9db3950edbff3454f1b444194d4ccb4d7642397b085219e8535c6987a0472fa4

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe
Size

197KB
MD5

2dd6d90da3f968240d607dbda919c668
SHA1

1040a917a7dac1bbcfd19e9a13a40a86198d47f0
SHA256

9db3950edbff3454f1b444194d4ccb4d7642397b085219e8535c6987a0472fa4
SHA512

541b48f33b64f80da840047e2eaf74949e0f046e7a8e9e4eed61d3f2763cce2d1e7c63615feb742a5b252ac4e3abaa89d756da008b8d5e782ea54bc70eb676d7
SSDEEP

3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGnlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023226-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023123-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023233-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023123-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000215c9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000215d0-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000215c9-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000711-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000711-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000713-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000071d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}	{59911AA0-18E9-4b71-933C-580215F35B44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}\stubpath = "C:\\Windows\\{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe"	{59911AA0-18E9-4b71-933C-580215F35B44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}\stubpath = "C:\\Windows\\{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe"	{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB57ACE1-929D-427d-A8A0-172031A55999}	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E22C5AC2-1569-44e1-A39D-6A73C1662B96}\stubpath = "C:\\Windows\\{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe"	{DB57ACE1-929D-427d-A8A0-172031A55999}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EBEB889-250F-45ea-89F9-C38675F906BA}	{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EBEB889-250F-45ea-89F9-C38675F906BA}\stubpath = "C:\\Windows\\{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe"	{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59911AA0-18E9-4b71-933C-580215F35B44}\stubpath = "C:\\Windows\\{59911AA0-18E9-4b71-933C-580215F35B44}.exe"	{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314B73B8-E953-4f9f-B465-165F2319968E}\stubpath = "C:\\Windows\\{314B73B8-E953-4f9f-B465-165F2319968E}.exe"	{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1673247-9B6D-4437-8037-0D6BC64196F2}	{314B73B8-E953-4f9f-B465-165F2319968E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{624617C5-0851-4d56-A203-774AC6EA52D5}	{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{624617C5-0851-4d56-A203-774AC6EA52D5}\stubpath = "C:\\Windows\\{624617C5-0851-4d56-A203-774AC6EA52D5}.exe"	{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}\stubpath = "C:\\Windows\\{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe"	{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59911AA0-18E9-4b71-933C-580215F35B44}	{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1673247-9B6D-4437-8037-0D6BC64196F2}\stubpath = "C:\\Windows\\{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe"	{314B73B8-E953-4f9f-B465-165F2319968E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A798127-D4FA-466e-9AB6-46ADD2ED2378}\stubpath = "C:\\Windows\\{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe"	{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21EB3241-954F-48b8-9943-38EA74768D2C}\stubpath = "C:\\Windows\\{21EB3241-954F-48b8-9943-38EA74768D2C}.exe"	{624617C5-0851-4d56-A203-774AC6EA52D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}	{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}	{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB57ACE1-929D-427d-A8A0-172031A55999}\stubpath = "C:\\Windows\\{DB57ACE1-929D-427d-A8A0-172031A55999}.exe"	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E22C5AC2-1569-44e1-A39D-6A73C1662B96}	{DB57ACE1-929D-427d-A8A0-172031A55999}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314B73B8-E953-4f9f-B465-165F2319968E}	{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A798127-D4FA-466e-9AB6-46ADD2ED2378}	{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21EB3241-954F-48b8-9943-38EA74768D2C}	{624617C5-0851-4d56-A203-774AC6EA52D5}.exe

Executes dropped EXE 12 IoCs

pid	Process
1040	{DB57ACE1-929D-427d-A8A0-172031A55999}.exe
748	{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe
3292	{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe
1212	{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe
1988	{59911AA0-18E9-4b71-933C-580215F35B44}.exe
3460	{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe
2228	{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe
2448	{314B73B8-E953-4f9f-B465-165F2319968E}.exe
968	{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe
2680	{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe
1676	{624617C5-0851-4d56-A203-774AC6EA52D5}.exe
1772	{21EB3241-954F-48b8-9943-38EA74768D2C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{21EB3241-954F-48b8-9943-38EA74768D2C}.exe	{624617C5-0851-4d56-A203-774AC6EA52D5}.exe
File created	C:\Windows\{DB57ACE1-929D-427d-A8A0-172031A55999}.exe	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe
File created	C:\Windows\{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe	{59911AA0-18E9-4b71-933C-580215F35B44}.exe
File created	C:\Windows\{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe	{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe
File created	C:\Windows\{314B73B8-E953-4f9f-B465-165F2319968E}.exe	{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe
File created	C:\Windows\{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe	{314B73B8-E953-4f9f-B465-165F2319968E}.exe
File created	C:\Windows\{624617C5-0851-4d56-A203-774AC6EA52D5}.exe	{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe
File created	C:\Windows\{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe	{DB57ACE1-929D-427d-A8A0-172031A55999}.exe
File created	C:\Windows\{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe	{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe
File created	C:\Windows\{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe	{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe
File created	C:\Windows\{59911AA0-18E9-4b71-933C-580215F35B44}.exe	{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe
File created	C:\Windows\{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe	{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5104	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1040	{DB57ACE1-929D-427d-A8A0-172031A55999}.exe
Token: SeIncBasePriorityPrivilege	748	{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe
Token: SeIncBasePriorityPrivilege	3292	{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe
Token: SeIncBasePriorityPrivilege	1212	{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe
Token: SeIncBasePriorityPrivilege	1988	{59911AA0-18E9-4b71-933C-580215F35B44}.exe
Token: SeIncBasePriorityPrivilege	3460	{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe
Token: SeIncBasePriorityPrivilege	2228	{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe
Token: SeIncBasePriorityPrivilege	2448	{314B73B8-E953-4f9f-B465-165F2319968E}.exe
Token: SeIncBasePriorityPrivilege	968	{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe
Token: SeIncBasePriorityPrivilege	2680	{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe
Token: SeIncBasePriorityPrivilege	1676	{624617C5-0851-4d56-A203-774AC6EA52D5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 1040	5104	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	89
PID 5104 wrote to memory of 1040	5104	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	89
PID 5104 wrote to memory of 1040	5104	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	89
PID 5104 wrote to memory of 2408	5104	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	90
PID 5104 wrote to memory of 2408	5104	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	90
PID 5104 wrote to memory of 2408	5104	2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe	90
PID 1040 wrote to memory of 748	1040	{DB57ACE1-929D-427d-A8A0-172031A55999}.exe	93
PID 1040 wrote to memory of 748	1040	{DB57ACE1-929D-427d-A8A0-172031A55999}.exe	93
PID 1040 wrote to memory of 748	1040	{DB57ACE1-929D-427d-A8A0-172031A55999}.exe	93
PID 1040 wrote to memory of 2104	1040	{DB57ACE1-929D-427d-A8A0-172031A55999}.exe	94
PID 1040 wrote to memory of 2104	1040	{DB57ACE1-929D-427d-A8A0-172031A55999}.exe	94
PID 1040 wrote to memory of 2104	1040	{DB57ACE1-929D-427d-A8A0-172031A55999}.exe	94
PID 748 wrote to memory of 3292	748	{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe	97
PID 748 wrote to memory of 3292	748	{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe	97
PID 748 wrote to memory of 3292	748	{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe	97
PID 748 wrote to memory of 4980	748	{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe	96
PID 748 wrote to memory of 4980	748	{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe	96
PID 748 wrote to memory of 4980	748	{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe	96
PID 3292 wrote to memory of 1212	3292	{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe	98
PID 3292 wrote to memory of 1212	3292	{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe	98
PID 3292 wrote to memory of 1212	3292	{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe	98
PID 3292 wrote to memory of 4800	3292	{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe	99
PID 3292 wrote to memory of 4800	3292	{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe	99
PID 3292 wrote to memory of 4800	3292	{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe	99
PID 1212 wrote to memory of 1988	1212	{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe	100
PID 1212 wrote to memory of 1988	1212	{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe	100
PID 1212 wrote to memory of 1988	1212	{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe	100
PID 1212 wrote to memory of 3956	1212	{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe	101
PID 1212 wrote to memory of 3956	1212	{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe	101
PID 1212 wrote to memory of 3956	1212	{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe	101
PID 1988 wrote to memory of 3460	1988	{59911AA0-18E9-4b71-933C-580215F35B44}.exe	102
PID 1988 wrote to memory of 3460	1988	{59911AA0-18E9-4b71-933C-580215F35B44}.exe	102
PID 1988 wrote to memory of 3460	1988	{59911AA0-18E9-4b71-933C-580215F35B44}.exe	102
PID 1988 wrote to memory of 3136	1988	{59911AA0-18E9-4b71-933C-580215F35B44}.exe	103
PID 1988 wrote to memory of 3136	1988	{59911AA0-18E9-4b71-933C-580215F35B44}.exe	103
PID 1988 wrote to memory of 3136	1988	{59911AA0-18E9-4b71-933C-580215F35B44}.exe	103
PID 3460 wrote to memory of 2228	3460	{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe	104
PID 3460 wrote to memory of 2228	3460	{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe	104
PID 3460 wrote to memory of 2228	3460	{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe	104
PID 3460 wrote to memory of 3288	3460	{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe	105
PID 3460 wrote to memory of 3288	3460	{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe	105
PID 3460 wrote to memory of 3288	3460	{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe	105
PID 2228 wrote to memory of 2448	2228	{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe	106
PID 2228 wrote to memory of 2448	2228	{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe	106
PID 2228 wrote to memory of 2448	2228	{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe	106
PID 2228 wrote to memory of 4908	2228	{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe	107
PID 2228 wrote to memory of 4908	2228	{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe	107
PID 2228 wrote to memory of 4908	2228	{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe	107
PID 2448 wrote to memory of 968	2448	{314B73B8-E953-4f9f-B465-165F2319968E}.exe	108
PID 2448 wrote to memory of 968	2448	{314B73B8-E953-4f9f-B465-165F2319968E}.exe	108
PID 2448 wrote to memory of 968	2448	{314B73B8-E953-4f9f-B465-165F2319968E}.exe	108
PID 2448 wrote to memory of 4576	2448	{314B73B8-E953-4f9f-B465-165F2319968E}.exe	109
PID 2448 wrote to memory of 4576	2448	{314B73B8-E953-4f9f-B465-165F2319968E}.exe	109
PID 2448 wrote to memory of 4576	2448	{314B73B8-E953-4f9f-B465-165F2319968E}.exe	109
PID 968 wrote to memory of 2680	968	{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe	110
PID 968 wrote to memory of 2680	968	{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe	110
PID 968 wrote to memory of 2680	968	{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe	110
PID 968 wrote to memory of 3036	968	{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe	111
PID 968 wrote to memory of 3036	968	{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe	111
PID 968 wrote to memory of 3036	968	{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe	111
PID 2680 wrote to memory of 1676	2680	{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe	112
PID 2680 wrote to memory of 1676	2680	{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe	112
PID 2680 wrote to memory of 1676	2680	{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe	112
PID 2680 wrote to memory of 2440	2680	{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_2dd6d90da3f968240d607dbda919c668_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\{DB57ACE1-929D-427d-A8A0-172031A55999}.exe
  C:\Windows\{DB57ACE1-929D-427d-A8A0-172031A55999}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe
    C:\Windows\{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E22C5~1.EXE > nul
      4⤵
      PID:4980
  - - C:\Windows\{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe
      C:\Windows\{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Windows\{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe
        
        C:\Windows\{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
      - C:\Windows\{59911AA0-18E9-4b71-933C-580215F35B44}.exe
        
        C:\Windows\{59911AA0-18E9-4b71-933C-580215F35B44}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe
        
        C:\Windows\{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe
        
        C:\Windows\{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\{314B73B8-E953-4f9f-B465-165F2319968E}.exe
        
        C:\Windows\{314B73B8-E953-4f9f-B465-165F2319968E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe
        
        C:\Windows\{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe
        
        C:\Windows\{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\{624617C5-0851-4d56-A203-774AC6EA52D5}.exe
        
        C:\Windows\{624617C5-0851-4d56-A203-774AC6EA52D5}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\{21EB3241-954F-48b8-9943-38EA74768D2C}.exe
        
        C:\Windows\{21EB3241-954F-48b8-9943-38EA74768D2C}.exe
        13⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62461~1.EXE > nul
        13⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A798~1.EXE > nul
        12⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1673~1.EXE > nul
        11⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{314B7~1.EXE > nul
        10⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DFE1~1.EXE > nul
        9⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14FD6~1.EXE > nul
        8⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59911~1.EXE > nul
        7⤵
        
        PID:3136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EBEB~1.EXE > nul
        6⤵
        
        PID:3956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C081A~1.EXE > nul
        5⤵
        
        PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DB57A~1.EXE > nul
    3⤵
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EBEB889-250F-45ea-89F9-C38675F906BA}.exe

Filesize
197KB

MD5
0c8466a35bd1a1f783b2a8ffec92ba6f

SHA1
dcf4ba87a7f916b5d1b4b268165385641d462d7b

SHA256
9ad21ff97b498534774e2f5b5a75800ee5ae5996d6dc75cc4737f83626740f1b

SHA512
64b9476f77a742d35b992171f69697af058852c8b5992b3f9d4d9b02d3387c9801ed4177e5d58881cbc2b01ca15382b29c708cea106eb89c9a9a44b6086b81de

Download Submit
C:\Windows\{14FD645F-2B02-41b4-A889-9F7CF9B7AEA5}.exe

Filesize
197KB

MD5
c79b505f7f12fff26287d1a8802c2f81

SHA1
e5074f450c7ce8ff472e96e0c951ddc48489162d

SHA256
0e9d23b1d2e20492083f970a9927c5829b52558090b7883d4adb13dc5a6a978a

SHA512
d33f37fa8ee1d93bafe6c77d64f62efd62dd3fc9f616a984ce03e4714d457d2ae52c4b7591ebdd629371638ec66b805639978d9a941ea9051ca91c611e84d4e5

Download Submit
C:\Windows\{21EB3241-954F-48b8-9943-38EA74768D2C}.exe

Filesize
197KB

MD5
e113ebf600a13127f9a16d7b6d37fb13

SHA1
70d56bc6579ab70746a3b7e5eecb36677e0313b5

SHA256
840f87ec187db82424a863292c1de9c380e95028849fc80394244841260e36a6

SHA512
d2dd701fa84ff8bce8296958c739f0c7acb089c42391dbc0f02ed49de51a0635301129c1925b4318d1f4d8362a098a9e08a83a33a60b1b8e953c5baba0257396

Download Submit
C:\Windows\{314B73B8-E953-4f9f-B465-165F2319968E}.exe

Filesize
197KB

MD5
93b86bb5ef3c96afb118d352b42d49d3

SHA1
20bf271fe58dfae2a03acbf0f63949e243e392c1

SHA256
7ac24e1c5fbfb2b0a5b43113797ad5a32b1a80a23794985e343d05afae4c959b

SHA512
c2ac3b280ffd2cdfa18de7b3933ad0177e79e5f5cd52eb50c553f2a21ba5c384fb760a1670c9b14b728df3863220378df550598ae3c84e8aca9e64b09c460ad0

Download Submit
C:\Windows\{3DFE12F9-3504-4c7a-9AC8-D88E8CA6DC8D}.exe

Filesize
197KB

MD5
0f887a9e3f4627d8e3fcb1698197fd37

SHA1
2071ea6b9ecaa88f37f07efaf15930958d553766

SHA256
75ac9df38aa3899145f5a0a344d964ecd3a1ca47e0e449df699cf696d6fcfaed

SHA512
c658a5a83750c010af5a0c74b3e9ab5a07757ff29ec15a564e566acaf95e33b9e6c3ff95dac134c72ce9cac4d9af02e63e14a55b27c7ddbe196b996e7d848983

Download Submit
C:\Windows\{59911AA0-18E9-4b71-933C-580215F35B44}.exe

Filesize
197KB

MD5
6e1cd3e02d3965541171cf8f1be25d7a

SHA1
5f7a7a9b60062cb08c53c5dd9b2b5ad40defd019

SHA256
abe07dafd14f96dcaa3f3aa854c64aeeac1d62135eebb963be0c485c00e796f1

SHA512
2b88ac7740aaf9c31af78ee9802a2abb7ac753dadeb8e58f99656797154f7cf8769abdbc17d33d9629eb08828def5c6dee99b8e83d2b07ee78fb151456c4f8c9

Download Submit
C:\Windows\{624617C5-0851-4d56-A203-774AC6EA52D5}.exe

Filesize
197KB

MD5
9e88bdec905c3e0bbe3dc1290bd3c27c

SHA1
d0643cc7fa34b14b608440fdf1281ace71acf16a

SHA256
32a14f3618a813e9d8c2732470f2b7b693f69cdb0897d72e8f615bbd189f7df4

SHA512
b7df542f5ec3d001453409eacb2576b1831da50c65e674da7d8918d821ea6d9cfcf65a14e1aad3daf91c564faaaf2a305aeabe1dfd9e17ad00cf00a864cd4a6a

Download Submit
C:\Windows\{6A798127-D4FA-466e-9AB6-46ADD2ED2378}.exe

Filesize
197KB

MD5
075140c5eae55b630b958a08fe78ecf9

SHA1
af9c6b6c4654799415249d65b636a780fc5689fe

SHA256
c1bb38573273c383a14c3d0699d7f744979e6cf844ed318519ea4e86ea85d055

SHA512
5f34935491e0f084653f474e278c37ddeab6601ac0d1579d08d30c788f7116cd60fbf005a902ec4ce5ef58741ad7897f543b5d3476cab716b577ef201bfabf24

Download Submit
C:\Windows\{C081A417-8AEE-4e2d-9E1A-973E8FE6579C}.exe

Filesize
197KB

MD5
01f2d33050c0baf5135bc6d89e90ea11

SHA1
f5f4a7359debab3ae7a774bab2933ea2b61e98af

SHA256
a469b4c6162e84e0f87c42fbd1613a8565b6940cef755252b207ea597d035897

SHA512
1300e0527d62597e32562dc0693679f8cea462aa498e49a1b17de4e13125fd881d8f330acaca8f7a8b6b3643e0cb1c5e9f8dd9b37b77a14f5500c853078910ba

Download Submit
C:\Windows\{DB57ACE1-929D-427d-A8A0-172031A55999}.exe

Filesize
197KB

MD5
c0d981519cbbfab931e8e2ba397fa430

SHA1
1ca997e79ec56a8d51a4fc4e98e34f305d544084

SHA256
253b3adfe85b48127ba7c24458e1b9c9f07bb399c7a0091adae83fab8a796bfc

SHA512
99687caa60cd7f2ff42bcb5cb349b9aa7c490c92e3d607fb0dda602f5edab41c2dded5b17815332ea129a723aac3ee48434bd31075f3c269b2b65b6730ab3030

Download Submit
C:\Windows\{E22C5AC2-1569-44e1-A39D-6A73C1662B96}.exe

Filesize
197KB

MD5
0c753a28f7a00695da7393adfcd9ab66

SHA1
2b297f912689549039e26e26d1a90d23b891d881

SHA256
c775f0083a603cd1acf224c5fba149b5d28000fa41623d8f0986a62330027e1d

SHA512
8556d360c5f03f1672a18b2d80f48826e60759ab1e3d3077bb32b4e2137b14192c4b0dd722bdbdd0483cfeb4884e1c7ffad9a789c88e7e5be0daa0bea05453ee

Download Submit
C:\Windows\{F1673247-9B6D-4437-8037-0D6BC64196F2}.exe

Filesize
197KB

MD5
62120d570ba4939b5a69a0c331bbdcf6

SHA1
8a3f544dec9bd96498b9cb4a46da30f4894dabbb

SHA256
31d37f5ac1f4da42864c13a9261848b8033b0fc64a75af8cc2fdf7592d27964b

SHA512
14fa3c0871bb9c3931f0dcea81f55f73f0c370c8c6714100358e7d9b954ed23d307b43394f0b30b7edcead10be1cdb071d4e18f5ff0733f1328f50d4bddebce9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads