92734afab2f888dd693cd30f81b7b3f3af5067592db1cd15c95252c4268789f9

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe
Size

372KB
MD5

c2faf5decd10736f219db43bc974d356
SHA1

43fce6e20f62127ae99a0355a0a746c26f7df1ae
SHA256

92734afab2f888dd693cd30f81b7b3f3af5067592db1cd15c95252c4268789f9
SHA512

f8dc04797779024b25cc61e7271b29d9f6ce8588c4298197672b6c0820dc9333b5d765c1952ed72e7e73f55df1769bdb1dbd02e330e0201d8f6203b1d744125d
SSDEEP

3072:CEGh0ovlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGRlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000600000002313e-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002314b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002314e-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002314b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002314e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}\stubpath = "C:\\Windows\\{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe"	{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D709297-BD17-4915-8E63-3628F3AFA714}	{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}\stubpath = "C:\\Windows\\{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe"	{1D709297-BD17-4915-8E63-3628F3AFA714}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3E2BE3F-14DE-48b6-98B7-51F9DD2DBABA}\stubpath = "C:\\Windows\\{F3E2BE3F-14DE-48b6-98B7-51F9DD2DBABA}.exe"	{03F234A0-F689-44cc-9A9D-1627E514F589}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C478F0FF-2FFA-4f3c-BB25-896953E16C78}	{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D709297-BD17-4915-8E63-3628F3AFA714}\stubpath = "C:\\Windows\\{1D709297-BD17-4915-8E63-3628F3AFA714}.exe"	{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}	{1D709297-BD17-4915-8E63-3628F3AFA714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E728BB02-43B4-443a-9B33-09C8044913DC}	{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08D0AF56-897E-4329-8861-128433D6E3F6}	{BE8544F5-790E-451c-B453-88472D911D3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03F234A0-F689-44cc-9A9D-1627E514F589}	{08D0AF56-897E-4329-8861-128433D6E3F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}\stubpath = "C:\\Windows\\{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe"	{8B8DD395-AF59-427a-9E15-B73722594601}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C478F0FF-2FFA-4f3c-BB25-896953E16C78}\stubpath = "C:\\Windows\\{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe"	{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}	{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E728BB02-43B4-443a-9B33-09C8044913DC}\stubpath = "C:\\Windows\\{E728BB02-43B4-443a-9B33-09C8044913DC}.exe"	{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE8544F5-790E-451c-B453-88472D911D3E}	{E728BB02-43B4-443a-9B33-09C8044913DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03F234A0-F689-44cc-9A9D-1627E514F589}\stubpath = "C:\\Windows\\{03F234A0-F689-44cc-9A9D-1627E514F589}.exe"	{08D0AF56-897E-4329-8861-128433D6E3F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}	{8B8DD395-AF59-427a-9E15-B73722594601}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B8DD395-AF59-427a-9E15-B73722594601}\stubpath = "C:\\Windows\\{8B8DD395-AF59-427a-9E15-B73722594601}.exe"	2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE8544F5-790E-451c-B453-88472D911D3E}\stubpath = "C:\\Windows\\{BE8544F5-790E-451c-B453-88472D911D3E}.exe"	{E728BB02-43B4-443a-9B33-09C8044913DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08D0AF56-897E-4329-8861-128433D6E3F6}\stubpath = "C:\\Windows\\{08D0AF56-897E-4329-8861-128433D6E3F6}.exe"	{BE8544F5-790E-451c-B453-88472D911D3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3E2BE3F-14DE-48b6-98B7-51F9DD2DBABA}	{03F234A0-F689-44cc-9A9D-1627E514F589}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B8DD395-AF59-427a-9E15-B73722594601}	2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe

Executes dropped EXE 11 IoCs

pid	Process
1928	{8B8DD395-AF59-427a-9E15-B73722594601}.exe
2432	{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe
1100	{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe
5096	{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe
392	{1D709297-BD17-4915-8E63-3628F3AFA714}.exe
1564	{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe
4440	{E728BB02-43B4-443a-9B33-09C8044913DC}.exe
3848	{BE8544F5-790E-451c-B453-88472D911D3E}.exe
5008	{08D0AF56-897E-4329-8861-128433D6E3F6}.exe
1800	{03F234A0-F689-44cc-9A9D-1627E514F589}.exe
4396	{F3E2BE3F-14DE-48b6-98B7-51F9DD2DBABA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{F3E2BE3F-14DE-48b6-98B7-51F9DD2DBABA}.exe	{03F234A0-F689-44cc-9A9D-1627E514F589}.exe
File created	C:\Windows\{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe	{8B8DD395-AF59-427a-9E15-B73722594601}.exe
File created	C:\Windows\{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe	{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe
File created	C:\Windows\{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe	{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe
File created	C:\Windows\{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe	{1D709297-BD17-4915-8E63-3628F3AFA714}.exe
File created	C:\Windows\{BE8544F5-790E-451c-B453-88472D911D3E}.exe	{E728BB02-43B4-443a-9B33-09C8044913DC}.exe
File created	C:\Windows\{08D0AF56-897E-4329-8861-128433D6E3F6}.exe	{BE8544F5-790E-451c-B453-88472D911D3E}.exe
File created	C:\Windows\{8B8DD395-AF59-427a-9E15-B73722594601}.exe	2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe
File created	C:\Windows\{1D709297-BD17-4915-8E63-3628F3AFA714}.exe	{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe
File created	C:\Windows\{E728BB02-43B4-443a-9B33-09C8044913DC}.exe	{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe
File created	C:\Windows\{03F234A0-F689-44cc-9A9D-1627E514F589}.exe	{08D0AF56-897E-4329-8861-128433D6E3F6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1628	2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1928	{8B8DD395-AF59-427a-9E15-B73722594601}.exe
Token: SeIncBasePriorityPrivilege	2432	{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe
Token: SeIncBasePriorityPrivilege	1100	{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe
Token: SeIncBasePriorityPrivilege	5096	{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe
Token: SeIncBasePriorityPrivilege	392	{1D709297-BD17-4915-8E63-3628F3AFA714}.exe
Token: SeIncBasePriorityPrivilege	1564	{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe
Token: SeIncBasePriorityPrivilege	4440	{E728BB02-43B4-443a-9B33-09C8044913DC}.exe
Token: SeIncBasePriorityPrivilege	3848	{BE8544F5-790E-451c-B453-88472D911D3E}.exe
Token: SeIncBasePriorityPrivilege	5008	{08D0AF56-897E-4329-8861-128433D6E3F6}.exe
Token: SeIncBasePriorityPrivilege	1800	{03F234A0-F689-44cc-9A9D-1627E514F589}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1928	1628	2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe	89
PID 1628 wrote to memory of 1928	1628	2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe	89
PID 1628 wrote to memory of 1928	1628	2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe	89
PID 1628 wrote to memory of 2412	1628	2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe	90
PID 1628 wrote to memory of 2412	1628	2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe	90
PID 1628 wrote to memory of 2412	1628	2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe	90
PID 1928 wrote to memory of 2432	1928	{8B8DD395-AF59-427a-9E15-B73722594601}.exe	94
PID 1928 wrote to memory of 2432	1928	{8B8DD395-AF59-427a-9E15-B73722594601}.exe	94
PID 1928 wrote to memory of 2432	1928	{8B8DD395-AF59-427a-9E15-B73722594601}.exe	94
PID 1928 wrote to memory of 568	1928	{8B8DD395-AF59-427a-9E15-B73722594601}.exe	95
PID 1928 wrote to memory of 568	1928	{8B8DD395-AF59-427a-9E15-B73722594601}.exe	95
PID 1928 wrote to memory of 568	1928	{8B8DD395-AF59-427a-9E15-B73722594601}.exe	95
PID 2432 wrote to memory of 1100	2432	{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe	96
PID 2432 wrote to memory of 1100	2432	{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe	96
PID 2432 wrote to memory of 1100	2432	{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe	96
PID 2432 wrote to memory of 636	2432	{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe	97
PID 2432 wrote to memory of 636	2432	{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe	97
PID 2432 wrote to memory of 636	2432	{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe	97
PID 1100 wrote to memory of 5096	1100	{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe	98
PID 1100 wrote to memory of 5096	1100	{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe	98
PID 1100 wrote to memory of 5096	1100	{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe	98
PID 1100 wrote to memory of 4392	1100	{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe	99
PID 1100 wrote to memory of 4392	1100	{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe	99
PID 1100 wrote to memory of 4392	1100	{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe	99
PID 5096 wrote to memory of 392	5096	{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe	100
PID 5096 wrote to memory of 392	5096	{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe	100
PID 5096 wrote to memory of 392	5096	{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe	100
PID 5096 wrote to memory of 216	5096	{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe	101
PID 5096 wrote to memory of 216	5096	{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe	101
PID 5096 wrote to memory of 216	5096	{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe	101
PID 392 wrote to memory of 1564	392	{1D709297-BD17-4915-8E63-3628F3AFA714}.exe	102
PID 392 wrote to memory of 1564	392	{1D709297-BD17-4915-8E63-3628F3AFA714}.exe	102
PID 392 wrote to memory of 1564	392	{1D709297-BD17-4915-8E63-3628F3AFA714}.exe	102
PID 392 wrote to memory of 2940	392	{1D709297-BD17-4915-8E63-3628F3AFA714}.exe	103
PID 392 wrote to memory of 2940	392	{1D709297-BD17-4915-8E63-3628F3AFA714}.exe	103
PID 392 wrote to memory of 2940	392	{1D709297-BD17-4915-8E63-3628F3AFA714}.exe	103
PID 1564 wrote to memory of 4440	1564	{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe	104
PID 1564 wrote to memory of 4440	1564	{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe	104
PID 1564 wrote to memory of 4440	1564	{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe	104
PID 1564 wrote to memory of 700	1564	{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe	105
PID 1564 wrote to memory of 700	1564	{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe	105
PID 1564 wrote to memory of 700	1564	{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe	105
PID 4440 wrote to memory of 3848	4440	{E728BB02-43B4-443a-9B33-09C8044913DC}.exe	106
PID 4440 wrote to memory of 3848	4440	{E728BB02-43B4-443a-9B33-09C8044913DC}.exe	106
PID 4440 wrote to memory of 3848	4440	{E728BB02-43B4-443a-9B33-09C8044913DC}.exe	106
PID 4440 wrote to memory of 2548	4440	{E728BB02-43B4-443a-9B33-09C8044913DC}.exe	107
PID 4440 wrote to memory of 2548	4440	{E728BB02-43B4-443a-9B33-09C8044913DC}.exe	107
PID 4440 wrote to memory of 2548	4440	{E728BB02-43B4-443a-9B33-09C8044913DC}.exe	107
PID 3848 wrote to memory of 5008	3848	{BE8544F5-790E-451c-B453-88472D911D3E}.exe	108
PID 3848 wrote to memory of 5008	3848	{BE8544F5-790E-451c-B453-88472D911D3E}.exe	108
PID 3848 wrote to memory of 5008	3848	{BE8544F5-790E-451c-B453-88472D911D3E}.exe	108
PID 3848 wrote to memory of 952	3848	{BE8544F5-790E-451c-B453-88472D911D3E}.exe	109
PID 3848 wrote to memory of 952	3848	{BE8544F5-790E-451c-B453-88472D911D3E}.exe	109
PID 3848 wrote to memory of 952	3848	{BE8544F5-790E-451c-B453-88472D911D3E}.exe	109
PID 5008 wrote to memory of 1800	5008	{08D0AF56-897E-4329-8861-128433D6E3F6}.exe	110
PID 5008 wrote to memory of 1800	5008	{08D0AF56-897E-4329-8861-128433D6E3F6}.exe	110
PID 5008 wrote to memory of 1800	5008	{08D0AF56-897E-4329-8861-128433D6E3F6}.exe	110
PID 5008 wrote to memory of 5068	5008	{08D0AF56-897E-4329-8861-128433D6E3F6}.exe	111
PID 5008 wrote to memory of 5068	5008	{08D0AF56-897E-4329-8861-128433D6E3F6}.exe	111
PID 5008 wrote to memory of 5068	5008	{08D0AF56-897E-4329-8861-128433D6E3F6}.exe	111
PID 1800 wrote to memory of 4396	1800	{03F234A0-F689-44cc-9A9D-1627E514F589}.exe	112
PID 1800 wrote to memory of 4396	1800	{03F234A0-F689-44cc-9A9D-1627E514F589}.exe	112
PID 1800 wrote to memory of 4396	1800	{03F234A0-F689-44cc-9A9D-1627E514F589}.exe	112
PID 1800 wrote to memory of 180	1800	{03F234A0-F689-44cc-9A9D-1627E514F589}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-29_c2faf5decd10736f219db43bc974d356_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\{8B8DD395-AF59-427a-9E15-B73722594601}.exe
  C:\Windows\{8B8DD395-AF59-427a-9E15-B73722594601}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe
    C:\Windows\{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe
      C:\Windows\{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Windows\{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe
        
        C:\Windows\{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5096
      - C:\Windows\{1D709297-BD17-4915-8E63-3628F3AFA714}.exe
        
        C:\Windows\{1D709297-BD17-4915-8E63-3628F3AFA714}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe
        
        C:\Windows\{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{E728BB02-43B4-443a-9B33-09C8044913DC}.exe
        
        C:\Windows\{E728BB02-43B4-443a-9B33-09C8044913DC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\{BE8544F5-790E-451c-B453-88472D911D3E}.exe
        
        C:\Windows\{BE8544F5-790E-451c-B453-88472D911D3E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\{08D0AF56-897E-4329-8861-128433D6E3F6}.exe
        
        C:\Windows\{08D0AF56-897E-4329-8861-128433D6E3F6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\{03F234A0-F689-44cc-9A9D-1627E514F589}.exe
        
        C:\Windows\{03F234A0-F689-44cc-9A9D-1627E514F589}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{F3E2BE3F-14DE-48b6-98B7-51F9DD2DBABA}.exe
        
        C:\Windows\{F3E2BE3F-14DE-48b6-98B7-51F9DD2DBABA}.exe
        12⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03F23~1.EXE > nul
        12⤵
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08D0A~1.EXE > nul
        11⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE854~1.EXE > nul
        10⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E728B~1.EXE > nul
        9⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E2E3~1.EXE > nul
        8⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D709~1.EXE > nul
        7⤵
        
        PID:2940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA239~1.EXE > nul
        6⤵
        
        PID:216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C478F~1.EXE > nul
        5⤵
        
        PID:4392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{07D5C~1.EXE > nul
      4⤵
      PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8B8DD~1.EXE > nul
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03F234A0-F689-44cc-9A9D-1627E514F589}.exe

Filesize
372KB

MD5
420337980d768cc4a00fb3f45b861565

SHA1
9cf083dddd0dde6e13a481b9728df8321fe00126

SHA256
86f94bcce09f9b2358948feffbafe32cbabb5aa22f3675821b5f8a65c55318c6

SHA512
f20a8c705c7bb992eb098c15d60b8f026669a56f0b4d12f2cb281f2a7000573f8f4a4027b61430842a040db8cf04ada43c97c88ded2ebbff500e3ba75a57c180

Download Submit
C:\Windows\{07D5C5E2-6778-4f67-8BB5-C8C7ACC01420}.exe

Filesize
372KB

MD5
3a8182385dff3eaf4979c54349de1fac

SHA1
85e673d0472896d64daccf470eed90b46b20a2bf

SHA256
a44bd07cb94ba31153929f93d4871c45e423c7b22c552df7635fef919d184565

SHA512
d99714f098d8ed0deb12bf72b18763f762cce86e35c3685d698349e60e0c5ae3316d2b209fbbf3c268556bd919f8795cc2326cf751f65d56ab6e104fe30233f5

Download Submit
C:\Windows\{08D0AF56-897E-4329-8861-128433D6E3F6}.exe

Filesize
372KB

MD5
7dbf02c71b902ea73ba80c80212b9bc2

SHA1
682f62a5b3c67cc11577eaef293789ed941de0e5

SHA256
7cef4a9050282322f1928cfbbc3862178fd83295334759f96919f1eb05f191a6

SHA512
b37476a7a3137b000ead983f873af0e93d59e8a201d406b83f6461ca77a15779631efb4c9efa7b89023a14eb996f6e2625999f8449bda239251cf792582dad58

Download Submit
C:\Windows\{1D709297-BD17-4915-8E63-3628F3AFA714}.exe

Filesize
372KB

MD5
11778fb70a7f8f6276ad2ba8a5bca9c9

SHA1
2e39363ef3bfb64422b886e113976500c4670f3d

SHA256
c6bda9b06ef34691b8d3b671e77edb55bae2bd2e54d3711647eacca9e28332dc

SHA512
9667946500858c9d8ef7a3357837cd33e1d50fbac8072cf4133d4e6a7b46f72a53d67b2781c02168c684efbae8fc847c74aff0cddf2aea7d0be79410b74c83d6

Download Submit
C:\Windows\{4E2E3CE5-FFE8-4b24-9D62-94FF37CEE62A}.exe

Filesize
372KB

MD5
8ca792d1b4a00f68d93fce1e03bed156

SHA1
3631e8838802b51c329fe537a8c0f7e998d2a5b0

SHA256
2b2a0fcee2c897854d0c53d7a97c0421fc00f430aea8537e300f45831086b11d

SHA512
8bc59608ce2f8fde12d6dab1267a2803b7142a1f23ee606a759c012d8f17c7d66b484f0970bb78fed573f50372576fd64d7622386268490fbceb742d481914f7

Download Submit
C:\Windows\{8B8DD395-AF59-427a-9E15-B73722594601}.exe

Filesize
372KB

MD5
7483f9366c5693bbaa14ffa9599535a9

SHA1
ac832fdb240c9be823fdb32207cdec01a436cb6f

SHA256
451d8554aa8fd097fb367c938467d184a7b7253519e24856e2469587f8486127

SHA512
cdef7d1590cc318ec844f0a202812381deaf5dd2ef781239accad3f6a34cf002c72c359ee1392e6fcefa72d095d40acfd876b2db9c0a3bdf4ff0357d8745a211

Download Submit
C:\Windows\{BE8544F5-790E-451c-B453-88472D911D3E}.exe

Filesize
372KB

MD5
822afdf6a06234334700e5cc4b96a3e7

SHA1
d33a1744cb88f51e54b8aa8a00dc2b9b8a1b9eb0

SHA256
0777662f9b0df25592165ecd24494719903cb28069aaa02df6c9c07e0fb253e0

SHA512
55e66a1f370dfe7d48f57f801f949c39e13573735825ee3e67873cb77875b4c7c413ab383ac920f201b407e654869904da60e306fd78a8c25faa3134655fa068

Download Submit
C:\Windows\{C478F0FF-2FFA-4f3c-BB25-896953E16C78}.exe

Filesize
372KB

MD5
17cee2da5eda5965b185537940810a00

SHA1
abfb1bd1447621d051430c77098700f49b3a29bb

SHA256
6272f84c356d7363877d4d9d6d85bbcd2961873aa0635c1be4222a3796b74168

SHA512
35cbbaa3edcb08001ed2cfbfece5625b19a308f9d49f3253563657ea0d3929be1455c0964671937a4db6abb8dd15b706ca99a2a66e233d88d9a87b96c7140f82

Download Submit
C:\Windows\{E728BB02-43B4-443a-9B33-09C8044913DC}.exe

Filesize
372KB

MD5
e0a548a0feb97760a470b3fad30bc2dc

SHA1
837c45ae024d5ed93f585d145025c65314993761

SHA256
4cad4bf0ccd52fdd9e00a3c6fbfd020c5ba09056f5fcb27faac91780b7abe5d6

SHA512
af79b530fc42165ea1061b5c710eac86a847e806d2ac94dc424c7d304d045d9b7c48631f62391f01691f46371bc665836d092a14f1e562b70cde750a6f7ace43

Download Submit
C:\Windows\{EA23913C-02A0-4112-8C0E-1EEDA94A85F6}.exe

Filesize
372KB

MD5
093a0f82b21c545088018f315395061b

SHA1
2d799739280c711a7612fd05f92f8cec14d02bc1

SHA256
eddb73ec7fe51663c1fc0794edac69a112f6e3b80677ee215cefaa307fecd415

SHA512
cee0ac5a43e234befef4a93333cd42018e65cad9f47ee408a12f98eeecff3440a02736759127a4fe66fad5779ac279e5f6a671b01d4824453beda8563abb6984

Download Submit
C:\Windows\{F3E2BE3F-14DE-48b6-98B7-51F9DD2DBABA}.exe

Filesize
372KB

MD5
e83371b48d26bd166dfc15602fa3e526

SHA1
9150701eeb947ea0efbdc6b7b0b153fe3af5f792

SHA256
6725b411741bb6ada4171652515860802cb313a1b520d731fd684fc86672a6d9

SHA512
f83ee8d2be49b179566f060e31a6a870f95127e916253400192dd301f82e3db363b919ff3834259fd811a9bc7a4971f090a7dc2cb428f879ce5108004b1417ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads