49878940f3463858d85db3d0623fad9acf32c61a002556f651ae670eb59cac5a

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
Size

216KB
MD5

632e996f941eb8b629da9f7149609861
SHA1

83518d294c1517ac2e51d2b86c56dbc74aa247fe
SHA256

49878940f3463858d85db3d0623fad9acf32c61a002556f651ae670eb59cac5a
SHA512

28fa12b26b33ccf8f17f5571051a1039cb4c81bc096f9a98b9f4d8a5f78d5feecc182938b6fec6958918890fbd26648fa2deca09b2ccb5dc4ccf1b0358660e48
SSDEEP

3072:jEGh0o+l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG0lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023234-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023229-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002323b-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023229-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022008-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000022009-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000022008-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000036-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000036-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000000036-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBF37E7D-858B-40ba-8267-585E2978D0A8}\stubpath = "C:\\Windows\\{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe"	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA41B851-1172-46e9-982C-C2FC1ABAB655}\stubpath = "C:\\Windows\\{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe"	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{452382E9-CBA9-442c-BCE8-A02107B19397}	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCA341F7-617B-4cec-B75D-37B1403394DE}\stubpath = "C:\\Windows\\{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe"	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33E2134C-BDF3-41f2-8477-35C3344104AC}	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53C23AB1-F4D2-429f-80D0-799D1A905E22}\stubpath = "C:\\Windows\\{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe"	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90D89337-14C6-4e8a-847A-35B691E00919}\stubpath = "C:\\Windows\\{90D89337-14C6-4e8a-847A-35B691E00919}.exe"	{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}\stubpath = "C:\\Windows\\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe"	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}\stubpath = "C:\\Windows\\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe"	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{452382E9-CBA9-442c-BCE8-A02107B19397}\stubpath = "C:\\Windows\\{452382E9-CBA9-442c-BCE8-A02107B19397}.exe"	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}\stubpath = "C:\\Windows\\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe"	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}\stubpath = "C:\\Windows\\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe"	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33E2134C-BDF3-41f2-8477-35C3344104AC}\stubpath = "C:\\Windows\\{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe"	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}\stubpath = "C:\\Windows\\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe"	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90D89337-14C6-4e8a-847A-35B691E00919}	{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCA341F7-617B-4cec-B75D-37B1403394DE}	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBF37E7D-858B-40ba-8267-585E2978D0A8}	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53C23AB1-F4D2-429f-80D0-799D1A905E22}	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA41B851-1172-46e9-982C-C2FC1ABAB655}	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe
4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe
2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
2608	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
2692	{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe
536	{90D89337-14C6-4e8a-847A-35B691E00919}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
File created	C:\Windows\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
File created	C:\Windows\{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
File created	C:\Windows\{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
File created	C:\Windows\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
File created	C:\Windows\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
File created	C:\Windows\{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
File created	C:\Windows\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
File created	C:\Windows\{90D89337-14C6-4e8a-847A-35B691E00919}.exe	{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe
File created	C:\Windows\{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe
File created	C:\Windows\{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
File created	C:\Windows\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe
Token: SeIncBasePriorityPrivilege	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
Token: SeIncBasePriorityPrivilege	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
Token: SeIncBasePriorityPrivilege	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
Token: SeIncBasePriorityPrivilege	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
Token: SeIncBasePriorityPrivilege	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
Token: SeIncBasePriorityPrivilege	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe
Token: SeIncBasePriorityPrivilege	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
Token: SeIncBasePriorityPrivilege	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
Token: SeIncBasePriorityPrivilege	2608	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
Token: SeIncBasePriorityPrivilege	2692	{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 4592	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	92
PID 4164 wrote to memory of 4592	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	92
PID 4164 wrote to memory of 4592	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	92
PID 4164 wrote to memory of 2708	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	93
PID 4164 wrote to memory of 2708	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	93
PID 4164 wrote to memory of 2708	4164	2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe	93
PID 4592 wrote to memory of 4316	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	94
PID 4592 wrote to memory of 4316	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	94
PID 4592 wrote to memory of 4316	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	94
PID 4592 wrote to memory of 1932	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	95
PID 4592 wrote to memory of 1932	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	95
PID 4592 wrote to memory of 1932	4592	{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe	95
PID 4316 wrote to memory of 3792	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	98
PID 4316 wrote to memory of 3792	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	98
PID 4316 wrote to memory of 3792	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	98
PID 4316 wrote to memory of 2012	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	97
PID 4316 wrote to memory of 2012	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	97
PID 4316 wrote to memory of 2012	4316	{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe	97
PID 3792 wrote to memory of 4844	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	99
PID 3792 wrote to memory of 4844	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	99
PID 3792 wrote to memory of 4844	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	99
PID 3792 wrote to memory of 1584	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	100
PID 3792 wrote to memory of 1584	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	100
PID 3792 wrote to memory of 1584	3792	{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe	100
PID 4844 wrote to memory of 876	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	101
PID 4844 wrote to memory of 876	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	101
PID 4844 wrote to memory of 876	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	101
PID 4844 wrote to memory of 1088	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	102
PID 4844 wrote to memory of 1088	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	102
PID 4844 wrote to memory of 1088	4844	{452382E9-CBA9-442c-BCE8-A02107B19397}.exe	102
PID 876 wrote to memory of 680	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	103
PID 876 wrote to memory of 680	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	103
PID 876 wrote to memory of 680	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	103
PID 876 wrote to memory of 4692	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	104
PID 876 wrote to memory of 4692	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	104
PID 876 wrote to memory of 4692	876	{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe	104
PID 680 wrote to memory of 744	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	105
PID 680 wrote to memory of 744	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	105
PID 680 wrote to memory of 744	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	105
PID 680 wrote to memory of 3092	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	106
PID 680 wrote to memory of 3092	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	106
PID 680 wrote to memory of 3092	680	{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe	106
PID 744 wrote to memory of 2784	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	107
PID 744 wrote to memory of 2784	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	107
PID 744 wrote to memory of 2784	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	107
PID 744 wrote to memory of 3728	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	108
PID 744 wrote to memory of 3728	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	108
PID 744 wrote to memory of 3728	744	{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe	108
PID 2784 wrote to memory of 4288	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	109
PID 2784 wrote to memory of 4288	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	109
PID 2784 wrote to memory of 4288	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	109
PID 2784 wrote to memory of 4236	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	110
PID 2784 wrote to memory of 4236	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	110
PID 2784 wrote to memory of 4236	2784	{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe	110
PID 4288 wrote to memory of 2608	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	111
PID 4288 wrote to memory of 2608	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	111
PID 4288 wrote to memory of 2608	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	111
PID 4288 wrote to memory of 4548	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	112
PID 4288 wrote to memory of 4548	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	112
PID 4288 wrote to memory of 4548	4288	{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe	112
PID 2608 wrote to memory of 2692	2608	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe	113
PID 2608 wrote to memory of 2692	2608	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe	113
PID 2608 wrote to memory of 2692	2608	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe	113
PID 2608 wrote to memory of 1132	2608	{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_632e996f941eb8b629da9f7149609861_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe
  C:\Windows\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
    C:\Windows\{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FA41B~1.EXE > nul
      4⤵
      PID:2012
  - - C:\Windows\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
      C:\Windows\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3792
    - - C:\Windows\{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
        
        C:\Windows\{452382E9-CBA9-442c-BCE8-A02107B19397}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Windows\{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
        
        C:\Windows\{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
        
        C:\Windows\{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe
        
        C:\Windows\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
        
        C:\Windows\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
        
        C:\Windows\{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
        
        C:\Windows\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe
        
        C:\Windows\{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\{90D89337-14C6-4e8a-847A-35B691E00919}.exe
        
        C:\Windows\{90D89337-14C6-4e8a-847A-35B691E00919}.exe
        13⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53C23~1.EXE > nul
        13⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51F8F~1.EXE > nul
        12⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33E21~1.EXE > nul
        11⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D2DE~1.EXE > nul
        10⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEE13~1.EXE > nul
        9⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBF37~1.EXE > nul
        8⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCA34~1.EXE > nul
        7⤵
        
        PID:4692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45238~1.EXE > nul
        6⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FC93~1.EXE > nul
        5⤵
        
        PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4A4BD~1.EXE > nul
    3⤵
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D2DE297-474C-41b4-BBC4-BDB6342D25E7}.exe

Filesize
216KB

MD5
a003f9d8e6557d6ff72b9b1ee3c2d0cc

SHA1
16c46de5eebf9f3c873a092b3a8492096f49bf0e

SHA256
c87ea1fa0e7a605bdb8ba3bcce0a9bdc64b701a46bad613bfa0982e1cc1f516b

SHA512
2a76f6265fc10d97ddfcd6bb011c3cc02d93c074fb6dd97d03dcc48af58ad4d789823467399a2bb1e61f127dfa10a22e86326bbe538c502782434dcc34a88308

Download Submit
C:\Windows\{33E2134C-BDF3-41f2-8477-35C3344104AC}.exe

Filesize
216KB

MD5
8e9e82bdd97302c7cbcdef5955d88c3f

SHA1
91f0c5871faf375e14f8f7a7c8251c5c2b929bae

SHA256
40827ac9daacc0976d74c3acb11b5f04c392944bc5fe877a0e308fd2127852d9

SHA512
6fb6d6aacecb3f6b11415000264bc7f5baf140d2b988f3cd5ea4c293424071acd0707124e6348bae3aabd3f5e90d76a864f90f34e352edf7c24ac2945600e2b8

Download Submit
C:\Windows\{452382E9-CBA9-442c-BCE8-A02107B19397}.exe

Filesize
216KB

MD5
c274d3e3b433e33bc265760b30463bfc

SHA1
4dd02414201a73d8a071550a42a6e612ab8cd2cb

SHA256
73e66283167b6f291cdae3aee274a30bb4239e31da4a2981287d27d6ee159972

SHA512
0e662fc5004687e75ed2d63bcc4c1d009f09d785a532db89eba5444bfb1e1f74285deffb09ecbefa485fededc1fc4b8602c12973ee0a1963bd9f5582f15c3659

Download Submit
C:\Windows\{4A4BD54D-AB67-4936-8A6D-2508642ADA4B}.exe

Filesize
216KB

MD5
d09336b705c630ecde318d31c7b001f8

SHA1
3777d1ee73287568b9914d6931b2477e40718b41

SHA256
0e572fc36f927806edcf22ded3ebd7ea362ebbba254e405ddd589a8d00d55788

SHA512
5ee766f5307c8c9d07956375ead0706c87719da099cffa414f1ebc18b871c70bbab9fcfca487e91832b35771f2cd26af2103692536c9747157bc74c4004557d3

Download Submit
C:\Windows\{51F8FA12-E2D3-4b23-9EEA-9016A9414E32}.exe

Filesize
216KB

MD5
bc257436f61fcd3532225190d04b5c2f

SHA1
881ee3cd7ce3269ea0b892ecb6482741bbe1a75b

SHA256
3a7ebbb3da3b26e87b9dee3be3a86459fbdaac89065d956e91f6269b8bff043f

SHA512
384c53b1647d9af09373b578559bc62317d71d5e33583a6f3e3c8ab729f859e694814d22bd99b72b0e143d7e8229d0e9b66cf60c851fdcc07d0d16d0fed5f0eb

Download Submit
C:\Windows\{53C23AB1-F4D2-429f-80D0-799D1A905E22}.exe

Filesize
216KB

MD5
73ca33bf80eb0e64902e220446742ae8

SHA1
06701533d9f2f33e8da913e2b1b85d56ef521a48

SHA256
30d712b9ddc16aca47077c7723f089a4f87be5764a3d25c4cd48d659ff33f0ca

SHA512
55cf23f4529b66580155e3fc11213464c3248f5ab07c9f33c330e861cdc8672786a0d5d5df7c15f3071dae26ca8d23781d008d4b0b30493e5b9dadf906472a47

Download Submit
C:\Windows\{6FC93EDE-5543-41bb-AFE0-07F5A2F7701F}.exe

Filesize
216KB

MD5
687ca8d644ae08ec18e5ddfe194ea2ad

SHA1
4e3de6682d2df59153494828c96c34ca4cad4e40

SHA256
c684091ed667abc3ff1e26128dcd03c74a4480f675ca34b1c479bd8023dc5a0f

SHA512
f57b8c4ee467854fd1afa767223af58da424c9083d14c74291c837edc1fbd71cfc86e3004d6b94611e753bbecff8c792d3aade5979ac06f1cd01c6771eb27ddc

Download Submit
C:\Windows\{90D89337-14C6-4e8a-847A-35B691E00919}.exe

Filesize
216KB

MD5
13ba5440cec0e5404c463264c5976a7d

SHA1
dcd2f232c7a328b9d1605260e96d04ced8efd31b

SHA256
9032f629024c286952a5f938eefca369a922247c9223d62e0ebacb687ff63de0

SHA512
2b49551651ac460a8037e56a1d371293fb1737a557d94d64d8fca3e5dacbcaf8040198a80cb826cd110bc1cec06021675a6bc0b000eae7b674eae070724179b5

Download Submit
C:\Windows\{BCA341F7-617B-4cec-B75D-37B1403394DE}.exe

Filesize
216KB

MD5
18d64b7f046658ada87e33962314560d

SHA1
05941e127bb57ab793199931dca1097099ecf143

SHA256
e3d3d9c024ee7f69553e75e4dcde0f1e642decd77da30c9b5717b5e951ef79a3

SHA512
e0bed7895ca6590903fb4ec2dfc95a3df02127a7f5b4a48c507155f6fc92d2c519a885746c5bad4906dce7c23375a02867d4faa09075cddf840ebebc7ac6f242

Download Submit
C:\Windows\{DBF37E7D-858B-40ba-8267-585E2978D0A8}.exe

Filesize
216KB

MD5
eff5fbec87f47e410c9f0f07fd1b0bfc

SHA1
9b379759550feaad20b43e780f6887b2a74f7614

SHA256
899e52e993050c3218fab76238254a2787f122fe0148092ee6d447724adab894

SHA512
81b4dc7957929d361bfdd3c7293e202ad5015cd32353fe05d568c0665d24a549bea453966fa6a6089ed95009340b51353b6162bc28ee7eaa4727d87cb14d9554

Download Submit
C:\Windows\{FA41B851-1172-46e9-982C-C2FC1ABAB655}.exe

Filesize
216KB

MD5
db3c339729a6f4eaabe9a64ed256ad40

SHA1
32804246244dc3f4a946b19a1dcf6da2b9a3f4c8

SHA256
c0a57abdcc44c8dd8a25be9395e6ada50b0227b940e7d98cffd6c982f0b23a05

SHA512
5a2c6af356389ae198d08fdf65d13f21cbf926c6c3d9bb2183fd057135d02c54816fa06900e6358bdc46373cc28a785bbc3fe78b0c9dc9ba02d9a6b208b8c185

Download Submit
C:\Windows\{FEE13521-220B-4f49-8FBB-B10F67CF29CF}.exe

Filesize
216KB

MD5
af066f6c5156c03633e8a81b1970a153

SHA1
aef9e1109a6c3fbe860ca46fd37037396fb69df7

SHA256
97e5f4a1b89f77d763de40ae356b116c99bd5136e02767e6a3f7c8c161e5bdbc

SHA512
f7ca75df46eac861cc10d9bca8135c437cd14067fa2ce5b204528b8b9e8db99509895267b16f2113b5a71792e47b56990e49b9925f0dc18fc8ac91560dd7e697

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads