655372c34b139d1bb2a8ff365896a8e93ccbd0ceb8cb6eaff3724a616aa457ac

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2024, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe
Size

204KB
MD5

ea76e1a1498b2b3ec513911914620492
SHA1

d9c76ed59ef5dc4ee04d00a2df6a59645e207e40
SHA256

655372c34b139d1bb2a8ff365896a8e93ccbd0ceb8cb6eaff3724a616aa457ac
SHA512

0702fc173d99333fa06eaeb76afa018f24f6f69504b83819cd0b7bdd9d30874f9f95eb3e88bcac3505b7ec7188cd9f1f5768613417ec58ca961f3c13c87ce349
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oAl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000800000002320a-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023204-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002320a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023204-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002320a-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023204-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002320a-25.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023204-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002320a-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023204-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002320a-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34CC943A-B199-4ca2-8D67-51CE5811C132}\stubpath = "C:\\Windows\\{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe"	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59805A20-6DAD-45ad-930C-617A7019E966}\stubpath = "C:\\Windows\\{59805A20-6DAD-45ad-930C-617A7019E966}.exe"	{A0944CBF-9246-47c2-B243-19156F38B032}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EE35AE8-5933-4aec-BBE2-1138242BD70E}\stubpath = "C:\\Windows\\{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe"	{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{956B4DFA-F975-4214-ABB6-A3C421FC7F89}\stubpath = "C:\\Windows\\{956B4DFA-F975-4214-ABB6-A3C421FC7F89}.exe"	{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}\stubpath = "C:\\Windows\\{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe"	{59805A20-6DAD-45ad-930C-617A7019E966}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{956B4DFA-F975-4214-ABB6-A3C421FC7F89}	{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A3A689-FB6C-48e1-8303-72E8F39D3B36}	{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}	{967ED44A-413F-4952-9E78-DB53256BE746}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}\stubpath = "C:\\Windows\\{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe"	{967ED44A-413F-4952-9E78-DB53256BE746}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{124728E5-CD1A-46bf-B0AB-A645BD5FD839}	{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0944CBF-9246-47c2-B243-19156F38B032}	{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59805A20-6DAD-45ad-930C-617A7019E966}	{A0944CBF-9246-47c2-B243-19156F38B032}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}	{59805A20-6DAD-45ad-930C-617A7019E966}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB6518C4-F339-47e5-85A3-04D39151F207}	{956B4DFA-F975-4214-ABB6-A3C421FC7F89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34CC943A-B199-4ca2-8D67-51CE5811C132}	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A3A689-FB6C-48e1-8303-72E8F39D3B36}\stubpath = "C:\\Windows\\{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe"	{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{967ED44A-413F-4952-9E78-DB53256BE746}\stubpath = "C:\\Windows\\{967ED44A-413F-4952-9E78-DB53256BE746}.exe"	{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{124728E5-CD1A-46bf-B0AB-A645BD5FD839}\stubpath = "C:\\Windows\\{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe"	{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}	{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}\stubpath = "C:\\Windows\\{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe"	{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB6518C4-F339-47e5-85A3-04D39151F207}\stubpath = "C:\\Windows\\{AB6518C4-F339-47e5-85A3-04D39151F207}.exe"	{956B4DFA-F975-4214-ABB6-A3C421FC7F89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{967ED44A-413F-4952-9E78-DB53256BE746}	{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0944CBF-9246-47c2-B243-19156F38B032}\stubpath = "C:\\Windows\\{A0944CBF-9246-47c2-B243-19156F38B032}.exe"	{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9EE35AE8-5933-4aec-BBE2-1138242BD70E}	{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe

Executes dropped EXE 11 IoCs

pid	Process
3584	{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe
3412	{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe
4256	{967ED44A-413F-4952-9E78-DB53256BE746}.exe
3736	{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe
2908	{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe
1864	{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe
3880	{A0944CBF-9246-47c2-B243-19156F38B032}.exe
460	{59805A20-6DAD-45ad-930C-617A7019E966}.exe
2164	{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe
336	{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe
4980	{956B4DFA-F975-4214-ABB6-A3C421FC7F89}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe	{967ED44A-413F-4952-9E78-DB53256BE746}.exe
File created	C:\Windows\{A0944CBF-9246-47c2-B243-19156F38B032}.exe	{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe
File created	C:\Windows\{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe	{59805A20-6DAD-45ad-930C-617A7019E966}.exe
File created	C:\Windows\{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe	{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe
File created	C:\Windows\{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe
File created	C:\Windows\{967ED44A-413F-4952-9E78-DB53256BE746}.exe	{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe
File created	C:\Windows\{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe	{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe
File created	C:\Windows\{59805A20-6DAD-45ad-930C-617A7019E966}.exe	{A0944CBF-9246-47c2-B243-19156F38B032}.exe
File created	C:\Windows\{956B4DFA-F975-4214-ABB6-A3C421FC7F89}.exe	{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe
File created	C:\Windows\{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe	{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe
File created	C:\Windows\{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe	{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1584	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3584	{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe
Token: SeIncBasePriorityPrivilege	3412	{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe
Token: SeIncBasePriorityPrivilege	4256	{967ED44A-413F-4952-9E78-DB53256BE746}.exe
Token: SeIncBasePriorityPrivilege	3736	{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe
Token: SeIncBasePriorityPrivilege	2908	{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe
Token: SeIncBasePriorityPrivilege	1864	{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe
Token: SeIncBasePriorityPrivilege	3880	{A0944CBF-9246-47c2-B243-19156F38B032}.exe
Token: SeIncBasePriorityPrivilege	460	{59805A20-6DAD-45ad-930C-617A7019E966}.exe
Token: SeIncBasePriorityPrivilege	2164	{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe
Token: SeIncBasePriorityPrivilege	336	{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3584	1584	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	89
PID 1584 wrote to memory of 3584	1584	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	89
PID 1584 wrote to memory of 3584	1584	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	89
PID 1584 wrote to memory of 1020	1584	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	90
PID 1584 wrote to memory of 1020	1584	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	90
PID 1584 wrote to memory of 1020	1584	2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe	90
PID 3584 wrote to memory of 3412	3584	{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe	91
PID 3584 wrote to memory of 3412	3584	{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe	91
PID 3584 wrote to memory of 3412	3584	{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe	91
PID 3584 wrote to memory of 1392	3584	{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe	92
PID 3584 wrote to memory of 1392	3584	{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe	92
PID 3584 wrote to memory of 1392	3584	{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe	92
PID 3412 wrote to memory of 4256	3412	{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe	94
PID 3412 wrote to memory of 4256	3412	{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe	94
PID 3412 wrote to memory of 4256	3412	{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe	94
PID 3412 wrote to memory of 4168	3412	{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe	95
PID 3412 wrote to memory of 4168	3412	{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe	95
PID 3412 wrote to memory of 4168	3412	{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe	95
PID 4256 wrote to memory of 3736	4256	{967ED44A-413F-4952-9E78-DB53256BE746}.exe	96
PID 4256 wrote to memory of 3736	4256	{967ED44A-413F-4952-9E78-DB53256BE746}.exe	96
PID 4256 wrote to memory of 3736	4256	{967ED44A-413F-4952-9E78-DB53256BE746}.exe	96
PID 4256 wrote to memory of 4448	4256	{967ED44A-413F-4952-9E78-DB53256BE746}.exe	97
PID 4256 wrote to memory of 4448	4256	{967ED44A-413F-4952-9E78-DB53256BE746}.exe	97
PID 4256 wrote to memory of 4448	4256	{967ED44A-413F-4952-9E78-DB53256BE746}.exe	97
PID 3736 wrote to memory of 2908	3736	{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe	98
PID 3736 wrote to memory of 2908	3736	{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe	98
PID 3736 wrote to memory of 2908	3736	{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe	98
PID 3736 wrote to memory of 4752	3736	{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe	99
PID 3736 wrote to memory of 4752	3736	{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe	99
PID 3736 wrote to memory of 4752	3736	{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe	99
PID 2908 wrote to memory of 1864	2908	{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe	100
PID 2908 wrote to memory of 1864	2908	{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe	100
PID 2908 wrote to memory of 1864	2908	{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe	100
PID 2908 wrote to memory of 2540	2908	{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe	101
PID 2908 wrote to memory of 2540	2908	{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe	101
PID 2908 wrote to memory of 2540	2908	{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe	101
PID 1864 wrote to memory of 3880	1864	{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe	102
PID 1864 wrote to memory of 3880	1864	{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe	102
PID 1864 wrote to memory of 3880	1864	{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe	102
PID 1864 wrote to memory of 916	1864	{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe	103
PID 1864 wrote to memory of 916	1864	{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe	103
PID 1864 wrote to memory of 916	1864	{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe	103
PID 3880 wrote to memory of 460	3880	{A0944CBF-9246-47c2-B243-19156F38B032}.exe	104
PID 3880 wrote to memory of 460	3880	{A0944CBF-9246-47c2-B243-19156F38B032}.exe	104
PID 3880 wrote to memory of 460	3880	{A0944CBF-9246-47c2-B243-19156F38B032}.exe	104
PID 3880 wrote to memory of 4672	3880	{A0944CBF-9246-47c2-B243-19156F38B032}.exe	105
PID 3880 wrote to memory of 4672	3880	{A0944CBF-9246-47c2-B243-19156F38B032}.exe	105
PID 3880 wrote to memory of 4672	3880	{A0944CBF-9246-47c2-B243-19156F38B032}.exe	105
PID 460 wrote to memory of 2164	460	{59805A20-6DAD-45ad-930C-617A7019E966}.exe	106
PID 460 wrote to memory of 2164	460	{59805A20-6DAD-45ad-930C-617A7019E966}.exe	106
PID 460 wrote to memory of 2164	460	{59805A20-6DAD-45ad-930C-617A7019E966}.exe	106
PID 460 wrote to memory of 2600	460	{59805A20-6DAD-45ad-930C-617A7019E966}.exe	107
PID 460 wrote to memory of 2600	460	{59805A20-6DAD-45ad-930C-617A7019E966}.exe	107
PID 460 wrote to memory of 2600	460	{59805A20-6DAD-45ad-930C-617A7019E966}.exe	107
PID 2164 wrote to memory of 336	2164	{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe	108
PID 2164 wrote to memory of 336	2164	{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe	108
PID 2164 wrote to memory of 336	2164	{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe	108
PID 2164 wrote to memory of 4144	2164	{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe	109
PID 2164 wrote to memory of 4144	2164	{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe	109
PID 2164 wrote to memory of 4144	2164	{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe	109
PID 336 wrote to memory of 4980	336	{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe	110
PID 336 wrote to memory of 4980	336	{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe	110
PID 336 wrote to memory of 4980	336	{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe	110
PID 336 wrote to memory of 4376	336	{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_ea76e1a1498b2b3ec513911914620492_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe
  C:\Windows\{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe
    C:\Windows\{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\{967ED44A-413F-4952-9E78-DB53256BE746}.exe
      C:\Windows\{967ED44A-413F-4952-9E78-DB53256BE746}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4256
    - - C:\Windows\{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe
        
        C:\Windows\{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
      - C:\Windows\{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe
        
        C:\Windows\{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe
        
        C:\Windows\{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\{A0944CBF-9246-47c2-B243-19156F38B032}.exe
        
        C:\Windows\{A0944CBF-9246-47c2-B243-19156F38B032}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\{59805A20-6DAD-45ad-930C-617A7019E966}.exe
        
        C:\Windows\{59805A20-6DAD-45ad-930C-617A7019E966}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe
        
        C:\Windows\{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe
        
        C:\Windows\{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\{956B4DFA-F975-4214-ABB6-A3C421FC7F89}.exe
        
        C:\Windows\{956B4DFA-F975-4214-ABB6-A3C421FC7F89}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\{AB6518C4-F339-47e5-85A3-04D39151F207}.exe
        
        C:\Windows\{AB6518C4-F339-47e5-85A3-04D39151F207}.exe
        13⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{956B4~1.EXE > nul
        13⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9EE35~1.EXE > nul
        12⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCBAE~1.EXE > nul
        11⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59805~1.EXE > nul
        10⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0944~1.EXE > nul
        9⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FDEA~1.EXE > nul
        8⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12472~1.EXE > nul
        7⤵
        
        PID:2540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D28B~1.EXE > nul
        6⤵
        
        PID:4752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{967ED~1.EXE > nul
        5⤵
        
        PID:4448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{61A3A~1.EXE > nul
      4⤵
      PID:4168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{34CC9~1.EXE > nul
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{124728E5-CD1A-46bf-B0AB-A645BD5FD839}.exe

Filesize
204KB

MD5
ea76aa9c0734632f47c59ddd3dbea45e

SHA1
08abc2c3b75b1707ec67786ed202c408b2b50fc8

SHA256
d9635a1f9c2e519bb17003f3373697d967b9ef68e0927f0becd6fa65780368ae

SHA512
f45cd445e34a3e5bf6805af4cdc57c87858147089bbbf21f6eef88a2553e07a59cac552cff55dfa873cd419fffebd2efd420961dff4aadff1752afb41a4531bf

Download Submit
C:\Windows\{2D28B311-71C7-43a0-9A0F-6A118C03CD3F}.exe

Filesize
204KB

MD5
ae60a4f4c4866324472d98dbceda1359

SHA1
80671a6a7d27d16f5187dc2a540835262e398f04

SHA256
d4ed94184f1bc471234f6bc7470858e67af78b74c7fee0647829a4b14469c595

SHA512
f05756861341d3a7fefe1b1faefed3acc7843bee7c582ec7795e8a7743e95c6c8558db3aafd7ae27bbc70f21112d776946a2f00f6b1fb00238cae5d114424ff7

Download Submit
C:\Windows\{34CC943A-B199-4ca2-8D67-51CE5811C132}.exe

Filesize
204KB

MD5
8a696185d2eb6cd5380fecde84939444

SHA1
3f624ee73405bf5b20f47c20b68164bbd86faecf

SHA256
6fe79d9f10d0ef463673cd8af6acc42f04451ef80a0dca2d9b83ed10d096a7da

SHA512
e11446d70bc70b2059201bef1f150db17b4ab4bea6c5ace03c47a0c093f65930d9e5a1bc2a4e577f1acb80e2f38f88d3e8b1bd767e276102aa4b7dd5cd51b7e0

Download Submit
C:\Windows\{4FDEAFC4-EC37-4a15-9412-0DEF9A14651E}.exe

Filesize
204KB

MD5
ab39b88527056d0e159dc2065785bcc4

SHA1
332a8f66cbf83b4b06169a29e32d0ebeacf3fba1

SHA256
853bc54a7b01b0d5e439f3310591e7e1b0fa6fd0f7e20e337554792c10bc812c

SHA512
5e09c63d4e7a4affbe7d3813853e43863108c7713eabea9e371c0c02ba0e1c010c027a25d6b32446a4472274b235478ea52336d9b5ceabc275620e64ce2bca37

Download Submit
C:\Windows\{59805A20-6DAD-45ad-930C-617A7019E966}.exe

Filesize
204KB

MD5
9989f06f44e4dfd5e89358c9c957b927

SHA1
7bd01ab43d579ca789831cadec5e4f8ce0e22828

SHA256
7e730c9ffce66e5af292bca76f7430328ca17a89600e8a1cd811a22191c1bdbe

SHA512
2a9f867ed59b4844d11ab6b77043fe1d3efbdc488bd133215ef6a9ab0670dd1652b59d133a870a2cc49502e8fc047a4b6d1cce2d392f0c16453eb914d1eb2e3b

Download Submit
C:\Windows\{61A3A689-FB6C-48e1-8303-72E8F39D3B36}.exe

Filesize
204KB

MD5
0d3b866a7c5c75993bc5b436e665210f

SHA1
778b223366d225758a4b0e2401c38d358c6c2668

SHA256
9f213e9c6622099ca6839c7a6a4c74dc4ac322e4a624a61bc4cdb1044b4b10c1

SHA512
c11acf768c4544fe57258ec688bb3307a695dc1f40c45dc9fe1803fff7f3084a5fa563d6d8d0f95ca5b22b052b7c347d380d7bbda870727f9cfe1fced029d5fe

Download Submit
C:\Windows\{956B4DFA-F975-4214-ABB6-A3C421FC7F89}.exe

Filesize
204KB

MD5
f1f2adc35fb7964a176bb0f992e1f3da

SHA1
9597992e9452b34382f017a90165f5db1fe389c8

SHA256
70175d0e587f3d5f978070c0ea81f280bf6d35a1bea4901305971ac4c025f05f

SHA512
ca51876d289240bf7053f41adfbda818197919c62ce1284e57644c7112eea867344b3ea8310645ec01506fecdcdeb5bee6d1ea00e17f936731b96cb2a13196b2

Download Submit
C:\Windows\{967ED44A-413F-4952-9E78-DB53256BE746}.exe

Filesize
204KB

MD5
e90568a2a3d44c056317aea718c12874

SHA1
377b2c0286ed8e9fea06ea04173c1c87326800d2

SHA256
cf7a5501970f47708dc0ec82d2e2e45c9a9548a5b0b67452315074ec746f7dad

SHA512
0a87da378550affd6020b319990f156c990fcdba98d96e1053fc95997c11ea8887e411cdadeb156edb20f44d7bf4f998297dd809e0388620c6e2eb70b9743426

Download Submit
C:\Windows\{9EE35AE8-5933-4aec-BBE2-1138242BD70E}.exe

Filesize
204KB

MD5
f08ca3e8d419be105478e1ec8ec7656e

SHA1
98d2a0de5f581f4afa79e68993bab0a122e77147

SHA256
87838ce79d2976e51d2b32b49bc9f74c1d4a8abf6dbc6cd65ef768dcf2c91384

SHA512
943e1cb957c088c860626e849221a950550690ec50503482786dcc96240875a4dd7d230f8de331307a0117a1cb65fa893ca5173602a83db32330ee99accf0504

Download Submit
C:\Windows\{A0944CBF-9246-47c2-B243-19156F38B032}.exe

Filesize
204KB

MD5
511d944a9ab5ec51fdc2fa65f73d9eca

SHA1
dc61df3a41d58386c9294b52e46a0ac974937d1e

SHA256
b7c29e4439e932fc054d4d252d9f07db5ab3577e2fdfdd42162686d940f60c3f

SHA512
9c8b27ab74a5e4c9ca2775ca21bf233b06b4a22f1b2f4d51365217e5b297daccd8a208c925a9677fda2baa8844b27a9d98adb12161d5e04a58cb9030607683bf

Download Submit
C:\Windows\{FCBAEBB9-A77C-4072-A7F2-B68BAC87DFF8}.exe

Filesize
204KB

MD5
ce0868940a9d7c2a1b160845446ea7ad

SHA1
46ec9a4566975ef397c2ae77ada8ee9aa9d8f8d5

SHA256
3c4567b6f3fc24e73270faac6b57bce017967ccbed56a1de303968d801f0727d

SHA512
084c86c85c80a42405e1cc2fc28356f6c618681d8614524a4b64734a5795d53e1e5d97c6a23de67f21d1d431e46bd371be5c28fd9058521cef039d7a729b22c6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads