1fb7c115e2f7f6a350c7b6f52f2463061654395cac4bb8f32dfd8eec88179c32

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe
Size

168KB
MD5

82499e7577038cb1c112e1d9025199a3
SHA1

4548cbd9bfb89f4ddebd96574366160a7aff59b4
SHA256

1fb7c115e2f7f6a350c7b6f52f2463061654395cac4bb8f32dfd8eec88179c32
SHA512

e571d20e408c1c4c2282819fe2075bcfa518373be16e1ff737a6027dd7b010b150c3e728053e811626bdc8175db269523fb2e9080d05060c4f54f8a5472226ac
SSDEEP

1536:1EGh0orlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0orlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023b16-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0019000000023bbe-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023bc9-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001a000000023bbe-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023bc9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023bca-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023bc9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023be0-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001f000000023bbe-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023bd2-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0020000000023bbe-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023a77-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B00C5B36-D93F-40e5-9701-A7846397E3B7}	{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB541367-B91B-4bf6-89E6-8F46D8D2A671}\stubpath = "C:\\Windows\\{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe"	{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}	{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9900A77-972D-4459-9C68-0739A183E1CB}	{5689AA30-3796-4b60-AC9E-C26CBCB22BB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E9573D6-BC64-4640-BE3A-068A403412DB}	{9C199A03-6240-458e-877A-9C2C58FB046B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B11D5F9F-D030-4667-A900-2B315B3EC7FE}\stubpath = "C:\\Windows\\{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe"	{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2987B025-7A61-4dca-AF23-3485A05E22D7}\stubpath = "C:\\Windows\\{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe"	{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB541367-B91B-4bf6-89E6-8F46D8D2A671}	{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{805102D4-D8C4-453d-AF35-E8CF7C2608C8}\stubpath = "C:\\Windows\\{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe"	{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77214488-433A-4c87-868A-1D2F2E2ABF28}\stubpath = "C:\\Windows\\{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe"	{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5689AA30-3796-4b60-AC9E-C26CBCB22BB2}	{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B00C5B36-D93F-40e5-9701-A7846397E3B7}\stubpath = "C:\\Windows\\{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe"	{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{805102D4-D8C4-453d-AF35-E8CF7C2608C8}	{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77214488-433A-4c87-868A-1D2F2E2ABF28}	{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{783AE48D-7047-40c9-B02C-F38EA13D8AEA}	{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{783AE48D-7047-40c9-B02C-F38EA13D8AEA}\stubpath = "C:\\Windows\\{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe"	{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}\stubpath = "C:\\Windows\\{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe"	{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9900A77-972D-4459-9C68-0739A183E1CB}\stubpath = "C:\\Windows\\{B9900A77-972D-4459-9C68-0739A183E1CB}.exe"	{5689AA30-3796-4b60-AC9E-C26CBCB22BB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C199A03-6240-458e-877A-9C2C58FB046B}\stubpath = "C:\\Windows\\{9C199A03-6240-458e-877A-9C2C58FB046B}.exe"	2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E9573D6-BC64-4640-BE3A-068A403412DB}\stubpath = "C:\\Windows\\{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe"	{9C199A03-6240-458e-877A-9C2C58FB046B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B11D5F9F-D030-4667-A900-2B315B3EC7FE}	{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2987B025-7A61-4dca-AF23-3485A05E22D7}	{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5689AA30-3796-4b60-AC9E-C26CBCB22BB2}\stubpath = "C:\\Windows\\{5689AA30-3796-4b60-AC9E-C26CBCB22BB2}.exe"	{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C199A03-6240-458e-877A-9C2C58FB046B}	2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
4944	{9C199A03-6240-458e-877A-9C2C58FB046B}.exe
2080	{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe
1924	{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe
4716	{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe
3524	{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe
4652	{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe
2628	{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe
1008	{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe
988	{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe
4912	{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe
2856	{5689AA30-3796-4b60-AC9E-C26CBCB22BB2}.exe
3132	{B9900A77-972D-4459-9C68-0739A183E1CB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5689AA30-3796-4b60-AC9E-C26CBCB22BB2}.exe	{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe
File created	C:\Windows\{9C199A03-6240-458e-877A-9C2C58FB046B}.exe	2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe
File created	C:\Windows\{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe	{9C199A03-6240-458e-877A-9C2C58FB046B}.exe
File created	C:\Windows\{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe	{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe
File created	C:\Windows\{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe	{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe
File created	C:\Windows\{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe	{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe
File created	C:\Windows\{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe	{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe
File created	C:\Windows\{B9900A77-972D-4459-9C68-0739A183E1CB}.exe	{5689AA30-3796-4b60-AC9E-C26CBCB22BB2}.exe
File created	C:\Windows\{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe	{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe
File created	C:\Windows\{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe	{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe
File created	C:\Windows\{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe	{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe
File created	C:\Windows\{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe	{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3156	2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4944	{9C199A03-6240-458e-877A-9C2C58FB046B}.exe
Token: SeIncBasePriorityPrivilege	2080	{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe
Token: SeIncBasePriorityPrivilege	1924	{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe
Token: SeIncBasePriorityPrivilege	4716	{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe
Token: SeIncBasePriorityPrivilege	3524	{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe
Token: SeIncBasePriorityPrivilege	4652	{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe
Token: SeIncBasePriorityPrivilege	2628	{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe
Token: SeIncBasePriorityPrivilege	1008	{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe
Token: SeIncBasePriorityPrivilege	988	{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe
Token: SeIncBasePriorityPrivilege	4912	{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe
Token: SeIncBasePriorityPrivilege	2856	{5689AA30-3796-4b60-AC9E-C26CBCB22BB2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 4944	3156	2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe	97
PID 3156 wrote to memory of 4944	3156	2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe	97
PID 3156 wrote to memory of 4944	3156	2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe	97
PID 3156 wrote to memory of 2292	3156	2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe	98
PID 3156 wrote to memory of 2292	3156	2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe	98
PID 3156 wrote to memory of 2292	3156	2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe	98
PID 4944 wrote to memory of 2080	4944	{9C199A03-6240-458e-877A-9C2C58FB046B}.exe	99
PID 4944 wrote to memory of 2080	4944	{9C199A03-6240-458e-877A-9C2C58FB046B}.exe	99
PID 4944 wrote to memory of 2080	4944	{9C199A03-6240-458e-877A-9C2C58FB046B}.exe	99
PID 4944 wrote to memory of 1232	4944	{9C199A03-6240-458e-877A-9C2C58FB046B}.exe	100
PID 4944 wrote to memory of 1232	4944	{9C199A03-6240-458e-877A-9C2C58FB046B}.exe	100
PID 4944 wrote to memory of 1232	4944	{9C199A03-6240-458e-877A-9C2C58FB046B}.exe	100
PID 2080 wrote to memory of 1924	2080	{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe	103
PID 2080 wrote to memory of 1924	2080	{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe	103
PID 2080 wrote to memory of 1924	2080	{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe	103
PID 2080 wrote to memory of 1648	2080	{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe	104
PID 2080 wrote to memory of 1648	2080	{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe	104
PID 2080 wrote to memory of 1648	2080	{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe	104
PID 1924 wrote to memory of 4716	1924	{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe	105
PID 1924 wrote to memory of 4716	1924	{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe	105
PID 1924 wrote to memory of 4716	1924	{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe	105
PID 1924 wrote to memory of 2532	1924	{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe	106
PID 1924 wrote to memory of 2532	1924	{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe	106
PID 1924 wrote to memory of 2532	1924	{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe	106
PID 4716 wrote to memory of 3524	4716	{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe	107
PID 4716 wrote to memory of 3524	4716	{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe	107
PID 4716 wrote to memory of 3524	4716	{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe	107
PID 4716 wrote to memory of 512	4716	{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe	108
PID 4716 wrote to memory of 512	4716	{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe	108
PID 4716 wrote to memory of 512	4716	{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe	108
PID 3524 wrote to memory of 4652	3524	{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe	113
PID 3524 wrote to memory of 4652	3524	{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe	113
PID 3524 wrote to memory of 4652	3524	{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe	113
PID 3524 wrote to memory of 4552	3524	{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe	114
PID 3524 wrote to memory of 4552	3524	{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe	114
PID 3524 wrote to memory of 4552	3524	{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe	114
PID 4652 wrote to memory of 2628	4652	{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe	115
PID 4652 wrote to memory of 2628	4652	{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe	115
PID 4652 wrote to memory of 2628	4652	{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe	115
PID 4652 wrote to memory of 3328	4652	{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe	116
PID 4652 wrote to memory of 3328	4652	{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe	116
PID 4652 wrote to memory of 3328	4652	{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe	116
PID 2628 wrote to memory of 1008	2628	{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe	121
PID 2628 wrote to memory of 1008	2628	{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe	121
PID 2628 wrote to memory of 1008	2628	{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe	121
PID 2628 wrote to memory of 3068	2628	{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe	122
PID 2628 wrote to memory of 3068	2628	{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe	122
PID 2628 wrote to memory of 3068	2628	{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe	122
PID 1008 wrote to memory of 988	1008	{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe	126
PID 1008 wrote to memory of 988	1008	{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe	126
PID 1008 wrote to memory of 988	1008	{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe	126
PID 1008 wrote to memory of 5072	1008	{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe	127
PID 1008 wrote to memory of 5072	1008	{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe	127
PID 1008 wrote to memory of 5072	1008	{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe	127
PID 988 wrote to memory of 4912	988	{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe	128
PID 988 wrote to memory of 4912	988	{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe	128
PID 988 wrote to memory of 4912	988	{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe	128
PID 988 wrote to memory of 4716	988	{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe	129
PID 988 wrote to memory of 4716	988	{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe	129
PID 988 wrote to memory of 4716	988	{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe	129
PID 4912 wrote to memory of 2856	4912	{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe	130
PID 4912 wrote to memory of 2856	4912	{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe	130
PID 4912 wrote to memory of 2856	4912	{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe	130
PID 4912 wrote to memory of 1220	4912	{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-02_82499e7577038cb1c112e1d9025199a3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\{9C199A03-6240-458e-877A-9C2C58FB046B}.exe
  C:\Windows\{9C199A03-6240-458e-877A-9C2C58FB046B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe
    C:\Windows\{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe
      C:\Windows\{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe
        
        C:\Windows\{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
      - C:\Windows\{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe
        
        C:\Windows\{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe
        
        C:\Windows\{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe
        
        C:\Windows\{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe
        
        C:\Windows\{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe
        
        C:\Windows\{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe
        
        C:\Windows\{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{5689AA30-3796-4b60-AC9E-C26CBCB22BB2}.exe
        
        C:\Windows\{5689AA30-3796-4b60-AC9E-C26CBCB22BB2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\{B9900A77-972D-4459-9C68-0739A183E1CB}.exe
        
        C:\Windows\{B9900A77-972D-4459-9C68-0739A183E1CB}.exe
        13⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5689A~1.EXE > nul
        13⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B20FC~1.EXE > nul
        12⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{783AE~1.EXE > nul
        11⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77214~1.EXE > nul
        10⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80510~1.EXE > nul
        9⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB541~1.EXE > nul
        8⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2987B~1.EXE > nul
        7⤵
        
        PID:4552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B11D5~1.EXE > nul
        6⤵
        
        PID:512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B00C5~1.EXE > nul
        5⤵
        
        PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7E957~1.EXE > nul
      4⤵
      PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9C199~1.EXE > nul
    3⤵
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2987B025-7A61-4dca-AF23-3485A05E22D7}.exe

Filesize
168KB

MD5
a9b82231b2851b36b7b5acfff411bfef

SHA1
ee07b21493c9d24f5a53b75f6e2c7e96f92ad8d5

SHA256
25572dc10707de60b3cb18103f3602060a99b83a8c38ddc9c24fc064d749fd13

SHA512
3e05083ab462c1ee1364eefc9ae23e2273caf48f240adee88f9b27d6ea2026462989d2ea32ce110a05f054ef1dc1ddda379a353f17bc07b1e602ef9518aae5c8

Download Submit
C:\Windows\{5689AA30-3796-4b60-AC9E-C26CBCB22BB2}.exe

Filesize
168KB

MD5
92f7bf51d86c84ac0bf6c9a53f421c7c

SHA1
4b840c8530a2f1cc3956ace853a64d39e2543f3e

SHA256
953d3cd24af8297544cba1e924490664f3da54a44e4537342ebd506ca3c38347

SHA512
890f006603a3d42952d4788b86c3a046f577f4c048eb9ebdfc1e66c017703bdea799ae504ed1b5001d650ee078c4705e2f6aad4e1e19d74352ba396d31664254

Download Submit
C:\Windows\{77214488-433A-4c87-868A-1D2F2E2ABF28}.exe

Filesize
168KB

MD5
0c294f6b4cb1b650361d1106651f5f47

SHA1
406039b8da71b6dc6733aa1bfb49853779696a75

SHA256
5476aaebd817936e377f0119a876ef84291a1102347e5b5342afb4ab5baac190

SHA512
19e87dc4af24c2bbed6241001a111f42eb553e6995bcb05e26796e660a52e0ad2cbf126201fd5b938f7da4441a1b94ae2b11868de71bc6920a26301e026f1fa1

Download Submit
C:\Windows\{783AE48D-7047-40c9-B02C-F38EA13D8AEA}.exe

Filesize
168KB

MD5
36e08ea5f529aa4fde3a2788a8359302

SHA1
85307fe60be509a1d4ba2e0bfc43fd38b400b4cc

SHA256
05c064278640af4685f8970647484fee55dcc483a0529383e03b158deff46c3d

SHA512
1b18d3c1ae147bc677458f734b14a657f28b19888f38cfb7429002dcfbe744afe273fe464a263650da0d37e1912b178d9ed8a1a4a6402d4bf4fd4f7ee7857468

Download Submit
C:\Windows\{7E9573D6-BC64-4640-BE3A-068A403412DB}.exe

Filesize
168KB

MD5
007b4e57d98a1855b0ca6888683bf633

SHA1
e8a9da0a710c9bc7b67f856cc80fe211c2bb90c1

SHA256
45be1fd157222ff4fe2aecd7ab612e5ff2fcd7725d75c491a26e6c17f2a51e1c

SHA512
a7bc59c7f2c6b2dae27f44c5870e6a8db0f7fa7d37da757365b11711efd6978b0619de8fa57a13a3de97fa73e8a04c78b284bff7d3cc3a91494256a4c36af994

Download Submit
C:\Windows\{805102D4-D8C4-453d-AF35-E8CF7C2608C8}.exe

Filesize
168KB

MD5
0673fb23be21204255e44124c26ee5dd

SHA1
82f31e727af903d98cbb99237cfc781b6a2d3c17

SHA256
c08770dc65c08df8d61ff7abcd5176af1bd58aced182888658591fb271301422

SHA512
6eb7667e4a7f8d6702b1a55a979f90904918056d6d5328af0f13fe665b317962368ef238c097657b81fe7ea7d87d8373a2852fa6b6d540958a5873a8729d3b57

Download Submit
C:\Windows\{9C199A03-6240-458e-877A-9C2C58FB046B}.exe

Filesize
168KB

MD5
3ca5141668e8aa92c3993f77a92dc470

SHA1
383ce7c52405de5c362f66cd4548efc27cdc999e

SHA256
c6780828756f68c504f0520ac998518db22d9e7d7e7919a57a2fc8ca3df251e7

SHA512
6d6ce4e397c1350bcdb45ec60a8e383dbec3d7107aacd4d8a8e4e870177959380c7f8aa9d17564ce932fcf888f247e49995f4101cefbf4185449c526b3423e47

Download Submit
C:\Windows\{B00C5B36-D93F-40e5-9701-A7846397E3B7}.exe

Filesize
168KB

MD5
39448331ba38bce3ce7c75627748493b

SHA1
9ff07d7f14e3552184fdb807c555ab7b31c5f88a

SHA256
f36ce960371456f08b941a4232b9174692a5e7d39682b05d59339e451d86d804

SHA512
cea664fbb3e5a60fba1aee94a8921b1f32ffa0e17476c859c9b71824245339e3e4640d3889994972823896ca663e405718a564886d8cc59f5727bb45157779eb

Download Submit
C:\Windows\{B11D5F9F-D030-4667-A900-2B315B3EC7FE}.exe

Filesize
168KB

MD5
65283a7215c5fbab2f574b808342dca0

SHA1
697cf554cec6a607121b6219b3dfa235e9756fde

SHA256
003b4af2234bf8f5f0448b3b524d50f4ac980715841d4f0231815c8ea7e54335

SHA512
06dc03be0a9aaddaada84cb3a237aea90e6cf33ef68f53e91c0bc4b7c47620225a424dae0872538ab752d2f565df8f38938293298c444877ef2281d878b9389b

Download Submit
C:\Windows\{B20FCEB3-0475-48b0-8FFE-0E7C6D18154E}.exe

Filesize
168KB

MD5
40f13fb2c27f4103ea420bc4bca37d0d

SHA1
602e4715501a4e1f22b99c3ffc3647ad4b7b813f

SHA256
c2ecc8435299152c93959ff8e2ebdbb61b7fcfeacdc519fcc55e6f4b668de899

SHA512
fdcb1df789150e3354a8cbb7d0cb1d963c1a7b3f3ccfa563fe06665d0b47be595d27cb0c6225e5c180eb88274fe6a1bbdc92cd0fc600e843f881b797775c3187

Download Submit
C:\Windows\{B9900A77-972D-4459-9C68-0739A183E1CB}.exe

Filesize
168KB

MD5
3bf591c8de6eb07dbff2fdebd98600b9

SHA1
dea573d6a8c00d104e599124f2bdd67977fc103c

SHA256
791df9c3632f415f772a4d54ec889e36efc7ff635d44343d9692c58b064a053a

SHA512
123aa814c8dfc69b51d73a84d3f5e3904ce227043f2e5d41b4af2c3abf2af7f87b5e1c9fc594e7d6ec73e952ed9bd2352119b5bfad5b9a0cdae7b03753f2ae89

Download Submit
C:\Windows\{BB541367-B91B-4bf6-89E6-8F46D8D2A671}.exe

Filesize
168KB

MD5
e0c15f8a2995732481f2610370404ae5

SHA1
2cd3a39773df080f3514bd17b31ad803cc611289

SHA256
226d083d18f4f3cb306ce7dd6b48b5e2d9c17d7b4b872df4789328488074462b

SHA512
3c5502d252ee9de91b4bb20ea95e626f025e0e52954aa4127f204c50dfe3d8d77dde7c7914327f8f4aaeb5e4771bb064b133dd1cfcddfc254aca18992fd5352d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads