76fe7a53f738bcda85b99a750cc2e7c355a6b0e2441170c2bfd48e2ab6a4180f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe
Size

197KB
MD5

9ef909d3ba51979af295941d9948ecdc
SHA1

c24a26328678151f6b093260e6af6f37b2a5cb4b
SHA256

76fe7a53f738bcda85b99a750cc2e7c355a6b0e2441170c2bfd48e2ab6a4180f
SHA512

442bc9071e8a7f9c0cfe21aaf297e4fdf6cd240d4f775d92314a5cc3b8cc796e92e71b785c07918adda415860ff01006a9cb8cd3e1eaea2510f623d0ee9ae31e
SSDEEP

3072:jEGh0oPl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGFlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000002320f-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023217-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321d-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023217-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002177b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002177d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002177b-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070b-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000070d-41.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00030000000006e1-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}\stubpath = "C:\\Windows\\{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe"	2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD61787C-942E-4958-B775-234572CC36F0}	{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}	{863DF561-769B-45ef-9449-8D62089D7D5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF323F85-EFE7-4620-AF8F-18005869F75F}	{EF871099-EA64-41d1-A098-9B07926D465B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2195563D-3218-476b-BCAA-2385F26D2B7E}\stubpath = "C:\\Windows\\{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe"	{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}\stubpath = "C:\\Windows\\{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe"	{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD61787C-942E-4958-B775-234572CC36F0}\stubpath = "C:\\Windows\\{DD61787C-942E-4958-B775-234572CC36F0}.exe"	{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}\stubpath = "C:\\Windows\\{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe"	{863DF561-769B-45ef-9449-8D62089D7D5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF871099-EA64-41d1-A098-9B07926D465B}	{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B41A9455-AF3C-41b1-8851-3E5F156B4B45}\stubpath = "C:\\Windows\\{B41A9455-AF3C-41b1-8851-3E5F156B4B45}.exe"	{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F781176-54D6-4773-B73D-DCCC0EECBBF5}	{B41A9455-AF3C-41b1-8851-3E5F156B4B45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F781176-54D6-4773-B73D-DCCC0EECBBF5}\stubpath = "C:\\Windows\\{9F781176-54D6-4773-B73D-DCCC0EECBBF5}.exe"	{B41A9455-AF3C-41b1-8851-3E5F156B4B45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}	2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2195563D-3218-476b-BCAA-2385F26D2B7E}	{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}	{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{863DF561-769B-45ef-9449-8D62089D7D5B}	{DD61787C-942E-4958-B775-234572CC36F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{863DF561-769B-45ef-9449-8D62089D7D5B}\stubpath = "C:\\Windows\\{863DF561-769B-45ef-9449-8D62089D7D5B}.exe"	{DD61787C-942E-4958-B775-234572CC36F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF871099-EA64-41d1-A098-9B07926D465B}\stubpath = "C:\\Windows\\{EF871099-EA64-41d1-A098-9B07926D465B}.exe"	{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF323F85-EFE7-4620-AF8F-18005869F75F}\stubpath = "C:\\Windows\\{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe"	{EF871099-EA64-41d1-A098-9B07926D465B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB38B916-4FAB-49ec-A767-2A430D7B2F31}	{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB38B916-4FAB-49ec-A767-2A430D7B2F31}\stubpath = "C:\\Windows\\{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe"	{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}	{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}\stubpath = "C:\\Windows\\{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe"	{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B41A9455-AF3C-41b1-8851-3E5F156B4B45}	{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe

Executes dropped EXE 12 IoCs

pid	Process
4864	{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe
2268	{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe
1092	{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe
1032	{DD61787C-942E-4958-B775-234572CC36F0}.exe
2824	{863DF561-769B-45ef-9449-8D62089D7D5B}.exe
1456	{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe
3912	{EF871099-EA64-41d1-A098-9B07926D465B}.exe
2912	{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe
220	{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe
4272	{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe
4132	{B41A9455-AF3C-41b1-8851-3E5F156B4B45}.exe
4268	{9F781176-54D6-4773-B73D-DCCC0EECBBF5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe	2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe
File created	C:\Windows\{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe	{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe
File created	C:\Windows\{DD61787C-942E-4958-B775-234572CC36F0}.exe	{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe
File created	C:\Windows\{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe	{863DF561-769B-45ef-9449-8D62089D7D5B}.exe
File created	C:\Windows\{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe	{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe
File created	C:\Windows\{B41A9455-AF3C-41b1-8851-3E5F156B4B45}.exe	{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe
File created	C:\Windows\{9F781176-54D6-4773-B73D-DCCC0EECBBF5}.exe	{B41A9455-AF3C-41b1-8851-3E5F156B4B45}.exe
File created	C:\Windows\{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe	{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe
File created	C:\Windows\{863DF561-769B-45ef-9449-8D62089D7D5B}.exe	{DD61787C-942E-4958-B775-234572CC36F0}.exe
File created	C:\Windows\{EF871099-EA64-41d1-A098-9B07926D465B}.exe	{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe
File created	C:\Windows\{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe	{EF871099-EA64-41d1-A098-9B07926D465B}.exe
File created	C:\Windows\{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe	{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	932	2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4864	{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe
Token: SeIncBasePriorityPrivilege	2268	{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe
Token: SeIncBasePriorityPrivilege	1092	{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe
Token: SeIncBasePriorityPrivilege	1032	{DD61787C-942E-4958-B775-234572CC36F0}.exe
Token: SeIncBasePriorityPrivilege	2824	{863DF561-769B-45ef-9449-8D62089D7D5B}.exe
Token: SeIncBasePriorityPrivilege	1456	{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe
Token: SeIncBasePriorityPrivilege	3912	{EF871099-EA64-41d1-A098-9B07926D465B}.exe
Token: SeIncBasePriorityPrivilege	2912	{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe
Token: SeIncBasePriorityPrivilege	220	{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe
Token: SeIncBasePriorityPrivilege	4272	{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe
Token: SeIncBasePriorityPrivilege	4132	{B41A9455-AF3C-41b1-8851-3E5F156B4B45}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 4864	932	2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe	89
PID 932 wrote to memory of 4864	932	2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe	89
PID 932 wrote to memory of 4864	932	2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe	89
PID 932 wrote to memory of 2184	932	2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe	90
PID 932 wrote to memory of 2184	932	2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe	90
PID 932 wrote to memory of 2184	932	2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe	90
PID 4864 wrote to memory of 2268	4864	{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe	93
PID 4864 wrote to memory of 2268	4864	{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe	93
PID 4864 wrote to memory of 2268	4864	{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe	93
PID 4864 wrote to memory of 4792	4864	{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe	94
PID 4864 wrote to memory of 4792	4864	{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe	94
PID 4864 wrote to memory of 4792	4864	{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe	94
PID 2268 wrote to memory of 1092	2268	{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe	96
PID 2268 wrote to memory of 1092	2268	{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe	96
PID 2268 wrote to memory of 1092	2268	{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe	96
PID 2268 wrote to memory of 4704	2268	{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe	97
PID 2268 wrote to memory of 4704	2268	{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe	97
PID 2268 wrote to memory of 4704	2268	{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe	97
PID 1092 wrote to memory of 1032	1092	{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe	98
PID 1092 wrote to memory of 1032	1092	{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe	98
PID 1092 wrote to memory of 1032	1092	{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe	98
PID 1092 wrote to memory of 1676	1092	{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe	99
PID 1092 wrote to memory of 1676	1092	{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe	99
PID 1092 wrote to memory of 1676	1092	{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe	99
PID 1032 wrote to memory of 2824	1032	{DD61787C-942E-4958-B775-234572CC36F0}.exe	100
PID 1032 wrote to memory of 2824	1032	{DD61787C-942E-4958-B775-234572CC36F0}.exe	100
PID 1032 wrote to memory of 2824	1032	{DD61787C-942E-4958-B775-234572CC36F0}.exe	100
PID 1032 wrote to memory of 2652	1032	{DD61787C-942E-4958-B775-234572CC36F0}.exe	101
PID 1032 wrote to memory of 2652	1032	{DD61787C-942E-4958-B775-234572CC36F0}.exe	101
PID 1032 wrote to memory of 2652	1032	{DD61787C-942E-4958-B775-234572CC36F0}.exe	101
PID 2824 wrote to memory of 1456	2824	{863DF561-769B-45ef-9449-8D62089D7D5B}.exe	102
PID 2824 wrote to memory of 1456	2824	{863DF561-769B-45ef-9449-8D62089D7D5B}.exe	102
PID 2824 wrote to memory of 1456	2824	{863DF561-769B-45ef-9449-8D62089D7D5B}.exe	102
PID 2824 wrote to memory of 4344	2824	{863DF561-769B-45ef-9449-8D62089D7D5B}.exe	103
PID 2824 wrote to memory of 4344	2824	{863DF561-769B-45ef-9449-8D62089D7D5B}.exe	103
PID 2824 wrote to memory of 4344	2824	{863DF561-769B-45ef-9449-8D62089D7D5B}.exe	103
PID 1456 wrote to memory of 3912	1456	{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe	104
PID 1456 wrote to memory of 3912	1456	{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe	104
PID 1456 wrote to memory of 3912	1456	{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe	104
PID 1456 wrote to memory of 3216	1456	{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe	105
PID 1456 wrote to memory of 3216	1456	{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe	105
PID 1456 wrote to memory of 3216	1456	{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe	105
PID 3912 wrote to memory of 2912	3912	{EF871099-EA64-41d1-A098-9B07926D465B}.exe	106
PID 3912 wrote to memory of 2912	3912	{EF871099-EA64-41d1-A098-9B07926D465B}.exe	106
PID 3912 wrote to memory of 2912	3912	{EF871099-EA64-41d1-A098-9B07926D465B}.exe	106
PID 3912 wrote to memory of 1512	3912	{EF871099-EA64-41d1-A098-9B07926D465B}.exe	107
PID 3912 wrote to memory of 1512	3912	{EF871099-EA64-41d1-A098-9B07926D465B}.exe	107
PID 3912 wrote to memory of 1512	3912	{EF871099-EA64-41d1-A098-9B07926D465B}.exe	107
PID 2912 wrote to memory of 220	2912	{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe	109
PID 2912 wrote to memory of 220	2912	{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe	109
PID 2912 wrote to memory of 220	2912	{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe	109
PID 2912 wrote to memory of 1552	2912	{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe	108
PID 2912 wrote to memory of 1552	2912	{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe	108
PID 2912 wrote to memory of 1552	2912	{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe	108
PID 220 wrote to memory of 4272	220	{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe	110
PID 220 wrote to memory of 4272	220	{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe	110
PID 220 wrote to memory of 4272	220	{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe	110
PID 220 wrote to memory of 1600	220	{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe	111
PID 220 wrote to memory of 1600	220	{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe	111
PID 220 wrote to memory of 1600	220	{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe	111
PID 4272 wrote to memory of 4132	4272	{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe	112
PID 4272 wrote to memory of 4132	4272	{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe	112
PID 4272 wrote to memory of 4132	4272	{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe	112
PID 4272 wrote to memory of 3064	4272	{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_9ef909d3ba51979af295941d9948ecdc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932
- C:\Windows\{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe
  C:\Windows\{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe
    C:\Windows\{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe
      C:\Windows\{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Windows\{DD61787C-942E-4958-B775-234572CC36F0}.exe
        
        C:\Windows\{DD61787C-942E-4958-B775-234572CC36F0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\Windows\{863DF561-769B-45ef-9449-8D62089D7D5B}.exe
        
        C:\Windows\{863DF561-769B-45ef-9449-8D62089D7D5B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe
        
        C:\Windows\{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\{EF871099-EA64-41d1-A098-9B07926D465B}.exe
        
        C:\Windows\{EF871099-EA64-41d1-A098-9B07926D465B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe
        
        C:\Windows\{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF323~1.EXE > nul
        10⤵
        
        PID:1552
        
        C:\Windows\{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe
        
        C:\Windows\{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe
        
        C:\Windows\{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\{B41A9455-AF3C-41b1-8851-3E5F156B4B45}.exe
        
        C:\Windows\{B41A9455-AF3C-41b1-8851-3E5F156B4B45}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Windows\{9F781176-54D6-4773-B73D-DCCC0EECBBF5}.exe
        
        C:\Windows\{9F781176-54D6-4773-B73D-DCCC0EECBBF5}.exe
        13⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B41A9~1.EXE > nul
        13⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80E5C~1.EXE > nul
        12⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB38B~1.EXE > nul
        11⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF871~1.EXE > nul
        9⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91B80~1.EXE > nul
        8⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{863DF~1.EXE > nul
        7⤵
        
        PID:4344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD617~1.EXE > nul
        6⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9112A~1.EXE > nul
        5⤵
        
        PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{21955~1.EXE > nul
      4⤵
      PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{52C5B~1.EXE > nul
    3⤵
    PID:4792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2195563D-3218-476b-BCAA-2385F26D2B7E}.exe

Filesize
197KB

MD5
83d9544e3c08f9427c5f8eb044131282

SHA1
5463d5c761732a15caeac6322d7f2d6847795c7d

SHA256
d21ea84b24bb9fa902b008e19a4551c659d0c458f35024b5b8026549c0da1648

SHA512
98604406e57868d2040a0e22a620949394513fee9520c03ac18216623fc11f539de665f5f1778f9a1d9e98704f29459ebb00999eb9209ac40009973e067b3657

Download Submit
C:\Windows\{52C5B0D7-6AA1-483d-BEF4-EA97827811BA}.exe

Filesize
197KB

MD5
d0102e32d44833bb2e211eed6f822c03

SHA1
6014a5e90e0e104901471fbe4099f64014b13375

SHA256
46dd1c433f4413761d5eaec61067a99c048d72427cf7b3c6fc0316f9eea208d3

SHA512
82d012885926e4ad3ef42af733c2edac81989d338c1dbba74f8d1a67a35183fb3661ab7197b7b3f1e244a6d876f8da7ad10314ccd2893b95600eac63bd4a049e

Download Submit
C:\Windows\{80E5C4E7-433F-48fe-A8F5-53A32D25BCB5}.exe

Filesize
197KB

MD5
0119d88ad13d42a79fa05893a0a4707f

SHA1
21760a94484559a512fbd4606163cbcbb34dcefc

SHA256
27b5b8233b2a085417184225ba23d673204c9e5139ca960e335b4362ecbc6680

SHA512
6d2504d6489d7d83fc5a79b29aadced1454a6009ac35bdaec159358317361e9c0e01f9d4e15074b3f1278fe6c5d3296faaf54bd9c635e968808da2fb093dae3d

Download Submit
C:\Windows\{863DF561-769B-45ef-9449-8D62089D7D5B}.exe

Filesize
197KB

MD5
c08276f283e6ea069ecbc3f9d0abe87e

SHA1
2d254f2f10250e5cbbd505cebed1fd1fb682d28d

SHA256
fc232dca8fc5c2ca763b236782f2c21b48e09fa5c4d49e9b7c706aaf5bb08001

SHA512
dc9708b25ec4179fe171d7a8dbd2fe92f43c1bbd07ee6b75cedaa1eb47c5f9504d9d338ed0fbfa480760c11032204bc1bdb7f2e589e433c391e3c83d9fc65266

Download Submit
C:\Windows\{9112A8E9-0B8F-42d7-ABA3-CD74C63E07BC}.exe

Filesize
197KB

MD5
8f2e936be3fa68603bc66d80d1ab97fe

SHA1
b432977fcf8355636b34341c05351fa6f35a3ada

SHA256
23b6b0c35b5258ef0c19e999e926893569fc13fbadbf7e156638000e0ac1e576

SHA512
5c620af9b769649d1467733778167bf2b5312710fdd3d3a562700b7770ee7ec37e6c3810ac13f99d76e714aa5279b494f21dda460ef96c531ed88092e6b15ba3

Download Submit
C:\Windows\{91B8026D-D3E2-427d-BBD8-EA99D4C8277E}.exe

Filesize
197KB

MD5
d70348512a3e38bce24736fe62ce9490

SHA1
724e2532e095357a452f98fcbb6211e9eeb548a0

SHA256
bd9c359d81a76c17c8d2e712a2e6fc1b5ee818a0e5cece5f08ee99643a3247ac

SHA512
400edc7220c396fecb8ad5a62448143aceda08fd19be9d2d36abfb4126852c36f2939f40464a45c68c8778a72fcb6044bd38d4d628dc2ff7b9723e13b9ad9d76

Download Submit
C:\Windows\{9F781176-54D6-4773-B73D-DCCC0EECBBF5}.exe

Filesize
197KB

MD5
b644b38b569c28c49b65e1c1e708e5f7

SHA1
f580794513563c5690916f7adb0221387f75614f

SHA256
83ad5aba50256227ec8ea9ad9d4cff1a35fa3862c1ac4abbe728215190a7abe1

SHA512
2f31218271af292a17d4207422851d874513169d252c5b2f764060a65a1d3f62af5c76136e871785bac66cd428a732da80d9d9d772def55fdc0e3aca9d6c8aa0

Download Submit
C:\Windows\{AB38B916-4FAB-49ec-A767-2A430D7B2F31}.exe

Filesize
197KB

MD5
9bd96898f66e495f232089713de21997

SHA1
cfa70788471031a3f1944cee9a3f90f4f9145979

SHA256
15ae86a226dade3bb3ed0c07ddb967adaa51dceb5fb4b0e4887d514191993ba4

SHA512
8eae3a7917b17c7042afa32a0c556a8915c2022e2360cb75f239c10a6ade44aca2bd9265060d816518d1618b8c3ecb85e8b82394cd4efbbdf6461c9527136de6

Download Submit
C:\Windows\{B41A9455-AF3C-41b1-8851-3E5F156B4B45}.exe

Filesize
197KB

MD5
5ea334b76b58b21a8c4236521165bb1a

SHA1
a2487e404d5649e85646c9a3269f10e2cb454360

SHA256
1ce64dfa77a2793c0850549c41c993e55b1c052cf50a796aa1ba7e2b0003ee51

SHA512
1b25e5e2d4e2b9bf00a8fa4bfe4a606b56f9e9f65cede692e722622d0271d408c5377ebc987fc7543deb72ac2c4f543e669c3709c035841f1c8bee0e4bbebbc7

Download Submit
C:\Windows\{CF323F85-EFE7-4620-AF8F-18005869F75F}.exe

Filesize
197KB

MD5
b5b20e6daf05e64d735996fc925e2309

SHA1
2b192f48c2f0ec7884c8bde54ce6624bfcef750e

SHA256
5fbb7617b075cd4722345da0d634e473bbc746afac82ec1cd98c9b208dd9685e

SHA512
c39ded0d2a2f3040173dd09ad085d1be2164343432153d9c59768f9dbc9f390e12cf230d173f649e2d07349e4ceb9c3fa6a7da3b4840c816908a0a7fdd849179

Download Submit
C:\Windows\{DD61787C-942E-4958-B775-234572CC36F0}.exe

Filesize
197KB

MD5
fa2d776aea1d48b9959d902a8b561667

SHA1
6562167f4d1652d61ef6d046e1f0137ff9a63a65

SHA256
29d0540fc0ea4dba538706b3a7171f5e8618ae2030345a104d2d5a6784c9ef2c

SHA512
2e50de859f14ed49ca5a61bbf0d41e0fc2d0ce0ef33418b380678039c7c2fe87226e10e18411f3331357ba5d6b2b4cbd76638669ba71c776ded43b129d57f265

Download Submit
C:\Windows\{EF871099-EA64-41d1-A098-9B07926D465B}.exe

Filesize
197KB

MD5
5d87a8e2f50bf8296f8e9e8b003dbfd3

SHA1
cdb2982e2b90b5c7cb2a737b82e33caacb8ca939

SHA256
cdadbdd170e4413f6f43b5c4a2a178e1bbc0a5d4248295cfb556dc343b7dda78

SHA512
8316870bf9a0c125dd246f9b52bea1d17c20d6f516c66edee486f8481d5bffa6e734e3ef5eafc91ad8282a0cadb8656cf00fca3c1bccf690aa2afca7d205f57f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads