a4f66f30611440ea13369f0250ba98617d26d96f5a3fd7bec33fd9151d3962f5

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe
Size

380KB
MD5

7942cf433de728fc0f7f160d29148850
SHA1

38ec9dda65c397bf167c810238f2341a20dce3d4
SHA256

a4f66f30611440ea13369f0250ba98617d26d96f5a3fd7bec33fd9151d3962f5
SHA512

3ae4ae36febb333c17bd8774205a2c25e0e68139342b88497b1db9eafb24606427b861c8302906321ff580a657655fbb5cbd763cfbb4de29cab7db51c9d1b496
SSDEEP

3072:mEGh0oalPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGEl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231eb-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000231f4-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231fb-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00110000000231f4-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d92-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d93-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d92-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}\stubpath = "C:\\Windows\\{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe"	{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}	{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}	{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}\stubpath = "C:\\Windows\\{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe"	{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}	{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}	{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9AAE138-3F5E-4a15-8C7F-039ADE24C81B}	{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9AAE138-3F5E-4a15-8C7F-039ADE24C81B}\stubpath = "C:\\Windows\\{B9AAE138-3F5E-4a15-8C7F-039ADE24C81B}.exe"	{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}	2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}\stubpath = "C:\\Windows\\{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe"	{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}	{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEC1351E-2D70-4011-AE15-806291EEE1DF}\stubpath = "C:\\Windows\\{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe"	{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEC1351E-2D70-4011-AE15-806291EEE1DF}	{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}\stubpath = "C:\\Windows\\{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe"	{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}	{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}\stubpath = "C:\\Windows\\{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe"	{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}	{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}\stubpath = "C:\\Windows\\{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe"	{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}	{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}\stubpath = "C:\\Windows\\{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe"	{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}\stubpath = "C:\\Windows\\{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe"	2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}\stubpath = "C:\\Windows\\{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe"	{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe

Executes dropped EXE 11 IoCs

pid	Process
3928	{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe
1812	{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe
2892	{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe
4788	{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe
2384	{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe
2624	{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe
3388	{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe
3060	{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe
4476	{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe
1120	{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe
2776	{B9AAE138-3F5E-4a15-8C7F-039ADE24C81B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe	{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe
File created	C:\Windows\{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe	{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe
File created	C:\Windows\{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe	{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe
File created	C:\Windows\{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe	{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe
File created	C:\Windows\{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe	{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe
File created	C:\Windows\{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe	{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe
File created	C:\Windows\{B9AAE138-3F5E-4a15-8C7F-039ADE24C81B}.exe	{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe
File created	C:\Windows\{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe	2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe
File created	C:\Windows\{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe	{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe
File created	C:\Windows\{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe	{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe
File created	C:\Windows\{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe	{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	368	2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3928	{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe
Token: SeIncBasePriorityPrivilege	1812	{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe
Token: SeIncBasePriorityPrivilege	2892	{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe
Token: SeIncBasePriorityPrivilege	4788	{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe
Token: SeIncBasePriorityPrivilege	2384	{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe
Token: SeIncBasePriorityPrivilege	2624	{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe
Token: SeIncBasePriorityPrivilege	3388	{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe
Token: SeIncBasePriorityPrivilege	3060	{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe
Token: SeIncBasePriorityPrivilege	4476	{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe
Token: SeIncBasePriorityPrivilege	1120	{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 3928	368	2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe	96
PID 368 wrote to memory of 3928	368	2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe	96
PID 368 wrote to memory of 3928	368	2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe	96
PID 368 wrote to memory of 5112	368	2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe	97
PID 368 wrote to memory of 5112	368	2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe	97
PID 368 wrote to memory of 5112	368	2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe	97
PID 3928 wrote to memory of 1812	3928	{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe	98
PID 3928 wrote to memory of 1812	3928	{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe	98
PID 3928 wrote to memory of 1812	3928	{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe	98
PID 3928 wrote to memory of 3396	3928	{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe	99
PID 3928 wrote to memory of 3396	3928	{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe	99
PID 3928 wrote to memory of 3396	3928	{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe	99
PID 1812 wrote to memory of 2892	1812	{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe	102
PID 1812 wrote to memory of 2892	1812	{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe	102
PID 1812 wrote to memory of 2892	1812	{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe	102
PID 1812 wrote to memory of 3564	1812	{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe	101
PID 1812 wrote to memory of 3564	1812	{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe	101
PID 1812 wrote to memory of 3564	1812	{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe	101
PID 2892 wrote to memory of 4788	2892	{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe	103
PID 2892 wrote to memory of 4788	2892	{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe	103
PID 2892 wrote to memory of 4788	2892	{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe	103
PID 2892 wrote to memory of 4064	2892	{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe	104
PID 2892 wrote to memory of 4064	2892	{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe	104
PID 2892 wrote to memory of 4064	2892	{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe	104
PID 4788 wrote to memory of 2384	4788	{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe	105
PID 4788 wrote to memory of 2384	4788	{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe	105
PID 4788 wrote to memory of 2384	4788	{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe	105
PID 4788 wrote to memory of 1332	4788	{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe	106
PID 4788 wrote to memory of 1332	4788	{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe	106
PID 4788 wrote to memory of 1332	4788	{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe	106
PID 2384 wrote to memory of 2624	2384	{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe	107
PID 2384 wrote to memory of 2624	2384	{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe	107
PID 2384 wrote to memory of 2624	2384	{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe	107
PID 2384 wrote to memory of 740	2384	{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe	108
PID 2384 wrote to memory of 740	2384	{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe	108
PID 2384 wrote to memory of 740	2384	{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe	108
PID 2624 wrote to memory of 3388	2624	{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe	110
PID 2624 wrote to memory of 3388	2624	{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe	110
PID 2624 wrote to memory of 3388	2624	{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe	110
PID 2624 wrote to memory of 220	2624	{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe	109
PID 2624 wrote to memory of 220	2624	{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe	109
PID 2624 wrote to memory of 220	2624	{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe	109
PID 3388 wrote to memory of 3060	3388	{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe	112
PID 3388 wrote to memory of 3060	3388	{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe	112
PID 3388 wrote to memory of 3060	3388	{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe	112
PID 3388 wrote to memory of 4692	3388	{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe	111
PID 3388 wrote to memory of 4692	3388	{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe	111
PID 3388 wrote to memory of 4692	3388	{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe	111
PID 3060 wrote to memory of 4476	3060	{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe	113
PID 3060 wrote to memory of 4476	3060	{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe	113
PID 3060 wrote to memory of 4476	3060	{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe	113
PID 3060 wrote to memory of 116	3060	{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe	114
PID 3060 wrote to memory of 116	3060	{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe	114
PID 3060 wrote to memory of 116	3060	{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe	114
PID 4476 wrote to memory of 1120	4476	{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe	115
PID 4476 wrote to memory of 1120	4476	{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe	115
PID 4476 wrote to memory of 1120	4476	{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe	115
PID 4476 wrote to memory of 1696	4476	{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe	116
PID 4476 wrote to memory of 1696	4476	{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe	116
PID 4476 wrote to memory of 1696	4476	{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe	116
PID 1120 wrote to memory of 2776	1120	{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe	117
PID 1120 wrote to memory of 2776	1120	{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe	117
PID 1120 wrote to memory of 2776	1120	{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe	117
PID 1120 wrote to memory of 216	1120	{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-23_7942cf433de728fc0f7f160d29148850_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe
  C:\Windows\{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe
    C:\Windows\{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BC90D~1.EXE > nul
      4⤵
      PID:3564
  - - C:\Windows\{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe
      C:\Windows\{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe
        
        C:\Windows\{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
      - C:\Windows\{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe
        
        C:\Windows\{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe
        
        C:\Windows\{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEC13~1.EXE > nul
        8⤵
        
        PID:220
        
        C:\Windows\{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe
        
        C:\Windows\{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C156B~1.EXE > nul
        9⤵
        
        PID:4692
        
        C:\Windows\{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe
        
        C:\Windows\{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe
        
        C:\Windows\{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe
        
        C:\Windows\{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\{B9AAE138-3F5E-4a15-8C7F-039ADE24C81B}.exe
        
        C:\Windows\{B9AAE138-3F5E-4a15-8C7F-039ADE24C81B}.exe
        12⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7BC1~1.EXE > nul
        12⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E18BD~1.EXE > nul
        11⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49F6C~1.EXE > nul
        10⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CADD6~1.EXE > nul
        7⤵
        
        PID:740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B098B~1.EXE > nul
        6⤵
        
        PID:1332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F35EF~1.EXE > nul
        5⤵
        
        PID:4064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1C9EC~1.EXE > nul
    3⤵
    PID:3396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C9EC8E9-34E6-4342-B11C-3EB9132F3F9C}.exe

Filesize
380KB

MD5
d7722b0b77fc4e11078d00f186cb6f05

SHA1
35231dda81f30e65eda3c1206c95ac76f055a86c

SHA256
4b025f747fd617021df3fb1e984f17fe6c696777c69122be184f1d43473451f5

SHA512
5ddb4339d62a81e3ae8c47cc513dd748e7da434bc47591ef1c605e809179a2829b92df14c5b23658771e05f0edfcb47732a1d0f3d5925d6e263c687f38d4c0ec

Download Submit
C:\Windows\{49F6C453-B43D-4437-AC6B-EFEAFA443CA2}.exe

Filesize
380KB

MD5
74db899de38ecf8547220a8c58755056

SHA1
35b76aa94379d6ad7889a579431e094811d8999e

SHA256
33198221314d545fdc2f7ad3014aa9c1e388e1d441ff3f3cf2c3f1b88e246bef

SHA512
c0b20c77c3136e7275b33301ee0aecfd943844ffaa592fc50e32f042014428b7b5e3fe0f2dc76b06b2bf9f32055223df67ab9238cbeaef1d6308d50cdc342664

Download Submit
C:\Windows\{B098BCD6-F6D3-4cc0-9B4F-6DD8E0FBBEDF}.exe

Filesize
380KB

MD5
67fe576268009d14f908e55c219e04e6

SHA1
38b575018c3973dfcdc11214f5905281548e25cb

SHA256
fdf207d306af97cedee59f26155308e8ab3560764fcace4ec73b9254e9620c6f

SHA512
ccaaf94333e927c640c8019c3fdbc214621ce4dda49f8e6a36892e840edd85bcdfb6fccd37d913fee4200e3738abdd6ba23d3b48f21b0e06a6e917caf25a35a5

Download Submit
C:\Windows\{B9AAE138-3F5E-4a15-8C7F-039ADE24C81B}.exe

Filesize
380KB

MD5
3071936e32803090a9e558c03514b31e

SHA1
b42dcb6c38c22dc117ad8c7309848022739a9426

SHA256
7d371e1b6be12cb4aa745057fecc0a6ac916db14dbdce3bcd94ba84dc0fa5c87

SHA512
aad7224c736ca337f13b7efa1a074f17dd3a5c5601d3c4e5d78a7c53e52647be1b092a0b4f28bfc8cc90b613e2a93f33184346387633075fead63f4c63cb1d57

Download Submit
C:\Windows\{BC90D56C-CB24-4890-87EA-E3DBB5EDA674}.exe

Filesize
380KB

MD5
548e31cd28bc98086736329c9428fcba

SHA1
cd312b811657c0ba068a0b56b1578a299e311661

SHA256
7e6f6a152944a76c3fda4caa0e43581545ba3e1b75afa071770af47ca8e3339f

SHA512
197db78d3ac355ff5412831ccfec2af26e46da82ad6e12a6264e94528566c8ed10fd50d2c7cd8896dfa3d1394d72cd7ec1a7bff7391faa0dadfabca0211e381f

Download Submit
C:\Windows\{C156B896-EE1B-4b85-B5D4-1FEDFBC8D3E5}.exe

Filesize
380KB

MD5
f6ff661abddf9b42f2d6f2cebf281611

SHA1
ade5d50036c0eef84cb6eea25fffe9b4f640660b

SHA256
30456e300109db0a2544cb61b57f57d2981272cc0290db2600563513c865d80a

SHA512
3f0714e2f238a48d2337fcb0dc51d75fe2c5b8dc0f5e8914fb981b73d1c11fcde2a4efa846a123aa0590561492005430415df20a5f358a3764655350aaf1b9e0

Download Submit
C:\Windows\{CADD6DA1-8C7F-4a52-833B-79BA7D45759D}.exe

Filesize
380KB

MD5
16f4ffa1dcd24a0de1900532766a8b47

SHA1
dabd76d0bb33ca4c085b61ea07abae96cc997c7e

SHA256
bc8f71bbc1567e67be036ca10697fad3f883bf9a3b341e6685ee49146fe96510

SHA512
bdb406a803a7c57f9d0cc187d39cea01080102e350e8b51e6142cc0a18c238225846d49897e6718f2a8781c177af8cd4fcbb78b9882ce44e2210fdb63ae54c66

Download Submit
C:\Windows\{DEC1351E-2D70-4011-AE15-806291EEE1DF}.exe

Filesize
380KB

MD5
faa8d69d992169c36775e1e9d06d945c

SHA1
c3587167bf21d640848480d91339202352c32da0

SHA256
f8cd547f3146ec3efeb6ef5281fa9de6eccca3002fa7a298f193816e8ea394d8

SHA512
7996b54af3bc76fbc56a023903bc00974a5ff51fd8b9b5f0ff1273fe12aa9dcd4a865ed25b7e71bb179308a07441b201d0fbe872cf4ac8ec5e0039aa06d478c1

Download Submit
C:\Windows\{E18BD866-0094-4a1f-A3CA-7727EAA0D9BA}.exe

Filesize
380KB

MD5
cfbc721991ac97238b55cb453b6fb912

SHA1
22e40497af82a95f51a8e4b9b5ebe5744ef4b2b8

SHA256
344c4808556efb8991af1fd5526d4bf26d51bbdad8ee3780c08eb3758197cd81

SHA512
c1c75d14062feaa94fb748526b92b6ecff47ffe3ec1d23ef1c1a394f29ce9c971c1719f394c74098896668d87ef1d24a593cf08a1e26e0a5618d658ae8f1534b

Download Submit
C:\Windows\{E7BC14BB-29B1-45ba-B1AB-7A901DF13F8B}.exe

Filesize
380KB

MD5
aa371d4e1c6dd76cad00bba96fe72fd2

SHA1
b9dd12ee2cf45a295a0c2fddd89271bf80ceceb9

SHA256
e4f06b6fdb44cbc046bd011035b1f10825bb6b22a6be92d30e2b1bf72f113826

SHA512
05e8a3366fa16e485c07d226627fa7bd72558195fe9f2d5457f7f601ceda0757e311552179a04132568111ced32b689bab7744c54ca03d3d8e1a75022b862889

Download Submit
C:\Windows\{F35EF4E2-FF90-447d-ADAF-280BC7E06AB0}.exe

Filesize
380KB

MD5
f3be023c732768773652ad7b83e2436e

SHA1
2a2346693bea74c51b0d4ab9d5eb864e9fb60e21

SHA256
1b97ce9fd847e5880124e0981bb98b3c20501dc1b6b18261920a5333ccc46fc2

SHA512
3d78f80378deb089cf173dd9efef53c6f9a78df2a485c6ba1fb144c0faa6ae21f15860bbac7bbce824a93c4cdc81f4c3894dc93ad99473594ba2364753dd30ee

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads