eb1e24422cd0f0a9cd01a3b603c345ef45a0ccdb98ecbcf35ec3d07ea0b945ac

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe
Size

408KB
MD5

4196b372f59b0b37088c30655ac6c6b5
SHA1

3edf03d75127c32995b1914601af564acb3ee2ab
SHA256

eb1e24422cd0f0a9cd01a3b603c345ef45a0ccdb98ecbcf35ec3d07ea0b945ac
SHA512

2743d99fc7a9b6c2ad0bc490272e72e77400fbfaa78ffebde27bfa5c418edc58f1b886869449d8b281fec277a9b43067533da93e0a5f8ad3185dad9fb2f37be5
SSDEEP

3072:CEGh0oQl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGSldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000f000000023a57-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023a66-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023b99-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023a66-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023b99-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023b99-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023b9f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023b99-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023b9f-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023baa-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023b9f-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FA99E93-8593-436b-9219-408BF0110B89}\stubpath = "C:\\Windows\\{3FA99E93-8593-436b-9219-408BF0110B89}.exe"	{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DC4B465-4B9A-4129-93BA-AB93C89D9466}	{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B03780C-9A40-4288-A1E5-776F0B324D39}	{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F60983F-59A4-4137-8D09-6898B27BB6D3}\stubpath = "C:\\Windows\\{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe"	{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B28DEF3-4869-433e-BB9E-ED5F5AC2A598}	{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}\stubpath = "C:\\Windows\\{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe"	{4B28DEF3-4869-433e-BB9E-ED5F5AC2A598}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6413882C-0EF4-4016-81BB-8F7CB6C3557E}\stubpath = "C:\\Windows\\{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe"	{46968B1E-377D-4827-ADFD-CA95C434311A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}\stubpath = "C:\\Windows\\{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe"	{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}	{4B28DEF3-4869-433e-BB9E-ED5F5AC2A598}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FA99E93-8593-436b-9219-408BF0110B89}	{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E60855A-942C-4339-8BC2-65920253CB3A}\stubpath = "C:\\Windows\\{7E60855A-942C-4339-8BC2-65920253CB3A}.exe"	{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46968B1E-377D-4827-ADFD-CA95C434311A}	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46968B1E-377D-4827-ADFD-CA95C434311A}\stubpath = "C:\\Windows\\{46968B1E-377D-4827-ADFD-CA95C434311A}.exe"	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6413882C-0EF4-4016-81BB-8F7CB6C3557E}	{46968B1E-377D-4827-ADFD-CA95C434311A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B03780C-9A40-4288-A1E5-776F0B324D39}\stubpath = "C:\\Windows\\{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe"	{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6A5E884-E122-47bc-93C1-D1A5D52923C4}	{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6A5E884-E122-47bc-93C1-D1A5D52923C4}\stubpath = "C:\\Windows\\{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe"	{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E60855A-942C-4339-8BC2-65920253CB3A}	{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}	{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B28DEF3-4869-433e-BB9E-ED5F5AC2A598}\stubpath = "C:\\Windows\\{4B28DEF3-4869-433e-BB9E-ED5F5AC2A598}.exe"	{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D87E84B9-5388-407d-94D6-1E7374F482B3}\stubpath = "C:\\Windows\\{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe"	{3FA99E93-8593-436b-9219-408BF0110B89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F60983F-59A4-4137-8D09-6898B27BB6D3}	{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D87E84B9-5388-407d-94D6-1E7374F482B3}	{3FA99E93-8593-436b-9219-408BF0110B89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DC4B465-4B9A-4129-93BA-AB93C89D9466}\stubpath = "C:\\Windows\\{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe"	{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe

Executes dropped EXE 11 IoCs

pid	Process
2276	{46968B1E-377D-4827-ADFD-CA95C434311A}.exe
4128	{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe
2364	{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe
4724	{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe
1112	{4B28DEF3-4869-433e-BB9E-ED5F5AC2A598}.exe
3640	{3FA99E93-8593-436b-9219-408BF0110B89}.exe
4592	{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe
3464	{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe
5028	{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe
3412	{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe
2864	{7E60855A-942C-4339-8BC2-65920253CB3A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4B28DEF3-4869-433e-BB9E-ED5F5AC2A598}.exe	{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe
File created	C:\Windows\{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe	{3FA99E93-8593-436b-9219-408BF0110B89}.exe
File created	C:\Windows\{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe	{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe
File created	C:\Windows\{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe	{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe
File created	C:\Windows\{7E60855A-942C-4339-8BC2-65920253CB3A}.exe	{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe
File created	C:\Windows\{46968B1E-377D-4827-ADFD-CA95C434311A}.exe	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe
File created	C:\Windows\{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe	{46968B1E-377D-4827-ADFD-CA95C434311A}.exe
File created	C:\Windows\{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe	{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe
File created	C:\Windows\{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe	{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe
File created	C:\Windows\{3FA99E93-8593-436b-9219-408BF0110B89}.exe	{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe
File created	C:\Windows\{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe	{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4528	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2276	{46968B1E-377D-4827-ADFD-CA95C434311A}.exe
Token: SeIncBasePriorityPrivilege	4128	{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe
Token: SeIncBasePriorityPrivilege	2364	{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe
Token: SeIncBasePriorityPrivilege	4724	{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe
Token: SeIncBasePriorityPrivilege	3400	{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe
Token: SeIncBasePriorityPrivilege	3640	{3FA99E93-8593-436b-9219-408BF0110B89}.exe
Token: SeIncBasePriorityPrivilege	4592	{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe
Token: SeIncBasePriorityPrivilege	3464	{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe
Token: SeIncBasePriorityPrivilege	5028	{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe
Token: SeIncBasePriorityPrivilege	3412	{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 2276	4528	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	96
PID 4528 wrote to memory of 2276	4528	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	96
PID 4528 wrote to memory of 2276	4528	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	96
PID 4528 wrote to memory of 4064	4528	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	97
PID 4528 wrote to memory of 4064	4528	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	97
PID 4528 wrote to memory of 4064	4528	2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe	97
PID 2276 wrote to memory of 4128	2276	{46968B1E-377D-4827-ADFD-CA95C434311A}.exe	98
PID 2276 wrote to memory of 4128	2276	{46968B1E-377D-4827-ADFD-CA95C434311A}.exe	98
PID 2276 wrote to memory of 4128	2276	{46968B1E-377D-4827-ADFD-CA95C434311A}.exe	98
PID 2276 wrote to memory of 1680	2276	{46968B1E-377D-4827-ADFD-CA95C434311A}.exe	99
PID 2276 wrote to memory of 1680	2276	{46968B1E-377D-4827-ADFD-CA95C434311A}.exe	99
PID 2276 wrote to memory of 1680	2276	{46968B1E-377D-4827-ADFD-CA95C434311A}.exe	99
PID 4128 wrote to memory of 2364	4128	{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe	102
PID 4128 wrote to memory of 2364	4128	{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe	102
PID 4128 wrote to memory of 2364	4128	{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe	102
PID 4128 wrote to memory of 2792	4128	{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe	103
PID 4128 wrote to memory of 2792	4128	{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe	103
PID 4128 wrote to memory of 2792	4128	{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe	103
PID 2364 wrote to memory of 4724	2364	{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe	104
PID 2364 wrote to memory of 4724	2364	{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe	104
PID 2364 wrote to memory of 4724	2364	{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe	104
PID 2364 wrote to memory of 764	2364	{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe	105
PID 2364 wrote to memory of 764	2364	{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe	105
PID 2364 wrote to memory of 764	2364	{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe	105
PID 4724 wrote to memory of 1112	4724	{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe	106
PID 4724 wrote to memory of 1112	4724	{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe	106
PID 4724 wrote to memory of 1112	4724	{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe	106
PID 4724 wrote to memory of 4440	4724	{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe	107
PID 4724 wrote to memory of 4440	4724	{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe	107
PID 4724 wrote to memory of 4440	4724	{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe	107
PID 3400 wrote to memory of 3640	3400	{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe	115
PID 3400 wrote to memory of 3640	3400	{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe	115
PID 3400 wrote to memory of 3640	3400	{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe	115
PID 3400 wrote to memory of 3876	3400	{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe	116
PID 3400 wrote to memory of 3876	3400	{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe	116
PID 3400 wrote to memory of 3876	3400	{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe	116
PID 3640 wrote to memory of 4592	3640	{3FA99E93-8593-436b-9219-408BF0110B89}.exe	119
PID 3640 wrote to memory of 4592	3640	{3FA99E93-8593-436b-9219-408BF0110B89}.exe	119
PID 3640 wrote to memory of 4592	3640	{3FA99E93-8593-436b-9219-408BF0110B89}.exe	119
PID 3640 wrote to memory of 1584	3640	{3FA99E93-8593-436b-9219-408BF0110B89}.exe	120
PID 3640 wrote to memory of 1584	3640	{3FA99E93-8593-436b-9219-408BF0110B89}.exe	120
PID 3640 wrote to memory of 1584	3640	{3FA99E93-8593-436b-9219-408BF0110B89}.exe	120
PID 4592 wrote to memory of 3464	4592	{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe	121
PID 4592 wrote to memory of 3464	4592	{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe	121
PID 4592 wrote to memory of 3464	4592	{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe	121
PID 4592 wrote to memory of 4060	4592	{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe	122
PID 4592 wrote to memory of 4060	4592	{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe	122
PID 4592 wrote to memory of 4060	4592	{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe	122
PID 3464 wrote to memory of 5028	3464	{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe	123
PID 3464 wrote to memory of 5028	3464	{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe	123
PID 3464 wrote to memory of 5028	3464	{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe	123
PID 3464 wrote to memory of 4320	3464	{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe	124
PID 3464 wrote to memory of 4320	3464	{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe	124
PID 3464 wrote to memory of 4320	3464	{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe	124
PID 5028 wrote to memory of 3412	5028	{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe	127
PID 5028 wrote to memory of 3412	5028	{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe	127
PID 5028 wrote to memory of 3412	5028	{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe	127
PID 5028 wrote to memory of 4672	5028	{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe	128
PID 5028 wrote to memory of 4672	5028	{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe	128
PID 5028 wrote to memory of 4672	5028	{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe	128
PID 3412 wrote to memory of 2864	3412	{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe	129
PID 3412 wrote to memory of 2864	3412	{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe	129
PID 3412 wrote to memory of 2864	3412	{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe	129
PID 3412 wrote to memory of 836	3412	{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-04_4196b372f59b0b37088c30655ac6c6b5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\{46968B1E-377D-4827-ADFD-CA95C434311A}.exe
  C:\Windows\{46968B1E-377D-4827-ADFD-CA95C434311A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe
    C:\Windows\{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe
      C:\Windows\{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2364
    - - C:\Windows\{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe
        
        C:\Windows\{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
      - C:\Windows\{4B28DEF3-4869-433e-BB9E-ED5F5AC2A598}.exe
        
        C:\Windows\{4B28DEF3-4869-433e-BB9E-ED5F5AC2A598}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe
        
        C:\Windows\{1F0AE387-F160-48e9-BA13-1A0E3FA527AB}.exe
        7⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\{3FA99E93-8593-436b-9219-408BF0110B89}.exe
        
        C:\Windows\{3FA99E93-8593-436b-9219-408BF0110B89}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe
        
        C:\Windows\{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe
        
        C:\Windows\{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe
        
        C:\Windows\{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe
        
        C:\Windows\{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\{7E60855A-942C-4339-8BC2-65920253CB3A}.exe
        
        C:\Windows\{7E60855A-942C-4339-8BC2-65920253CB3A}.exe
        13⤵
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6A5E~1.EXE > nul
        13⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B037~1.EXE > nul
        12⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DC4B~1.EXE > nul
        11⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D87E8~1.EXE > nul
        10⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FA99~1.EXE > nul
        9⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F0AE~1.EXE > nul
        8⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B28D~1.EXE > nul
        7⤵
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC706~1.EXE > nul
        6⤵
        
        PID:4440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F609~1.EXE > nul
        5⤵
        
        PID:764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64138~1.EXE > nul
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{46968~1.EXE > nul
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B03780C-9A40-4288-A1E5-776F0B324D39}.exe

Filesize
408KB

MD5
01f33760327cf704cf31cc12c8c66e40

SHA1
5ad96482f2f0c006fa4c5f332c9e9680e0fcb6a4

SHA256
f05c8aac57e21c5533b4e8cff9a46bcba3831d03c15f8bd0fbfa8d1b3eb3d89f

SHA512
ed5863364d43ed93f32e59d88a1e1d64a4ab3e30e3b4f0f7271aa66b9f7be2a5a5acf72b02338da7f54ec339d030ef734cc80b320d6187dee1668057f9bac49c

Download Submit
C:\Windows\{1DC4B465-4B9A-4129-93BA-AB93C89D9466}.exe

Filesize
408KB

MD5
da709c55bcec4ae0be7e679c8dbb9e92

SHA1
3b512ae10c1666946a4771b60b64a37cceaa1a09

SHA256
e50ae4fe51fc03302c4439028b8c648ff0d4a765482de94a3c68592ad17c009f

SHA512
5ab833897718acece8b775858f1bb1a8cdd208d5b5937642b84e01e2bd1dce3546c83ee1693bd7e8f913c49264c514d2a56691e1557f73d6f9901b552355893b

Download Submit
C:\Windows\{3FA99E93-8593-436b-9219-408BF0110B89}.exe

Filesize
408KB

MD5
0a0566a1ae8720d3ae62c53dd0bef478

SHA1
197fbba51e5d9de1731665479c42424c8b32ec69

SHA256
a9a0478139cbf4c91ad06ce14d7df306d0b470aaf8354b83d6c615b6f5a17183

SHA512
8a7c66834d55ccecdc9184647d05d0480e220e82dafcbce84ddc14927a4d3aed2951f28d714d95cd7b24dada5a2fd87bc60548c239672a951448bd77f8bab6f0

Download Submit
C:\Windows\{46968B1E-377D-4827-ADFD-CA95C434311A}.exe

Filesize
408KB

MD5
57bc5f138d17f78ab79979be38cf0b00

SHA1
9e4737e509aaf576d3b3df92f3d45a4395a85541

SHA256
25f810f49aada001817cd316f72218980479fe99643fb3d4470217b098a52a5d

SHA512
7718724dfd34beedaa99fb2801859ef68eb5eced4d71edd008587e5b2e92cd87f6d05b6377fd23a0199377b1d604a8985bbcd3cc846931374d37d1f99f1ba3c3

Download Submit
C:\Windows\{4B28DEF3-4869-433e-BB9E-ED5F5AC2A598}.exe

Filesize
408KB

MD5
51604f36382c0cb48b5089dde6607cd7

SHA1
b46f7ab9776e5667bb2408d5a1f9cc8e8d7d484f

SHA256
75a147205a879b44064ca28de435790925829d2d101abc54e036b73ed5835b38

SHA512
8788385060921663f740b224a4725d46ba31a63f0d02da1823370a1bbbd0fc049d5830277c865baf68584be85107101c07dd7ea12758f68401f4339eb596387e

Download Submit
C:\Windows\{4F60983F-59A4-4137-8D09-6898B27BB6D3}.exe

Filesize
408KB

MD5
d80f5a37945d06823ca083474df96da7

SHA1
41e700642c568859081edbcd4b152ae030c86db5

SHA256
1f4de04f63fd6d4d4caa839bd1c4acb31544fdbf961d8ae19bf94c59300dfab8

SHA512
ab58539a2bcc06ad7b90530621302f45c9f6d1e816073a9b863671a3ec96d569bca9644bc4c41a6bf2a9bae776559063dc6b9a6e97a357034c3e317b72509280

Download Submit
C:\Windows\{6413882C-0EF4-4016-81BB-8F7CB6C3557E}.exe

Filesize
408KB

MD5
3da5e09a84e05b2356631c99d88d87cd

SHA1
11b3289b584011f3cbad5b306bbbac086e53d724

SHA256
8916eae68aae24e3c0dc2dada06fe6a4dcb14dc7fba9bd556cdb951ff84f5086

SHA512
08ab9cc244c15ba7a8d2dd277d322aaf6c8a9e51e92b2543c2aa7f58402b1865e055481b9bdc19a81a22952da9c5475a5e26b8fd6ab920eddc4d25ffd37fe1b0

Download Submit
C:\Windows\{7E60855A-942C-4339-8BC2-65920253CB3A}.exe

Filesize
408KB

MD5
2a50a2310106142ab8ccdbdf12137dc7

SHA1
869b5484314d85b53cfc899944eb00a38c13d1bb

SHA256
3648719c5f0a4c49576d98b45177381215bd0a16dacf2356dc99ff3b1fa67b64

SHA512
0038889cc7866adaa91447d76ba682d773b5726ccd1f49edd9663833ed4bd47466b5f4e80281f8c9ef2d55c2bb4e16324815d976998ee27f38d3e3c7995ede43

Download Submit
C:\Windows\{B6A5E884-E122-47bc-93C1-D1A5D52923C4}.exe

Filesize
408KB

MD5
2d60d8c9b9e4e5f73c5c72b2c7d2dd30

SHA1
0c9fa1c6151cfad1007458a5d02f8a48dfc1d19d

SHA256
4298bcb0a3436165ec750cd3b5e68454fc30c2036d82b28ada680a67af2cdde2

SHA512
419c0ba44b1d45a9d205c73208ddbf24a9c56b7ed1b73e40e0545fa96c4412079f01eeb65528d87cc4538377da687089496c4c3dccb1a3cfe1aa1465bf9a27fa

Download Submit
C:\Windows\{CC7068D2-450D-4f1e-BE99-9BC6E4C640DC}.exe

Filesize
408KB

MD5
6a5c523b13125b326edeba823f102111

SHA1
a89319d22c0e2cbf7f4ec7487b06b0cbb606eefe

SHA256
054d8820f3d3f44a41794fc31ca79819722c1b51878414e8aedf73db7113aacb

SHA512
0966474457a1c5c3205cb6eb2a49edf9fb8e9d8d0006682af73b45dfe0f8b57e589e282b61407eb44a0499fe6a1b750b076b6666621df7d4a0270aebdcb2cddc

Download Submit
C:\Windows\{D87E84B9-5388-407d-94D6-1E7374F482B3}.exe

Filesize
408KB

MD5
cd712b113ad24b323fd3c7f48b84b97c

SHA1
c0a1445b676edf0e3d6129ec6c8cbe97d8d3ea68

SHA256
6653f3bcd5e0b36fbebe3968e551384ff2de507e1abde9f8775943e503f1be94

SHA512
88f990db70eff519b0516255902c25192f1229fcfd9e0cf35ae8b39bb76108704ec6841c54f3f6d41bd0ae38bc9b07ccd91b6c0466ffacdb419fdab4b23a0c88

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads