8bb540c7f884741f4bb944e6d4b9005668d1fd86df626d6ce7aadc6f8c383260

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 16:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe
Size

204KB
MD5

dbf392e8cd700c62799c0c47208fdea7
SHA1

c6257c884312d956d0bfdcae5698c0b5ee78858d
SHA256

8bb540c7f884741f4bb944e6d4b9005668d1fd86df626d6ce7aadc6f8c383260
SHA512

252bf2917b30354151879134c0777b006fd92f535aaae63db590ce6e457ffb2a8ae8746d8ad76e8623ad62ef567362279c7ed78363ed1c496a69ee5618458668
SSDEEP

1536:1EGh0odl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0odl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023141-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x008f00000001b58d-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002323f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x009000000001b58d-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000021569-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x009100000001b58d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000021569-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070f-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070f-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D56F9E4-A6A8-4e1e-BCAA-54A3DCB38CA8}\stubpath = "C:\\Windows\\{4D56F9E4-A6A8-4e1e-BCAA-54A3DCB38CA8}.exe"	{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}\stubpath = "C:\\Windows\\{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe"	2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}	{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}\stubpath = "C:\\Windows\\{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe"	{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}	{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{729F7281-2FAD-4b32-AF2C-306FCCD2158D}\stubpath = "C:\\Windows\\{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe"	{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5432285A-DBA5-46cd-8CB2-F90E4B74330B}\stubpath = "C:\\Windows\\{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe"	{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{053C721C-F5A5-4478-BB15-6FC8F13E0F04}	{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{816A3220-245E-49f8-9644-DDBB19C928D7}	{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}	{816A3220-245E-49f8-9644-DDBB19C928D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D56F9E4-A6A8-4e1e-BCAA-54A3DCB38CA8}	{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}	2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}	{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{729F7281-2FAD-4b32-AF2C-306FCCD2158D}	{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{816A3220-245E-49f8-9644-DDBB19C928D7}\stubpath = "C:\\Windows\\{816A3220-245E-49f8-9644-DDBB19C928D7}.exe"	{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}\stubpath = "C:\\Windows\\{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe"	{816A3220-245E-49f8-9644-DDBB19C928D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{053C721C-F5A5-4478-BB15-6FC8F13E0F04}\stubpath = "C:\\Windows\\{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe"	{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}\stubpath = "C:\\Windows\\{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe"	{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB2B3E7A-407D-4448-8767-74CDE65DD218}	{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB2B3E7A-407D-4448-8767-74CDE65DD218}\stubpath = "C:\\Windows\\{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe"	{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5432285A-DBA5-46cd-8CB2-F90E4B74330B}	{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}\stubpath = "C:\\Windows\\{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe"	{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe

Executes dropped EXE 11 IoCs

pid	Process
4540	{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe
3020	{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe
3932	{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe
948	{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe
2888	{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe
4324	{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe
3940	{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe
2784	{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe
456	{816A3220-245E-49f8-9644-DDBB19C928D7}.exe
1540	{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe
3968	{4D56F9E4-A6A8-4e1e-BCAA-54A3DCB38CA8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe	{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe
File created	C:\Windows\{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe	{816A3220-245E-49f8-9644-DDBB19C928D7}.exe
File created	C:\Windows\{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe	2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe
File created	C:\Windows\{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe	{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe
File created	C:\Windows\{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe	{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe
File created	C:\Windows\{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe	{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe
File created	C:\Windows\{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe	{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe
File created	C:\Windows\{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe	{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe
File created	C:\Windows\{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe	{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe
File created	C:\Windows\{816A3220-245E-49f8-9644-DDBB19C928D7}.exe	{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe
File created	C:\Windows\{4D56F9E4-A6A8-4e1e-BCAA-54A3DCB38CA8}.exe	{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2024	2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4540	{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe
Token: SeIncBasePriorityPrivilege	3020	{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe
Token: SeIncBasePriorityPrivilege	3932	{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe
Token: SeIncBasePriorityPrivilege	948	{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe
Token: SeIncBasePriorityPrivilege	2888	{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe
Token: SeIncBasePriorityPrivilege	4324	{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe
Token: SeIncBasePriorityPrivilege	3940	{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe
Token: SeIncBasePriorityPrivilege	2784	{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe
Token: SeIncBasePriorityPrivilege	456	{816A3220-245E-49f8-9644-DDBB19C928D7}.exe
Token: SeIncBasePriorityPrivilege	1540	{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 4540	2024	2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe	94
PID 2024 wrote to memory of 4540	2024	2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe	94
PID 2024 wrote to memory of 4540	2024	2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe	94
PID 2024 wrote to memory of 1148	2024	2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe	95
PID 2024 wrote to memory of 1148	2024	2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe	95
PID 2024 wrote to memory of 1148	2024	2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe	95
PID 4540 wrote to memory of 3020	4540	{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe	96
PID 4540 wrote to memory of 3020	4540	{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe	96
PID 4540 wrote to memory of 3020	4540	{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe	96
PID 4540 wrote to memory of 1188	4540	{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe	97
PID 4540 wrote to memory of 1188	4540	{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe	97
PID 4540 wrote to memory of 1188	4540	{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe	97
PID 3020 wrote to memory of 3932	3020	{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe	99
PID 3020 wrote to memory of 3932	3020	{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe	99
PID 3020 wrote to memory of 3932	3020	{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe	99
PID 3020 wrote to memory of 3780	3020	{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe	100
PID 3020 wrote to memory of 3780	3020	{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe	100
PID 3020 wrote to memory of 3780	3020	{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe	100
PID 3932 wrote to memory of 948	3932	{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe	101
PID 3932 wrote to memory of 948	3932	{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe	101
PID 3932 wrote to memory of 948	3932	{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe	101
PID 3932 wrote to memory of 4856	3932	{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe	102
PID 3932 wrote to memory of 4856	3932	{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe	102
PID 3932 wrote to memory of 4856	3932	{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe	102
PID 948 wrote to memory of 2888	948	{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe	103
PID 948 wrote to memory of 2888	948	{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe	103
PID 948 wrote to memory of 2888	948	{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe	103
PID 948 wrote to memory of 4424	948	{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe	104
PID 948 wrote to memory of 4424	948	{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe	104
PID 948 wrote to memory of 4424	948	{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe	104
PID 2888 wrote to memory of 4324	2888	{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe	105
PID 2888 wrote to memory of 4324	2888	{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe	105
PID 2888 wrote to memory of 4324	2888	{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe	105
PID 2888 wrote to memory of 4200	2888	{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe	106
PID 2888 wrote to memory of 4200	2888	{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe	106
PID 2888 wrote to memory of 4200	2888	{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe	106
PID 4324 wrote to memory of 3940	4324	{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe	107
PID 4324 wrote to memory of 3940	4324	{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe	107
PID 4324 wrote to memory of 3940	4324	{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe	107
PID 4324 wrote to memory of 3456	4324	{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe	108
PID 4324 wrote to memory of 3456	4324	{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe	108
PID 4324 wrote to memory of 3456	4324	{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe	108
PID 3940 wrote to memory of 2784	3940	{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe	109
PID 3940 wrote to memory of 2784	3940	{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe	109
PID 3940 wrote to memory of 2784	3940	{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe	109
PID 3940 wrote to memory of 3776	3940	{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe	110
PID 3940 wrote to memory of 3776	3940	{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe	110
PID 3940 wrote to memory of 3776	3940	{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe	110
PID 2784 wrote to memory of 456	2784	{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe	112
PID 2784 wrote to memory of 456	2784	{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe	112
PID 2784 wrote to memory of 456	2784	{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe	112
PID 2784 wrote to memory of 1596	2784	{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe	111
PID 2784 wrote to memory of 1596	2784	{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe	111
PID 2784 wrote to memory of 1596	2784	{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe	111
PID 456 wrote to memory of 1540	456	{816A3220-245E-49f8-9644-DDBB19C928D7}.exe	113
PID 456 wrote to memory of 1540	456	{816A3220-245E-49f8-9644-DDBB19C928D7}.exe	113
PID 456 wrote to memory of 1540	456	{816A3220-245E-49f8-9644-DDBB19C928D7}.exe	113
PID 456 wrote to memory of 3232	456	{816A3220-245E-49f8-9644-DDBB19C928D7}.exe	114
PID 456 wrote to memory of 3232	456	{816A3220-245E-49f8-9644-DDBB19C928D7}.exe	114
PID 456 wrote to memory of 3232	456	{816A3220-245E-49f8-9644-DDBB19C928D7}.exe	114
PID 1540 wrote to memory of 3968	1540	{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe	116
PID 1540 wrote to memory of 3968	1540	{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe	116
PID 1540 wrote to memory of 3968	1540	{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe	116
PID 1540 wrote to memory of 1148	1540	{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe	115

C:\Users\Admin\AppData\Local\Temp\2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_dbf392e8cd700c62799c0c47208fdea7_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe
  C:\Windows\{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe
    C:\Windows\{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe
      C:\Windows\{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Windows\{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe
        
        C:\Windows\{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
      - C:\Windows\{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe
        
        C:\Windows\{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe
        
        C:\Windows\{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe
        
        C:\Windows\{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe
        
        C:\Windows\{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{729F7~1.EXE > nul
        10⤵
        
        PID:1596
        
        C:\Windows\{816A3220-245E-49f8-9644-DDBB19C928D7}.exe
        
        C:\Windows\{816A3220-245E-49f8-9644-DDBB19C928D7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe
        
        C:\Windows\{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD10B~1.EXE > nul
        12⤵
        
        PID:1148
        
        C:\Windows\{4D56F9E4-A6A8-4e1e-BCAA-54A3DCB38CA8}.exe
        
        C:\Windows\{4D56F9E4-A6A8-4e1e-BCAA-54A3DCB38CA8}.exe
        12⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{816A3~1.EXE > nul
        11⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{053C7~1.EXE > nul
        9⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D6B1~1.EXE > nul
        8⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54322~1.EXE > nul
        7⤵
        
        PID:4200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB2B3~1.EXE > nul
        6⤵
        
        PID:4424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FC07~1.EXE > nul
        5⤵
        
        PID:4856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FC99A~1.EXE > nul
      4⤵
      PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5D1FE~1.EXE > nul
    3⤵
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{053C721C-F5A5-4478-BB15-6FC8F13E0F04}.exe

Filesize
204KB

MD5
d6eb29e615a14441774ee5f9ee4ef49f

SHA1
fbb65aaf24d53c78068ec636da700f3be2d03dc5

SHA256
c48e0f0d5baeaa54a0451431e0c2f96d4fcde6833155a585b0beacb2c175d164

SHA512
2c6edd88ca245483d1fbd4f8d99faac68fc903dfc28d8be1cb7c4fa04b82d421603fb5e9b2b7f4a055cd3cf90aca63180b6ee2cd8f92f0aa611976ca77ea9dfb

Download Submit
C:\Windows\{1FC07FA8-ABDC-495f-91DA-D2A4A4B20D57}.exe

Filesize
204KB

MD5
f18bf1399a2e5b6a1617a3d12dd697b7

SHA1
09dfc2e6fc494e80a071ee57bf48a0bb4ec397b2

SHA256
b9af469f53e7af9276f94083ebceda9045fc866ee694d793221de22bf2a5d87c

SHA512
b00b383eb5807364032653ca12407a2f83033390e43a48d64edad9c2633e74f54197a2af422b5c4b207b30449039b48d75559bb82115de80244df273133f48c9

Download Submit
C:\Windows\{4D56F9E4-A6A8-4e1e-BCAA-54A3DCB38CA8}.exe

Filesize
204KB

MD5
c3ca4358610ab9eda985f83adb74d8d8

SHA1
5d62a3afcf551f0769e6e2cbf82ad15da4fcb8cc

SHA256
7cbd6c3769c3a2c0c21de00c28539b30ddc174e8313ea6e1bf35213404ac48ae

SHA512
adac5d25af098d8fdb0e25fffbe5d6fc91d98f3b659e235344ec27d52f79e610f531029d38c05b5debe51a3581400c1473d9eb1762e96bbb33ba93eb8dfbdf7e

Download Submit
C:\Windows\{5432285A-DBA5-46cd-8CB2-F90E4B74330B}.exe

Filesize
204KB

MD5
33bf7ba73734235dee11e201a411e4cb

SHA1
33ee643de81d9a7566f52c1255b07a2651a37b7d

SHA256
58a1c4756e939d963c2a8b4ffd8c8c02ced9e238767f1d10c256e7c4e12a706f

SHA512
e8ea44cc8e2330cbb843b79e2a51a34b4e39b656973435193e2a1d3422dbc3251e4fb16c47a577105a08804ce10434ed5bcd608e766f0ceea2a123e04a271f8e

Download Submit
C:\Windows\{5D1FE47C-D0DB-4678-A8BC-A718DED3025E}.exe

Filesize
204KB

MD5
09847afdafa9f2eaea187c96bdd93dc1

SHA1
e1b44bd6e9bc94ece6304417d36cee8eee73427f

SHA256
4a6e018f0bde923dc5560bdf3a07d3ee88dc9faf0da21d014b5959211beccb14

SHA512
2427257a729d0b06d232d2735d58809dd06954ae9dbfe20e47551ed492752018481b561a3b36c99785c36ad01206abda834c25650d0ec87ff6c1d484291266c0

Download Submit
C:\Windows\{5D6B19AE-93D5-4611-8796-68AA51EC5C9B}.exe

Filesize
204KB

MD5
bb439bf268ce7b99dbb7a70caba82d0c

SHA1
7203292a3e7f30986b7b60f3c982f57a72fe8342

SHA256
a2caf9f1df515c4aad043281f1ee0658b4188fbe4c0f5fad8199b218cd647cb1

SHA512
632ad298af917ff308a0103af0e85aae12da31ddcb2c734a3cfca71ae74725b362d743907f96510370401faa22993e179dc29f1963c970e909bde458c9c31b56

Download Submit
C:\Windows\{729F7281-2FAD-4b32-AF2C-306FCCD2158D}.exe

Filesize
204KB

MD5
9283646a149d2f30478820f4c80ce25f

SHA1
d2f589cc39f89152d9fb0c9c791302cf46581ef2

SHA256
d04094d537cc4e03a5eee0fd7776c7a5b02a030a4a68067b584e717704c340f5

SHA512
9267d83eb0aaeee318240bfac5d4ec93ecec82078ffabf970fcd75ed1bcba006788b7157c8bf7a9953f103e6f4e57f04d109f31aa233df41e6ed582baf4c6282

Download Submit
C:\Windows\{816A3220-245E-49f8-9644-DDBB19C928D7}.exe

Filesize
204KB

MD5
6ea7b0c2f58be52682eef8b12bf6f01d

SHA1
3bfb3b5bc5df657c7161155f8ee3a474651a44f7

SHA256
63e3a59b4ef6284d1f2d4d2e3aacfc330420e1a1519ee01df8a64b5759132f6c

SHA512
5ca107c63ad50dda9cade369d55170266201e7805e5c94a28393c098217bae56be1e8a50a4c3a3b438a4f119c3302effd04d4a27eaced23b543703b03714deff

Download Submit
C:\Windows\{AD10B3CC-DBC8-4c3a-890E-1EB3A7DD4126}.exe

Filesize
204KB

MD5
534b9281a60a01cfaedf2d361ff41b6b

SHA1
3dd79eae5146b94d0b72c379fb32d3334d501c88

SHA256
fa33f6b374681792ee3fac913f96a357da42c145fd1418f0b089c0e6ff3773bf

SHA512
addd1773847ce9d60128305ab2aae4c3b058e4a92c9cfe07c58646f7f68617c2a9c8e6ead34fe915644b573c178a3dc3bdb2e4768df1541753cc912bc4b14a1d

Download Submit
C:\Windows\{EB2B3E7A-407D-4448-8767-74CDE65DD218}.exe

Filesize
204KB

MD5
64c42de459cf4c272f50a1b39a54b52d

SHA1
59165ec1202139dbf6560f2ab72b964df7f6236d

SHA256
cbe14ea4750f9ceecd648296a114acf2b1ab5848627ae288660b40bcf10380d0

SHA512
d68f4c802f1f4404c62addfd8b4df12ea9268c67920b4ea99fcaf3a1579b53f288d7cd0158bd1aee87abff68490d2b0f9748294dd07aaa6ed258ec1d7663cdc2

Download Submit
C:\Windows\{FC99A575-B5EA-4fde-8929-E2C7BEA96B4E}.exe

Filesize
204KB

MD5
bd0552b2423a0001c105a5c1b3b4119c

SHA1
218c7e5b1a8f868fc1ad55c41196ddc723f3f5d5

SHA256
bd0c7895b41bc5846b3625cdd03ffadd355d4873d5d7052c9c886d36cc95514d

SHA512
e8b8fb84bbddca3e9217b0dedbd26eae48f87deaf3864c58296fc9f6f7b3e00d0674ca07f368d419d130e772820e6d45cfa952147ca23047805c669e712a67ed

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads