a59518656442a30a6c8a2caeac983733149b011aeaad8c916e659047c7c2615c

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe
Size

168KB
MD5

0cfc053482265145ccc497d63bc3d217
SHA1

4230d085a71cd170ae725548283f1e778a53ff42
SHA256

a59518656442a30a6c8a2caeac983733149b011aeaad8c916e659047c7c2615c
SHA512

ccd9c4d53f82ecdba5d292117b2a0e509aa6f2f24695885b908a7c95fb468ce86ee4cd6b7389a68d4a15cd28f23ea0cea21a9e45fb661342276aaf8972f4df44
SSDEEP

1536:1EGh0oElq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oElqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023225-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e354-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023233-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e354-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e354-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e7-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}	{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D957920C-453C-4fc6-8126-24917B0C26A8}	{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D957920C-453C-4fc6-8126-24917B0C26A8}\stubpath = "C:\\Windows\\{D957920C-453C-4fc6-8126-24917B0C26A8}.exe"	{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}	2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}\stubpath = "C:\\Windows\\{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe"	{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D37F41CB-646B-4d8f-863B-F345A8152C05}	{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}\stubpath = "C:\\Windows\\{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe"	{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}	{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}\stubpath = "C:\\Windows\\{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe"	{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}\stubpath = "C:\\Windows\\{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe"	{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}	{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD260C5D-FE1D-412c-9AC8-7A973199803B}	{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD260C5D-FE1D-412c-9AC8-7A973199803B}\stubpath = "C:\\Windows\\{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe"	{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}\stubpath = "C:\\Windows\\{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe"	{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB6BFADA-96BB-45ed-A6CD-6336C5DE1423}	{D957920C-453C-4fc6-8126-24917B0C26A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}\stubpath = "C:\\Windows\\{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe"	2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}\stubpath = "C:\\Windows\\{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe"	{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D37F41CB-646B-4d8f-863B-F345A8152C05}\stubpath = "C:\\Windows\\{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe"	{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}	{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB6BFADA-96BB-45ed-A6CD-6336C5DE1423}\stubpath = "C:\\Windows\\{FB6BFADA-96BB-45ed-A6CD-6336C5DE1423}.exe"	{D957920C-453C-4fc6-8126-24917B0C26A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}	{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}	{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe

Executes dropped EXE 11 IoCs

pid	Process
2784	{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe
2008	{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe
4620	{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe
3284	{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe
4012	{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe
4596	{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe
3760	{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe
892	{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe
3080	{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe
3948	{D957920C-453C-4fc6-8126-24917B0C26A8}.exe
3612	{FB6BFADA-96BB-45ed-A6CD-6336C5DE1423}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe	2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe
File created	C:\Windows\{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe	{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe
File created	C:\Windows\{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe	{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe
File created	C:\Windows\{D957920C-453C-4fc6-8126-24917B0C26A8}.exe	{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe
File created	C:\Windows\{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe	{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe
File created	C:\Windows\{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe	{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe
File created	C:\Windows\{FB6BFADA-96BB-45ed-A6CD-6336C5DE1423}.exe	{D957920C-453C-4fc6-8126-24917B0C26A8}.exe
File created	C:\Windows\{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe	{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe
File created	C:\Windows\{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe	{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe
File created	C:\Windows\{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe	{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe
File created	C:\Windows\{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe	{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4956	2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2784	{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe
Token: SeIncBasePriorityPrivilege	2008	{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe
Token: SeIncBasePriorityPrivilege	4620	{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe
Token: SeIncBasePriorityPrivilege	3284	{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe
Token: SeIncBasePriorityPrivilege	4012	{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe
Token: SeIncBasePriorityPrivilege	4596	{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe
Token: SeIncBasePriorityPrivilege	3760	{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe
Token: SeIncBasePriorityPrivilege	892	{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe
Token: SeIncBasePriorityPrivilege	3080	{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe
Token: SeIncBasePriorityPrivilege	3948	{D957920C-453C-4fc6-8126-24917B0C26A8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2784	4956	2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe	88
PID 4956 wrote to memory of 2784	4956	2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe	88
PID 4956 wrote to memory of 2784	4956	2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe	88
PID 4956 wrote to memory of 4696	4956	2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe	89
PID 4956 wrote to memory of 4696	4956	2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe	89
PID 4956 wrote to memory of 4696	4956	2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe	89
PID 2784 wrote to memory of 2008	2784	{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe	93
PID 2784 wrote to memory of 2008	2784	{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe	93
PID 2784 wrote to memory of 2008	2784	{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe	93
PID 2784 wrote to memory of 4680	2784	{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe	94
PID 2784 wrote to memory of 4680	2784	{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe	94
PID 2784 wrote to memory of 4680	2784	{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe	94
PID 2008 wrote to memory of 4620	2008	{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe	97
PID 2008 wrote to memory of 4620	2008	{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe	97
PID 2008 wrote to memory of 4620	2008	{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe	97
PID 2008 wrote to memory of 2044	2008	{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe	96
PID 2008 wrote to memory of 2044	2008	{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe	96
PID 2008 wrote to memory of 2044	2008	{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe	96
PID 4620 wrote to memory of 3284	4620	{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe	98
PID 4620 wrote to memory of 3284	4620	{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe	98
PID 4620 wrote to memory of 3284	4620	{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe	98
PID 4620 wrote to memory of 4248	4620	{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe	99
PID 4620 wrote to memory of 4248	4620	{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe	99
PID 4620 wrote to memory of 4248	4620	{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe	99
PID 3284 wrote to memory of 4012	3284	{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe	100
PID 3284 wrote to memory of 4012	3284	{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe	100
PID 3284 wrote to memory of 4012	3284	{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe	100
PID 3284 wrote to memory of 2400	3284	{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe	101
PID 3284 wrote to memory of 2400	3284	{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe	101
PID 3284 wrote to memory of 2400	3284	{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe	101
PID 4012 wrote to memory of 4596	4012	{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe	102
PID 4012 wrote to memory of 4596	4012	{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe	102
PID 4012 wrote to memory of 4596	4012	{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe	102
PID 4012 wrote to memory of 3392	4012	{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe	103
PID 4012 wrote to memory of 3392	4012	{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe	103
PID 4012 wrote to memory of 3392	4012	{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe	103
PID 4596 wrote to memory of 3760	4596	{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe	104
PID 4596 wrote to memory of 3760	4596	{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe	104
PID 4596 wrote to memory of 3760	4596	{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe	104
PID 4596 wrote to memory of 1592	4596	{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe	105
PID 4596 wrote to memory of 1592	4596	{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe	105
PID 4596 wrote to memory of 1592	4596	{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe	105
PID 3760 wrote to memory of 892	3760	{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe	106
PID 3760 wrote to memory of 892	3760	{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe	106
PID 3760 wrote to memory of 892	3760	{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe	106
PID 3760 wrote to memory of 2112	3760	{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe	107
PID 3760 wrote to memory of 2112	3760	{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe	107
PID 3760 wrote to memory of 2112	3760	{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe	107
PID 892 wrote to memory of 3080	892	{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe	108
PID 892 wrote to memory of 3080	892	{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe	108
PID 892 wrote to memory of 3080	892	{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe	108
PID 892 wrote to memory of 2172	892	{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe	109
PID 892 wrote to memory of 2172	892	{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe	109
PID 892 wrote to memory of 2172	892	{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe	109
PID 3080 wrote to memory of 3948	3080	{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe	110
PID 3080 wrote to memory of 3948	3080	{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe	110
PID 3080 wrote to memory of 3948	3080	{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe	110
PID 3080 wrote to memory of 828	3080	{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe	111
PID 3080 wrote to memory of 828	3080	{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe	111
PID 3080 wrote to memory of 828	3080	{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe	111
PID 3948 wrote to memory of 3612	3948	{D957920C-453C-4fc6-8126-24917B0C26A8}.exe	112
PID 3948 wrote to memory of 3612	3948	{D957920C-453C-4fc6-8126-24917B0C26A8}.exe	112
PID 3948 wrote to memory of 3612	3948	{D957920C-453C-4fc6-8126-24917B0C26A8}.exe	112
PID 3948 wrote to memory of 4448	3948	{D957920C-453C-4fc6-8126-24917B0C26A8}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_0cfc053482265145ccc497d63bc3d217_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe
  C:\Windows\{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe
    C:\Windows\{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B64D8~1.EXE > nul
      4⤵
      PID:2044
  - - C:\Windows\{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe
      C:\Windows\{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4620
    - - C:\Windows\{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe
        
        C:\Windows\{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Windows\{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe
        
        C:\Windows\{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe
        
        C:\Windows\{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe
        
        C:\Windows\{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe
        
        C:\Windows\{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe
        
        C:\Windows\{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\{D957920C-453C-4fc6-8126-24917B0C26A8}.exe
        
        C:\Windows\{D957920C-453C-4fc6-8126-24917B0C26A8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\{FB6BFADA-96BB-45ed-A6CD-6336C5DE1423}.exe
        
        C:\Windows\{FB6BFADA-96BB-45ed-A6CD-6336C5DE1423}.exe
        12⤵
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9579~1.EXE > nul
        12⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DFF3~1.EXE > nul
        11⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D2C6~1.EXE > nul
        10⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD260~1.EXE > nul
        9⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7ADD~1.EXE > nul
        8⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{540AE~1.EXE > nul
        7⤵
        
        PID:3392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D37F4~1.EXE > nul
        6⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A1EF~1.EXE > nul
        5⤵
        
        PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9B8A9~1.EXE > nul
    3⤵
    PID:4680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{540AE989-1116-4fc8-92AD-C1BEBBC0DDA7}.exe

Filesize
168KB

MD5
7c83df7bebd56b514f0f8c5e07d5a80a

SHA1
b50a538f58892b34a8d74668fe91dd870fadb732

SHA256
f9cc9398efe69ec84ea4efa445dbe7c036088906b5cdbb27ce2ffabd781da635

SHA512
d41dd1d85b2263d1ffb22f23544e4020d322538b363a00f7028c7853aeb5581861c826ca250ab21df465c341893e65ac5d313c98d7ec26731913ae90d08f8f13

Download Submit
C:\Windows\{5D2C6E35-03FE-4e4f-9003-9699F58ADCAD}.exe

Filesize
168KB

MD5
32871edb5f0d6320061d612e501b0f6d

SHA1
33cde216ec5fff75ee70cf163905da6c17f67dbd

SHA256
14f212c9b59a70a302e6a95f48d20007c9a4f746e4642bdb97e74d1cfb57bd00

SHA512
08282e81a09200f22ede61c1cdc735f8bfe66406d253050567eee6aebc4802d6245f372cd684257f9e657045ec2d5b4f162935d90dcee8228cce800b35991932

Download Submit
C:\Windows\{6A1EFBBF-B6E9-4524-B1B4-00214B46151E}.exe

Filesize
168KB

MD5
b7699a4e24f40a6a78025f1bc74050e4

SHA1
2ff91bc3322c5760a16a54d103d908102a54baa5

SHA256
9412dbe1bdfb9a6ca1ca0d619bcd57af37bf35cac4ae4e4e44d8d59e196e5c5d

SHA512
598fc174c84846e7b4064a48e6a5b7921b07eb6b94c71b4c121392e6fff56ea32580e13e6891e791921489ce8a9b8ee5e7520f704da1e97ac13364f03b3a389e

Download Submit
C:\Windows\{7DFF3B96-186E-4c5f-8B5A-A4AC23A5DE83}.exe

Filesize
168KB

MD5
9cbf973211187cc63848b8518faaf544

SHA1
e77d4e84d3f0be3a03b8e26ab964336d54ea5c11

SHA256
6ff08a2d359c6c2c71d3db64bd4c6ac7b5361a4cb0000fecf196441a8778d853

SHA512
26bc7f9326ff6bc9ee96d43720d117af9836a3bc5e9440b3230a195d2e6a0a46a2b9c61d31026043c3f1072b2ea859ea5f3a22b9529afd242864e8533d223cfb

Download Submit
C:\Windows\{9B8A9D53-AE74-4d57-B5D5-5763C5CFC7D6}.exe

Filesize
168KB

MD5
48fe5693cd7ffa3d2fef8cb097cc04e6

SHA1
75aedf0a2b7fdcec24012f4ca5c5f50bb1f8e662

SHA256
0ca15c5ca08f86a297b289153f3587bdb16f4c363980501c59ad064060d4e90d

SHA512
45b6f6f8a632859b061d69cd8f3217dbeb8e2bf8313e1c9e28d5805a3fd11b3289dec0dbcfd082ba25571af68c6a2a0ec1667898f8deeabed198b24cbc362f1a

Download Submit
C:\Windows\{A7ADDFB1-6371-4d3c-939F-AB4FDA748249}.exe

Filesize
168KB

MD5
e1c3f421140ce683da89cf35e177ea79

SHA1
f75849e744440abd1cb1e5ee00a21dc2e9641da7

SHA256
1a66d94829c66c1d8d2cd239322f881cca0b5f5d5979a94f6f50c3f9c8da1a8e

SHA512
945039b69e6d7d955aec4e28748281af96585f2a33bc2528e63e1894c2f33d8875e5b7e042d60ba70abebfd6e2efb964800993e1f416eb1b984646382060a765

Download Submit
C:\Windows\{B64D8B0B-AB3A-4ccc-B8C0-774BF18A119E}.exe

Filesize
168KB

MD5
3918edc12bc8cb0c95a2a8300d1fdfd5

SHA1
c190bf9e5f606015afcf0ecac1ab03c608e4e3be

SHA256
0437dd74af22d776d1cb9c99d9c5ec3ae3e168d2edd9e76387d92acb46cfab3e

SHA512
0223994b72855a87ec1dc062dde1466f323a9cfbcdcf9f3f48ad321bac92041de82a6317ed163841379de53015af25608bd979a90da577b85e0c64d08fbbe933

Download Submit
C:\Windows\{BD260C5D-FE1D-412c-9AC8-7A973199803B}.exe

Filesize
168KB

MD5
b007a91c0217ac8c4288fbfbdcde5cc3

SHA1
8e93e4e25729dbc98fcd12fac5c34caefa9b2d89

SHA256
f47bde0a3c71a2f47197f90904ae404541a6478c0687f0f3b8741d6226c5a9e1

SHA512
e235b5c8c48697e60a53f79cf743eb152f6d519826b56e31dc1612c7b56983c2ee6959fcff6541051d881d843a3b791c4cc334a7dfc55f87aca86e930ae53a55

Download Submit
C:\Windows\{D37F41CB-646B-4d8f-863B-F345A8152C05}.exe

Filesize
168KB

MD5
2324687e08271871dd6ffc8ffb57fe57

SHA1
dae3e61f4cfc0c1dec0654646e6953b2abe93755

SHA256
53dc74514c0bff053eaa46004e74caf89244e676736aef3fa24120a7ebd7b7df

SHA512
73d7b8798707ed59d3a30bcf6fde5684f465e484e8ea2ad1cc3dc9d992047843d6181110d316d43c18c8c0d3b49ea09cb013b79aaf208f7814e3f6497a5f0fa8

Download Submit
C:\Windows\{D957920C-453C-4fc6-8126-24917B0C26A8}.exe

Filesize
168KB

MD5
82b94086daf923c9e0dbce9ce5e3e312

SHA1
d614742a51720156605e8f8e3e3065bec8736df3

SHA256
f5f26a23f0cc738b0c065de0d5000c2e25875593b93ed6b6ab5a80f60fb4f008

SHA512
f08bf9f4b110c53e9bb95ccb9a2340053e17ca3d8b69fb4f6f85e3f8dd9ae4143e604fa88bfc2869218975c9f6cd9a0657af81863671de7176965b20ab452f6e

Download Submit
C:\Windows\{FB6BFADA-96BB-45ed-A6CD-6336C5DE1423}.exe

Filesize
168KB

MD5
35d0f537390524a2e18c83ae0f5bfe7b

SHA1
049d052e9a37ac9c9372763c0e547ebf7dbc6e10

SHA256
1425a5b9b14f4572a63afa1cef93ab41cd619470cc232294096682d81b6c4aa7

SHA512
282132e2c4f036f37b1cf23abe395207e7e3606273cbbcc120ea248f15a22bc103c10a46988d1e34388c68299f1f2b9b7c8adb7792c7a5ea20bfa9ce4dbd2e7b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads