d822d4fb710e0200400d1da87c06f450573f36cf5b81afd28fd9e327e58c39c5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 17:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe
Size

408KB
MD5

dfec5c61fec25e91dde9819d0af1839f
SHA1

643ec0651aa1f5c8588f83bff744653c5fbffc1c
SHA256

d822d4fb710e0200400d1da87c06f450573f36cf5b81afd28fd9e327e58c39c5
SHA512

44afd58e3324e78167bb67091e13abfc48a71d3d5569e5898e4bb8401a38f47fc62566a2c26a7cc45077bcb80ee23260eac23a951ab38813d03a88a5fc0e5d7a
SSDEEP

3072:CEGh0o2l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGUldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000600000002321f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023224-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023224-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000215d0-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000071d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAAB609A-A318-49ea-9635-4953F4AE1939}	{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72D85090-4E5E-4979-858C-BEBCFC6C3202}\stubpath = "C:\\Windows\\{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe"	{12245B70-0612-4261-91B8-24081457370F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0130734-BFBE-4f4b-BEE2-E077733A0B35}	{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{734591FC-67F9-41c2-8843-21B88CF34215}	{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0130734-BFBE-4f4b-BEE2-E077733A0B35}\stubpath = "C:\\Windows\\{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe"	{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{734591FC-67F9-41c2-8843-21B88CF34215}\stubpath = "C:\\Windows\\{734591FC-67F9-41c2-8843-21B88CF34215}.exe"	{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}\stubpath = "C:\\Windows\\{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe"	2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CA26B2C-21C7-42b6-B778-473A7E830889}	{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CA26B2C-21C7-42b6-B778-473A7E830889}\stubpath = "C:\\Windows\\{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe"	{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAAB609A-A318-49ea-9635-4953F4AE1939}\stubpath = "C:\\Windows\\{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe"	{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB36061C-A61A-48de-9153-89A5F51F7336}	{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}	{FB36061C-A61A-48de-9153-89A5F51F7336}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{261EFE1A-E208-4c89-858B-B375330FEC58}\stubpath = "C:\\Windows\\{261EFE1A-E208-4c89-858B-B375330FEC58}.exe"	{734591FC-67F9-41c2-8843-21B88CF34215}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72D85090-4E5E-4979-858C-BEBCFC6C3202}	{12245B70-0612-4261-91B8-24081457370F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBA3F782-0D42-4d35-8BA9-C5268737499B}\stubpath = "C:\\Windows\\{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe"	{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{261EFE1A-E208-4c89-858B-B375330FEC58}	{734591FC-67F9-41c2-8843-21B88CF34215}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E632E92-4F58-4f2b-B1EA-1B1F8CAD25F0}	{261EFE1A-E208-4c89-858B-B375330FEC58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E632E92-4F58-4f2b-B1EA-1B1F8CAD25F0}\stubpath = "C:\\Windows\\{5E632E92-4F58-4f2b-B1EA-1B1F8CAD25F0}.exe"	{261EFE1A-E208-4c89-858B-B375330FEC58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}	2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB36061C-A61A-48de-9153-89A5F51F7336}\stubpath = "C:\\Windows\\{FB36061C-A61A-48de-9153-89A5F51F7336}.exe"	{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}\stubpath = "C:\\Windows\\{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe"	{FB36061C-A61A-48de-9153-89A5F51F7336}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12245B70-0612-4261-91B8-24081457370F}	{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{12245B70-0612-4261-91B8-24081457370F}\stubpath = "C:\\Windows\\{12245B70-0612-4261-91B8-24081457370F}.exe"	{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBA3F782-0D42-4d35-8BA9-C5268737499B}	{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe

Executes dropped EXE 12 IoCs

pid	Process
4948	{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe
3780	{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe
2504	{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe
3208	{FB36061C-A61A-48de-9153-89A5F51F7336}.exe
2200	{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe
2660	{12245B70-0612-4261-91B8-24081457370F}.exe
3540	{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe
656	{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe
496	{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe
4536	{734591FC-67F9-41c2-8843-21B88CF34215}.exe
4908	{261EFE1A-E208-4c89-858B-B375330FEC58}.exe
4340	{5E632E92-4F58-4f2b-B1EA-1B1F8CAD25F0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{12245B70-0612-4261-91B8-24081457370F}.exe	{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe
File created	C:\Windows\{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe	{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe
File created	C:\Windows\{261EFE1A-E208-4c89-858B-B375330FEC58}.exe	{734591FC-67F9-41c2-8843-21B88CF34215}.exe
File created	C:\Windows\{5E632E92-4F58-4f2b-B1EA-1B1F8CAD25F0}.exe	{261EFE1A-E208-4c89-858B-B375330FEC58}.exe
File created	C:\Windows\{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe	{FB36061C-A61A-48de-9153-89A5F51F7336}.exe
File created	C:\Windows\{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe	{12245B70-0612-4261-91B8-24081457370F}.exe
File created	C:\Windows\{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe	{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe
File created	C:\Windows\{734591FC-67F9-41c2-8843-21B88CF34215}.exe	{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe
File created	C:\Windows\{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe	2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe
File created	C:\Windows\{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe	{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe
File created	C:\Windows\{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe	{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe
File created	C:\Windows\{FB36061C-A61A-48de-9153-89A5F51F7336}.exe	{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4888	2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4948	{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe
Token: SeIncBasePriorityPrivilege	3780	{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe
Token: SeIncBasePriorityPrivilege	2504	{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe
Token: SeIncBasePriorityPrivilege	3208	{FB36061C-A61A-48de-9153-89A5F51F7336}.exe
Token: SeIncBasePriorityPrivilege	2200	{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe
Token: SeIncBasePriorityPrivilege	2660	{12245B70-0612-4261-91B8-24081457370F}.exe
Token: SeIncBasePriorityPrivilege	3540	{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe
Token: SeIncBasePriorityPrivilege	656	{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe
Token: SeIncBasePriorityPrivilege	496	{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe
Token: SeIncBasePriorityPrivilege	4536	{734591FC-67F9-41c2-8843-21B88CF34215}.exe
Token: SeIncBasePriorityPrivilege	4908	{261EFE1A-E208-4c89-858B-B375330FEC58}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 4948	4888	2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe	91
PID 4888 wrote to memory of 4948	4888	2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe	91
PID 4888 wrote to memory of 4948	4888	2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe	91
PID 4888 wrote to memory of 2860	4888	2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe	92
PID 4888 wrote to memory of 2860	4888	2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe	92
PID 4888 wrote to memory of 2860	4888	2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe	92
PID 4948 wrote to memory of 3780	4948	{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe	93
PID 4948 wrote to memory of 3780	4948	{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe	93
PID 4948 wrote to memory of 3780	4948	{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe	93
PID 4948 wrote to memory of 4640	4948	{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe	94
PID 4948 wrote to memory of 4640	4948	{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe	94
PID 4948 wrote to memory of 4640	4948	{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe	94
PID 3780 wrote to memory of 2504	3780	{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe	96
PID 3780 wrote to memory of 2504	3780	{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe	96
PID 3780 wrote to memory of 2504	3780	{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe	96
PID 3780 wrote to memory of 3632	3780	{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe	97
PID 3780 wrote to memory of 3632	3780	{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe	97
PID 3780 wrote to memory of 3632	3780	{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe	97
PID 2504 wrote to memory of 3208	2504	{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe	98
PID 2504 wrote to memory of 3208	2504	{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe	98
PID 2504 wrote to memory of 3208	2504	{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe	98
PID 2504 wrote to memory of 1472	2504	{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe	99
PID 2504 wrote to memory of 1472	2504	{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe	99
PID 2504 wrote to memory of 1472	2504	{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe	99
PID 3208 wrote to memory of 2200	3208	{FB36061C-A61A-48de-9153-89A5F51F7336}.exe	100
PID 3208 wrote to memory of 2200	3208	{FB36061C-A61A-48de-9153-89A5F51F7336}.exe	100
PID 3208 wrote to memory of 2200	3208	{FB36061C-A61A-48de-9153-89A5F51F7336}.exe	100
PID 3208 wrote to memory of 1740	3208	{FB36061C-A61A-48de-9153-89A5F51F7336}.exe	101
PID 3208 wrote to memory of 1740	3208	{FB36061C-A61A-48de-9153-89A5F51F7336}.exe	101
PID 3208 wrote to memory of 1740	3208	{FB36061C-A61A-48de-9153-89A5F51F7336}.exe	101
PID 2200 wrote to memory of 2660	2200	{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe	102
PID 2200 wrote to memory of 2660	2200	{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe	102
PID 2200 wrote to memory of 2660	2200	{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe	102
PID 2200 wrote to memory of 2188	2200	{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe	103
PID 2200 wrote to memory of 2188	2200	{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe	103
PID 2200 wrote to memory of 2188	2200	{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe	103
PID 2660 wrote to memory of 3540	2660	{12245B70-0612-4261-91B8-24081457370F}.exe	104
PID 2660 wrote to memory of 3540	2660	{12245B70-0612-4261-91B8-24081457370F}.exe	104
PID 2660 wrote to memory of 3540	2660	{12245B70-0612-4261-91B8-24081457370F}.exe	104
PID 2660 wrote to memory of 2036	2660	{12245B70-0612-4261-91B8-24081457370F}.exe	105
PID 2660 wrote to memory of 2036	2660	{12245B70-0612-4261-91B8-24081457370F}.exe	105
PID 2660 wrote to memory of 2036	2660	{12245B70-0612-4261-91B8-24081457370F}.exe	105
PID 3540 wrote to memory of 656	3540	{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe	106
PID 3540 wrote to memory of 656	3540	{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe	106
PID 3540 wrote to memory of 656	3540	{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe	106
PID 3540 wrote to memory of 2668	3540	{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe	107
PID 3540 wrote to memory of 2668	3540	{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe	107
PID 3540 wrote to memory of 2668	3540	{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe	107
PID 656 wrote to memory of 496	656	{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe	108
PID 656 wrote to memory of 496	656	{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe	108
PID 656 wrote to memory of 496	656	{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe	108
PID 656 wrote to memory of 2000	656	{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe	109
PID 656 wrote to memory of 2000	656	{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe	109
PID 656 wrote to memory of 2000	656	{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe	109
PID 496 wrote to memory of 4536	496	{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe	110
PID 496 wrote to memory of 4536	496	{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe	110
PID 496 wrote to memory of 4536	496	{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe	110
PID 496 wrote to memory of 4384	496	{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe	111
PID 496 wrote to memory of 4384	496	{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe	111
PID 496 wrote to memory of 4384	496	{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe	111
PID 4536 wrote to memory of 4908	4536	{734591FC-67F9-41c2-8843-21B88CF34215}.exe	112
PID 4536 wrote to memory of 4908	4536	{734591FC-67F9-41c2-8843-21B88CF34215}.exe	112
PID 4536 wrote to memory of 4908	4536	{734591FC-67F9-41c2-8843-21B88CF34215}.exe	112
PID 4536 wrote to memory of 1692	4536	{734591FC-67F9-41c2-8843-21B88CF34215}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_dfec5c61fec25e91dde9819d0af1839f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe
  C:\Windows\{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe
    C:\Windows\{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Windows\{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe
      C:\Windows\{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\{FB36061C-A61A-48de-9153-89A5F51F7336}.exe
        
        C:\Windows\{FB36061C-A61A-48de-9153-89A5F51F7336}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3208
      - C:\Windows\{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe
        
        C:\Windows\{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{12245B70-0612-4261-91B8-24081457370F}.exe
        
        C:\Windows\{12245B70-0612-4261-91B8-24081457370F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe
        
        C:\Windows\{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe
        
        C:\Windows\{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe
        
        C:\Windows\{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\{734591FC-67F9-41c2-8843-21B88CF34215}.exe
        
        C:\Windows\{734591FC-67F9-41c2-8843-21B88CF34215}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\{261EFE1A-E208-4c89-858B-B375330FEC58}.exe
        
        C:\Windows\{261EFE1A-E208-4c89-858B-B375330FEC58}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
        
        C:\Windows\{5E632E92-4F58-4f2b-B1EA-1B1F8CAD25F0}.exe
        
        C:\Windows\{5E632E92-4F58-4f2b-B1EA-1B1F8CAD25F0}.exe
        13⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{261EF~1.EXE > nul
        13⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73459~1.EXE > nul
        12⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BBA3F~1.EXE > nul
        11⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0130~1.EXE > nul
        10⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72D85~1.EXE > nul
        9⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12245~1.EXE > nul
        8⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9B92~1.EXE > nul
        7⤵
        
        PID:2188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB360~1.EXE > nul
        6⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAAB6~1.EXE > nul
        5⤵
        
        PID:1472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2CA26~1.EXE > nul
      4⤵
      PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A1254~1.EXE > nul
    3⤵
    PID:4640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{12245B70-0612-4261-91B8-24081457370F}.exe

Filesize
408KB

MD5
2c38a7c0305cf7d2ecceb003c5c01f85

SHA1
dcf76259c4e339b1560152f00ccfc7afd24a1899

SHA256
173ef159ffb9badddb6c37fe174c1cc318b8ff996f399162bffc429af0944c53

SHA512
5ede354fa4174ad6ac9562a363b3aa8f56fb2627f0d50bc75cd5c3e7ab9ec559ce73a0489de38d01e267b8b277b38b80ebd570b2189a9d510992dc26dd11f0ea

Download Submit
C:\Windows\{261EFE1A-E208-4c89-858B-B375330FEC58}.exe

Filesize
408KB

MD5
f15e2fec66ee5998836c4be9aa67abb1

SHA1
aed22aca4534d4d268b6864ef4ad9ccc38f88a19

SHA256
dbd33dce4df5c18e3281bd32a48d3ac36d8e686bd5aa7af550072e074a9b7eeb

SHA512
74ccb61756c1ddf74e8b3d140b4ae5ddd7706b9c4f3e8e481422980802a078aeffc2a6ca1fb492ad39f1902756f32f4f42dbc50454592f168e4240330ce91720

Download Submit
C:\Windows\{2CA26B2C-21C7-42b6-B778-473A7E830889}.exe

Filesize
408KB

MD5
66c20ba08b2fd1af384ff4424ce5a25e

SHA1
17769696e91fae23b901048df603774f6502c0b7

SHA256
4282e916f9a02359979cf670b9579756af7c2d0051f568cce775d991d4d350a7

SHA512
fe53dc620e01326bd10301e29b1ee482a4a2d74a4910b113bfaac1740d01011d65b0aa624c4c5030aafa1fff5e7cd46ac87c65445d4635544984e34f90db2462

Download Submit
C:\Windows\{5E632E92-4F58-4f2b-B1EA-1B1F8CAD25F0}.exe

Filesize
408KB

MD5
32cee8ca6416e0e613fa64db0b197fd8

SHA1
475b8777ffc38b72a6222612b36a5d6873bdeaa8

SHA256
ad10199fd6c2d9f6dd75d28b258bbd3e2bd0d43c4745d7bc16db33d0ff3de9de

SHA512
75abcc716889a6db1cf030c83d25a4f71b1683df038fa22eccdb614903422090b0258dc909d822ba5041d7f8b7cfbc1dbfb21a3bb04e2e79048845e8e631d85f

Download Submit
C:\Windows\{72D85090-4E5E-4979-858C-BEBCFC6C3202}.exe

Filesize
408KB

MD5
93dabec8eef18996af3e2d6398c75520

SHA1
022e8405ff307e69992fee2fc4ac5679bace5f68

SHA256
4721c796f2e2363aff0056c29ecb6c0f780964f9c99dc8ec00eaf363fad2c3fa

SHA512
ae0497e5687ca43a91c1748c4b1e4b208bc749e5b4069ef216d76db0073ad0f59ad33b437ba97ab531cb9d24a3e00077a8e5fd82dd33432b8fc0eaaa9cd3ca92

Download Submit
C:\Windows\{734591FC-67F9-41c2-8843-21B88CF34215}.exe

Filesize
408KB

MD5
07a6b5c7117255b1270b4f84caf85436

SHA1
cb98e766b0b493b808899cc3c7ff6c0d9cfb48d3

SHA256
8ea7237b10ed0c04ba63e8a06965cc8214e5eccc12fa2f05bf2fa04cd0025086

SHA512
fdc58376855c0deb0a2c06b25bc668c7eea56af90deffbf0bbb4f4b665c2fc351bb0e2f4aff73afb66118d8e755c2c6de2a7707fdd9a4f92159fd4e68becb222

Download Submit
C:\Windows\{A1254710-8F45-41f9-A0FE-CA7E0553B6D1}.exe

Filesize
408KB

MD5
af4df800d240248485986caf8bb71eb3

SHA1
7a6348e3385dd1f3e29e7ae747d2348cab9a3e8c

SHA256
e666c3e9c1e7f10bb18e71fc99def70dd264324cf32393646d4f72738fc2ca38

SHA512
0ab854e8594325e7016c3ce61157e5cc526cfb678d50134295e1791a0e4d369bb209783738102679d23eb5a6420efa7e046f368a1e20d4fe64c188bf83bf29f8

Download Submit
C:\Windows\{BBA3F782-0D42-4d35-8BA9-C5268737499B}.exe

Filesize
408KB

MD5
15b9107f3f55f677e44a6cfaa5e1a236

SHA1
cdc9fca7bfc08aabeefcc58a8e719ab72739c9ae

SHA256
692dc341d23aa74c509032366b883db68679ef0e8fcf2d231214b040505a79b6

SHA512
8f874b3e3a1afc78ed6d01325acaa9cce87969e9683dc70b8dfa16a11174ff48df558f504d15435abd2e1882ffaa7c51b4987d2cc9d716a48446a989e667c7f6

Download Submit
C:\Windows\{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe

Filesize
303KB

MD5
837535b21e986cd060ff8e2e273c359c

SHA1
018d5201c431de83a4696f48e3de248706b7b067

SHA256
42c035a64e9441bbbf9c8b5bedd35cd950c5b567a89da42074ac7992dfc78a3a

SHA512
b239c43f135f03b9cf668456ab9c0d392b9cf83b33ba3324dcfe624905d12392d7d49b85d949cfd41552fdf7420159004429330f684434fbe8eb8ff8cd4f4277

Download Submit
C:\Windows\{C9B926D3-DCBB-4ce7-A5BC-C613839F3949}.exe

Filesize
227KB

MD5
152273b8b8f79f4bf9f2fe3430eb35b9

SHA1
a7d20de3fc6c4589e48c60b176d1fcc3b25acd7b

SHA256
8af86499a72e3b7aba3df4923852e7a3d097637e5a60b4eea847346ec6b8e348

SHA512
c877515eed3d824db793bd867b0e002faf802eaaf27157857c2c5936a4bcae8d6e64665fd2addfeef5d391eac3d3a91dbe2c9baffdaa8519e3977b2da900fc78

Download Submit
C:\Windows\{DAAB609A-A318-49ea-9635-4953F4AE1939}.exe

Filesize
408KB

MD5
565c05cbb1cf085be145ef4beb8a866d

SHA1
ea08e3c3843690964f994027951ee6ba9d03a34d

SHA256
72f25654d14422502d177a0983a35bb92a20129579d1b4ed369da03fc84bd248

SHA512
fcee57c134b28174083be9dbaf03185c5328cf3749493e44277e91a0e48c0000b9f8adb1605a07041c3da4b88dbe1184757f9cea9ff885fc261a83d78476434d

Download Submit
C:\Windows\{F0130734-BFBE-4f4b-BEE2-E077733A0B35}.exe

Filesize
408KB

MD5
a516b8c2a4f5ec83e341d0c4ccb7d5fa

SHA1
fa5c5b513b9bcea692a3ba84a51e3459b4cf127c

SHA256
a4b7731e0d0c067cce9c2d993f2d0cee952a50ad1493ecc1ba4109d6a0998bcc

SHA512
4a74955411ea1199eea6dccc4f632dbd1dc60d6ca2a8dd0d46344b56a93cd6ca5721fcaa4cca919a0d565ece2c5d6da661840a2b8b5194379f6a5b359fcdef8b

Download Submit
C:\Windows\{FB36061C-A61A-48de-9153-89A5F51F7336}.exe

Filesize
408KB

MD5
c09fe3f06411b3baa56253afd958dedc

SHA1
f76fb8a534bb437f16275fc493a2d70a907f5116

SHA256
c4be3b3e773a2d353710d18cd36dfe0b4a327b74f01ea3f9018bd43289cd25e3

SHA512
c2ccfb6507ff51ed787b48010f82a31b51679e970ff86ebc09a058b77deae835f824c6cf6c0f91ad274c9f95775b0a82c74edc880063514e3ff9aaab2c4e9e95

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads