to memory of 708	4112	{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe	112
PID 4112 wrote to memory of 708	4112	{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe	112
PID 2996 wrote to memory of 832	2996	{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe	113
PID 2996 wrote to memory of 832	2996	{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe	113
PID 2996 wrote to memory of 832	2996	{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe	113
PID 2996 wrote to memory of 4548	2996	{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe	114
PID 2996 wrote to memory of 4548	2996	{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe	114
PID 2996 wrote to memory of 4548	2996	{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe	114
PID 832 wrote to memory of 1460	832	{63D61664-2294-461d-96D1-82F36FD3259C}.exe	115
PID 832 wrote to memory of 1460	832	{63D61664-2294-461d-96D1-82F36FD3259C}.exe	115
PID 832 wrote to memory of 1460	832	{63D61664-2294-461d-96D1-82F36FD3259C}.exe	115
PID 832 wrote to memory of 4624	832	{63D61664-2294-461d-96D1-82F36FD3259C}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_49e034e10f53b6ab9332e4e3424400c2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe
  C:\Windows\{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe
    C:\Windows\{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe
      C:\Windows\{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:716
    - - C:\Windows\{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe
        
        C:\Windows\{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
      - C:\Windows\{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe
        
        C:\Windows\{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\{8F21941D-9E96-476c-88FC-2687840E442C}.exe
        
        C:\Windows\{8F21941D-9E96-476c-88FC-2687840E442C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe
        
        C:\Windows\{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe
        
        C:\Windows\{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe
        
        C:\Windows\{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\{63D61664-2294-461d-96D1-82F36FD3259C}.exe
        
        C:\Windows\{63D61664-2294-461d-96D1-82F36FD3259C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\{3C573426-94A6-448d-BF7C-C4095A4B0044}.exe
        
        C:\Windows\{3C573426-94A6-448d-BF7C-C4095A4B0044}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\{11A8F4CB-38A1-4901-89B4-462FF41208C0}.exe
        
        C:\Windows\{11A8F4CB-38A1-4901-89B4-462FF41208C0}.exe
        13⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C573~1.EXE > nul
        13⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63D61~1.EXE > nul
        12⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32112~1.EXE > nul
        11⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9AA1~1.EXE > nul
        10⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFEFD~1.EXE > nul
        9⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F219~1.EXE > nul
        8⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCF13~1.EXE > nul
        7⤵
        
        PID:3112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFFC9~1.EXE > nul
        6⤵
        
        PID:4292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7037D~1.EXE > nul
        5⤵
        
        PID:4456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3652E~1.EXE > nul
      4⤵
      PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A66F1~1.EXE > nul
    3⤵
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11A8F4CB-38A1-4901-89B4-462FF41208C0}.exe

Filesize
204KB

MD5
ca39f23111015d79441b39867c232968

SHA1
2941b04309e02eb5a80bda19dbbce11229584f73

SHA256
e39607dddd2f4dd09a8d1279d84f51cc35d58863a2bb6dfef0a8fa185271579c

SHA512
361894fe7a3de4cc317ca936afcb62b48a2fecdbcbbc455e5d6a682855faa3798676b14b80a41a09f543bdb11a42b420168cd0b1447461f4e3e51168163ba91a

Download Submit
C:\Windows\{32112511-4C1F-4d0c-BB6E-DC79A547BF93}.exe

Filesize
204KB

MD5
28a3ab684c2d50f6e47d9a70d35bd109

SHA1
072d7c6a8c0f03ba569c1f0733066d0bf8f2a5c7

SHA256
391895f8cbc0721343c1e6450a9bd84e30cdfd237db1d34aa5807e42d4b9cec6

SHA512
06b1367aa93c2702b9feccb98154ce66bd256595b88e58f36fc54c5096f9426452fdd48f85d9b2957f47f2fb0358e6e61b92b668e7ffb01ace823e472ba5fec5

Download Submit
C:\Windows\{3652EFDE-0657-4490-AE36-888C59C91CD9}.exe

Filesize
204KB

MD5
429d65abed31920cd79c6fad8d3ca01f

SHA1
b1195e26b72e2338a28ade5c930393e5da969727

SHA256
a1784b372cd8468e1734565a18b069116d75b8c23e1881b40995f9873f627d57

SHA512
d66f8ee4d5124e81536c618215a8210f631239c4d658f05274afffd4679fb032499d2089dd4a75517b7afbb8f1aa75ee048bc9504242146aba34b9aa54eb6c27

Download Submit
C:\Windows\{3C573426-94A6-448d-BF7C-C4095A4B0044}.exe

Filesize
204KB

MD5
15986cd091e0b1fb4bb47310c443f780

SHA1
d0d2a5a3271498fdf0106e1419f6ca8f447b9d47

SHA256
ca5fa52c12820713219a16feb5818a6d0fdef4bacc95b44486fa89a4223f7904

SHA512
23856f2f85c25fa6a830cc8a5a6e502ea0fecb9a09735643aa69211f669e996a50f55ca4a08eeb8abdea3f0101779df1a814909c340c7f765747fe558978e17e

Download Submit
C:\Windows\{63D61664-2294-461d-96D1-82F36FD3259C}.exe

Filesize
204KB

MD5
9a0fc3af13251d063ec9f7f1bdbc3dfd

SHA1
e35b3aedff3bedccd106f57defd370280260e622

SHA256
8259b4f78a97e2871746258ec4cfe261a29427fb81d3a77a1b165f3b92b51f3e

SHA512
208dbc300295a959ed31afe34e4c8f4dc180e2d0f322e3c92ffa16d4856a84729a74d3f58a232851a5b08ca9c1542d50addec41b9d34afcb5c3fe107dff21c9e

Download Submit
C:\Windows\{7037D56B-1B82-41ca-8F18-BB98AA355128}.exe

Filesize
204KB

MD5
c649503de0f572dc32670dbb12456bfc

SHA1
95508773f6ca65e6ae41adf1b2896a32259c395a

SHA256
c8d3fc874210841431ac3657d4d233f4e83d0beb5c92e17bcb2ef2c68ed0e121

SHA512
01ef3f21f3fb5f1149a6b53bbb644ad03984787362f138d1577a123fecb4cc0540ccc4d29442b46cba6c2137428dc503dcf396413736dbf1a111d51feee3318b

Download Submit
C:\Windows\{8F21941D-9E96-476c-88FC-2687840E442C}.exe

Filesize
204KB

MD5
529547d059a669fd8bbd5d1399e0bb3d

SHA1
35904623131e9fdc3d7acd64e811bb20ec8a7ef1

SHA256
330307324ba90055e4e1dbaf785e6f688ba31c61dd545c6f898c7daab7f02e9d

SHA512
ba1edd501caff27c677cced4a1bf4c458313fd661ac51a85455e52060fdf5823a110d13bc34ffb9a4212b55c2ccb45843631987a0bdb60e64a2282262185a79d

Download Submit
C:\Windows\{A66F1723-E0C1-47e8-BBFB-F539552137D4}.exe

Filesize
204KB

MD5
aa451483ed11ea1e3d77daa7ee5eaeca

SHA1
dc66fd633072e87b76f99f9e199bb0e80a8672ed

SHA256
6822bc373ad134511e76505a78ec51b98589656285d928b0800f859c189a72a7

SHA512
298504509bb06e148d2034324109ad5c35de94ae075713340e3ca01e73c65809690651d35fffa13273d63688514253d2eedac18397ba1a77cd9f45c5499866b6

Download Submit
C:\Windows\{BCF1390F-E7E3-4671-B4CB-E160A13184AE}.exe

Filesize
204KB

MD5
8837e64e183446a42b54cd75b68bea0d

SHA1
a3ddd1aa00859a4a1752cea92c5c06e33f1dc274

SHA256
eb2ecf24561ef77a8c144ce5a3bcf275a9a06d245ba6b73ca7c7b15340950484

SHA512
d2a51d3b1d06fd8ab59eafd6778f51fa55b12da5d69f6e7e40eeb2a4a50a70451239bc45341edcaddb5749cc509df9c1c06c937c55f882b4f84a94b8a16ee7b6

Download Submit
C:\Windows\{C9AA124C-6906-4590-8AFA-3C81892982CC}.exe

Filesize
204KB

MD5
5812dcecc2e7331c102a823bf10b9ed4

SHA1
3a6cde2cdcae4c85ea04de4edef729370b748a55

SHA256
0b1dc6287ff515ef475c8ee2d037e56ffe399057b0b04cc9b5009d03c5b99de7

SHA512
aa0be1fce74af4b90f2105fcc86e549f11f6cf1b60959953e014f04f556ef725e65630599cc9a917f1e1a2f9ea17c2187ad816a8b7c585a11df3229c93ea00be

Download Submit
C:\Windows\{EFEFD926-D976-4c29-A486-9A1780EC6C39}.exe

Filesize
204KB

MD5
f4ae8d4bdcc8e4236d8acfedeee52187

SHA1
ca95be6144b0ce8d6fc63faaa1a4577e48604002

SHA256
b565fe041009c21bf414e9d853caefcb48219d4da5c145cf329d0048dc9201bd

SHA512
e1013deca64201a8d2695daf806755188d79cfabd789afaf8013913b104a0b3afb529aeecc5ccee6d7690d53e1de387088899c7f81c1977870c24fae28f99628

Download Submit
C:\Windows\{EFFC9106-78EC-4ebf-BB35-7BDDDA671CDC}.exe

Filesize
204KB

MD5
b46f44c1e675a01fc792af58ebe8addb

SHA1
0442a59c815b9efd270110c150d59987e8effe41

SHA256
55cf6890ab2a340f38dbc629756a1778b64bf13de661d33223d34344489c542d

SHA512
e91be0350ec85cc58f00a2d10f92885f79b7ccf9d209ff01f021955c75b62ea98aeabf6b00e73480bf07f3068af5e879eb367548117f6306bf9e191a4332a1bf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads