ce796311991101aca934035627c4947a7569bcf1bab0b2452318fea17964d21b

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe
Size

197KB
MD5

e7f510277bdcd6abb5ebe0ddf96a1ffd
SHA1

33711db72a991450aa7cd2361751b3b8cdfe0952
SHA256

ce796311991101aca934035627c4947a7569bcf1bab0b2452318fea17964d21b
SHA512

6b1a6981070f5d46a562cd20a43c10a31e5440212b0a673f51a2fec2ce525fbaad51e66cf3a607aa98664187b5f8c0cca6f1d0a129d86790d7e8ae2270f05bb5
SSDEEP

3072:jEGh0oEl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGalEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral2/files/0x000600000002314b-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023154-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023035-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023154-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023154-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023035-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{944E5085-BC3E-4bfd-B0B8-A698D6276E24}\stubpath = "C:\\Windows\\{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe"	{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E30474C3-9C25-40f6-9DD6-4DED2817B252}	{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}	{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}\stubpath = "C:\\Windows\\{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe"	{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71EDF04A-F709-4f6b-A513-5311775BDC03}	{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}\stubpath = "C:\\Windows\\{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe"	{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}\stubpath = "C:\\Windows\\{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe"	{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{944E5085-BC3E-4bfd-B0B8-A698D6276E24}	{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F761B8-21CB-4609-B376-CCFCDFABC50C}	{5049F456-2472-43d0-855A-0544AFF22090}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}	2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}\stubpath = "C:\\Windows\\{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe"	2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}	{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E30474C3-9C25-40f6-9DD6-4DED2817B252}\stubpath = "C:\\Windows\\{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe"	{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}	{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5049F456-2472-43d0-855A-0544AFF22090}\stubpath = "C:\\Windows\\{5049F456-2472-43d0-855A-0544AFF22090}.exe"	{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F761B8-21CB-4609-B376-CCFCDFABC50C}\stubpath = "C:\\Windows\\{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe"	{5049F456-2472-43d0-855A-0544AFF22090}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC2A6DD0-1273-4524-BF9A-35A6F89913D2}	{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC2A6DD0-1273-4524-BF9A-35A6F89913D2}\stubpath = "C:\\Windows\\{EC2A6DD0-1273-4524-BF9A-35A6F89913D2}.exe"	{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71EDF04A-F709-4f6b-A513-5311775BDC03}\stubpath = "C:\\Windows\\{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe"	{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}	{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}\stubpath = "C:\\Windows\\{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe"	{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5049F456-2472-43d0-855A-0544AFF22090}	{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe

Executes dropped EXE 11 IoCs

pid	Process
772	{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe
2756	{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe
3688	{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe
3264	{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe
1628	{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe
1928	{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe
464	{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe
3260	{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe
1048	{5049F456-2472-43d0-855A-0544AFF22090}.exe
4672	{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe
3540	{EC2A6DD0-1273-4524-BF9A-35A6F89913D2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe	{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe
File created	C:\Windows\{5049F456-2472-43d0-855A-0544AFF22090}.exe	{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe
File created	C:\Windows\{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe	{5049F456-2472-43d0-855A-0544AFF22090}.exe
File created	C:\Windows\{EC2A6DD0-1273-4524-BF9A-35A6F89913D2}.exe	{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe
File created	C:\Windows\{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe	{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe
File created	C:\Windows\{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe	{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe
File created	C:\Windows\{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe	{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe
File created	C:\Windows\{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe	{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe
File created	C:\Windows\{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe	2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe
File created	C:\Windows\{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe	{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe
File created	C:\Windows\{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe	{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4876	2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	772	{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe
Token: SeIncBasePriorityPrivilege	2756	{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe
Token: SeIncBasePriorityPrivilege	3688	{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe
Token: SeIncBasePriorityPrivilege	3264	{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe
Token: SeIncBasePriorityPrivilege	1628	{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe
Token: SeIncBasePriorityPrivilege	1928	{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe
Token: SeIncBasePriorityPrivilege	464	{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe
Token: SeIncBasePriorityPrivilege	3260	{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe
Token: SeIncBasePriorityPrivilege	1048	{5049F456-2472-43d0-855A-0544AFF22090}.exe
Token: SeIncBasePriorityPrivilege	4672	{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 772	4876	2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe	84
PID 4876 wrote to memory of 772	4876	2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe	84
PID 4876 wrote to memory of 772	4876	2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe	84
PID 4876 wrote to memory of 3140	4876	2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe	85
PID 4876 wrote to memory of 3140	4876	2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe	85
PID 4876 wrote to memory of 3140	4876	2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe	85
PID 772 wrote to memory of 2756	772	{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe	92
PID 772 wrote to memory of 2756	772	{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe	92
PID 772 wrote to memory of 2756	772	{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe	92
PID 772 wrote to memory of 732	772	{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe	93
PID 772 wrote to memory of 732	772	{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe	93
PID 772 wrote to memory of 732	772	{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe	93
PID 2756 wrote to memory of 3688	2756	{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe	96
PID 2756 wrote to memory of 3688	2756	{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe	96
PID 2756 wrote to memory of 3688	2756	{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe	96
PID 2756 wrote to memory of 1436	2756	{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe	97
PID 2756 wrote to memory of 1436	2756	{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe	97
PID 2756 wrote to memory of 1436	2756	{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe	97
PID 3688 wrote to memory of 3264	3688	{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe	98
PID 3688 wrote to memory of 3264	3688	{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe	98
PID 3688 wrote to memory of 3264	3688	{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe	98
PID 3688 wrote to memory of 3256	3688	{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe	99
PID 3688 wrote to memory of 3256	3688	{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe	99
PID 3688 wrote to memory of 3256	3688	{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe	99
PID 3264 wrote to memory of 1628	3264	{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe	100
PID 3264 wrote to memory of 1628	3264	{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe	100
PID 3264 wrote to memory of 1628	3264	{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe	100
PID 3264 wrote to memory of 1160	3264	{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe	101
PID 3264 wrote to memory of 1160	3264	{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe	101
PID 3264 wrote to memory of 1160	3264	{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe	101
PID 1628 wrote to memory of 1928	1628	{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe	102
PID 1628 wrote to memory of 1928	1628	{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe	102
PID 1628 wrote to memory of 1928	1628	{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe	102
PID 1628 wrote to memory of 4596	1628	{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe	103
PID 1628 wrote to memory of 4596	1628	{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe	103
PID 1628 wrote to memory of 4596	1628	{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe	103
PID 1928 wrote to memory of 464	1928	{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe	104
PID 1928 wrote to memory of 464	1928	{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe	104
PID 1928 wrote to memory of 464	1928	{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe	104
PID 1928 wrote to memory of 2676	1928	{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe	105
PID 1928 wrote to memory of 2676	1928	{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe	105
PID 1928 wrote to memory of 2676	1928	{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe	105
PID 464 wrote to memory of 3260	464	{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe	106
PID 464 wrote to memory of 3260	464	{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe	106
PID 464 wrote to memory of 3260	464	{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe	106
PID 464 wrote to memory of 4880	464	{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe	107
PID 464 wrote to memory of 4880	464	{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe	107
PID 464 wrote to memory of 4880	464	{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe	107
PID 3260 wrote to memory of 1048	3260	{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe	108
PID 3260 wrote to memory of 1048	3260	{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe	108
PID 3260 wrote to memory of 1048	3260	{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe	108
PID 3260 wrote to memory of 3496	3260	{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe	109
PID 3260 wrote to memory of 3496	3260	{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe	109
PID 3260 wrote to memory of 3496	3260	{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe	109
PID 1048 wrote to memory of 4672	1048	{5049F456-2472-43d0-855A-0544AFF22090}.exe	110
PID 1048 wrote to memory of 4672	1048	{5049F456-2472-43d0-855A-0544AFF22090}.exe	110
PID 1048 wrote to memory of 4672	1048	{5049F456-2472-43d0-855A-0544AFF22090}.exe	110
PID 1048 wrote to memory of 4556	1048	{5049F456-2472-43d0-855A-0544AFF22090}.exe	111
PID 1048 wrote to memory of 4556	1048	{5049F456-2472-43d0-855A-0544AFF22090}.exe	111
PID 1048 wrote to memory of 4556	1048	{5049F456-2472-43d0-855A-0544AFF22090}.exe	111
PID 4672 wrote to memory of 3540	4672	{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe	113
PID 4672 wrote to memory of 3540	4672	{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe	113
PID 4672 wrote to memory of 3540	4672	{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe	113
PID 4672 wrote to memory of 2680	4672	{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_e7f510277bdcd6abb5ebe0ddf96a1ffd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe
  C:\Windows\{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe
    C:\Windows\{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe
      C:\Windows\{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3688
    - - C:\Windows\{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe
        
        C:\Windows\{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3264
      - C:\Windows\{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe
        
        C:\Windows\{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe
        
        C:\Windows\{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe
        
        C:\Windows\{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe
        
        C:\Windows\{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\{5049F456-2472-43d0-855A-0544AFF22090}.exe
        
        C:\Windows\{5049F456-2472-43d0-855A-0544AFF22090}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe
        
        C:\Windows\{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88F76~1.EXE > nul
        12⤵
        
        PID:2680
        
        C:\Windows\{EC2A6DD0-1273-4524-BF9A-35A6F89913D2}.exe
        
        C:\Windows\{EC2A6DD0-1273-4524-BF9A-35A6F89913D2}.exe
        12⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5049F~1.EXE > nul
        11⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3047~1.EXE > nul
        10⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62364~1.EXE > nul
        9⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{944E5~1.EXE > nul
        8⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{281EB~1.EXE > nul
        7⤵
        
        PID:4596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C966F~1.EXE > nul
        6⤵
        
        PID:1160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71EDF~1.EXE > nul
        5⤵
        
        PID:3256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{56FAE~1.EXE > nul
      4⤵
      PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{50064~1.EXE > nul
    3⤵
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{281EBF4F-9FA7-4b65-B415-5859F2FB60CB}.exe

Filesize
197KB

MD5
94d63d2ae8bf182eac0b1870549b7517

SHA1
2a7d432b26c8c76ee973670361b1de11ab9dbfaa

SHA256
d01cba0914a56f6d552d8e69e7ba55d01d24d149252805cb64502afd03451e77

SHA512
928ec92b6941f0568230b3538bd7023f131113fffb8b90d947da7ad7150e3687f2deeda2fd662e3fe69faea029712d67a13bd8a21983c5fc3ded9c69da2ae055

Download Submit
C:\Windows\{50064FCC-0D0C-4b8b-8798-DE19A0A0CF9B}.exe

Filesize
197KB

MD5
1380ae1a8fa595344f374fc776551541

SHA1
65fafbe855e0fa9837a92a3174cbc410ac9a844d

SHA256
fcc7f7337a60b013cb3e353921924e202083975db329d9b51403c8ca6f4477d1

SHA512
01ce0efa79486243751c87b76f4b93b0f0cfdadbb7d7b5c84c3824ef04b6a3237d0831dfafe5f4c127e4ba6f430d9b58a0e386768c50eab96730792d5be17cf0

Download Submit
C:\Windows\{5049F456-2472-43d0-855A-0544AFF22090}.exe

Filesize
197KB

MD5
d4650e399bccef0123f665d46569f104

SHA1
32a1a67a26c550f42c217f97d02d0c4456e21281

SHA256
b181035a4e0e14b90f8a5fdcccdb0cfa5d19f8039c43bfaf618c4d759d3d9d6b

SHA512
4a1e8910751c98670b57fff0b4464bd9541eb7c045f9086f3e8680cac1b802e6267b2c4258caaa48b3468e33c173a20787aba8a109aaa7d53cdd0be593f64c19

Download Submit
C:\Windows\{5049F456-2472-43d0-855A-0544AFF22090}.exe

Filesize
133KB

MD5
d8a1e58acea32fca1344b2ecd2384742

SHA1
1c9e22142c524b370bc1511866d9828b5ec09d2c

SHA256
b35a4d8dbce6f9e2767886bbf1184cd1ebdbae6c7e6cab4c2fe6a1acdc8fba45

SHA512
3cde59d98bf627f3e0add13021b39d59a252370e79adb75780797334f1ffc6f485da02518e9bb40be08de8f60969c1dc2ff3eb686a8120298a41b4fac006ada8

Download Submit
C:\Windows\{56FAE80B-0B7F-4b1f-851A-191FBD30BA55}.exe

Filesize
197KB

MD5
68b536adcc231aa9a4b1d207c8cc7fbb

SHA1
8554e1cab2e37f4a95c8e92ca078965b85d99e17

SHA256
590e7549ac05384d373c5fd86f62173f05a304c55c72cca30a34566c8c5ec574

SHA512
0b547d940ac905f274f68362421f7d25a2a2cf247d8cf9d8a38531f48e2f44becb0b5551d41989311be1a60a1e9b34dab97a0adff3e7262a0b919158f06c881b

Download Submit
C:\Windows\{62364F80-AD45-4b0a-8AD6-A0CFD17CE77F}.exe

Filesize
197KB

MD5
6f743c82a50acb88e7cf48296e4b61ea

SHA1
56c09a6a3a671a0390611921c4b4a750dbc4b20b

SHA256
99eed2653ff1b2e6a000df5023174eef5fb2dc321fe3cc61873f6ac00504c201

SHA512
d88bb9c3841e31e3b7719b2bfd6ffa9d7ca044c33f8d29faf4318dd2bfbd6645b939fe3fcae2b188220701f2f2b417f7e6eaf2919e0ccc062da71257917edeb0

Download Submit
C:\Windows\{71EDF04A-F709-4f6b-A513-5311775BDC03}.exe

Filesize
197KB

MD5
a1f3496bb40a1c75506e99c65de3f2a0

SHA1
b21483d88cc58207380c6656ce9107fa269bd879

SHA256
71dd7f8ff1df38d614e3281f382bd2fdf2cc2bdb31f9f3907f5d961972ae3640

SHA512
3f5bcc7d3590d0457fb68f9bfcce7d972679321fd1513cdaec325062a70afa2f409978d3d4c867f6efee5844478f429c1edd4f938eb3a4adeea69af7aa766aa7

Download Submit
C:\Windows\{88F761B8-21CB-4609-B376-CCFCDFABC50C}.exe

Filesize
197KB

MD5
c741c1e5e38484842365d3608a6eabc8

SHA1
b12683929b1d88ccd95d4a352e27109d6df3f658

SHA256
b1e9254611312d260c7c7bdf5d1f7ff61995eddc02cdccb64acbe43c013ff3d9

SHA512
7de27d24a6bd2ffde9e082b43b89471736a95227e2702efb38d84dd800b2670fd8aa6e63303c7fc3b7552ecdf987239b2a2ef86f37d59427ca03616b816c5bff

Download Submit
C:\Windows\{944E5085-BC3E-4bfd-B0B8-A698D6276E24}.exe

Filesize
197KB

MD5
e5320507884e668e5e4f1182427d7458

SHA1
dab06c4eec8b6b8f0288cf3a2292dfbb18ef1a02

SHA256
11d43dcbf19bbdf7bea8966a2b66dfac006a3cc3be003ef16f0c101889ffe5be

SHA512
e96b799d55c1e107b99a4bc7ee0d91ef5340fe4ae48a556862bdbcd87edaef0d782a480f16e9f09f8e8214f54bcba4a4e3d49e88f4263d1875b94ab8d8ae75bb

Download Submit
C:\Windows\{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe

Filesize
197KB

MD5
dc3e7f9512b786c05b32d31fac4b41b7

SHA1
e70c050ab471b34c319f0d5216975460ed98ef39

SHA256
e8d215110013e60b9eb7ac4c13fe10c48f4c855b315c73157aacea934ccf559d

SHA512
96099b463c87947db85ec183db9bc5d4b4e4c77d365fb87c654f43e1b6b5980362a87f8ff468086e4c69d4bf8006e7531a2ac413c78441429cf4d68bcb08fc9f

Download Submit
C:\Windows\{C966FF56-ADF4-4cf9-A100-BA68F08F88D2}.exe

Filesize
108KB

MD5
f797b4ff5b8f0d2623b77c14341f82b5

SHA1
47f0309e4cf249f11cd82904c177a872d358a97f

SHA256
712ebd6a41441e57884b8dc955eec7b1f768697e729e44a624a586453b142807

SHA512
6351a244d24e4f91974346ae813f97c978d64b75904d58641a79293037889ad408107542c3e0cba6ec7a2758ad3a1875e972ac16834c283a1de18cd3c010936b

Download Submit
C:\Windows\{E30474C3-9C25-40f6-9DD6-4DED2817B252}.exe

Filesize
197KB

MD5
fb7522eda0130a8dc86bb759ef2f0458

SHA1
86fdfad6f74d03ccd449f92704d6875055f51edd

SHA256
83108ef82f1b7ef9c1fe36a52990c12ad3f543e953eed69cd0f4bbb276c93b47

SHA512
7fe6cd59e3e14a98ffac7eb819a2ea4d33020623518be7007bcba5f65e0a5c011e82c3a45d6f10e8874a128c20f9a6e4943edcac6106920c2a08e1500a2e5c0f

Download Submit
C:\Windows\{EC2A6DD0-1273-4524-BF9A-35A6F89913D2}.exe

Filesize
197KB

MD5
8eed157969f66a2a23fd52913546df7c

SHA1
6a471a2812d334c95421c0eb711751d28f74ee0f

SHA256
c977b12e6f7a17cf7945987b82abe73df4f8f754cc98ede02ad51cf9a3712c8b

SHA512
b6aead403f2a26606e8ba1152756cb5b7bfc602bbb65dfe8bbb1e125baffdcd5545c0c9bbfef9de4460cbc1e0e029fa401105dfb2d5cff9ddd1507820a8e75b9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads