9b3acf8ac39f4383d83c88d8deae877977162442dc77a1a559094b673c799a93

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe
Size

380KB
MD5

91a2297f5fb546d43d9a12e120d72fb1
SHA1

306cac8bea98b3a1fb1bb8df3e66d266335e34b5
SHA256

9b3acf8ac39f4383d83c88d8deae877977162442dc77a1a559094b673c799a93
SHA512

cd0777d722eb08bf0827e17f6d5d8e2473c5aa81719a780d16902d89f8f24d3d26ddd167cabfdecd92878e7cbe30255aa24ab6f8da85b87cd893f0ee6fd024ac
SSDEEP

3072:mEGh0oblPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGNl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002320e-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023216-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023216-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A70424D7-6226-46d0-B561-39466C3F8DD9}	{C30D685A-8958-4692-9923-785247A77505}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2021F6D-D000-48f1-B44A-344124D2991F}	{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2021F6D-D000-48f1-B44A-344124D2991F}\stubpath = "C:\\Windows\\{A2021F6D-D000-48f1-B44A-344124D2991F}.exe"	{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{391654DB-1C27-429f-8251-6E49EBBB5085}\stubpath = "C:\\Windows\\{391654DB-1C27-429f-8251-6E49EBBB5085}.exe"	{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}\stubpath = "C:\\Windows\\{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe"	{391654DB-1C27-429f-8251-6E49EBBB5085}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86128945-3327-49c7-9103-BB3522137BCB}\stubpath = "C:\\Windows\\{86128945-3327-49c7-9103-BB3522137BCB}.exe"	2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5660461-848A-4b74-AFA3-C38D2A24A09D}	{86128945-3327-49c7-9103-BB3522137BCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A5660461-848A-4b74-AFA3-C38D2A24A09D}\stubpath = "C:\\Windows\\{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe"	{86128945-3327-49c7-9103-BB3522137BCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9A98D25-75CD-43fc-9898-F9C34EDC431A}	{A2021F6D-D000-48f1-B44A-344124D2991F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{391654DB-1C27-429f-8251-6E49EBBB5085}	{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D73AB43F-D0E4-4275-B289-36994CA6CAB9}	{A6555E54-A3F3-477d-BE24-81B5359A40F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C30D685A-8958-4692-9923-785247A77505}\stubpath = "C:\\Windows\\{C30D685A-8958-4692-9923-785247A77505}.exe"	{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A70424D7-6226-46d0-B561-39466C3F8DD9}\stubpath = "C:\\Windows\\{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe"	{C30D685A-8958-4692-9923-785247A77505}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}	{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6555E54-A3F3-477d-BE24-81B5359A40F4}\stubpath = "C:\\Windows\\{A6555E54-A3F3-477d-BE24-81B5359A40F4}.exe"	{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D73AB43F-D0E4-4275-B289-36994CA6CAB9}\stubpath = "C:\\Windows\\{D73AB43F-D0E4-4275-B289-36994CA6CAB9}.exe"	{A6555E54-A3F3-477d-BE24-81B5359A40F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}\stubpath = "C:\\Windows\\{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe"	{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9A98D25-75CD-43fc-9898-F9C34EDC431A}\stubpath = "C:\\Windows\\{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe"	{A2021F6D-D000-48f1-B44A-344124D2991F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6555E54-A3F3-477d-BE24-81B5359A40F4}	{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C30D685A-8958-4692-9923-785247A77505}	{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}	{391654DB-1C27-429f-8251-6E49EBBB5085}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86128945-3327-49c7-9103-BB3522137BCB}	2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}	{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}\stubpath = "C:\\Windows\\{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe"	{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe

Executes dropped EXE 12 IoCs

pid	Process
4388	{86128945-3327-49c7-9103-BB3522137BCB}.exe
2972	{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe
3708	{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe
4876	{C30D685A-8958-4692-9923-785247A77505}.exe
3676	{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe
4976	{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe
1960	{A2021F6D-D000-48f1-B44A-344124D2991F}.exe
4972	{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe
4732	{391654DB-1C27-429f-8251-6E49EBBB5085}.exe
3848	{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe
3712	{A6555E54-A3F3-477d-BE24-81B5359A40F4}.exe
988	{D73AB43F-D0E4-4275-B289-36994CA6CAB9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe	{C30D685A-8958-4692-9923-785247A77505}.exe
File created	C:\Windows\{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe	{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe
File created	C:\Windows\{391654DB-1C27-429f-8251-6E49EBBB5085}.exe	{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe
File created	C:\Windows\{A6555E54-A3F3-477d-BE24-81B5359A40F4}.exe	{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe
File created	C:\Windows\{D73AB43F-D0E4-4275-B289-36994CA6CAB9}.exe	{A6555E54-A3F3-477d-BE24-81B5359A40F4}.exe
File created	C:\Windows\{86128945-3327-49c7-9103-BB3522137BCB}.exe	2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe
File created	C:\Windows\{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe	{86128945-3327-49c7-9103-BB3522137BCB}.exe
File created	C:\Windows\{C30D685A-8958-4692-9923-785247A77505}.exe	{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe
File created	C:\Windows\{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe	{391654DB-1C27-429f-8251-6E49EBBB5085}.exe
File created	C:\Windows\{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe	{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe
File created	C:\Windows\{A2021F6D-D000-48f1-B44A-344124D2991F}.exe	{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe
File created	C:\Windows\{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe	{A2021F6D-D000-48f1-B44A-344124D2991F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4928	2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4388	{86128945-3327-49c7-9103-BB3522137BCB}.exe
Token: SeIncBasePriorityPrivilege	2972	{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe
Token: SeIncBasePriorityPrivilege	3708	{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe
Token: SeIncBasePriorityPrivilege	4876	{C30D685A-8958-4692-9923-785247A77505}.exe
Token: SeIncBasePriorityPrivilege	3676	{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe
Token: SeIncBasePriorityPrivilege	4976	{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe
Token: SeIncBasePriorityPrivilege	1960	{A2021F6D-D000-48f1-B44A-344124D2991F}.exe
Token: SeIncBasePriorityPrivilege	4972	{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe
Token: SeIncBasePriorityPrivilege	4732	{391654DB-1C27-429f-8251-6E49EBBB5085}.exe
Token: SeIncBasePriorityPrivilege	3848	{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe
Token: SeIncBasePriorityPrivilege	3712	{A6555E54-A3F3-477d-BE24-81B5359A40F4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4388	4928	2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe	97
PID 4928 wrote to memory of 4388	4928	2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe	97
PID 4928 wrote to memory of 4388	4928	2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe	97
PID 4928 wrote to memory of 960	4928	2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe	98
PID 4928 wrote to memory of 960	4928	2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe	98
PID 4928 wrote to memory of 960	4928	2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe	98
PID 4388 wrote to memory of 2972	4388	{86128945-3327-49c7-9103-BB3522137BCB}.exe	100
PID 4388 wrote to memory of 2972	4388	{86128945-3327-49c7-9103-BB3522137BCB}.exe	100
PID 4388 wrote to memory of 2972	4388	{86128945-3327-49c7-9103-BB3522137BCB}.exe	100
PID 4388 wrote to memory of 4460	4388	{86128945-3327-49c7-9103-BB3522137BCB}.exe	99
PID 4388 wrote to memory of 4460	4388	{86128945-3327-49c7-9103-BB3522137BCB}.exe	99
PID 4388 wrote to memory of 4460	4388	{86128945-3327-49c7-9103-BB3522137BCB}.exe	99
PID 2972 wrote to memory of 3708	2972	{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe	102
PID 2972 wrote to memory of 3708	2972	{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe	102
PID 2972 wrote to memory of 3708	2972	{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe	102
PID 2972 wrote to memory of 3828	2972	{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe	103
PID 2972 wrote to memory of 3828	2972	{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe	103
PID 2972 wrote to memory of 3828	2972	{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe	103
PID 3708 wrote to memory of 4876	3708	{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe	104
PID 3708 wrote to memory of 4876	3708	{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe	104
PID 3708 wrote to memory of 4876	3708	{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe	104
PID 3708 wrote to memory of 1092	3708	{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe	105
PID 3708 wrote to memory of 1092	3708	{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe	105
PID 3708 wrote to memory of 1092	3708	{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe	105
PID 4876 wrote to memory of 3676	4876	{C30D685A-8958-4692-9923-785247A77505}.exe	106
PID 4876 wrote to memory of 3676	4876	{C30D685A-8958-4692-9923-785247A77505}.exe	106
PID 4876 wrote to memory of 3676	4876	{C30D685A-8958-4692-9923-785247A77505}.exe	106
PID 4876 wrote to memory of 1180	4876	{C30D685A-8958-4692-9923-785247A77505}.exe	107
PID 4876 wrote to memory of 1180	4876	{C30D685A-8958-4692-9923-785247A77505}.exe	107
PID 4876 wrote to memory of 1180	4876	{C30D685A-8958-4692-9923-785247A77505}.exe	107
PID 3676 wrote to memory of 4976	3676	{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe	108
PID 3676 wrote to memory of 4976	3676	{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe	108
PID 3676 wrote to memory of 4976	3676	{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe	108
PID 3676 wrote to memory of 528	3676	{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe	109
PID 3676 wrote to memory of 528	3676	{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe	109
PID 3676 wrote to memory of 528	3676	{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe	109
PID 4976 wrote to memory of 1960	4976	{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe	110
PID 4976 wrote to memory of 1960	4976	{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe	110
PID 4976 wrote to memory of 1960	4976	{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe	110
PID 4976 wrote to memory of 4424	4976	{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe	111
PID 4976 wrote to memory of 4424	4976	{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe	111
PID 4976 wrote to memory of 4424	4976	{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe	111
PID 1960 wrote to memory of 4972	1960	{A2021F6D-D000-48f1-B44A-344124D2991F}.exe	112
PID 1960 wrote to memory of 4972	1960	{A2021F6D-D000-48f1-B44A-344124D2991F}.exe	112
PID 1960 wrote to memory of 4972	1960	{A2021F6D-D000-48f1-B44A-344124D2991F}.exe	112
PID 1960 wrote to memory of 2760	1960	{A2021F6D-D000-48f1-B44A-344124D2991F}.exe	113
PID 1960 wrote to memory of 2760	1960	{A2021F6D-D000-48f1-B44A-344124D2991F}.exe	113
PID 1960 wrote to memory of 2760	1960	{A2021F6D-D000-48f1-B44A-344124D2991F}.exe	113
PID 4972 wrote to memory of 4732	4972	{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe	114
PID 4972 wrote to memory of 4732	4972	{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe	114
PID 4972 wrote to memory of 4732	4972	{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe	114
PID 4972 wrote to memory of 4900	4972	{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe	115
PID 4972 wrote to memory of 4900	4972	{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe	115
PID 4972 wrote to memory of 4900	4972	{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe	115
PID 4732 wrote to memory of 3848	4732	{391654DB-1C27-429f-8251-6E49EBBB5085}.exe	117
PID 4732 wrote to memory of 3848	4732	{391654DB-1C27-429f-8251-6E49EBBB5085}.exe	117
PID 4732 wrote to memory of 3848	4732	{391654DB-1C27-429f-8251-6E49EBBB5085}.exe	117
PID 4732 wrote to memory of 2364	4732	{391654DB-1C27-429f-8251-6E49EBBB5085}.exe	116
PID 4732 wrote to memory of 2364	4732	{391654DB-1C27-429f-8251-6E49EBBB5085}.exe	116
PID 4732 wrote to memory of 2364	4732	{391654DB-1C27-429f-8251-6E49EBBB5085}.exe	116
PID 3848 wrote to memory of 3712	3848	{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe	118
PID 3848 wrote to memory of 3712	3848	{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe	118
PID 3848 wrote to memory of 3712	3848	{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe	118
PID 3848 wrote to memory of 3304	3848	{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-19_91a2297f5fb546d43d9a12e120d72fb1_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\{86128945-3327-49c7-9103-BB3522137BCB}.exe
  C:\Windows\{86128945-3327-49c7-9103-BB3522137BCB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86128~1.EXE > nul
    3⤵
    PID:4460
- - C:\Windows\{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe
    C:\Windows\{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe
      C:\Windows\{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Windows\{C30D685A-8958-4692-9923-785247A77505}.exe
        
        C:\Windows\{C30D685A-8958-4692-9923-785247A77505}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Windows\{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe
        
        C:\Windows\{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe
        
        C:\Windows\{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\{A2021F6D-D000-48f1-B44A-344124D2991F}.exe
        
        C:\Windows\{A2021F6D-D000-48f1-B44A-344124D2991F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe
        
        C:\Windows\{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\{391654DB-1C27-429f-8251-6E49EBBB5085}.exe
        
        C:\Windows\{391654DB-1C27-429f-8251-6E49EBBB5085}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39165~1.EXE > nul
        11⤵
        
        PID:2364
        
        C:\Windows\{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe
        
        C:\Windows\{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\{A6555E54-A3F3-477d-BE24-81B5359A40F4}.exe
        
        C:\Windows\{A6555E54-A3F3-477d-BE24-81B5359A40F4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
        
        C:\Windows\{D73AB43F-D0E4-4275-B289-36994CA6CAB9}.exe
        
        C:\Windows\{D73AB43F-D0E4-4275-B289-36994CA6CAB9}.exe
        13⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6555~1.EXE > nul
        13⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC2D4~1.EXE > nul
        12⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9A98~1.EXE > nul
        10⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2021~1.EXE > nul
        9⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F43DE~1.EXE > nul
        8⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7042~1.EXE > nul
        7⤵
        
        PID:528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C30D6~1.EXE > nul
        6⤵
        
        PID:1180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5EEBF~1.EXE > nul
        5⤵
        
        PID:1092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A5660~1.EXE > nul
      4⤵
      PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{391654DB-1C27-429f-8251-6E49EBBB5085}.exe

Filesize
380KB

MD5
3b7d57f9a116f8f9e5298a696dbd3461

SHA1
22766f96146500627653826e4e5423feeeb56266

SHA256
6630f861d44d70597d2327458975ca198d0fc7388ff308398c2039fd5e8ffe40

SHA512
55fdc18bd700eb3bdd86893c60e7f038e6dfb714eb4dc079ded3c1ff2de909c4dae099666316c5c084e9eebd5cfc55653a044f2773b9e90cde0aa971c9999058

Download Submit
C:\Windows\{5EEBF50B-DC12-44dc-9283-3C3444FA1B2B}.exe

Filesize
380KB

MD5
fd88298164e390b61ac24c1a6d2225e1

SHA1
8ae2b2eb566483966f4daaa23e3dc6bd3c4a0c3c

SHA256
89bb1119ea8e7715c43eb2deb814b6cca32928e167391419ffd09e9a4b6b6bdf

SHA512
c394d6da88546ed248e9a3f0691bbeb0f9a3c756f81033c9a06825f00d84fca707227581030b52cc438d90bd35be61b78e3dc95b94edc7e53ed3d30d35211512

Download Submit
C:\Windows\{86128945-3327-49c7-9103-BB3522137BCB}.exe

Filesize
380KB

MD5
9c685b325a207f16e7df2aefc9ac9ad8

SHA1
5c0297100fd98e1934acefb3302aa9d6ca8296ed

SHA256
8a72b8b19576d0bfb5453117a182a14ac8a1c0b37938df76c8982b885bfc3db1

SHA512
1db42ab8af56d78285cddae52cbd374518e33ba38f70323cc272df76789b5ecabbe06b78659b025d810906e5506c68b258243a3bf210531dd78880fe297ce2fa

Download Submit
C:\Windows\{A2021F6D-D000-48f1-B44A-344124D2991F}.exe

Filesize
380KB

MD5
9355d2adafa382de1644fc5c0904a3df

SHA1
33798a29f3cd56ffb91aa95daf7b3a2b3686f078

SHA256
2816373673a7db2117fdaa6dd4ddf1dd0106b4a081a71deca7a5e52208eeb55d

SHA512
56f80595ae3fd0d043db2d9684de61cea2a771caaad993d7464395cdde0905c79a84a9b9a07ad8f86d4c4c1f95e9bc3aa69a99a28bd72a52001589b9554e41db

Download Submit
C:\Windows\{A5660461-848A-4b74-AFA3-C38D2A24A09D}.exe

Filesize
380KB

MD5
f5d901f15e4ef4c2b620d928c1b2cbd4

SHA1
334ff0a8ff7196b754351086c35ca6b7f9b58797

SHA256
27d5e235a7d10cd2673d21a5e53ee16c5806c2a4d6d97b6d6383944892fe1e2d

SHA512
ace19e20fb1dcad10477e9255e74a0317847274f3f67c8fa0d8d4bcabebd59a2c719e4a91730ccc0e20c3230da16419986ff02b672b6744e17fe0f8fae2f5aed

Download Submit
C:\Windows\{A6555E54-A3F3-477d-BE24-81B5359A40F4}.exe

Filesize
380KB

MD5
f768b9fa2b7a86e0882b268005fa4b61

SHA1
6a3345b9ffc91ed8b7f489432074e43e93eba914

SHA256
57206ee9738f2bfd9ea1ec6f1da0236f133ddc56e94e1088b3ce6c2243aa9bfb

SHA512
ee6922106650c9313774aeae0035b9052a640fb92dbb8d78a630514b53a40fd141a202cb9cdb98a02d48efd2d049c6e1f0c64de2710e4b9fd3cea369db1dd981

Download Submit
C:\Windows\{A70424D7-6226-46d0-B561-39466C3F8DD9}.exe

Filesize
380KB

MD5
5991af338c381b699a748205f834384d

SHA1
7f382d06504404335f41fde7b8e82125fc26624c

SHA256
d60fa24de12b085e7962f89d6a00f5f079a3ed47ad3b879d75c3f7ff0bf8aa86

SHA512
43c92343a073fd98c9b8c46eff7eb29396819fcbb0b8bd3fe1a5bed4f993ffcd4d3077111b335d0b105a5adc3f83b5ff3d17f7660e989726eeefb60d822e0a0c

Download Submit
C:\Windows\{B9A98D25-75CD-43fc-9898-F9C34EDC431A}.exe

Filesize
380KB

MD5
0585b00720fff6e801cfc8f14f1fd530

SHA1
c4490b87c058c3f841fc71c063b750887347dca4

SHA256
28de9f2b861503212a22af49541aa6cf01d00189fc29c549af51d54b05cd4c04

SHA512
c94976ff04e510ff748b3eea68d10f7ae08b7bf36715fa924c2d57da01eb0e1722a9f047ae6f53538fd6cdf22f56dca57c8badbf6aa5cadcbda5131452962783

Download Submit
C:\Windows\{C30D685A-8958-4692-9923-785247A77505}.exe

Filesize
380KB

MD5
8731ad8e8b276e847c740fcf5cb99d0f

SHA1
d114beeef117fb5c3b1fd4c52faae764c37711a4

SHA256
1e31b91cb17713be049808232bf9aaf38812d8a6473ca755718e384b15c20739

SHA512
4384506cd776d124aeddde8e86cf9022b228ecc7f7551610ca094472edddb5d8971bb96fba4eba226cd9bab2c2fff0ba89b396b642ef59bbf10b3a78e8e3cbf1

Download Submit
C:\Windows\{D73AB43F-D0E4-4275-B289-36994CA6CAB9}.exe

Filesize
380KB

MD5
9d239c356a3826ecb18c8b39f95cc428

SHA1
857175a09e81177a2c5991b0eeff01157edca12c

SHA256
89efc637b4b7bbffbc718696c6c0168600def13a58d105d0d43b67249acba0dd

SHA512
57be89b44eb44fce3ad0572db19b784ef29fd36a828f2e33b65bf568f2bf737788f019cb99938de147a9396ac1970794b99ef3f63674213014e8a2b0e77d8b3f

Download Submit
C:\Windows\{EC2D41A8-8BF2-4341-9AE7-8A378118A3B7}.exe

Filesize
380KB

MD5
c1cc2a1168a411041f099ee20a1f1c58

SHA1
342f9bb7f6150419458d739cabd577121851da6f

SHA256
6cbeaea6b42d570ddf106a9ed98ea3d39713f311caa92ff49ea11f8ab3ae6d2c

SHA512
b027cf950ce7f2cc212ea08483a9440a74f85615c044792c0f08c424e2cbfb1dd586b240b43440cda3a80e59f561a249e8f16fb20fd23edb8249a83c71291c2d

Download Submit
C:\Windows\{F43DEF9C-D5BD-4dc4-8E77-A4481023EFF2}.exe

Filesize
380KB

MD5
c38a2b84ae7c7fe4319f23a0868a9e72

SHA1
6de44fb5862b52bc5106a2aea79f1d3bebd963ed

SHA256
8f836416c3ab37416c62ff0a438bf46ec234f1dc6aa9cf8d40227240fd274408

SHA512
39973fc3b13d23fd2080c7ba3787114ffd48a168d5e06b83bcaa2ed3959302181d1e7175eed5dc64e17e2560ee2c46b72ff3c4b5033c8312126d8324d7b8da08

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads