6135d8a2facd519630a607fad27002069d9dd398ee9aa975795f65a77b541097

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe
Size

180KB
MD5

96495a758464e06885b3d36dfe87f2ca
SHA1

21726a5e2ea56c2ac1feb1ed7339ba988282ba9e
SHA256

6135d8a2facd519630a607fad27002069d9dd398ee9aa975795f65a77b541097
SHA512

8b3940203a02cdbcdad2a4f482c63f63b3ec3f0378334715f0d1645a0df073485e72addefbb2e2e56cfec76b493c4b20315b2fa5677913296ef9b8378511c79b
SSDEEP

3072:jEGh0oLlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGtl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023203-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023208-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023213-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023208-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021569-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000021570-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021569-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e5-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCBD7041-7D59-4cff-A50A-07D4E207E264}\stubpath = "C:\\Windows\\{CCBD7041-7D59-4cff-A50A-07D4E207E264}.exe"	{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2FD226A-1220-471d-A189-CD38F464CA7D}	{692D7F10-1941-4347-B380-292C92ADCDD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B34CBA-5C7D-470d-B482-F742872933B4}	{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9034BF6-B704-499d-94B2-BCE70DE0F572}\stubpath = "C:\\Windows\\{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe"	{72B34CBA-5C7D-470d-B482-F742872933B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCBD7041-7D59-4cff-A50A-07D4E207E264}	{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C9AA8A6-ACB5-4cfa-B941-980FB5647030}	{CCBD7041-7D59-4cff-A50A-07D4E207E264}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}\stubpath = "C:\\Windows\\{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe"	{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{084F5982-711F-4b5d-BF94-D986D611AA8B}\stubpath = "C:\\Windows\\{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe"	{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9034BF6-B704-499d-94B2-BCE70DE0F572}	{72B34CBA-5C7D-470d-B482-F742872933B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}\stubpath = "C:\\Windows\\{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe"	{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05489C13-0177-4711-8C4C-47DE4F38EDC0}	{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05489C13-0177-4711-8C4C-47DE4F38EDC0}\stubpath = "C:\\Windows\\{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe"	{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}	{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}\stubpath = "C:\\Windows\\{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe"	{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{692D7F10-1941-4347-B380-292C92ADCDD4}	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF7B0398-F80A-4af2-997C-4B16410D2FA4}	{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF7B0398-F80A-4af2-997C-4B16410D2FA4}\stubpath = "C:\\Windows\\{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe"	{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}	{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}	{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C9AA8A6-ACB5-4cfa-B941-980FB5647030}\stubpath = "C:\\Windows\\{7C9AA8A6-ACB5-4cfa-B941-980FB5647030}.exe"	{CCBD7041-7D59-4cff-A50A-07D4E207E264}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{692D7F10-1941-4347-B380-292C92ADCDD4}\stubpath = "C:\\Windows\\{692D7F10-1941-4347-B380-292C92ADCDD4}.exe"	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2FD226A-1220-471d-A189-CD38F464CA7D}\stubpath = "C:\\Windows\\{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe"	{692D7F10-1941-4347-B380-292C92ADCDD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{084F5982-711F-4b5d-BF94-D986D611AA8B}	{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B34CBA-5C7D-470d-B482-F742872933B4}\stubpath = "C:\\Windows\\{72B34CBA-5C7D-470d-B482-F742872933B4}.exe"	{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe

Executes dropped EXE 12 IoCs

pid	Process
2480	{692D7F10-1941-4347-B380-292C92ADCDD4}.exe
1036	{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe
4736	{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe
708	{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe
4876	{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe
2404	{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe
1204	{72B34CBA-5C7D-470d-B482-F742872933B4}.exe
5084	{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe
3976	{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe
820	{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe
4992	{CCBD7041-7D59-4cff-A50A-07D4E207E264}.exe
3804	{7C9AA8A6-ACB5-4cfa-B941-980FB5647030}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CCBD7041-7D59-4cff-A50A-07D4E207E264}.exe	{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe
File created	C:\Windows\{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe	{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe
File created	C:\Windows\{72B34CBA-5C7D-470d-B482-F742872933B4}.exe	{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe
File created	C:\Windows\{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe	{72B34CBA-5C7D-470d-B482-F742872933B4}.exe
File created	C:\Windows\{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe	{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe
File created	C:\Windows\{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe	{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe
File created	C:\Windows\{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe	{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe
File created	C:\Windows\{7C9AA8A6-ACB5-4cfa-B941-980FB5647030}.exe	{CCBD7041-7D59-4cff-A50A-07D4E207E264}.exe
File created	C:\Windows\{692D7F10-1941-4347-B380-292C92ADCDD4}.exe	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe
File created	C:\Windows\{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe	{692D7F10-1941-4347-B380-292C92ADCDD4}.exe
File created	C:\Windows\{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe	{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe
File created	C:\Windows\{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe	{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4364	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2480	{692D7F10-1941-4347-B380-292C92ADCDD4}.exe
Token: SeIncBasePriorityPrivilege	1036	{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe
Token: SeIncBasePriorityPrivilege	4736	{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe
Token: SeIncBasePriorityPrivilege	708	{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe
Token: SeIncBasePriorityPrivilege	4876	{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe
Token: SeIncBasePriorityPrivilege	2404	{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe
Token: SeIncBasePriorityPrivilege	1204	{72B34CBA-5C7D-470d-B482-F742872933B4}.exe
Token: SeIncBasePriorityPrivilege	5084	{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe
Token: SeIncBasePriorityPrivilege	3976	{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe
Token: SeIncBasePriorityPrivilege	820	{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe
Token: SeIncBasePriorityPrivilege	4992	{CCBD7041-7D59-4cff-A50A-07D4E207E264}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 2480	4364	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	94
PID 4364 wrote to memory of 2480	4364	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	94
PID 4364 wrote to memory of 2480	4364	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	94
PID 4364 wrote to memory of 4596	4364	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	95
PID 4364 wrote to memory of 4596	4364	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	95
PID 4364 wrote to memory of 4596	4364	2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe	95
PID 2480 wrote to memory of 1036	2480	{692D7F10-1941-4347-B380-292C92ADCDD4}.exe	96
PID 2480 wrote to memory of 1036	2480	{692D7F10-1941-4347-B380-292C92ADCDD4}.exe	96
PID 2480 wrote to memory of 1036	2480	{692D7F10-1941-4347-B380-292C92ADCDD4}.exe	96
PID 2480 wrote to memory of 3636	2480	{692D7F10-1941-4347-B380-292C92ADCDD4}.exe	97
PID 2480 wrote to memory of 3636	2480	{692D7F10-1941-4347-B380-292C92ADCDD4}.exe	97
PID 2480 wrote to memory of 3636	2480	{692D7F10-1941-4347-B380-292C92ADCDD4}.exe	97
PID 1036 wrote to memory of 4736	1036	{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe	99
PID 1036 wrote to memory of 4736	1036	{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe	99
PID 1036 wrote to memory of 4736	1036	{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe	99
PID 1036 wrote to memory of 3616	1036	{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe	100
PID 1036 wrote to memory of 3616	1036	{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe	100
PID 1036 wrote to memory of 3616	1036	{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe	100
PID 4736 wrote to memory of 708	4736	{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe	101
PID 4736 wrote to memory of 708	4736	{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe	101
PID 4736 wrote to memory of 708	4736	{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe	101
PID 4736 wrote to memory of 656	4736	{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe	102
PID 4736 wrote to memory of 656	4736	{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe	102
PID 4736 wrote to memory of 656	4736	{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe	102
PID 708 wrote to memory of 4876	708	{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe	103
PID 708 wrote to memory of 4876	708	{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe	103
PID 708 wrote to memory of 4876	708	{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe	103
PID 708 wrote to memory of 4168	708	{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe	104
PID 708 wrote to memory of 4168	708	{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe	104
PID 708 wrote to memory of 4168	708	{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe	104
PID 4876 wrote to memory of 2404	4876	{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe	105
PID 4876 wrote to memory of 2404	4876	{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe	105
PID 4876 wrote to memory of 2404	4876	{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe	105
PID 4876 wrote to memory of 4832	4876	{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe	106
PID 4876 wrote to memory of 4832	4876	{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe	106
PID 4876 wrote to memory of 4832	4876	{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe	106
PID 2404 wrote to memory of 1204	2404	{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe	107
PID 2404 wrote to memory of 1204	2404	{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe	107
PID 2404 wrote to memory of 1204	2404	{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe	107
PID 2404 wrote to memory of 3388	2404	{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe	108
PID 2404 wrote to memory of 3388	2404	{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe	108
PID 2404 wrote to memory of 3388	2404	{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe	108
PID 1204 wrote to memory of 5084	1204	{72B34CBA-5C7D-470d-B482-F742872933B4}.exe	109
PID 1204 wrote to memory of 5084	1204	{72B34CBA-5C7D-470d-B482-F742872933B4}.exe	109
PID 1204 wrote to memory of 5084	1204	{72B34CBA-5C7D-470d-B482-F742872933B4}.exe	109
PID 1204 wrote to memory of 1308	1204	{72B34CBA-5C7D-470d-B482-F742872933B4}.exe	110
PID 1204 wrote to memory of 1308	1204	{72B34CBA-5C7D-470d-B482-F742872933B4}.exe	110
PID 1204 wrote to memory of 1308	1204	{72B34CBA-5C7D-470d-B482-F742872933B4}.exe	110
PID 5084 wrote to memory of 3976	5084	{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe	111
PID 5084 wrote to memory of 3976	5084	{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe	111
PID 5084 wrote to memory of 3976	5084	{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe	111
PID 5084 wrote to memory of 888	5084	{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe	112
PID 5084 wrote to memory of 888	5084	{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe	112
PID 5084 wrote to memory of 888	5084	{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe	112
PID 3976 wrote to memory of 820	3976	{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe	113
PID 3976 wrote to memory of 820	3976	{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe	113
PID 3976 wrote to memory of 820	3976	{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe	113
PID 3976 wrote to memory of 4000	3976	{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe	114
PID 3976 wrote to memory of 4000	3976	{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe	114
PID 3976 wrote to memory of 4000	3976	{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe	114
PID 820 wrote to memory of 4992	820	{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe	115
PID 820 wrote to memory of 4992	820	{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe	115
PID 820 wrote to memory of 4992	820	{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe	115
PID 820 wrote to memory of 4440	820	{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe	116

C:\Users\Admin\AppData\Local\Temp\2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_96495a758464e06885b3d36dfe87f2ca_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\{692D7F10-1941-4347-B380-292C92ADCDD4}.exe
  C:\Windows\{692D7F10-1941-4347-B380-292C92ADCDD4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe
    C:\Windows\{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe
      C:\Windows\{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe
        
        C:\Windows\{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:708
      - C:\Windows\{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe
        
        C:\Windows\{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe
        
        C:\Windows\{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\{72B34CBA-5C7D-470d-B482-F742872933B4}.exe
        
        C:\Windows\{72B34CBA-5C7D-470d-B482-F742872933B4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe
        
        C:\Windows\{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe
        
        C:\Windows\{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe
        
        C:\Windows\{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\{CCBD7041-7D59-4cff-A50A-07D4E207E264}.exe
        
        C:\Windows\{CCBD7041-7D59-4cff-A50A-07D4E207E264}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Windows\{7C9AA8A6-ACB5-4cfa-B941-980FB5647030}.exe
        
        C:\Windows\{7C9AA8A6-ACB5-4cfa-B941-980FB5647030}.exe
        13⤵
        Executes dropped EXE
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCBD7~1.EXE > nul
        13⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE6DB~1.EXE > nul
        12⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6281E~1.EXE > nul
        11⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9034~1.EXE > nul
        10⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72B34~1.EXE > nul
        9⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{084F5~1.EXE > nul
        8⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05489~1.EXE > nul
        7⤵
        
        PID:4832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4564~1.EXE > nul
        6⤵
        
        PID:4168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF7B0~1.EXE > nul
        5⤵
        
        PID:656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D2FD2~1.EXE > nul
      4⤵
      PID:3616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{692D7~1.EXE > nul
    3⤵
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05489C13-0177-4711-8C4C-47DE4F38EDC0}.exe

Filesize
180KB

MD5
d339e5a32d0f10d160532301bec201c0

SHA1
12a22d4ac4677058444b376234dd843e83a757b2

SHA256
213b5910f20311b67508b85a3a443d2e7bfcecc1d050db8feed151dc3ce671bb

SHA512
be5c5db58c9c03a9d9496c7814171954b93a973f76de1310e75674490ab3783b6055100b5534c6eb3d0ce063101c5256648f22fb11634238618c11d6774cddf5

Download Submit
C:\Windows\{084F5982-711F-4b5d-BF94-D986D611AA8B}.exe

Filesize
180KB

MD5
f403ed8b35b38c416ee5c3b76cf65147

SHA1
4778ac11187d2dc5d618a115a44dfc3d5f4bce09

SHA256
4d23a7bf48e3e85eb06dd7a52f9bdcd577c5b813e9425d238bdad90236f08bda

SHA512
77afe55f18657583f7aea3003b4c67f4af5ba242ff8c9acb1a33f0eff200f4d8201c8abc914c7ad07a7b9265d377f428450d907cb7eeab3d71c32bb53aa48477

Download Submit
C:\Windows\{6281E7D6-68F7-4aaa-AF89-3B0F14062C8F}.exe

Filesize
180KB

MD5
3a636e79c95f90ac9de343108250b686

SHA1
22e15926b8f2912cc2e9a40e5cf5cc42141e57cd

SHA256
a6a3d39ea376e01f46692319d3f04dcb921e15a19d37eb4bed90e3e7d9725e5b

SHA512
11776e9c1e7e24c2c3ebb74d7901e70100001e0edc1f806ba2e0f3142d3cb80cf8013d82516ce9869a66099f925f488046d9dc14bdc82430f2661d997486511b

Download Submit
C:\Windows\{692D7F10-1941-4347-B380-292C92ADCDD4}.exe

Filesize
180KB

MD5
605dc23dfb37590f3a0614668cc46be0

SHA1
85fd9591d1191c5c0e41ff71347bd63a4822e3c2

SHA256
5f29e27c558d3ee9f5f19eb1bacdfd89a4307027e8556cd5444575cce40bf2bf

SHA512
45baef1a69ee1ed605963a4da5c6ffdc2b92a19737d79f3ecfe3f59f64243a3dee5244d15e477e09caf8aec5412984980fdda769ad85e14aa498357cf6de36c4

Download Submit
C:\Windows\{72B34CBA-5C7D-470d-B482-F742872933B4}.exe

Filesize
180KB

MD5
d4bfce7d2f1c30e53f0995c5fa020aa6

SHA1
782ca57d74ceaa34e60ba56a64d882b53abb56aa

SHA256
4b89be3356b652bd532124b978f99898230587dedba5a145eafa05de66ea0e14

SHA512
34725b009fa02b2d60fe607f897b0fa998b19b22d9f429bc00d3ed558537576ec2cb2eed1e2c4206638f872d67f1e31208cab51873e3cbcee0afce4906ce8fdd

Download Submit
C:\Windows\{7C9AA8A6-ACB5-4cfa-B941-980FB5647030}.exe

Filesize
180KB

MD5
89d5448c541da779ad0a9235ec03f8f3

SHA1
cb081ac5aac1b4cfd54e2a82257a6f2bca640c0e

SHA256
b08cd905cfea14a4f2a55ceb62c4b2fedeb2f3598d3390d387f4479c2ec114d4

SHA512
974063bd8dafa3ea2519c46cdbafd9a9f2d21e131efb9119fed6eaeee7f4ad77805117b4d032fa74af02105fdbdccb92c35aa948699f987128856de1a50fad2f

Download Submit
C:\Windows\{AE6DB5FC-6132-42e3-B3B5-0DC57B13C064}.exe

Filesize
180KB

MD5
d9bb029f12f37b6cb8c46feeb6828de3

SHA1
a434eb420deeb187d04c9a6afd4b54d4634c70ca

SHA256
e133af10142fc65c4faf57019a4a6faced12a6c37da48d10aa9392f37ab8fef7

SHA512
e1014db9da28de63b492f63b6200c2dcf924a03ed94729997fc2ebb0e6eb3fa45761664766f89aa781c2f92be9ea63c2d9c4cc05ae9771812e206b88a1113cc4

Download Submit
C:\Windows\{C4564C2E-A2D7-4115-A981-1BCD4FF227D8}.exe

Filesize
180KB

MD5
21a80b1feacd212364f2575fe68dbe3a

SHA1
6e53c10bfdbf0b47bc10e1f4d0b742b6d9e45b12

SHA256
505098638d3875211f02c9dd7fc84765704ad936bcc1913b5cae85517a4bb84b

SHA512
ec85d2773459cac4ed308581e9ad15017791a131d9e9e83d35160233824a7fc2f110f6f293bc96337cd5ef4e24626ef03bfbddee61f8a916721435ad4645dd65

Download Submit
C:\Windows\{C9034BF6-B704-499d-94B2-BCE70DE0F572}.exe

Filesize
180KB

MD5
93c5363a30eec467d6fcdae12c855a74

SHA1
6066f5add520978c0e5944ad40296e190265468d

SHA256
0bb6009330807a07dd39097dfbc638c7090e05594cc7bcb343405ab1499eb446

SHA512
0bddf0f6caf20ea8369aec80b95bec4d483b5f74ef2d59c7d554c6903093c2cd85ee4008578650d4017909ebf11e76e493d1c2cea1cd89ae7a3b6804d3cd18b0

Download Submit
C:\Windows\{CCBD7041-7D59-4cff-A50A-07D4E207E264}.exe

Filesize
180KB

MD5
7a03292440cb3630afc0ffb15cdaeeae

SHA1
3123417c0900fcd666c6ef767aadc021c67c397b

SHA256
d5616526d3a02ad0ee72a9336bce81965c204d14b27be4a54d606954592a8290

SHA512
024576bf6ff858c3758949150abd2e935a3bde0c0265926a9cba20c0190ee66e686bab122a31a32d8e8e2d5f5e27951f1645a6159fbb3ae385b32cfb2884927d

Download Submit
C:\Windows\{D2FD226A-1220-471d-A189-CD38F464CA7D}.exe

Filesize
180KB

MD5
49032606c6b54749965eea91483f52fd

SHA1
b4fec6d14ae91afaa1ba712f9a2ba06b9e95b188

SHA256
f02087e0cad29715daf9238b3eda47eadb1595174185bdcdc33d8b249fbf6448

SHA512
af211b816a8536063e7df96bcb677bd58a5010d80f25908453abd07b1f04dfd31618b4f72335933b126e7d53b8cc4e3aa2ca168e318b46387947e6063fdb5850

Download Submit
C:\Windows\{FF7B0398-F80A-4af2-997C-4B16410D2FA4}.exe

Filesize
180KB

MD5
046864ce6c76a52e0f24171ab9f57346

SHA1
834cc0e90ddccdc85971703747ec16f25d1dbac9

SHA256
715b299ca1093ab204cfbb5e201be9706a61cf7e78ae490ed70772956bdd3dd1

SHA512
0da30393d0bda41a84257af5e9dab3505304ca5a729e59434b246b9656a725c651cee59ac8012e022aebc6b66c90cb4365bf3b7ee931612afe715b29038e8f85

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads