aac3ca9e9ceea7a87d0a621b7111a22eb0789705ef45efb01fa8e5bcd5a39d60

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe
Size

197KB
MD5

ba2c75d2f5a5890eae7e81ddc4f57d02
SHA1

d4ba26631dc142e5c8ab6704717b992acdf130c3
SHA256

aac3ca9e9ceea7a87d0a621b7111a22eb0789705ef45efb01fa8e5bcd5a39d60
SHA512

4e2433629739c1c4811e261a85375a078fd3304c3b785c9f8d107ea00b688ad3aca8cb7fecff9a2132616802fa00e6614710315090ae7866423527642310e243
SSDEEP

3072:jEGh0o2l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGIlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000600000002312a-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002312f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023141-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002300b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002312f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002300b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000070b-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AA284CF-514B-4790-AD80-A25F252E5062}\stubpath = "C:\\Windows\\{1AA284CF-514B-4790-AD80-A25F252E5062}.exe"	{28CADE95-129A-4484-922A-8726D6E34BF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC2EA467-1E09-436c-B4DA-E95D01AF627A}	{1AA284CF-514B-4790-AD80-A25F252E5062}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}	{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}	{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}\stubpath = "C:\\Windows\\{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe"	{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9FB8D1C-8DB7-4f42-A948-2599945F4847}	{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}\stubpath = "C:\\Windows\\{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe"	{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1D69487-C0E1-4546-BBC5-BC24C4052BF2}\stubpath = "C:\\Windows\\{A1D69487-C0E1-4546-BBC5-BC24C4052BF2}.exe"	{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D3AD137-966E-42ae-92CB-A25A585DBA1D}	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D3AD137-966E-42ae-92CB-A25A585DBA1D}\stubpath = "C:\\Windows\\{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe"	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28CADE95-129A-4484-922A-8726D6E34BF6}	{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28CADE95-129A-4484-922A-8726D6E34BF6}\stubpath = "C:\\Windows\\{28CADE95-129A-4484-922A-8726D6E34BF6}.exe"	{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AA284CF-514B-4790-AD80-A25F252E5062}	{28CADE95-129A-4484-922A-8726D6E34BF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9FB8D1C-8DB7-4f42-A948-2599945F4847}\stubpath = "C:\\Windows\\{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe"	{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC2EA467-1E09-436c-B4DA-E95D01AF627A}\stubpath = "C:\\Windows\\{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe"	{1AA284CF-514B-4790-AD80-A25F252E5062}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}\stubpath = "C:\\Windows\\{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe"	{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B90750-0BCC-4aca-AFC6-C3664BFD817F}	{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B90750-0BCC-4aca-AFC6-C3664BFD817F}\stubpath = "C:\\Windows\\{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe"	{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1D69487-C0E1-4546-BBC5-BC24C4052BF2}	{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}	{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}\stubpath = "C:\\Windows\\{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe"	{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}	{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe

Executes dropped EXE 11 IoCs

pid	Process
3540	{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe
1340	{28CADE95-129A-4484-922A-8726D6E34BF6}.exe
5008	{1AA284CF-514B-4790-AD80-A25F252E5062}.exe
4680	{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe
2984	{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe
4464	{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe
2940	{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe
5012	{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe
1284	{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe
456	{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe
5084	{A1D69487-C0E1-4546-BBC5-BC24C4052BF2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe	{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe
File created	C:\Windows\{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe	{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe
File created	C:\Windows\{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe	{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe
File created	C:\Windows\{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe	{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe
File created	C:\Windows\{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe
File created	C:\Windows\{28CADE95-129A-4484-922A-8726D6E34BF6}.exe	{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe
File created	C:\Windows\{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe	{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe
File created	C:\Windows\{A1D69487-C0E1-4546-BBC5-BC24C4052BF2}.exe	{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe
File created	C:\Windows\{1AA284CF-514B-4790-AD80-A25F252E5062}.exe	{28CADE95-129A-4484-922A-8726D6E34BF6}.exe
File created	C:\Windows\{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe	{1AA284CF-514B-4790-AD80-A25F252E5062}.exe
File created	C:\Windows\{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe	{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2868	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3540	{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe
Token: SeIncBasePriorityPrivilege	1340	{28CADE95-129A-4484-922A-8726D6E34BF6}.exe
Token: SeIncBasePriorityPrivilege	5008	{1AA284CF-514B-4790-AD80-A25F252E5062}.exe
Token: SeIncBasePriorityPrivilege	4680	{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe
Token: SeIncBasePriorityPrivilege	2984	{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe
Token: SeIncBasePriorityPrivilege	4464	{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe
Token: SeIncBasePriorityPrivilege	2940	{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe
Token: SeIncBasePriorityPrivilege	5012	{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe
Token: SeIncBasePriorityPrivilege	1284	{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe
Token: SeIncBasePriorityPrivilege	456	{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3540	2868	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	84
PID 2868 wrote to memory of 3540	2868	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	84
PID 2868 wrote to memory of 3540	2868	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	84
PID 2868 wrote to memory of 3128	2868	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	85
PID 2868 wrote to memory of 3128	2868	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	85
PID 2868 wrote to memory of 3128	2868	2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe	85
PID 3540 wrote to memory of 1340	3540	{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe	90
PID 3540 wrote to memory of 1340	3540	{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe	90
PID 3540 wrote to memory of 1340	3540	{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe	90
PID 3540 wrote to memory of 2992	3540	{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe	91
PID 3540 wrote to memory of 2992	3540	{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe	91
PID 3540 wrote to memory of 2992	3540	{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe	91
PID 1340 wrote to memory of 5008	1340	{28CADE95-129A-4484-922A-8726D6E34BF6}.exe	96
PID 1340 wrote to memory of 5008	1340	{28CADE95-129A-4484-922A-8726D6E34BF6}.exe	96
PID 1340 wrote to memory of 5008	1340	{28CADE95-129A-4484-922A-8726D6E34BF6}.exe	96
PID 1340 wrote to memory of 4628	1340	{28CADE95-129A-4484-922A-8726D6E34BF6}.exe	97
PID 1340 wrote to memory of 4628	1340	{28CADE95-129A-4484-922A-8726D6E34BF6}.exe	97
PID 1340 wrote to memory of 4628	1340	{28CADE95-129A-4484-922A-8726D6E34BF6}.exe	97
PID 5008 wrote to memory of 4680	5008	{1AA284CF-514B-4790-AD80-A25F252E5062}.exe	98
PID 5008 wrote to memory of 4680	5008	{1AA284CF-514B-4790-AD80-A25F252E5062}.exe	98
PID 5008 wrote to memory of 4680	5008	{1AA284CF-514B-4790-AD80-A25F252E5062}.exe	98
PID 5008 wrote to memory of 5032	5008	{1AA284CF-514B-4790-AD80-A25F252E5062}.exe	99
PID 5008 wrote to memory of 5032	5008	{1AA284CF-514B-4790-AD80-A25F252E5062}.exe	99
PID 5008 wrote to memory of 5032	5008	{1AA284CF-514B-4790-AD80-A25F252E5062}.exe	99
PID 4680 wrote to memory of 2984	4680	{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe	100
PID 4680 wrote to memory of 2984	4680	{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe	100
PID 4680 wrote to memory of 2984	4680	{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe	100
PID 4680 wrote to memory of 2112	4680	{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe	101
PID 4680 wrote to memory of 2112	4680	{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe	101
PID 4680 wrote to memory of 2112	4680	{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe	101
PID 2984 wrote to memory of 4464	2984	{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe	102
PID 2984 wrote to memory of 4464	2984	{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe	102
PID 2984 wrote to memory of 4464	2984	{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe	102
PID 2984 wrote to memory of 2432	2984	{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe	103
PID 2984 wrote to memory of 2432	2984	{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe	103
PID 2984 wrote to memory of 2432	2984	{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe	103
PID 4464 wrote to memory of 2940	4464	{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe	104
PID 4464 wrote to memory of 2940	4464	{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe	104
PID 4464 wrote to memory of 2940	4464	{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe	104
PID 4464 wrote to memory of 1076	4464	{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe	105
PID 4464 wrote to memory of 1076	4464	{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe	105
PID 4464 wrote to memory of 1076	4464	{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe	105
PID 2940 wrote to memory of 5012	2940	{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe	106
PID 2940 wrote to memory of 5012	2940	{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe	106
PID 2940 wrote to memory of 5012	2940	{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe	106
PID 2940 wrote to memory of 1976	2940	{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe	107
PID 2940 wrote to memory of 1976	2940	{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe	107
PID 2940 wrote to memory of 1976	2940	{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe	107
PID 5012 wrote to memory of 1284	5012	{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe	108
PID 5012 wrote to memory of 1284	5012	{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe	108
PID 5012 wrote to memory of 1284	5012	{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe	108
PID 5012 wrote to memory of 5068	5012	{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe	109
PID 5012 wrote to memory of 5068	5012	{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe	109
PID 5012 wrote to memory of 5068	5012	{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe	109
PID 1284 wrote to memory of 456	1284	{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe	110
PID 1284 wrote to memory of 456	1284	{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe	110
PID 1284 wrote to memory of 456	1284	{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe	110
PID 1284 wrote to memory of 1008	1284	{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe	111
PID 1284 wrote to memory of 1008	1284	{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe	111
PID 1284 wrote to memory of 1008	1284	{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe	111
PID 456 wrote to memory of 5084	456	{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe	112
PID 456 wrote to memory of 5084	456	{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe	112
PID 456 wrote to memory of 5084	456	{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe	112
PID 456 wrote to memory of 4156	456	{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_ba2c75d2f5a5890eae7e81ddc4f57d02_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe
  C:\Windows\{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\{28CADE95-129A-4484-922A-8726D6E34BF6}.exe
    C:\Windows\{28CADE95-129A-4484-922A-8726D6E34BF6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\{1AA284CF-514B-4790-AD80-A25F252E5062}.exe
      C:\Windows\{1AA284CF-514B-4790-AD80-A25F252E5062}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Windows\{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe
        
        C:\Windows\{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4680
      - C:\Windows\{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe
        
        C:\Windows\{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe
        
        C:\Windows\{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe
        
        C:\Windows\{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe
        
        C:\Windows\{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe
        
        C:\Windows\{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe
        
        C:\Windows\{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{A1D69487-C0E1-4546-BBC5-BC24C4052BF2}.exe
        
        C:\Windows\{A1D69487-C0E1-4546-BBC5-BC24C4052BF2}.exe
        12⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89B90~1.EXE > nul
        12⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93A05~1.EXE > nul
        11⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9FB8~1.EXE > nul
        10⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE44B~1.EXE > nul
        9⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE477~1.EXE > nul
        8⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5E0B~1.EXE > nul
        7⤵
        
        PID:2432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC2EA~1.EXE > nul
        6⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AA28~1.EXE > nul
        5⤵
        
        PID:5032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{28CAD~1.EXE > nul
      4⤵
      PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3D3AD~1.EXE > nul
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1AA284CF-514B-4790-AD80-A25F252E5062}.exe

Filesize
197KB

MD5
144adbf72cdfc3f61bdac8d8615d1a00

SHA1
788b4d5f25a8b8055fff93c8b9d1c9e48459b7a0

SHA256
5b4de3629c760a3d3542367652d56adfd8fc36203f475303a5af7452ba774f41

SHA512
1816936dfb484558cc5538c5a27c5b098015995c282c42f87cde2ed8388c050a156e3e4055f6c77bbc8b4411c750d187dd4c36c7927d114de5715d4c16d34dea

Download Submit
C:\Windows\{28CADE95-129A-4484-922A-8726D6E34BF6}.exe

Filesize
197KB

MD5
f125c0a9d40c9b506e3f875274164c62

SHA1
d47a39886ccd3be2b7d499f6b9a68bea268808bd

SHA256
dcd66b52a1f01433d6363eb2fa3e2cde17ad16f56e005f0bdb7d8f3447a92135

SHA512
3c013850ad2b348be468208c8220c03a4558ef85c825482cc389367bcb18609336fc02926849be84706c0056e7bdd5a055d788b319049392c342f587bc321697

Download Submit
C:\Windows\{3D3AD137-966E-42ae-92CB-A25A585DBA1D}.exe

Filesize
197KB

MD5
937f3dcc1e2c9fe6cb7025422ecb9610

SHA1
840e2bf403820ccd50fac0fccb207f3bf69ef0f7

SHA256
cb6ceab9574a7a644922bbdfde16bc65a4cf466331a6d97b0523acc60c8cccd9

SHA512
a9f8343912e6740269861ccd0e86395e8199134baf3d8b03d18b26a90fe0992ded92301b5f9767545850e9b883392761d028bb6589e12aa144b7102f9555c517

Download Submit
C:\Windows\{89B90750-0BCC-4aca-AFC6-C3664BFD817F}.exe

Filesize
197KB

MD5
e91eeb62cdc5b011a5efba648fe90454

SHA1
bac257eb251c263ec1afa1ab459d077436d9a188

SHA256
0a91b2ba83796209ee1d3167eb9aa34c5f09d3eea5951f110ab5658c605d5509

SHA512
1ce1e872c0e03ac7edc8a4a19847c28ba40c404aee86ef719cfc5346861618a021fdde3f891d25f7f185483384e4978a288627e471bbab93817778c2fc576e04

Download Submit
C:\Windows\{93A05DC8-1A9D-4cfa-8097-19DBD9634B18}.exe

Filesize
197KB

MD5
85690575f1f40080cded7ae032a53739

SHA1
880d64581f91fc7c0c2b847edd1ff65d5bd0d60b

SHA256
37d4a41f497e472b8c62a5fac6580f273a66f1500f9d3ebead3a60b2cdcccc6a

SHA512
1f923c249a60ca4cc4a4c15f2310c528d738e3824da66c94fa6f1c5cfe4b450961545a222bd47b342a1fb268593202d52c1e4c821f38183f4bb0c702ff924118

Download Submit
C:\Windows\{A1D69487-C0E1-4546-BBC5-BC24C4052BF2}.exe

Filesize
197KB

MD5
7f1f0773e35d57cf3284318407a4d8c4

SHA1
30d92367ae3150a19752a151d5c778d0dc93e676

SHA256
07ecab4fe08bafed3242f996ae8d5f1b12955bce32462a36ac3e864a88d67afd

SHA512
ec091efa4726b47f983433656bf66bd36b7a2d468ccb3410ee273f39c72e1f842e72b68b37cb5b63d2af26472852851374cca4f8a03d6e4396e144f88c916607

Download Submit
C:\Windows\{A9FB8D1C-8DB7-4f42-A948-2599945F4847}.exe

Filesize
197KB

MD5
3e1438b458fed811ec8c955625382bca

SHA1
87982c1c3c81bc0f6353836a05f606188266c296

SHA256
4b4444c1ca9b445c437cf82d66109567305dac828603623f50a0c1acf591522d

SHA512
86d4e5642577d6758bf9c6f4c3a575266263603a355293976988018d2d572177ac7a518a0a9a55c833be779d009907fd7d2ff9e7105e9645daaf8bccf18b81ca

Download Submit
C:\Windows\{AC2EA467-1E09-436c-B4DA-E95D01AF627A}.exe

Filesize
197KB

MD5
6136b5691eeef69d4ec86607376cf697

SHA1
8e175960ada117ba7e605121180e3795221a798e

SHA256
1d96944c86cdc108298ba7fbdd5d3e81b1ee515a59a2afdef44e7dedaeb4cbec

SHA512
4ef476686064028c1b35138a7a1605e04e4fe7adfb50bf13c8731154dac04575feca447e6d64804f9de273ad7ef80168c204e9a296c8e90a19669ee71e99675a

Download Submit
C:\Windows\{C5E0B3E2-7282-4a59-A1C2-1A652CB827B0}.exe

Filesize
197KB

MD5
1d6d27d44ea4316b47ada46e15a3568b

SHA1
9c27632b67cb84f98e4101cd79681bc361adc199

SHA256
d3b769607025be7ddf2301a684be2357392d114cb970ab31e12a0901378b53b6

SHA512
43b3b2812fffdb6a535766db9aa21697d8fde9bbdde34df7ec08c1e39e7cb75485ea37ece8c3e6fd6730016ed315e1cd8f4e4039618c335d9afc264bdf7cfcbb

Download Submit
C:\Windows\{CE477DC6-D7AD-4a95-BCB9-B7DD11D8B91C}.exe

Filesize
197KB

MD5
d50fb161629944069f3cbf439e416b14

SHA1
5044e72dcca90c5bb71bf0e4d1c5e0461d518cce

SHA256
2cc2348d0c72aab6ba3397156b998478e90012b324dfe9187a343557500342d2

SHA512
80f5c7103595b38d05a98296afd1d960608c255bb5ac5a5f2c50c9ffda87fdc9801de4dbfbfd77d3fbfd1f783ca25822c8f87fdae83b3f1446448c993913be40

Download Submit
C:\Windows\{FE44B848-AFDE-4dff-8D7E-FEB3F27AD7F1}.exe

Filesize
197KB

MD5
ceccbf7bad55a3dea54f5cff249f8a46

SHA1
1babd5d5a27fa66c9edd7fcaf90991e1b755f0ad

SHA256
0e6f46bb4d6f5e3ec2dc6ee129a76c2aec0cad37d418ce63e639ed1830f77425

SHA512
90e93086ef714d23d32e9e237ed38044109f59b0e2adb8a6fa07fea60dfdb6f57069ae06b5c64a23881ccf939fab150ad6d24f83024ada1de142034f3287b04e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads