8398cc780c9f9ec016645623b1191150b2a581702c68d972d756c1c0219c51c1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe
Size

408KB
MD5

c520f96830d571349746855ed638806e
SHA1

0ba7f003afcd0d940db493664e4663f9a4fb6769
SHA256

8398cc780c9f9ec016645623b1191150b2a581702c68d972d756c1c0219c51c1
SHA512

6ad019c859e84e0ee0a2fae68f5e1066315b7fd02d3b329f9cf48e6837664c1a18b80aef463a57ee54450c9a60d519498fa8206182d5b00ba4bc5639344920cc
SSDEEP

3072:CEGh0oSl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGMldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 14 IoCs

resource	yara_rule
behavioral2/files/0x00020000000228c7-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023237-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002323f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023237-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000717-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000717-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0822DE33-9A20-467e-8A32-4E84656D5DAC}\stubpath = "C:\\Windows\\{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe"	{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}	{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C76303BE-C736-4af9-A423-AAC48DC989A2}	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3855291-17EA-40ee-AF13-01F1041AEBC4}	{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2606435-EC71-4e36-AEFE-E092D014FC44}\stubpath = "C:\\Windows\\{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe"	{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{596A845E-55E7-4335-BBC4-7E1168EB2266}\stubpath = "C:\\Windows\\{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe"	{59FE4872-DE05-468a-91E6-7EA673E42398}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{596A845E-55E7-4335-BBC4-7E1168EB2266}	{59FE4872-DE05-468a-91E6-7EA673E42398}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{775C2E12-0187-46ef-9AF7-6DF43785B735}	{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{431F8368-DCD3-4055-BC06-740304E4E55F}\stubpath = "C:\\Windows\\{431F8368-DCD3-4055-BC06-740304E4E55F}.exe"	{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CC92F05-0BC8-4cfb-8451-221065648C7B}	{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CC92F05-0BC8-4cfb-8451-221065648C7B}\stubpath = "C:\\Windows\\{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe"	{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2606435-EC71-4e36-AEFE-E092D014FC44}	{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FE4872-DE05-468a-91E6-7EA673E42398}\stubpath = "C:\\Windows\\{59FE4872-DE05-468a-91E6-7EA673E42398}.exe"	{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33F468B8-CB0B-4d77-B0CF-674B219B055B}\stubpath = "C:\\Windows\\{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe"	{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{775C2E12-0187-46ef-9AF7-6DF43785B735}\stubpath = "C:\\Windows\\{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe"	{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA9012A9-D6DC-4ea0-81A7-B22A70A2AAF8}\stubpath = "C:\\Windows\\{EA9012A9-D6DC-4ea0-81A7-B22A70A2AAF8}.exe"	{431F8368-DCD3-4055-BC06-740304E4E55F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59FE4872-DE05-468a-91E6-7EA673E42398}	{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0822DE33-9A20-467e-8A32-4E84656D5DAC}	{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}\stubpath = "C:\\Windows\\{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe"	{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33F468B8-CB0B-4d77-B0CF-674B219B055B}	{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C76303BE-C736-4af9-A423-AAC48DC989A2}\stubpath = "C:\\Windows\\{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe"	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3855291-17EA-40ee-AF13-01F1041AEBC4}\stubpath = "C:\\Windows\\{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe"	{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{431F8368-DCD3-4055-BC06-740304E4E55F}	{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA9012A9-D6DC-4ea0-81A7-B22A70A2AAF8}	{431F8368-DCD3-4055-BC06-740304E4E55F}.exe

Executes dropped EXE 12 IoCs

pid	Process
2232	{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe
2912	{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe
4684	{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe
2856	{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe
3988	{59FE4872-DE05-468a-91E6-7EA673E42398}.exe
1924	{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe
5080	{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe
4980	{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe
2756	{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe
4532	{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe
2748	{431F8368-DCD3-4055-BC06-740304E4E55F}.exe
4692	{EA9012A9-D6DC-4ea0-81A7-B22A70A2AAF8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe	{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe
File created	C:\Windows\{59FE4872-DE05-468a-91E6-7EA673E42398}.exe	{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe
File created	C:\Windows\{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe	{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe
File created	C:\Windows\{431F8368-DCD3-4055-BC06-740304E4E55F}.exe	{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe
File created	C:\Windows\{EA9012A9-D6DC-4ea0-81A7-B22A70A2AAF8}.exe	{431F8368-DCD3-4055-BC06-740304E4E55F}.exe
File created	C:\Windows\{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe
File created	C:\Windows\{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe	{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe
File created	C:\Windows\{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe	{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe
File created	C:\Windows\{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe	{59FE4872-DE05-468a-91E6-7EA673E42398}.exe
File created	C:\Windows\{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe	{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe
File created	C:\Windows\{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe	{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe
File created	C:\Windows\{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe	{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1512	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2232	{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe
Token: SeIncBasePriorityPrivilege	2912	{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe
Token: SeIncBasePriorityPrivilege	4684	{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe
Token: SeIncBasePriorityPrivilege	2856	{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe
Token: SeIncBasePriorityPrivilege	3988	{59FE4872-DE05-468a-91E6-7EA673E42398}.exe
Token: SeIncBasePriorityPrivilege	1924	{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe
Token: SeIncBasePriorityPrivilege	5080	{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe
Token: SeIncBasePriorityPrivilege	4980	{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe
Token: SeIncBasePriorityPrivilege	2756	{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe
Token: SeIncBasePriorityPrivilege	4532	{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe
Token: SeIncBasePriorityPrivilege	2748	{431F8368-DCD3-4055-BC06-740304E4E55F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2232	1512	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	96
PID 1512 wrote to memory of 2232	1512	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	96
PID 1512 wrote to memory of 2232	1512	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	96
PID 1512 wrote to memory of 2148	1512	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	97
PID 1512 wrote to memory of 2148	1512	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	97
PID 1512 wrote to memory of 2148	1512	2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe	97
PID 2232 wrote to memory of 2912	2232	{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe	98
PID 2232 wrote to memory of 2912	2232	{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe	98
PID 2232 wrote to memory of 2912	2232	{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe	98
PID 2232 wrote to memory of 4884	2232	{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe	99
PID 2232 wrote to memory of 4884	2232	{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe	99
PID 2232 wrote to memory of 4884	2232	{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe	99
PID 2912 wrote to memory of 4684	2912	{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe	101
PID 2912 wrote to memory of 4684	2912	{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe	101
PID 2912 wrote to memory of 4684	2912	{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe	101
PID 2912 wrote to memory of 4876	2912	{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe	102
PID 2912 wrote to memory of 4876	2912	{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe	102
PID 2912 wrote to memory of 4876	2912	{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe	102
PID 4684 wrote to memory of 2856	4684	{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe	103
PID 4684 wrote to memory of 2856	4684	{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe	103
PID 4684 wrote to memory of 2856	4684	{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe	103
PID 4684 wrote to memory of 5000	4684	{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe	104
PID 4684 wrote to memory of 5000	4684	{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe	104
PID 4684 wrote to memory of 5000	4684	{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe	104
PID 2856 wrote to memory of 3988	2856	{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe	105
PID 2856 wrote to memory of 3988	2856	{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe	105
PID 2856 wrote to memory of 3988	2856	{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe	105
PID 2856 wrote to memory of 3308	2856	{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe	106
PID 2856 wrote to memory of 3308	2856	{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe	106
PID 2856 wrote to memory of 3308	2856	{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe	106
PID 3988 wrote to memory of 1924	3988	{59FE4872-DE05-468a-91E6-7EA673E42398}.exe	107
PID 3988 wrote to memory of 1924	3988	{59FE4872-DE05-468a-91E6-7EA673E42398}.exe	107
PID 3988 wrote to memory of 1924	3988	{59FE4872-DE05-468a-91E6-7EA673E42398}.exe	107
PID 3988 wrote to memory of 3708	3988	{59FE4872-DE05-468a-91E6-7EA673E42398}.exe	108
PID 3988 wrote to memory of 3708	3988	{59FE4872-DE05-468a-91E6-7EA673E42398}.exe	108
PID 3988 wrote to memory of 3708	3988	{59FE4872-DE05-468a-91E6-7EA673E42398}.exe	108
PID 1924 wrote to memory of 5080	1924	{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe	109
PID 1924 wrote to memory of 5080	1924	{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe	109
PID 1924 wrote to memory of 5080	1924	{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe	109
PID 1924 wrote to memory of 3588	1924	{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe	110
PID 1924 wrote to memory of 3588	1924	{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe	110
PID 1924 wrote to memory of 3588	1924	{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe	110
PID 5080 wrote to memory of 4980	5080	{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe	111
PID 5080 wrote to memory of 4980	5080	{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe	111
PID 5080 wrote to memory of 4980	5080	{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe	111
PID 5080 wrote to memory of 2448	5080	{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe	112
PID 5080 wrote to memory of 2448	5080	{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe	112
PID 5080 wrote to memory of 2448	5080	{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe	112
PID 4980 wrote to memory of 2756	4980	{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe	113
PID 4980 wrote to memory of 2756	4980	{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe	113
PID 4980 wrote to memory of 2756	4980	{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe	113
PID 4980 wrote to memory of 3548	4980	{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe	114
PID 4980 wrote to memory of 3548	4980	{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe	114
PID 4980 wrote to memory of 3548	4980	{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe	114
PID 2756 wrote to memory of 4532	2756	{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe	115
PID 2756 wrote to memory of 4532	2756	{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe	115
PID 2756 wrote to memory of 4532	2756	{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe	115
PID 2756 wrote to memory of 5104	2756	{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe	116
PID 2756 wrote to memory of 5104	2756	{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe	116
PID 2756 wrote to memory of 5104	2756	{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe	116
PID 4532 wrote to memory of 2748	4532	{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe	118
PID 4532 wrote to memory of 2748	4532	{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe	118
PID 4532 wrote to memory of 2748	4532	{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe	118
PID 4532 wrote to memory of 2728	4532	{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_c520f96830d571349746855ed638806e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe
  C:\Windows\{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe
    C:\Windows\{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe
      C:\Windows\{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4684
    - - C:\Windows\{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe
        
        C:\Windows\{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\{59FE4872-DE05-468a-91E6-7EA673E42398}.exe
        
        C:\Windows\{59FE4872-DE05-468a-91E6-7EA673E42398}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe
        
        C:\Windows\{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe
        
        C:\Windows\{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe
        
        C:\Windows\{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe
        
        C:\Windows\{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe
        
        C:\Windows\{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{775C2~1.EXE > nul
        12⤵
        
        PID:2728
        
        C:\Windows\{431F8368-DCD3-4055-BC06-740304E4E55F}.exe
        
        C:\Windows\{431F8368-DCD3-4055-BC06-740304E4E55F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\{EA9012A9-D6DC-4ea0-81A7-B22A70A2AAF8}.exe
        
        C:\Windows\{EA9012A9-D6DC-4ea0-81A7-B22A70A2AAF8}.exe
        13⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{431F8~1.EXE > nul
        13⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33F46~1.EXE > nul
        11⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB45A~1.EXE > nul
        10⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0822D~1.EXE > nul
        9⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{596A8~1.EXE > nul
        8⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59FE4~1.EXE > nul
        7⤵
        
        PID:3708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2606~1.EXE > nul
        6⤵
        
        PID:3308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3855~1.EXE > nul
        5⤵
        
        PID:5000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8CC92~1.EXE > nul
      4⤵
      PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7630~1.EXE > nul
    3⤵
    PID:4884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0822DE33-9A20-467e-8A32-4E84656D5DAC}.exe

Filesize
408KB

MD5
63996c09c292ad061034093fbd0b26c7

SHA1
07214a0a3988aed9b9dfbc6f000fcf12024df5ac

SHA256
752ab3e8db7bc2e20b1d8a4c8e49083f2b790ff36b5c137e0ea4f9d34b13e683

SHA512
f31268ae41f419f8066637830686079990aab07096a9eb7451ec461c2213182a3508923db1145eeae25b37186f63b345599efd3e5c90e51e38ff401ae92a85f6

Download Submit
C:\Windows\{33F468B8-CB0B-4d77-B0CF-674B219B055B}.exe

Filesize
408KB

MD5
d33dc3fef8626d70e678b7744637f760

SHA1
b0fcfaba8659eabbe9b70821c341c9d080cc933a

SHA256
0adc599488ee6d7191f86329c285388613fa522bfc46f4506dde81f4836df86f

SHA512
4ddc1fe8a52d99bb5cd402da216b1d3cdf2ee63fb1c7bc523f46a71867f95d3917b2d05d220687e66af2c6787e1acec02cd037cb3353d7983a93dc76f724f9aa

Download Submit
C:\Windows\{431F8368-DCD3-4055-BC06-740304E4E55F}.exe

Filesize
408KB

MD5
51ca5e9883b252dd121624b8921b8aa5

SHA1
3d0a972fb9438959c8e4b0ccaf565a668223031e

SHA256
edd508815c1020e567abf62733b83f2979eb08b6156ad330d1334c83e0c7a2ef

SHA512
57e26532efe244199660865deaf0ffdd86027f468f946b0931c240caab4fa11fb7cdfac833fc611fc2022af84ee87f596cd211d2ce0f9458df9640129298ef77

Download Submit
C:\Windows\{596A845E-55E7-4335-BBC4-7E1168EB2266}.exe

Filesize
408KB

MD5
c770424419cbc3de3e00f41eb63f4fb4

SHA1
c6f368b5cdc2a7a43d6bb7d1f77fe32add10aa30

SHA256
4b3f4c1e0353c8746ab250c55f29ddbf622c7a9018d8d4caa66f3197ad74c278

SHA512
ff6fa9cca1b9d2ca562912b1931d44514ba620cab1e56bd8fbaa0f359455f3f50db461d53391bc8744179605a096a86ff1fadf1f97cfc4f7ee593af71c022132

Download Submit
C:\Windows\{59FE4872-DE05-468a-91E6-7EA673E42398}.exe

Filesize
265KB

MD5
d6c3b271fa1667ec5d3a4979d2fbcf7a

SHA1
bc11d3e1d31c56bc58e64710e235bdc872247c00

SHA256
5914fff318831079020a53347bf77bd3ccfd3a2e4319b08ce9ad1c3da33887c6

SHA512
b4f9e86d91822705fbd5fe521b293a5240ffbfd1346ca710dedee1111885853c52cdf969d60d32d678b6673ec8faf5d471dae8fdfa44bcc4f6c029e280c01f9d

Download Submit
C:\Windows\{59FE4872-DE05-468a-91E6-7EA673E42398}.exe

Filesize
257KB

MD5
f2553fcefeba2d43982fdbdfaed89c56

SHA1
1ce6efb5d36b15b7b515236a2c1d3a16f5b1fbc7

SHA256
c330269ae47823f50fb093f47fdd5943ae5dcd8aea7a15ba0604ccfe9b1510e7

SHA512
4c4545726547fbebdcf12e38ac941042927f02bf7247ca5095fec636b84df9826f09404e5ac900983ec3c0d9d19cdb5b7dd03e67d2d226b617aa20ae3ef6cd53

Download Submit
C:\Windows\{775C2E12-0187-46ef-9AF7-6DF43785B735}.exe

Filesize
408KB

MD5
149cfd29be41b602f56533abd6267c69

SHA1
1df065c0e0101a8b800c57fdc2e5194c8882db39

SHA256
b8a435799de4b77bece204f26732ff6eca974da7e7c5c2e860c81019d247fb97

SHA512
7af8595615fbcd7d563d7fa4ceb7bd71b3ef1c2fd44ee5c711ff84309856b9dac1be1dda32e3e810f037fe88e452c07b076ad130833d7756bdb5e9fdd41c2a31

Download Submit
C:\Windows\{8CC92F05-0BC8-4cfb-8451-221065648C7B}.exe

Filesize
408KB

MD5
df62fa1db8f1600e00e61be7053b858f

SHA1
0cf6d7aef3168dfd56810bb0d3b3e7e2b2c680ad

SHA256
ff848ba502dd05f23beb8d539632b32ed0b071208da0cbe9ddf05ec968fac3f2

SHA512
f893094df02ddb713a58184e90b0640fec195bd9f34315a937a548d540e8f8d9ef1f654f9f3d849dbf6aab8d9bb62f1bf81aa483abb33d017c566e7dfc27cb65

Download Submit
C:\Windows\{B2606435-EC71-4e36-AEFE-E092D014FC44}.exe

Filesize
408KB

MD5
79865856c558a20372fbdc096ac53c97

SHA1
d99b06fcae666909cdff9c71e4d4f29cc4b4f718

SHA256
07d8e2c88405e0f94f3c4c1044741e9f96346d0f0e1860be66d93af722bde61f

SHA512
369323d2852746a7cfc148a108ec1d8c33c0ab9af614dddc23705a22ed54c4e8216879cd1ce8ab8b4960bfb332ee2add01fb3ec11caa67b7b613dcb82c1b4d43

Download Submit
C:\Windows\{C3855291-17EA-40ee-AF13-01F1041AEBC4}.exe

Filesize
408KB

MD5
7b4f0ef5eb35fed8bad75e4df2a2c4c5

SHA1
c79e2503d9775963d87a360cd200aab87bbfe821

SHA256
2aef1f0b5cf211675b7ff4d5dce90a8e2505d26cbdfe76792f8282393c2cb44e

SHA512
d365edbaaf4129b6260f24c4320840b4dbb2f61f5677156a04cdb20154caca703cd9eaa6dd4f5a4feb205da43c461085baff9ac52b84f8f8fb5d990617390caa

Download Submit
C:\Windows\{C76303BE-C736-4af9-A423-AAC48DC989A2}.exe

Filesize
408KB

MD5
d6e2207d7fc0b1674239c28a92ce79d8

SHA1
e3aa4649998e456a46b2b7a818786f57c1854016

SHA256
8bbcea9ff49af2b917d617cbf65bc31da43e2ae839283d77b5f215bff2b2bf7b

SHA512
29580333374147ef7a5806b2612251827271c03026a66139f09bc44b4f31c4157624ca0f911b591578f55add328fdc31d77abf16a6aa4d66bad869ed9cab557b

Download Submit
C:\Windows\{CB45AAB4-93A4-49ad-8F68-5BAF433BED51}.exe

Filesize
408KB

MD5
e1fece8b57ddb8d8e27cb9dd9cd60f95

SHA1
f7bb8a67b516e8c0d90489592f892bd4d7638724

SHA256
5be4069bc98fe0f2f7735089a3f04a088c54063a2b1b8a2d48029d7f6221957d

SHA512
e98cfe503294a023b2462e83c9b6ed970c2c3739342be4944ea4c2dca96b94511aac522bfe0e6bd9a374e19ee47551bf5490707d4878b7b285fe9ee3ca245cdf

Download Submit
C:\Windows\{EA9012A9-D6DC-4ea0-81A7-B22A70A2AAF8}.exe

Filesize
203KB

MD5
5845a76a23a24070fcf4cd87511ddfce

SHA1
14ae60fbce77f0c8c708860faba7efb5c5fa78f1

SHA256
2e459f4d7ae93f5e63e762610ca24c0917fc0950641f2c5f3ecd53abb5a9b600

SHA512
7406d215a154da75c614f61ccf57a8f90a96d68f8f6c2c22c94f1265653af1f86ba4ae261a606af206ad2d8dfc44252adcc694b2383286515300e88322d4be03

Download Submit
C:\Windows\{EA9012A9-D6DC-4ea0-81A7-B22A70A2AAF8}.exe

Filesize
272KB

MD5
628a8bae18db364ce38ec9a902dbb02a

SHA1
8019872ac6db4484575eedb59521f5637eba85cc

SHA256
0c941cc6620918abb6488123c63a04f9dbe65a5e312a646aefbbb6440a9f4de2

SHA512
f9d29307793a09eb7dafbace6f5dfe766dad109566af4b6339118c7ddc315b3159e333f31569f26273e34a3c797c3c6704bf3e17340c40771a851a63b6a9b41e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads