7140f6e5de2222cd6d3fbbbb2562ea1b33cf15936824d920369fcdea0e7815cf

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe
Size

180KB
MD5

3ad941e74aa54f33189e9eb12ea0cb34
SHA1

ad4f4e3d3f54a08217e493f81f53bec8dd585be5
SHA256

7140f6e5de2222cd6d3fbbbb2562ea1b33cf15936824d920369fcdea0e7815cf
SHA512

2d2a0c7d81f80c7050ce7c605c985a9ce5bbb4ebfbe9ee2e452175b23063514976ca76ec17969a561ae5d4a1de354b2cdba65a7eaebcce6975b8be2e06c2eb32
SSDEEP

3072:jEGh0o3lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGJl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231fd-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023206-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002320c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023206-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f82-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021f83-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021f82-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000705-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53EA1011-CABE-4394-A1FC-B36FD2C7D86A}	{A436C6E0-145E-49f5-81FB-1F081572024C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD740165-9615-49db-B62E-06C917F2F84B}	{29A57B17-310A-4622-8A81-7295BFA55C16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}	{36981F51-55D0-408a-96CD-D8816991EC0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECB0DF8F-995B-4ba3-B4CD-839523111178}\stubpath = "C:\\Windows\\{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe"	{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72E17711-95A3-4a93-A4D1-759B4547B238}	{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}\stubpath = "C:\\Windows\\{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe"	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29A57B17-310A-4622-8A81-7295BFA55C16}	{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD740165-9615-49db-B62E-06C917F2F84B}\stubpath = "C:\\Windows\\{CD740165-9615-49db-B62E-06C917F2F84B}.exe"	{29A57B17-310A-4622-8A81-7295BFA55C16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05493968-74AA-4b6e-ADC3-E5144ADC6320}	{53EA1011-CABE-4394-A1FC-B36FD2C7D86A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC406B29-31A7-4cc5-BD20-FD32D265A30A}\stubpath = "C:\\Windows\\{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe"	{72E17711-95A3-4a93-A4D1-759B4547B238}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A436C6E0-145E-49f5-81FB-1F081572024C}	{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29A57B17-310A-4622-8A81-7295BFA55C16}\stubpath = "C:\\Windows\\{29A57B17-310A-4622-8A81-7295BFA55C16}.exe"	{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36981F51-55D0-408a-96CD-D8816991EC0A}\stubpath = "C:\\Windows\\{36981F51-55D0-408a-96CD-D8816991EC0A}.exe"	{CD740165-9615-49db-B62E-06C917F2F84B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}\stubpath = "C:\\Windows\\{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe"	{36981F51-55D0-408a-96CD-D8816991EC0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72E17711-95A3-4a93-A4D1-759B4547B238}\stubpath = "C:\\Windows\\{72E17711-95A3-4a93-A4D1-759B4547B238}.exe"	{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC406B29-31A7-4cc5-BD20-FD32D265A30A}	{72E17711-95A3-4a93-A4D1-759B4547B238}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53EA1011-CABE-4394-A1FC-B36FD2C7D86A}\stubpath = "C:\\Windows\\{53EA1011-CABE-4394-A1FC-B36FD2C7D86A}.exe"	{A436C6E0-145E-49f5-81FB-1F081572024C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05493968-74AA-4b6e-ADC3-E5144ADC6320}\stubpath = "C:\\Windows\\{05493968-74AA-4b6e-ADC3-E5144ADC6320}.exe"	{53EA1011-CABE-4394-A1FC-B36FD2C7D86A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36981F51-55D0-408a-96CD-D8816991EC0A}	{CD740165-9615-49db-B62E-06C917F2F84B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECB0DF8F-995B-4ba3-B4CD-839523111178}	{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}	{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}\stubpath = "C:\\Windows\\{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe"	{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A436C6E0-145E-49f5-81FB-1F081572024C}\stubpath = "C:\\Windows\\{A436C6E0-145E-49f5-81FB-1F081572024C}.exe"	{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe

Executes dropped EXE 12 IoCs

pid	Process
3160	{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe
4340	{29A57B17-310A-4622-8A81-7295BFA55C16}.exe
3744	{CD740165-9615-49db-B62E-06C917F2F84B}.exe
1112	{36981F51-55D0-408a-96CD-D8816991EC0A}.exe
4880	{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe
1868	{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe
680	{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe
4664	{72E17711-95A3-4a93-A4D1-759B4547B238}.exe
5032	{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe
4424	{A436C6E0-145E-49f5-81FB-1F081572024C}.exe
2912	{53EA1011-CABE-4394-A1FC-B36FD2C7D86A}.exe
3696	{05493968-74AA-4b6e-ADC3-E5144ADC6320}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A436C6E0-145E-49f5-81FB-1F081572024C}.exe	{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe
File created	C:\Windows\{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe
File created	C:\Windows\{29A57B17-310A-4622-8A81-7295BFA55C16}.exe	{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe
File created	C:\Windows\{72E17711-95A3-4a93-A4D1-759B4547B238}.exe	{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe
File created	C:\Windows\{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe	{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe
File created	C:\Windows\{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe	{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe
File created	C:\Windows\{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe	{72E17711-95A3-4a93-A4D1-759B4547B238}.exe
File created	C:\Windows\{53EA1011-CABE-4394-A1FC-B36FD2C7D86A}.exe	{A436C6E0-145E-49f5-81FB-1F081572024C}.exe
File created	C:\Windows\{05493968-74AA-4b6e-ADC3-E5144ADC6320}.exe	{53EA1011-CABE-4394-A1FC-B36FD2C7D86A}.exe
File created	C:\Windows\{CD740165-9615-49db-B62E-06C917F2F84B}.exe	{29A57B17-310A-4622-8A81-7295BFA55C16}.exe
File created	C:\Windows\{36981F51-55D0-408a-96CD-D8816991EC0A}.exe	{CD740165-9615-49db-B62E-06C917F2F84B}.exe
File created	C:\Windows\{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe	{36981F51-55D0-408a-96CD-D8816991EC0A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4236	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3160	{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe
Token: SeIncBasePriorityPrivilege	4340	{29A57B17-310A-4622-8A81-7295BFA55C16}.exe
Token: SeIncBasePriorityPrivilege	3744	{CD740165-9615-49db-B62E-06C917F2F84B}.exe
Token: SeIncBasePriorityPrivilege	1112	{36981F51-55D0-408a-96CD-D8816991EC0A}.exe
Token: SeIncBasePriorityPrivilege	4880	{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe
Token: SeIncBasePriorityPrivilege	1868	{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe
Token: SeIncBasePriorityPrivilege	680	{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe
Token: SeIncBasePriorityPrivilege	4664	{72E17711-95A3-4a93-A4D1-759B4547B238}.exe
Token: SeIncBasePriorityPrivilege	5032	{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe
Token: SeIncBasePriorityPrivilege	4424	{A436C6E0-145E-49f5-81FB-1F081572024C}.exe
Token: SeIncBasePriorityPrivilege	2912	{53EA1011-CABE-4394-A1FC-B36FD2C7D86A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 3160	4236	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	88
PID 4236 wrote to memory of 3160	4236	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	88
PID 4236 wrote to memory of 3160	4236	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	88
PID 4236 wrote to memory of 2636	4236	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	89
PID 4236 wrote to memory of 2636	4236	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	89
PID 4236 wrote to memory of 2636	4236	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	89
PID 3160 wrote to memory of 4340	3160	{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe	94
PID 3160 wrote to memory of 4340	3160	{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe	94
PID 3160 wrote to memory of 4340	3160	{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe	94
PID 3160 wrote to memory of 4672	3160	{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe	95
PID 3160 wrote to memory of 4672	3160	{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe	95
PID 3160 wrote to memory of 4672	3160	{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe	95
PID 4340 wrote to memory of 3744	4340	{29A57B17-310A-4622-8A81-7295BFA55C16}.exe	97
PID 4340 wrote to memory of 3744	4340	{29A57B17-310A-4622-8A81-7295BFA55C16}.exe	97
PID 4340 wrote to memory of 3744	4340	{29A57B17-310A-4622-8A81-7295BFA55C16}.exe	97
PID 4340 wrote to memory of 4448	4340	{29A57B17-310A-4622-8A81-7295BFA55C16}.exe	98
PID 4340 wrote to memory of 4448	4340	{29A57B17-310A-4622-8A81-7295BFA55C16}.exe	98
PID 4340 wrote to memory of 4448	4340	{29A57B17-310A-4622-8A81-7295BFA55C16}.exe	98
PID 3744 wrote to memory of 1112	3744	{CD740165-9615-49db-B62E-06C917F2F84B}.exe	99
PID 3744 wrote to memory of 1112	3744	{CD740165-9615-49db-B62E-06C917F2F84B}.exe	99
PID 3744 wrote to memory of 1112	3744	{CD740165-9615-49db-B62E-06C917F2F84B}.exe	99
PID 3744 wrote to memory of 4752	3744	{CD740165-9615-49db-B62E-06C917F2F84B}.exe	100
PID 3744 wrote to memory of 4752	3744	{CD740165-9615-49db-B62E-06C917F2F84B}.exe	100
PID 3744 wrote to memory of 4752	3744	{CD740165-9615-49db-B62E-06C917F2F84B}.exe	100
PID 1112 wrote to memory of 4880	1112	{36981F51-55D0-408a-96CD-D8816991EC0A}.exe	101
PID 1112 wrote to memory of 4880	1112	{36981F51-55D0-408a-96CD-D8816991EC0A}.exe	101
PID 1112 wrote to memory of 4880	1112	{36981F51-55D0-408a-96CD-D8816991EC0A}.exe	101
PID 1112 wrote to memory of 892	1112	{36981F51-55D0-408a-96CD-D8816991EC0A}.exe	102
PID 1112 wrote to memory of 892	1112	{36981F51-55D0-408a-96CD-D8816991EC0A}.exe	102
PID 1112 wrote to memory of 892	1112	{36981F51-55D0-408a-96CD-D8816991EC0A}.exe	102
PID 4880 wrote to memory of 1868	4880	{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe	103
PID 4880 wrote to memory of 1868	4880	{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe	103
PID 4880 wrote to memory of 1868	4880	{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe	103
PID 4880 wrote to memory of 3448	4880	{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe	104
PID 4880 wrote to memory of 3448	4880	{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe	104
PID 4880 wrote to memory of 3448	4880	{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe	104
PID 1868 wrote to memory of 680	1868	{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe	105
PID 1868 wrote to memory of 680	1868	{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe	105
PID 1868 wrote to memory of 680	1868	{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe	105
PID 1868 wrote to memory of 5028	1868	{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe	106
PID 1868 wrote to memory of 5028	1868	{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe	106
PID 1868 wrote to memory of 5028	1868	{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe	106
PID 680 wrote to memory of 4664	680	{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe	107
PID 680 wrote to memory of 4664	680	{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe	107
PID 680 wrote to memory of 4664	680	{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe	107
PID 680 wrote to memory of 4960	680	{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe	108
PID 680 wrote to memory of 4960	680	{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe	108
PID 680 wrote to memory of 4960	680	{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe	108
PID 4664 wrote to memory of 5032	4664	{72E17711-95A3-4a93-A4D1-759B4547B238}.exe	110
PID 4664 wrote to memory of 5032	4664	{72E17711-95A3-4a93-A4D1-759B4547B238}.exe	110
PID 4664 wrote to memory of 5032	4664	{72E17711-95A3-4a93-A4D1-759B4547B238}.exe	110
PID 4664 wrote to memory of 2700	4664	{72E17711-95A3-4a93-A4D1-759B4547B238}.exe	109
PID 4664 wrote to memory of 2700	4664	{72E17711-95A3-4a93-A4D1-759B4547B238}.exe	109
PID 4664 wrote to memory of 2700	4664	{72E17711-95A3-4a93-A4D1-759B4547B238}.exe	109
PID 5032 wrote to memory of 4424	5032	{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe	111
PID 5032 wrote to memory of 4424	5032	{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe	111
PID 5032 wrote to memory of 4424	5032	{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe	111
PID 5032 wrote to memory of 1324	5032	{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe	112
PID 5032 wrote to memory of 1324	5032	{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe	112
PID 5032 wrote to memory of 1324	5032	{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe	112
PID 4424 wrote to memory of 2912	4424	{A436C6E0-145E-49f5-81FB-1F081572024C}.exe	113
PID 4424 wrote to memory of 2912	4424	{A436C6E0-145E-49f5-81FB-1F081572024C}.exe	113
PID 4424 wrote to memory of 2912	4424	{A436C6E0-145E-49f5-81FB-1F081572024C}.exe	113
PID 4424 wrote to memory of 1948	4424	{A436C6E0-145E-49f5-81FB-1F081572024C}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe
  C:\Windows\{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\{29A57B17-310A-4622-8A81-7295BFA55C16}.exe
    C:\Windows\{29A57B17-310A-4622-8A81-7295BFA55C16}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\{CD740165-9615-49db-B62E-06C917F2F84B}.exe
      C:\Windows\{CD740165-9615-49db-B62E-06C917F2F84B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Windows\{36981F51-55D0-408a-96CD-D8816991EC0A}.exe
        
        C:\Windows\{36981F51-55D0-408a-96CD-D8816991EC0A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1112
      - C:\Windows\{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe
        
        C:\Windows\{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe
        
        C:\Windows\{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe
        
        C:\Windows\{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\{72E17711-95A3-4a93-A4D1-759B4547B238}.exe
        
        C:\Windows\{72E17711-95A3-4a93-A4D1-759B4547B238}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72E17~1.EXE > nul
        10⤵
        
        PID:2700
        
        C:\Windows\{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe
        
        C:\Windows\{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\{A436C6E0-145E-49f5-81FB-1F081572024C}.exe
        
        C:\Windows\{A436C6E0-145E-49f5-81FB-1F081572024C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\{53EA1011-CABE-4394-A1FC-B36FD2C7D86A}.exe
        
        C:\Windows\{53EA1011-CABE-4394-A1FC-B36FD2C7D86A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\{05493968-74AA-4b6e-ADC3-E5144ADC6320}.exe
        
        C:\Windows\{05493968-74AA-4b6e-ADC3-E5144ADC6320}.exe
        13⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53EA1~1.EXE > nul
        13⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A436C~1.EXE > nul
        12⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC406~1.EXE > nul
        11⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6665F~1.EXE > nul
        9⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECB0D~1.EXE > nul
        8⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF592~1.EXE > nul
        7⤵
        
        PID:3448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36981~1.EXE > nul
        6⤵
        
        PID:892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD740~1.EXE > nul
        5⤵
        
        PID:4752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{29A57~1.EXE > nul
      4⤵
      PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A3C05~1.EXE > nul
    3⤵
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05493968-74AA-4b6e-ADC3-E5144ADC6320}.exe

Filesize
180KB

MD5
b9926e7d24b148c46c1669b7706008bf

SHA1
a08b0aec68ed7cfb69a4d88ac1f389a1cf845193

SHA256
c070c66b3a45e4b510e8f8ddc6e4bd868519786e1a865633e064bd40a5987ce4

SHA512
3c121432442b9ecddb3c5ba932bd73b4ea99fd52108cb7a0621c298ba806ef83a6797fdc9f4a8896e19ecfccba12b4ed14a572fc19a8adf9799bbffbe361804c

Download Submit
C:\Windows\{29A57B17-310A-4622-8A81-7295BFA55C16}.exe

Filesize
180KB

MD5
32f77f66edfcb0d2ede2bcb5595500ac

SHA1
11dc5a36fe292eb223a5851180a5913a6791c5be

SHA256
7040226ff8c730cb20af8b0fb585c48f4b3382a0de1c2923fc14a2526aaba763

SHA512
4f54e96bf6474747f50b1a1c1c2c092d99d026258cd92836612c6b1a1261b11b2842ed31d405396f5e4d49b9220a21e74e99de6219f21d26c7d1ea9e7349dd26

Download Submit
C:\Windows\{36981F51-55D0-408a-96CD-D8816991EC0A}.exe

Filesize
180KB

MD5
0951c6eaa720631c0fcd86bb39c6c87d

SHA1
1139bd101d4c222167ea1dfc546b82d0da4d2f3d

SHA256
eabe201d771f8737bc0cd843d503f2d7d37168c9f6d9d72ef0cbeceb8d4bd1cd

SHA512
b1834af120cd56e6e84a8767ac8729ee0c8ae7a3bd32632b3b036467f86f369e25d9f49606bd2517f65653cbcc2760054739ba64c9b4f820830dd7bb4f8bb651

Download Submit
C:\Windows\{53EA1011-CABE-4394-A1FC-B36FD2C7D86A}.exe

Filesize
180KB

MD5
537c9b2221ca49132a9d90b799310333

SHA1
b006303f660d66b4247019593ed3e516d8da58e7

SHA256
1dcc532adcaac3787b84e8e0efb1d2d1c4f9e3265f9da5d58d5d195f7182d340

SHA512
3f53a1a26fb6e248e24fcc08714c7e842c2428c14ab62a821a2dd663dcfef7903fb8eacf16a0d944df763fa53656d7297c421382b634f3ab0f18b4f16a17f37b

Download Submit
C:\Windows\{6665F836-6B6C-4fcf-9482-ACDE85DED8AD}.exe

Filesize
180KB

MD5
e64eba28b10fa11b0338c12c5987cf75

SHA1
cb87faa8cdf8c22b816e0e89aac65e163d8b8f40

SHA256
70c3e09a67e5a1897840419e8d99bac2b0aa6f696c78f8b481732706ffce511a

SHA512
1c94e644395ca442cc33fb4d506f6b902532c45bba4c3bea6be4b97db4b1a50eaec769445aee234787fe86bbbeced9a939ac6e82220b193c5ba1fbf08247dd11

Download Submit
C:\Windows\{72E17711-95A3-4a93-A4D1-759B4547B238}.exe

Filesize
180KB

MD5
d738c1a885f604051d58b35bab984113

SHA1
decabfb9c8c2a99a36bdd8519518d12425a20d2a

SHA256
726141180f89096c26e2ca75f1f918b616adfc2d0e8a4af545bd71cf949ee8aa

SHA512
22173f9d32842ee4274eb7b39f78014b2b042d71776114bc3d1a0352883fe21b2ea83be58193c421eebfb9cf1b71ad76cebc282f26bb6e308783885b1d5f2504

Download Submit
C:\Windows\{A3C05E7A-9EAC-48f9-A94D-6C42741FD953}.exe

Filesize
180KB

MD5
4edb4518a14a655b2320e1ee673ad16b

SHA1
e9c0ecb07b703057b6a3632d0c33c53eed0f6564

SHA256
8337a2e9ea231f2cc9885ff6b8f5c3b45a9bfac8ee0ae69e97c2fcf4665416b7

SHA512
6aa1c4ef520395cd77f89c3b3fd78de69b7bb968c615c2d55485a941910b16c4c400d9e3a736eb73bd7b5e081d748e6bdb5723c950534332dbadb2c173aaefbd

Download Submit
C:\Windows\{A436C6E0-145E-49f5-81FB-1F081572024C}.exe

Filesize
180KB

MD5
9e50248f688ef409ee93515f2cbf9db3

SHA1
fd0f6a23d160fc965e91d367ddb0355dc4dd5558

SHA256
8656f4436ae75f57a95befec058af83e64bcc05b68c8e42b5f5af54a47872952

SHA512
c46c98896ecfd8330fcdf5a0fcebdac79e6abbf31b81e7a9ab059f651ef16593ec7b1f7e684f78e24e647c0a31286e68ae6a646549e78e2d9f5b2913a9c3f68f

Download Submit
C:\Windows\{BF5920FF-3719-4f4d-AC0B-D31A3B1C786F}.exe

Filesize
180KB

MD5
fc7e66ac1e2372f70c2e760160bc9eeb

SHA1
f128858da5b4989010b329ccdace0a23b8ab9a6f

SHA256
fa1e797a6292c7a83002cc3921c08f5bd85389002ba2eb99109faed6f7d74c79

SHA512
4cd60e56f50e829e70ba07aea197bf512449fad27c900090ba8cf61bfceb480477aba11a74526e3932a6d92b10ec3b7ebd5096e9d3abe38a0cddc8eeae3b713d

Download Submit
C:\Windows\{CC406B29-31A7-4cc5-BD20-FD32D265A30A}.exe

Filesize
180KB

MD5
1fd58707b6d853ed6f3c019d9853d488

SHA1
787691cbf1a45e4474c7b71477ea1b8e2d602e3c

SHA256
b6a52c8bb60d65621b4ce01751bee516ac86e487a21e96d4d4029a829c5ed679

SHA512
e4616907c414a0a10f2694561d92ffbe31240ba28f48432d21a497cd28cd554d485ada1a644ff7eb4641d5f046ed3c9634012ec86190a9e84faf1e5a537dea71

Download Submit
C:\Windows\{CD740165-9615-49db-B62E-06C917F2F84B}.exe

Filesize
180KB

MD5
1be7038cb4a07c1e470fc7dfef57c20f

SHA1
7b85a5233947496c0fb7817289fe4383e99e2974

SHA256
d97f7eabe76f338c2ae0269bc4fa66d76daf159715baff2a7f62c40bc4f5c11b

SHA512
91882cccd3317d76c0bb79d997accaee5c133dce1402d10fb005cc223c79b4c9931d844849ecf48136ddbcde2afea3222115c5623fd9dab7ea92c0f5bf2180bc

Download Submit
C:\Windows\{ECB0DF8F-995B-4ba3-B4CD-839523111178}.exe

Filesize
180KB

MD5
a765d0706689d2c424a9eaa92460e7fa

SHA1
2631283793a7756dd83d25aed413dfffc5bc466b

SHA256
ab8ec274ca1cebe1ffcb164c11ea462d50ad99562866236d4d72392f97d25975

SHA512
7c43e652cf6590ff1167d0970c4a5bf4a0be1fe15365c2ea98c6d6b11b0e50ce0aeedfc026c4984473d01bbbb87ad327039ced15bc3311429cec85161103b8e8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads