efe0ece8e69aaecbda78c13bf5cbb26a9ab862413fbd4e8885ffa9d481659c90

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe
Size

380KB
MD5

e39403bcc0ea77af619c2a4a8501949e
SHA1

04b5e385cd6c75892a5397df786ab4160ed4d77c
SHA256

efe0ece8e69aaecbda78c13bf5cbb26a9ab862413fbd4e8885ffa9d481659c90
SHA512

c0b7b03094e85180f4ecc1ede6a971a06e5a42873fdacfc658ea3451388d7d8fe99e3ec0c55bfb6449175ed13799d6aee8b9e827c2acab69d1c5afa55841a1d5
SSDEEP

3072:mEGh0oslPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGWl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000c0000000006c3-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023377-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023379-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023377-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023379-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023377-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023379-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023377-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023379-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023377-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023379-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023377-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B88E006-5576-4931-9C82-32BA6718769D}	{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E980F527-E398-45a0-AF17-3A814D489ACF}	{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCDBDFBD-C85D-46a5-B237-6634873F16F5}\stubpath = "C:\\Windows\\{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe"	{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B34AE0A-31CC-4e51-AABE-32487289FF3A}\stubpath = "C:\\Windows\\{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe"	{3B88E006-5576-4931-9C82-32BA6718769D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}\stubpath = "C:\\Windows\\{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe"	{E148A3E1-CC0F-4641-9865-15160E566777}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}	{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D564CC6B-9B6F-4689-AFA2-7D754C343994}	{E980F527-E398-45a0-AF17-3A814D489ACF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AC39570-B63C-4834-BB83-192F2AFEA13D}	{EF541B5E-3865-4272-837B-E907407D017C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF541B5E-3865-4272-837B-E907407D017C}\stubpath = "C:\\Windows\\{EF541B5E-3865-4272-837B-E907407D017C}.exe"	2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCDBDFBD-C85D-46a5-B237-6634873F16F5}	{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B88E006-5576-4931-9C82-32BA6718769D}\stubpath = "C:\\Windows\\{3B88E006-5576-4931-9C82-32BA6718769D}.exe"	{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF541B5E-3865-4272-837B-E907407D017C}	2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77CEB90B-69E8-46cd-B637-31A38219BBCD}	{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77CEB90B-69E8-46cd-B637-31A38219BBCD}\stubpath = "C:\\Windows\\{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe"	{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B34AE0A-31CC-4e51-AABE-32487289FF3A}	{3B88E006-5576-4931-9C82-32BA6718769D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E148A3E1-CC0F-4641-9865-15160E566777}	{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E148A3E1-CC0F-4641-9865-15160E566777}\stubpath = "C:\\Windows\\{E148A3E1-CC0F-4641-9865-15160E566777}.exe"	{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}	{E148A3E1-CC0F-4641-9865-15160E566777}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}\stubpath = "C:\\Windows\\{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe"	{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AC39570-B63C-4834-BB83-192F2AFEA13D}\stubpath = "C:\\Windows\\{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe"	{EF541B5E-3865-4272-837B-E907407D017C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EC7E13E-E745-406d-951D-FC0208BA3BD6}\stubpath = "C:\\Windows\\{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe"	{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E980F527-E398-45a0-AF17-3A814D489ACF}\stubpath = "C:\\Windows\\{E980F527-E398-45a0-AF17-3A814D489ACF}.exe"	{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D564CC6B-9B6F-4689-AFA2-7D754C343994}\stubpath = "C:\\Windows\\{D564CC6B-9B6F-4689-AFA2-7D754C343994}.exe"	{E980F527-E398-45a0-AF17-3A814D489ACF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EC7E13E-E745-406d-951D-FC0208BA3BD6}	{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe

Executes dropped EXE 12 IoCs

pid	Process
2828	{EF541B5E-3865-4272-837B-E907407D017C}.exe
4704	{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe
3000	{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe
5068	{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe
2584	{3B88E006-5576-4931-9C82-32BA6718769D}.exe
3016	{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe
1428	{E148A3E1-CC0F-4641-9865-15160E566777}.exe
3648	{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe
4596	{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe
4312	{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe
4988	{E980F527-E398-45a0-AF17-3A814D489ACF}.exe
3560	{D564CC6B-9B6F-4689-AFA2-7D754C343994}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe	{EF541B5E-3865-4272-837B-E907407D017C}.exe
File created	C:\Windows\{3B88E006-5576-4931-9C82-32BA6718769D}.exe	{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe
File created	C:\Windows\{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe	{3B88E006-5576-4931-9C82-32BA6718769D}.exe
File created	C:\Windows\{E148A3E1-CC0F-4641-9865-15160E566777}.exe	{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe
File created	C:\Windows\{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe	{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe
File created	C:\Windows\{E980F527-E398-45a0-AF17-3A814D489ACF}.exe	{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe
File created	C:\Windows\{EF541B5E-3865-4272-837B-E907407D017C}.exe	2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe
File created	C:\Windows\{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe	{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe
File created	C:\Windows\{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe	{E148A3E1-CC0F-4641-9865-15160E566777}.exe
File created	C:\Windows\{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe	{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe
File created	C:\Windows\{D564CC6B-9B6F-4689-AFA2-7D754C343994}.exe	{E980F527-E398-45a0-AF17-3A814D489ACF}.exe
File created	C:\Windows\{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe	{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4608	2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2828	{EF541B5E-3865-4272-837B-E907407D017C}.exe
Token: SeIncBasePriorityPrivilege	4704	{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe
Token: SeIncBasePriorityPrivilege	3000	{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe
Token: SeIncBasePriorityPrivilege	5068	{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe
Token: SeIncBasePriorityPrivilege	2584	{3B88E006-5576-4931-9C82-32BA6718769D}.exe
Token: SeIncBasePriorityPrivilege	3016	{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe
Token: SeIncBasePriorityPrivilege	1428	{E148A3E1-CC0F-4641-9865-15160E566777}.exe
Token: SeIncBasePriorityPrivilege	3648	{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe
Token: SeIncBasePriorityPrivilege	4596	{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe
Token: SeIncBasePriorityPrivilege	4312	{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe
Token: SeIncBasePriorityPrivilege	4988	{E980F527-E398-45a0-AF17-3A814D489ACF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 2828	4608	2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe	84
PID 4608 wrote to memory of 2828	4608	2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe	84
PID 4608 wrote to memory of 2828	4608	2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe	84
PID 4608 wrote to memory of 2688	4608	2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe	85
PID 4608 wrote to memory of 2688	4608	2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe	85
PID 4608 wrote to memory of 2688	4608	2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe	85
PID 2828 wrote to memory of 4704	2828	{EF541B5E-3865-4272-837B-E907407D017C}.exe	86
PID 2828 wrote to memory of 4704	2828	{EF541B5E-3865-4272-837B-E907407D017C}.exe	86
PID 2828 wrote to memory of 4704	2828	{EF541B5E-3865-4272-837B-E907407D017C}.exe	86
PID 2828 wrote to memory of 1500	2828	{EF541B5E-3865-4272-837B-E907407D017C}.exe	87
PID 2828 wrote to memory of 1500	2828	{EF541B5E-3865-4272-837B-E907407D017C}.exe	87
PID 2828 wrote to memory of 1500	2828	{EF541B5E-3865-4272-837B-E907407D017C}.exe	87
PID 4704 wrote to memory of 3000	4704	{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe	91
PID 4704 wrote to memory of 3000	4704	{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe	91
PID 4704 wrote to memory of 3000	4704	{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe	91
PID 4704 wrote to memory of 3768	4704	{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe	92
PID 4704 wrote to memory of 3768	4704	{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe	92
PID 4704 wrote to memory of 3768	4704	{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe	92
PID 3000 wrote to memory of 5068	3000	{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe	93
PID 3000 wrote to memory of 5068	3000	{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe	93
PID 3000 wrote to memory of 5068	3000	{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe	93
PID 3000 wrote to memory of 2452	3000	{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe	94
PID 3000 wrote to memory of 2452	3000	{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe	94
PID 3000 wrote to memory of 2452	3000	{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe	94
PID 5068 wrote to memory of 2584	5068	{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe	95
PID 5068 wrote to memory of 2584	5068	{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe	95
PID 5068 wrote to memory of 2584	5068	{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe	95
PID 5068 wrote to memory of 4920	5068	{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe	96
PID 5068 wrote to memory of 4920	5068	{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe	96
PID 5068 wrote to memory of 4920	5068	{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe	96
PID 2584 wrote to memory of 3016	2584	{3B88E006-5576-4931-9C82-32BA6718769D}.exe	97
PID 2584 wrote to memory of 3016	2584	{3B88E006-5576-4931-9C82-32BA6718769D}.exe	97
PID 2584 wrote to memory of 3016	2584	{3B88E006-5576-4931-9C82-32BA6718769D}.exe	97
PID 2584 wrote to memory of 1484	2584	{3B88E006-5576-4931-9C82-32BA6718769D}.exe	98
PID 2584 wrote to memory of 1484	2584	{3B88E006-5576-4931-9C82-32BA6718769D}.exe	98
PID 2584 wrote to memory of 1484	2584	{3B88E006-5576-4931-9C82-32BA6718769D}.exe	98
PID 3016 wrote to memory of 1428	3016	{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe	99
PID 3016 wrote to memory of 1428	3016	{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe	99
PID 3016 wrote to memory of 1428	3016	{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe	99
PID 3016 wrote to memory of 3900	3016	{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe	100
PID 3016 wrote to memory of 3900	3016	{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe	100
PID 3016 wrote to memory of 3900	3016	{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe	100
PID 1428 wrote to memory of 3648	1428	{E148A3E1-CC0F-4641-9865-15160E566777}.exe	101
PID 1428 wrote to memory of 3648	1428	{E148A3E1-CC0F-4641-9865-15160E566777}.exe	101
PID 1428 wrote to memory of 3648	1428	{E148A3E1-CC0F-4641-9865-15160E566777}.exe	101
PID 1428 wrote to memory of 2428	1428	{E148A3E1-CC0F-4641-9865-15160E566777}.exe	102
PID 1428 wrote to memory of 2428	1428	{E148A3E1-CC0F-4641-9865-15160E566777}.exe	102
PID 1428 wrote to memory of 2428	1428	{E148A3E1-CC0F-4641-9865-15160E566777}.exe	102
PID 3648 wrote to memory of 4596	3648	{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe	103
PID 3648 wrote to memory of 4596	3648	{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe	103
PID 3648 wrote to memory of 4596	3648	{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe	103
PID 3648 wrote to memory of 4856	3648	{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe	104
PID 3648 wrote to memory of 4856	3648	{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe	104
PID 3648 wrote to memory of 4856	3648	{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe	104
PID 4596 wrote to memory of 4312	4596	{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe	105
PID 4596 wrote to memory of 4312	4596	{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe	105
PID 4596 wrote to memory of 4312	4596	{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe	105
PID 4596 wrote to memory of 3036	4596	{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe	106
PID 4596 wrote to memory of 3036	4596	{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe	106
PID 4596 wrote to memory of 3036	4596	{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe	106
PID 4312 wrote to memory of 4988	4312	{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe	107
PID 4312 wrote to memory of 4988	4312	{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe	107
PID 4312 wrote to memory of 4988	4312	{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe	107
PID 4312 wrote to memory of 60	4312	{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_e39403bcc0ea77af619c2a4a8501949e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\{EF541B5E-3865-4272-837B-E907407D017C}.exe
  C:\Windows\{EF541B5E-3865-4272-837B-E907407D017C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe
    C:\Windows\{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe
      C:\Windows\{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe
        
        C:\Windows\{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Windows\{3B88E006-5576-4931-9C82-32BA6718769D}.exe
        
        C:\Windows\{3B88E006-5576-4931-9C82-32BA6718769D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe
        
        C:\Windows\{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\{E148A3E1-CC0F-4641-9865-15160E566777}.exe
        
        C:\Windows\{E148A3E1-CC0F-4641-9865-15160E566777}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe
        
        C:\Windows\{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe
        
        C:\Windows\{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe
        
        C:\Windows\{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{E980F527-E398-45a0-AF17-3A814D489ACF}.exe
        
        C:\Windows\{E980F527-E398-45a0-AF17-3A814D489ACF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\{D564CC6B-9B6F-4689-AFA2-7D754C343994}.exe
        
        C:\Windows\{D564CC6B-9B6F-4689-AFA2-7D754C343994}.exe
        13⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E980F~1.EXE > nul
        13⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EC7E~1.EXE > nul
        12⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{049FD~1.EXE > nul
        11⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D13B~1.EXE > nul
        10⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E148A~1.EXE > nul
        9⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B34A~1.EXE > nul
        8⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B88E~1.EXE > nul
        7⤵
        
        PID:1484
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77CEB~1.EXE > nul
        6⤵
        
        PID:4920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCDBD~1.EXE > nul
        5⤵
        
        PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0AC39~1.EXE > nul
      4⤵
      PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EF541~1.EXE > nul
    3⤵
    PID:1500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{049FD3F1-162B-4c01-BE98-82E4B6E32B2D}.exe

Filesize
380KB

MD5
6a99ff4c065b09f9073a827ef98caf45

SHA1
f2dfcf21959d5ceb5e7c97dcbb864470e406ead8

SHA256
67566a0412c7fac3ddec4394ae38e6225945a8edd8e644a63d0394e5a8f000f1

SHA512
cefb9827ac90357f79839d646e438ea3c1c068da2ef73cf46f4584febc596b19c504a10512503c693e25dcfcf95922e4bcfdbc8110f1cfca133df471093e31ae

Download Submit
C:\Windows\{0AC39570-B63C-4834-BB83-192F2AFEA13D}.exe

Filesize
380KB

MD5
09d2bc4b49f739d6533fbd254e132af1

SHA1
32329d42ff53eefe4fc996e4e10e2e5f7fff27d8

SHA256
49c47f7b0be3d812c50676b09df8cacf9982ba7ecda1f91f5b1b4de53bb5cef1

SHA512
30781c590014dae45f249c6617a781795931b9843fa3420f30a85eb2e0ff6fb49d02daa18eeb723d13097e0491aaba3d9390b8e75ac5191808c6d8f7bb05431f

Download Submit
C:\Windows\{0B34AE0A-31CC-4e51-AABE-32487289FF3A}.exe

Filesize
380KB

MD5
a0c4702b7e1be67cb6b84648917264a7

SHA1
9caca968d5f9dadae84095a3a5de525431c6932c

SHA256
83db6391a038c2102900cd316abb56c4c2d75804f5048139af9c0133708e6cbd

SHA512
eefa7bfa36a87b970fdafc8caeb5842a8d620f190aeb83de40bb5df78e935c586b57171301ef48a369841a9a0a8ea7a3dba29ffc0a72769d56dd751ae9c1dda0

Download Submit
C:\Windows\{1EC7E13E-E745-406d-951D-FC0208BA3BD6}.exe

Filesize
380KB

MD5
f5e702e5aaa5013c6804ff5d60fd6925

SHA1
8f45137f10794848544730c1919cf36bbb9d6f66

SHA256
1cff4616dd3120b3a3301ef37fcc9c6d0229f9dfbd8857b0108d5825be058843

SHA512
4cc269ebbf9300dd019098e5f525020c1858c6a03c1b5bbe3019e0d4dc726754a87bc968f30419dee83211d4b909c4330a0ff2915196a19061633484ab3d4dc5

Download Submit
C:\Windows\{3B88E006-5576-4931-9C82-32BA6718769D}.exe

Filesize
380KB

MD5
0374477bb660bbbd8c841747863c43d2

SHA1
4db047e63e15930d80d5d208e27f9d9833efaee2

SHA256
c34a7bdc29c6b8f24b8dd83856b25707ab6bb430ce1035f994b8d641d598e738

SHA512
d9d493c67ab8b5010423b2ef151674a6cc651b9a7397bfbf6f21d27a913488559caac14ca2e256b25261a63b0ebc568416b1ebbf79a1f4a1397390c8d6f33566

Download Submit
C:\Windows\{6D13BA4E-58E9-4b18-A9F3-542D8EF75245}.exe

Filesize
380KB

MD5
9a2d951e76a2ebd11a284cde3e87c5cb

SHA1
a6758fa78969d7362f19b7ab4f8f638910cc2862

SHA256
40e75f3e3539e7e6c1625660a5d32421dc522ac8c2f4edf8b3ca30d29842ecf4

SHA512
f7a3512ddcada6c1922bbfc6e6e1d16009817911bf49e18c9068a92983a809d389072c9a92f393b6cf6825d4f30a84c7789b2d7290d8424a99ad556b908ec1d6

Download Submit
C:\Windows\{77CEB90B-69E8-46cd-B637-31A38219BBCD}.exe

Filesize
380KB

MD5
4fa218b468edeb8c2358fd0dc7e2da46

SHA1
a9c509129aae6569bea628e159232fb3b30610a2

SHA256
6fc0ae3963e29d45f21b647184d0e1fdefe9c06b31e18fe955ceff4932904e4d

SHA512
097fab8386b6a096f7a922c0490554d31e71b13a9bb86f7f4d1e182359a566a83713d087a940a5544ac3a86cd0440c45cc7dd39b920c5eb0c792897444ea7123

Download Submit
C:\Windows\{D564CC6B-9B6F-4689-AFA2-7D754C343994}.exe

Filesize
380KB

MD5
c341f2f64a0d36de4ef240fdab42ddab

SHA1
fa35a5b5ab18272d5d9b0a726be6c281af41e444

SHA256
b356adb54b11a9f4df624db99c9b8c8891c8bcd4999cb6837baaa368495787fe

SHA512
dff54384cf2a12e829d481c2abd7088f09a1ed9b53063471ff6fccb98d0fb28aa7c432b3b0a07ecc4c41b93c483e6bc78ecd757c445ee59db635ba073adbc0b9

Download Submit
C:\Windows\{DCDBDFBD-C85D-46a5-B237-6634873F16F5}.exe

Filesize
380KB

MD5
a74603d2e0aa3cc7ad7052042b9d1585

SHA1
9a8ab7e4edc7f427e783934559bd38a4e4ca7643

SHA256
bea5bcc86786724c65b472a331eaf65a1d5625f1b5a4b5d3f71c9477a7ada437

SHA512
0fab37b23b8778eca0fd1193dd421e48def3c50d3c7cd9aa0069ce45e399504a4b6dd530aa8eb78da414761d9d4012f43323c2a2b0ad90e6f9d924738fbfd90f

Download Submit
C:\Windows\{E148A3E1-CC0F-4641-9865-15160E566777}.exe

Filesize
380KB

MD5
b2a35581ead77dedd64e6a1fcd88ba7b

SHA1
301c411850a08a418500465a42f6a21cf4b791d3

SHA256
7bc673dfbece0e15595df63ad8dbc6f9aa515300b35e25f663fb87e201f4b2e0

SHA512
805a146eb67adf77fca15a5bb82bbf5649727f85e8d26dc45dbc77e59e029e18af3ff7756491f2201cee08da1842e5baceaf33114246fc05a7dc9618fc296cba

Download Submit
C:\Windows\{E980F527-E398-45a0-AF17-3A814D489ACF}.exe

Filesize
380KB

MD5
8a8e5bbf7d8e66de117b7828872a9933

SHA1
2f929145d3c4619b7a600682e45c0c9c32ecb050

SHA256
cf8c488fe81d1e78025aac71752b3d84f4f16e87e87eb51d97bab7591f9a8682

SHA512
3d9a71753a7fbcbcab930e84d4c19fe42a9b908eac0df38c0fd3cc6238f18a8f71590910e802589476e81107c7aa3a1d2b536a03a02b19115a0705aae1131e15

Download Submit
C:\Windows\{EF541B5E-3865-4272-837B-E907407D017C}.exe

Filesize
380KB

MD5
54646f161fe7933131a4c3f6b9fe69bc

SHA1
1907a03e06bf0eaa596cbf2a4065e468111da91d

SHA256
402efd68a920a967e3a04d00e9c5cb68b00566f9ca309dfbe749f0b6b28215cc

SHA512
fdf8874885dab274060849cde4a0567840e940156b47638c4d5336be80d77509132c4daf6b4ad0d0d97ab4d149951659e96ea2c8d1028148d2b7eca02404879e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads