7a09b43a183020add390a6282120f0b3d26f27242bd1f82d87c17eb35056410d

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe
Size

180KB
MD5

0261ff0691822157084b12b89134cdef
SHA1

10926bd56456880084aa75e5d92b4ec098c0fffa
SHA256

7a09b43a183020add390a6282120f0b3d26f27242bd1f82d87c17eb35056410d
SHA512

cdd5867a457f37ac31f9df712a7e5ee8580789a5af26d3204708d59dba0441eab23d47b5e5796d5d05c603656e06cd41cd2696f68a682b6cfec521c1ea864b2a
SSDEEP

3072:jEGh0oelfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGgl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023138-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002313f-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002314a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002313f-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002314a-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000217fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002181f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006df-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3664E6B5-1852-4386-8E03-A5EF13827BE3}	{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{367460B3-76F5-4249-930C-72CDF0A66BF3}\stubpath = "C:\\Windows\\{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe"	{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}	{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}\stubpath = "C:\\Windows\\{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe"	{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0250B675-A806-4622-86E1-A8492CFD9EF6}	{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0250B675-A806-4622-86E1-A8492CFD9EF6}\stubpath = "C:\\Windows\\{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe"	{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99F00ED9-89EF-4b9f-A5B2-75433443B8AE}\stubpath = "C:\\Windows\\{99F00ED9-89EF-4b9f-A5B2-75433443B8AE}.exe"	{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}\stubpath = "C:\\Windows\\{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe"	{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}\stubpath = "C:\\Windows\\{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe"	{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CDEAB6F-D366-4258-A0E6-B5C985CED154}	{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BC13664-3F71-4e86-BF51-A54F92898DD2}	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3664E6B5-1852-4386-8E03-A5EF13827BE3}\stubpath = "C:\\Windows\\{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe"	{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CDEAB6F-D366-4258-A0E6-B5C985CED154}\stubpath = "C:\\Windows\\{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe"	{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBB3E995-BE08-4edc-8241-7FA36071A553}	{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}\stubpath = "C:\\Windows\\{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe"	{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BC13664-3F71-4e86-BF51-A54F92898DD2}\stubpath = "C:\\Windows\\{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe"	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{367460B3-76F5-4249-930C-72CDF0A66BF3}	{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}	{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBB3E995-BE08-4edc-8241-7FA36071A553}\stubpath = "C:\\Windows\\{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe"	{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}	{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}	{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99F00ED9-89EF-4b9f-A5B2-75433443B8AE}	{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe

Executes dropped EXE 11 IoCs

pid	Process
1080	{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe
3796	{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe
3928	{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe
3512	{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe
4456	{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe
564	{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe
2528	{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe
3628	{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe
3388	{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe
1580	{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe
4432	{99F00ED9-89EF-4b9f-A5B2-75433443B8AE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe
File created	C:\Windows\{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe	{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe
File created	C:\Windows\{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe	{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe
File created	C:\Windows\{99F00ED9-89EF-4b9f-A5B2-75433443B8AE}.exe	{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe
File created	C:\Windows\{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe	{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe
File created	C:\Windows\{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe	{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe
File created	C:\Windows\{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe	{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe
File created	C:\Windows\{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe	{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe
File created	C:\Windows\{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe	{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe
File created	C:\Windows\{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe	{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe
File created	C:\Windows\{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe	{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4432	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1080	{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe
Token: SeIncBasePriorityPrivilege	3796	{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe
Token: SeIncBasePriorityPrivilege	3928	{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe
Token: SeIncBasePriorityPrivilege	3512	{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe
Token: SeIncBasePriorityPrivilege	4456	{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe
Token: SeIncBasePriorityPrivilege	564	{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe
Token: SeIncBasePriorityPrivilege	2528	{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe
Token: SeIncBasePriorityPrivilege	3628	{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe
Token: SeIncBasePriorityPrivilege	3388	{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe
Token: SeIncBasePriorityPrivilege	1580	{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 1080	4432	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	83
PID 4432 wrote to memory of 1080	4432	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	83
PID 4432 wrote to memory of 1080	4432	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	83
PID 4432 wrote to memory of 3688	4432	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	84
PID 4432 wrote to memory of 3688	4432	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	84
PID 4432 wrote to memory of 3688	4432	2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe	84
PID 1080 wrote to memory of 3796	1080	{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe	92
PID 1080 wrote to memory of 3796	1080	{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe	92
PID 1080 wrote to memory of 3796	1080	{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe	92
PID 1080 wrote to memory of 1940	1080	{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe	93
PID 1080 wrote to memory of 1940	1080	{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe	93
PID 1080 wrote to memory of 1940	1080	{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe	93
PID 3796 wrote to memory of 3928	3796	{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe	96
PID 3796 wrote to memory of 3928	3796	{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe	96
PID 3796 wrote to memory of 3928	3796	{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe	96
PID 3796 wrote to memory of 3432	3796	{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe	95
PID 3796 wrote to memory of 3432	3796	{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe	95
PID 3796 wrote to memory of 3432	3796	{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe	95
PID 3928 wrote to memory of 3512	3928	{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe	97
PID 3928 wrote to memory of 3512	3928	{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe	97
PID 3928 wrote to memory of 3512	3928	{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe	97
PID 3928 wrote to memory of 3876	3928	{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe	98
PID 3928 wrote to memory of 3876	3928	{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe	98
PID 3928 wrote to memory of 3876	3928	{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe	98
PID 3512 wrote to memory of 4456	3512	{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe	99
PID 3512 wrote to memory of 4456	3512	{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe	99
PID 3512 wrote to memory of 4456	3512	{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe	99
PID 3512 wrote to memory of 1244	3512	{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe	100
PID 3512 wrote to memory of 1244	3512	{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe	100
PID 3512 wrote to memory of 1244	3512	{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe	100
PID 4456 wrote to memory of 564	4456	{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe	101
PID 4456 wrote to memory of 564	4456	{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe	101
PID 4456 wrote to memory of 564	4456	{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe	101
PID 4456 wrote to memory of 3572	4456	{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe	102
PID 4456 wrote to memory of 3572	4456	{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe	102
PID 4456 wrote to memory of 3572	4456	{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe	102
PID 564 wrote to memory of 2528	564	{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe	103
PID 564 wrote to memory of 2528	564	{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe	103
PID 564 wrote to memory of 2528	564	{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe	103
PID 564 wrote to memory of 384	564	{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe	104
PID 564 wrote to memory of 384	564	{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe	104
PID 564 wrote to memory of 384	564	{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe	104
PID 2528 wrote to memory of 3628	2528	{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe	105
PID 2528 wrote to memory of 3628	2528	{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe	105
PID 2528 wrote to memory of 3628	2528	{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe	105
PID 2528 wrote to memory of 2344	2528	{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe	106
PID 2528 wrote to memory of 2344	2528	{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe	106
PID 2528 wrote to memory of 2344	2528	{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe	106
PID 3628 wrote to memory of 3388	3628	{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe	107
PID 3628 wrote to memory of 3388	3628	{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe	107
PID 3628 wrote to memory of 3388	3628	{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe	107
PID 3628 wrote to memory of 3420	3628	{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe	108
PID 3628 wrote to memory of 3420	3628	{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe	108
PID 3628 wrote to memory of 3420	3628	{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe	108
PID 3388 wrote to memory of 1580	3388	{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe	109
PID 3388 wrote to memory of 1580	3388	{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe	109
PID 3388 wrote to memory of 1580	3388	{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe	109
PID 3388 wrote to memory of 2312	3388	{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe	110
PID 3388 wrote to memory of 2312	3388	{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe	110
PID 3388 wrote to memory of 2312	3388	{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe	110
PID 1580 wrote to memory of 4432	1580	{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe	112
PID 1580 wrote to memory of 4432	1580	{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe	112
PID 1580 wrote to memory of 4432	1580	{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe	112
PID 1580 wrote to memory of 3828	1580	{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-18_0261ff0691822157084b12b89134cdef_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe
  C:\Windows\{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe
    C:\Windows\{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3664E~1.EXE > nul
      4⤵
      PID:3432
  - - C:\Windows\{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe
      C:\Windows\{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3928
    - - C:\Windows\{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe
        
        C:\Windows\{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
      - C:\Windows\{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe
        
        C:\Windows\{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe
        
        C:\Windows\{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe
        
        C:\Windows\{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe
        
        C:\Windows\{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe
        
        C:\Windows\{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe
        
        C:\Windows\{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0250B~1.EXE > nul
        12⤵
        
        PID:3828
        
        C:\Windows\{99F00ED9-89EF-4b9f-A5B2-75433443B8AE}.exe
        
        C:\Windows\{99F00ED9-89EF-4b9f-A5B2-75433443B8AE}.exe
        12⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01F0C~1.EXE > nul
        11⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB5F1~1.EXE > nul
        10⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBB3E~1.EXE > nul
        9⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CDEA~1.EXE > nul
        8⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3CF2~1.EXE > nul
        7⤵
        
        PID:3572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2D6B~1.EXE > nul
        6⤵
        
        PID:1244
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36746~1.EXE > nul
        5⤵
        
        PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3BC13~1.EXE > nul
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01F0C363-6B82-4fd6-8017-DDD5EC5223B8}.exe

Filesize
180KB

MD5
c0918c8ca739b3e56210f48be2c621e8

SHA1
9b62d8982a97b0a3422564d7db2fdd1b33801825

SHA256
d211a2a43d1ae47dd853d0b75a8238b66922c87d671a2047b66c71048ac525b5

SHA512
d154750b9656e25408721b991713f4d29e3598a62c5718703d07a57250939b353fbb7da637c505f6d0eb47ad40a2def3d9acd63a4eb35fdc943c94373519cbde

Download Submit
C:\Windows\{0250B675-A806-4622-86E1-A8492CFD9EF6}.exe

Filesize
180KB

MD5
bc0ff541a9106bd8badf141d630260f1

SHA1
f748e065fdab72feab832d5b874d030ac9a2499d

SHA256
6ff76d7c8a5ff6bd73718c39202dae1cb81142eb5d9f7916db2a26fba1794afd

SHA512
46f6bd1dd61528bc6999e2fa1290abefb76abb128b761c4c090ad0b80874fc3ddd2b4112c33081515d89e5ea7e408057a8fcaeb9b1176aa607ecfedf3074789d

Download Submit
C:\Windows\{3664E6B5-1852-4386-8E03-A5EF13827BE3}.exe

Filesize
180KB

MD5
cf7fcf17ea195bc0e196bc2fa405e1fb

SHA1
95a9134e0fe18f71914e99dc309d4db78e2553bf

SHA256
e53391d282b759e02b5c854c7de9852575755801f7f0e2bcaf306b47aeb77855

SHA512
8c276a140746a539c71a804d9cee69d0742904d9fd3e802453b8b0c53651f1303b6c156f37b043960006a2beeb930cee1ddf78ebfc0f4131469c072d212cf785

Download Submit
C:\Windows\{367460B3-76F5-4249-930C-72CDF0A66BF3}.exe

Filesize
180KB

MD5
608e271538b1e00b06d0f7f7ececfb23

SHA1
bf5974007f38aa4ce19151e6f8e325e5ce2be04b

SHA256
30e72f5cf4db04814bd5676e1702390ec81142b617a911001b3135549c43e8cd

SHA512
fc2fa6576e32a5f73488428dd0645a9988e87aacd6309684ea211305a4f1eb007d022b254b64a671b75f47ffa3064061aa97fed75938940ce3f2880a2ae9fac4

Download Submit
C:\Windows\{3BC13664-3F71-4e86-BF51-A54F92898DD2}.exe

Filesize
180KB

MD5
dc3d2137d88cb57a360e4b1578c54c28

SHA1
c78dc6890bd6050e36a1a7be26ce7208d52b72bc

SHA256
a0df258b04b034407bc500d2743d26938531cf15e7fd8352c91030a4a9ee1014

SHA512
b1fc5194aa59fe5b20723673958199addf220d750d946e3c851caa4f195898da5fe65c36fe6edaf6a7c2f1f9db6fbf30a0d991e8eedafccc8f9231d071c24330

Download Submit
C:\Windows\{99F00ED9-89EF-4b9f-A5B2-75433443B8AE}.exe

Filesize
180KB

MD5
0feee34ecda5adedcfefc950ff69b6be

SHA1
42c733056b0105a2a354a942ed2d0d2d01ae72e4

SHA256
f5009e108c1e4bb50157b1df8b576178cc3cf2ff0285c43dbf0962605cbb545d

SHA512
21835d4e66bd48d3571b9004b0a0c072729a7810fa0febb0d341f19264cb888f63e968c8aa2dcb11731d30dd701c6cbdea9724fa010da0f784a8625230e5a879

Download Submit
C:\Windows\{9CDEAB6F-D366-4258-A0E6-B5C985CED154}.exe

Filesize
180KB

MD5
23851af05b622a0ea7ed6422d79fe7e5

SHA1
a0f65d8f0c3b7e23d91a406e89007df4a4957e93

SHA256
e2d229ece10721ce88af61a0635ddaf92436b2660b50ca0003c2b90d4bf1693d

SHA512
e59fc4f58ddf808830924007d3f37f885319aeb3acd859727d0084dbf69dcd23ce5c036447fd56e77a3a0cba6a56d0ce118b11fdc985dabbccae3fd64265ee56

Download Submit
C:\Windows\{BB5F1A7E-12EF-4cda-A624-9FEB1207F42E}.exe

Filesize
180KB

MD5
09cf6df1e80573286fb22adc1f448afc

SHA1
c2a5b64173f62fc9af019939baadc7e9e30cf882

SHA256
b436bbc0cd5b9fc6ffc96719278a7ec35920b27e7ba31000103bfbfe9fbfb5eb

SHA512
329a3ff4ad849de5b55da59da81a743ed070825534c3528b5ff752826dd33a39f10735dab022d08861fc38104039095f6d0e927d83c701f154cc640e70b20f6e

Download Submit
C:\Windows\{C3CF2F20-EAAF-402e-95C8-6DEE2E2C282E}.exe

Filesize
180KB

MD5
cd96b866d78c383fb8ec3abf1901d287

SHA1
02dbb44e878b9dc63b3d283101433652e2fee416

SHA256
9f3155510d4ca3999a4665c84e6521500a281c2372fc75bda7f0debf40ca74d3

SHA512
1e26801de6189c472d3bc7f7f70dad3b378914e8a9e9e58fd6f125624936855e27a4e1009274f4fff7f35a3d681fcfc05b4fde3fa9ccc6fcf48b67fecf00c677

Download Submit
C:\Windows\{EBB3E995-BE08-4edc-8241-7FA36071A553}.exe

Filesize
180KB

MD5
c6e5a765c5b04792c897f109103d4334

SHA1
a30722a2e52879a94fccdabe78c9962aff811499

SHA256
53fa59adb136e34ffca98830a9226128ef6049d9b0790b04d238c520cd301f21

SHA512
c1277d8e50aaeceb440ffa56ab3a82fac51d747c2d3cc587483e3d76dd5b82e2be473c990ede37236f9a96cf464eea0c9b18cccedbeaacb4762ddda282824fe5

Download Submit
C:\Windows\{F2D6BAD6-43F1-4644-AAD6-18DA1C7C8C61}.exe

Filesize
180KB

MD5
70d5808e5f19a7adb4426dc93b8e629e

SHA1
401244888a209e1fb3b4f7c14b672871bbf797d4

SHA256
5e09daead2f9e1399a04e2ae5f895e2c22c7bff9879a435a70b470bbc991c8d1

SHA512
599719e01f19bae1caed831b92da73268f771ebe6833b57b3b85c7527cfe2228b570ca1a668a2b4f2c232fece6aa5a0c29989ee4e12157ad500a20fef5305b02

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads