4eadab237aad1524f6993c04423f3609bb52f32837cd5b45b886111d22758a80

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe
Size

380KB
MD5

fe463e5ccaf4ebd28d725cbb0345bc94
SHA1

1832653e8402b0c810d6c37f8e3f085854370ab5
SHA256

4eadab237aad1524f6993c04423f3609bb52f32837cd5b45b886111d22758a80
SHA512

d461c35a9d38b99f1877180636572044955addb6afa539709fdd5d292957aee2fb9b4938ba957eb9f196b721ecd440805cd126cfb1607b3ebf250577b99a089f
SSDEEP

3072:mEGh0oUlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGel7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023403-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023413-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022f22-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023413-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000022f22-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023413-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000022f22-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023413-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000022f22-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023413-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022f22-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{705EA804-793F-4218-A397-3A37E5BC4A83}\stubpath = "C:\\Windows\\{705EA804-793F-4218-A397-3A37E5BC4A83}.exe"	2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{821CA8F1-619D-41b3-B830-01E28E83429B}\stubpath = "C:\\Windows\\{821CA8F1-619D-41b3-B830-01E28E83429B}.exe"	{705EA804-793F-4218-A397-3A37E5BC4A83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95328037-14CC-41f1-BDC4-FD918B63C185}	{241A5E30-B764-45dd-A175-3879782D8D37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{951E3A3E-9C60-49b4-9D60-851100F77940}\stubpath = "C:\\Windows\\{951E3A3E-9C60-49b4-9D60-851100F77940}.exe"	{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{605EAC13-075B-4641-B200-88EF2A23372D}\stubpath = "C:\\Windows\\{605EAC13-075B-4641-B200-88EF2A23372D}.exe"	{951E3A3E-9C60-49b4-9D60-851100F77940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{705EA804-793F-4218-A397-3A37E5BC4A83}	2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{821CA8F1-619D-41b3-B830-01E28E83429B}	{705EA804-793F-4218-A397-3A37E5BC4A83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}\stubpath = "C:\\Windows\\{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe"	{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{241A5E30-B764-45dd-A175-3879782D8D37}	{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{241A5E30-B764-45dd-A175-3879782D8D37}\stubpath = "C:\\Windows\\{241A5E30-B764-45dd-A175-3879782D8D37}.exe"	{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}	{95328037-14CC-41f1-BDC4-FD918B63C185}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}\stubpath = "C:\\Windows\\{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe"	{95328037-14CC-41f1-BDC4-FD918B63C185}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C1E0D8E-EDCB-448b-98F9-E958517B2861}	{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4C621FA-B325-4c0e-8570-278BD757F90A}\stubpath = "C:\\Windows\\{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe"	{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401911F4-AE18-40c6-AE0A-B9529CBAF045}	{605EAC13-075B-4641-B200-88EF2A23372D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}	{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C1E0D8E-EDCB-448b-98F9-E958517B2861}\stubpath = "C:\\Windows\\{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe"	{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4C621FA-B325-4c0e-8570-278BD757F90A}	{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{605EAC13-075B-4641-B200-88EF2A23372D}	{951E3A3E-9C60-49b4-9D60-851100F77940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6768D25-E709-40eb-A772-B450E3F7A7AF}	{821CA8F1-619D-41b3-B830-01E28E83429B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6768D25-E709-40eb-A772-B450E3F7A7AF}\stubpath = "C:\\Windows\\{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe"	{821CA8F1-619D-41b3-B830-01E28E83429B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95328037-14CC-41f1-BDC4-FD918B63C185}\stubpath = "C:\\Windows\\{95328037-14CC-41f1-BDC4-FD918B63C185}.exe"	{241A5E30-B764-45dd-A175-3879782D8D37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{951E3A3E-9C60-49b4-9D60-851100F77940}	{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401911F4-AE18-40c6-AE0A-B9529CBAF045}\stubpath = "C:\\Windows\\{401911F4-AE18-40c6-AE0A-B9529CBAF045}.exe"	{605EAC13-075B-4641-B200-88EF2A23372D}.exe

Executes dropped EXE 12 IoCs

pid	Process
4816	{705EA804-793F-4218-A397-3A37E5BC4A83}.exe
2744	{821CA8F1-619D-41b3-B830-01E28E83429B}.exe
3220	{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe
2300	{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe
4252	{241A5E30-B764-45dd-A175-3879782D8D37}.exe
4188	{95328037-14CC-41f1-BDC4-FD918B63C185}.exe
3364	{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe
3788	{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe
4980	{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe
3092	{951E3A3E-9C60-49b4-9D60-851100F77940}.exe
760	{605EAC13-075B-4641-B200-88EF2A23372D}.exe
744	{401911F4-AE18-40c6-AE0A-B9529CBAF045}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{705EA804-793F-4218-A397-3A37E5BC4A83}.exe	2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe
File created	C:\Windows\{95328037-14CC-41f1-BDC4-FD918B63C185}.exe	{241A5E30-B764-45dd-A175-3879782D8D37}.exe
File created	C:\Windows\{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe	{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe
File created	C:\Windows\{605EAC13-075B-4641-B200-88EF2A23372D}.exe	{951E3A3E-9C60-49b4-9D60-851100F77940}.exe
File created	C:\Windows\{821CA8F1-619D-41b3-B830-01E28E83429B}.exe	{705EA804-793F-4218-A397-3A37E5BC4A83}.exe
File created	C:\Windows\{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe	{821CA8F1-619D-41b3-B830-01E28E83429B}.exe
File created	C:\Windows\{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe	{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe
File created	C:\Windows\{241A5E30-B764-45dd-A175-3879782D8D37}.exe	{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe
File created	C:\Windows\{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe	{95328037-14CC-41f1-BDC4-FD918B63C185}.exe
File created	C:\Windows\{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe	{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe
File created	C:\Windows\{951E3A3E-9C60-49b4-9D60-851100F77940}.exe	{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe
File created	C:\Windows\{401911F4-AE18-40c6-AE0A-B9529CBAF045}.exe	{605EAC13-075B-4641-B200-88EF2A23372D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2832	2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4816	{705EA804-793F-4218-A397-3A37E5BC4A83}.exe
Token: SeIncBasePriorityPrivilege	2744	{821CA8F1-619D-41b3-B830-01E28E83429B}.exe
Token: SeIncBasePriorityPrivilege	3220	{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe
Token: SeIncBasePriorityPrivilege	2300	{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe
Token: SeIncBasePriorityPrivilege	4252	{241A5E30-B764-45dd-A175-3879782D8D37}.exe
Token: SeIncBasePriorityPrivilege	4188	{95328037-14CC-41f1-BDC4-FD918B63C185}.exe
Token: SeIncBasePriorityPrivilege	3364	{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe
Token: SeIncBasePriorityPrivilege	3788	{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe
Token: SeIncBasePriorityPrivilege	4980	{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe
Token: SeIncBasePriorityPrivilege	3092	{951E3A3E-9C60-49b4-9D60-851100F77940}.exe
Token: SeIncBasePriorityPrivilege	760	{605EAC13-075B-4641-B200-88EF2A23372D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 4816	2832	2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe	84
PID 2832 wrote to memory of 4816	2832	2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe	84
PID 2832 wrote to memory of 4816	2832	2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe	84
PID 2832 wrote to memory of 3624	2832	2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe	85
PID 2832 wrote to memory of 3624	2832	2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe	85
PID 2832 wrote to memory of 3624	2832	2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe	85
PID 4816 wrote to memory of 2744	4816	{705EA804-793F-4218-A397-3A37E5BC4A83}.exe	86
PID 4816 wrote to memory of 2744	4816	{705EA804-793F-4218-A397-3A37E5BC4A83}.exe	86
PID 4816 wrote to memory of 2744	4816	{705EA804-793F-4218-A397-3A37E5BC4A83}.exe	86
PID 4816 wrote to memory of 4848	4816	{705EA804-793F-4218-A397-3A37E5BC4A83}.exe	87
PID 4816 wrote to memory of 4848	4816	{705EA804-793F-4218-A397-3A37E5BC4A83}.exe	87
PID 4816 wrote to memory of 4848	4816	{705EA804-793F-4218-A397-3A37E5BC4A83}.exe	87
PID 2744 wrote to memory of 3220	2744	{821CA8F1-619D-41b3-B830-01E28E83429B}.exe	90
PID 2744 wrote to memory of 3220	2744	{821CA8F1-619D-41b3-B830-01E28E83429B}.exe	90
PID 2744 wrote to memory of 3220	2744	{821CA8F1-619D-41b3-B830-01E28E83429B}.exe	90
PID 2744 wrote to memory of 1304	2744	{821CA8F1-619D-41b3-B830-01E28E83429B}.exe	91
PID 2744 wrote to memory of 1304	2744	{821CA8F1-619D-41b3-B830-01E28E83429B}.exe	91
PID 2744 wrote to memory of 1304	2744	{821CA8F1-619D-41b3-B830-01E28E83429B}.exe	91
PID 3220 wrote to memory of 2300	3220	{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe	93
PID 3220 wrote to memory of 2300	3220	{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe	93
PID 3220 wrote to memory of 2300	3220	{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe	93
PID 3220 wrote to memory of 1348	3220	{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe	94
PID 3220 wrote to memory of 1348	3220	{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe	94
PID 3220 wrote to memory of 1348	3220	{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe	94
PID 2300 wrote to memory of 4252	2300	{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe	95
PID 2300 wrote to memory of 4252	2300	{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe	95
PID 2300 wrote to memory of 4252	2300	{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe	95
PID 2300 wrote to memory of 3384	2300	{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe	96
PID 2300 wrote to memory of 3384	2300	{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe	96
PID 2300 wrote to memory of 3384	2300	{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe	96
PID 4252 wrote to memory of 4188	4252	{241A5E30-B764-45dd-A175-3879782D8D37}.exe	97
PID 4252 wrote to memory of 4188	4252	{241A5E30-B764-45dd-A175-3879782D8D37}.exe	97
PID 4252 wrote to memory of 4188	4252	{241A5E30-B764-45dd-A175-3879782D8D37}.exe	97
PID 4252 wrote to memory of 1504	4252	{241A5E30-B764-45dd-A175-3879782D8D37}.exe	98
PID 4252 wrote to memory of 1504	4252	{241A5E30-B764-45dd-A175-3879782D8D37}.exe	98
PID 4252 wrote to memory of 1504	4252	{241A5E30-B764-45dd-A175-3879782D8D37}.exe	98
PID 4188 wrote to memory of 3364	4188	{95328037-14CC-41f1-BDC4-FD918B63C185}.exe	99
PID 4188 wrote to memory of 3364	4188	{95328037-14CC-41f1-BDC4-FD918B63C185}.exe	99
PID 4188 wrote to memory of 3364	4188	{95328037-14CC-41f1-BDC4-FD918B63C185}.exe	99
PID 4188 wrote to memory of 4720	4188	{95328037-14CC-41f1-BDC4-FD918B63C185}.exe	100
PID 4188 wrote to memory of 4720	4188	{95328037-14CC-41f1-BDC4-FD918B63C185}.exe	100
PID 4188 wrote to memory of 4720	4188	{95328037-14CC-41f1-BDC4-FD918B63C185}.exe	100
PID 3364 wrote to memory of 3788	3364	{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe	101
PID 3364 wrote to memory of 3788	3364	{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe	101
PID 3364 wrote to memory of 3788	3364	{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe	101
PID 3364 wrote to memory of 2864	3364	{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe	102
PID 3364 wrote to memory of 2864	3364	{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe	102
PID 3364 wrote to memory of 2864	3364	{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe	102
PID 3788 wrote to memory of 4980	3788	{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe	103
PID 3788 wrote to memory of 4980	3788	{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe	103
PID 3788 wrote to memory of 4980	3788	{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe	103
PID 3788 wrote to memory of 3216	3788	{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe	104
PID 3788 wrote to memory of 3216	3788	{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe	104
PID 3788 wrote to memory of 3216	3788	{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe	104
PID 4980 wrote to memory of 3092	4980	{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe	105
PID 4980 wrote to memory of 3092	4980	{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe	105
PID 4980 wrote to memory of 3092	4980	{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe	105
PID 4980 wrote to memory of 4996	4980	{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe	106
PID 4980 wrote to memory of 4996	4980	{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe	106
PID 4980 wrote to memory of 4996	4980	{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe	106
PID 3092 wrote to memory of 760	3092	{951E3A3E-9C60-49b4-9D60-851100F77940}.exe	107
PID 3092 wrote to memory of 760	3092	{951E3A3E-9C60-49b4-9D60-851100F77940}.exe	107
PID 3092 wrote to memory of 760	3092	{951E3A3E-9C60-49b4-9D60-851100F77940}.exe	107
PID 3092 wrote to memory of 4260	3092	{951E3A3E-9C60-49b4-9D60-851100F77940}.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_fe463e5ccaf4ebd28d725cbb0345bc94_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\{705EA804-793F-4218-A397-3A37E5BC4A83}.exe
  C:\Windows\{705EA804-793F-4218-A397-3A37E5BC4A83}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\{821CA8F1-619D-41b3-B830-01E28E83429B}.exe
    C:\Windows\{821CA8F1-619D-41b3-B830-01E28E83429B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe
      C:\Windows\{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3220
    - - C:\Windows\{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe
        
        C:\Windows\{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Windows\{241A5E30-B764-45dd-A175-3879782D8D37}.exe
        
        C:\Windows\{241A5E30-B764-45dd-A175-3879782D8D37}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\{95328037-14CC-41f1-BDC4-FD918B63C185}.exe
        
        C:\Windows\{95328037-14CC-41f1-BDC4-FD918B63C185}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe
        
        C:\Windows\{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe
        
        C:\Windows\{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe
        
        C:\Windows\{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\{951E3A3E-9C60-49b4-9D60-851100F77940}.exe
        
        C:\Windows\{951E3A3E-9C60-49b4-9D60-851100F77940}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\{605EAC13-075B-4641-B200-88EF2A23372D}.exe
        
        C:\Windows\{605EAC13-075B-4641-B200-88EF2A23372D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\{401911F4-AE18-40c6-AE0A-B9529CBAF045}.exe
        
        C:\Windows\{401911F4-AE18-40c6-AE0A-B9529CBAF045}.exe
        13⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{605EA~1.EXE > nul
        13⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{951E3~1.EXE > nul
        12⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4C62~1.EXE > nul
        11⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C1E0~1.EXE > nul
        10⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15C8A~1.EXE > nul
        9⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95328~1.EXE > nul
        8⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{241A5~1.EXE > nul
        7⤵
        
        PID:1504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6637~1.EXE > nul
        6⤵
        
        PID:3384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6768~1.EXE > nul
        5⤵
        
        PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{821CA~1.EXE > nul
      4⤵
      PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{705EA~1.EXE > nul
    3⤵
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15C8AD13-F48D-4c41-B04E-2D8A0B74AA23}.exe

Filesize
380KB

MD5
91c950e71693ad9040962d7f58c17a26

SHA1
ce65dd7336b225e1b64421f3c0a8e7414963be24

SHA256
54bc6a4a2ccf5dc62ebe86409c37acb3c538d4bd43d616aaead127d96d8ca0e9

SHA512
97a268b773a81cb367379e19fbf162ef9cbbe30507ebf9618f05786e0df9c8a5ee7800421d6faa4077c956cb09d48233de3937d1d9b6ad5d40bed48f49983296

Download Submit
C:\Windows\{241A5E30-B764-45dd-A175-3879782D8D37}.exe

Filesize
380KB

MD5
01b357ccabc2c1880bd8e3b893c0e6fc

SHA1
4dd812f73cb63f940e6be1d719ceb4cce5b50605

SHA256
187b15463104b1f2a3e2c9db74a2eb3bb5e3ece6b7f61701866806d8d4469978

SHA512
3820d80cd845569e2c40a70945cc5313ca4d8f1b0a1979e9017b1b78271862005d949de41952a1023aff5caeb85d2f394dad39657112a887b91228dcb5ab4367

Download Submit
C:\Windows\{401911F4-AE18-40c6-AE0A-B9529CBAF045}.exe

Filesize
380KB

MD5
8fce98b20d4b1bea3113c75f3f668bc7

SHA1
7552cbf3c1d229f9b4027ff6fb79b59e72161b45

SHA256
fbd01c4d3770f047e13f08e253d4c19a8ced7522f91a10a6d9ddbdef0c909a76

SHA512
7d4e724a3a5ba07f6ace1185e390d8d3a63ca96a8eb5cc4c2bca2825c1dfb5d3747e30a2d891dbfb7f3aa88bc23936d108dfaaedbcd70978637eeafd514fcc85

Download Submit
C:\Windows\{605EAC13-075B-4641-B200-88EF2A23372D}.exe

Filesize
380KB

MD5
d1f2115ade304706f225d14b309d1a90

SHA1
a29a2cb7a9b5fb519302605d505ff75d1127f3c6

SHA256
6967ea7ca318ddf9b33c1fa393c982f542f9bdc887ae160fdeadc141e9b867c0

SHA512
b9e2e7dc0c5e453554896414a42cdcc59e907aa753668e1ac02f554ffe01355e4a3b96d2ff50c68b74c13a92bcd37877847d49242c73b72699f3a845be090433

Download Submit
C:\Windows\{6C1E0D8E-EDCB-448b-98F9-E958517B2861}.exe

Filesize
380KB

MD5
2ef73115c2cbab62fe90d2322ff346a5

SHA1
b4ca6220f8e63be49da1a293edff70007641e915

SHA256
326cef879268c7a989d9734df3052058cd3abbc70a64772725eaab6d75e77001

SHA512
99b1ba2e825d4a0d422ac1b3dc259adda43a89e725a77880268f4e00254abde8e6f663d9fd790d20ec28204166e6f8482cc2e31db251ef5263b37a32023f2919

Download Submit
C:\Windows\{705EA804-793F-4218-A397-3A37E5BC4A83}.exe

Filesize
380KB

MD5
e87654f20650a292ccd07ec0ecee1932

SHA1
e3fceb14fc677cc993b2c27dc87914e1123183bb

SHA256
5202702304a84a46ead00b370aef535af27a65cf9dc350b8f039bf584f3c9bfe

SHA512
2fc1354a3acad10c4671fb3e1df451b9d2ec79e7b5a6ef9e5354b6d8e6a7715106b50b1a4b6dd4f6f711a5bb26a0f8e3fd8b63c9283dca045e6e41110b536218

Download Submit
C:\Windows\{821CA8F1-619D-41b3-B830-01E28E83429B}.exe

Filesize
380KB

MD5
33e2669df3f2c0d83975bd7141bce660

SHA1
57c9394e23bdde54c3bffb7d26bdaecd277920df

SHA256
580ad1b26e6ff56afda49984d2739ad7969c1438c836612892232df798614590

SHA512
f216ccf08f85d165561b231c478ad77323e14ceebf7c207cba99091f0d2d9a7418ea4d88e557f9264c8548fbcf497be03addc626e1d65383aeb7f0dcd82ab07d

Download Submit
C:\Windows\{951E3A3E-9C60-49b4-9D60-851100F77940}.exe

Filesize
380KB

MD5
9c4551e46a9dbc6900902c7c235259df

SHA1
f838f7e82b0c1674655d5fdfd01d0be2b4a57d32

SHA256
138bebfd95f76bef0c66efa07ba6a49d8e6d0e7aa240489dbb8011e9f6a97473

SHA512
4e99b7fe1fb2ef96030bd5c435b92e784bc84a57a702d2009d100a0be0509eff7310016fa05ef597224792c94d7afe3b56ac956e5bc7c25ba882ff3961065b92

Download Submit
C:\Windows\{95328037-14CC-41f1-BDC4-FD918B63C185}.exe

Filesize
380KB

MD5
7f6eeeb679740851c2db4f00afa40fe7

SHA1
eaa42dd7d491570df91a490c99abd09743cd1c7c

SHA256
59593bd2e2b00e0d67ceb4e7d39ed77c5cce3c183fbdeff8c4e7badb3ed8a666

SHA512
1a956eafe7083a64e43ae0cd0f84f146d74e63b6ee2da71ed18af82338923f2c4ed8cc66fc40aa8e720dcf7f81cc41f5e02e2552b8a2a14dce0723c572492efd

Download Submit
C:\Windows\{D4C621FA-B325-4c0e-8570-278BD757F90A}.exe

Filesize
380KB

MD5
0b1672467d7a7d0c749d1ce50a6d3e0e

SHA1
bef3da5c21091dbdd7c31f486fcce446caf51048

SHA256
ef3a5d118d6f414e283e1e27cf6e83415a70e4a1ebb426e5167d5e50c45e6e8e

SHA512
7f284950dddb6903fbf152436317fcd350dc71b1607c9ce2803071ca498a9fd6edae390e5ed9c783b85ef9e5f89bbecd1a96b1ff70d0f84a50037b0aa81c210d

Download Submit
C:\Windows\{D6637B8F-F5EA-4bc7-8E4F-E5A03595F8B8}.exe

Filesize
380KB

MD5
46f2dec6299d16766255142409571d5f

SHA1
5479d7293c1870e3945b1fb39196907a2571c8a9

SHA256
b3fb784dd08254d995437ab18d75006e622b22729f478ecff6f490f38bfc9339

SHA512
84142617195fc5e5c180896e4e37f34cc692fdfb038af9af7982da4253c25fd600f3c80e656080e97e7ffe527bb9880d1fc533593f84c7ca308db509ca2b7b24

Download Submit
C:\Windows\{E6768D25-E709-40eb-A772-B450E3F7A7AF}.exe

Filesize
380KB

MD5
66a244b248b7afc9ccd09995b726119b

SHA1
20fb8979d4d2762e9c504c481923fbd220038557

SHA256
c6723f7c91111227a107401c264ea2a83106868eb202d4bc5e5ce956245a4425

SHA512
07bb8b4c2ca756900fac4a1658402c9119e956a76814ad8716f9e55e2cc99d5a9cd398551fb455be65e26b932220459646227ed70451cd347bc5887e1a0ccffd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads