532d2caf92465c4227983236236146db1f89379f2ea02f8e32cdd0d3a76961f8

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe
Size

204KB
MD5

e989b546a95541c29f914f9edf154be6
SHA1

9c5a86ee9139db94839f40e4459a93a4db74b3b5
SHA256

532d2caf92465c4227983236236146db1f89379f2ea02f8e32cdd0d3a76961f8
SHA512

60099902d8f5a6852b8e8798a4b97ae7cafd0a42988ebd60994f1dd6959f2b3c5b8a92331f4923f2ceb3e7e8a8ecea38472537726d3aa440a2b28ceb0c136eab
SSDEEP

1536:1EGh0oNl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oNl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023132-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002323a-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0006000000016927-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002323a-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000016927-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002323a-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000016927-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002323a-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000016927-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002323a-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000016927-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002323a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D18669-CB3A-4ba9-82C9-9562419437A7}	{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E17A538-A9FC-40ba-A39A-9711C1CAD696}	{0F3E4994-1219-4417-A322-FB71AE987F70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}	{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}\stubpath = "C:\\Windows\\{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe"	{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{923889DA-FC8D-4693-B3CE-CF79F9B14501}\stubpath = "C:\\Windows\\{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe"	{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8B92D4E-DF13-4205-BDAB-8256C85E6415}\stubpath = "C:\\Windows\\{F8B92D4E-DF13-4205-BDAB-8256C85E6415}.exe"	{FAF9523F-8AFF-46aa-90C6-4BCCB71C2074}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDE9B467-839B-4da9-8BAE-1448AE447F40}	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F3E4994-1219-4417-A322-FB71AE987F70}	{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F3E4994-1219-4417-A322-FB71AE987F70}\stubpath = "C:\\Windows\\{0F3E4994-1219-4417-A322-FB71AE987F70}.exe"	{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}	{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{923889DA-FC8D-4693-B3CE-CF79F9B14501}	{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAF9523F-8AFF-46aa-90C6-4BCCB71C2074}	{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDE9B467-839B-4da9-8BAE-1448AE447F40}\stubpath = "C:\\Windows\\{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe"	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9DDC8C3-533B-4556-B406-728889175330}	{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8177BA67-28F0-465b-9090-FABDCFA119BE}	{E9DDC8C3-533B-4556-B406-728889175330}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8177BA67-28F0-465b-9090-FABDCFA119BE}\stubpath = "C:\\Windows\\{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe"	{E9DDC8C3-533B-4556-B406-728889175330}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}	{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAF9523F-8AFF-46aa-90C6-4BCCB71C2074}\stubpath = "C:\\Windows\\{FAF9523F-8AFF-46aa-90C6-4BCCB71C2074}.exe"	{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8B92D4E-DF13-4205-BDAB-8256C85E6415}	{FAF9523F-8AFF-46aa-90C6-4BCCB71C2074}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24D18669-CB3A-4ba9-82C9-9562419437A7}\stubpath = "C:\\Windows\\{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe"	{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9DDC8C3-533B-4556-B406-728889175330}\stubpath = "C:\\Windows\\{E9DDC8C3-533B-4556-B406-728889175330}.exe"	{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E17A538-A9FC-40ba-A39A-9711C1CAD696}\stubpath = "C:\\Windows\\{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe"	{0F3E4994-1219-4417-A322-FB71AE987F70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}\stubpath = "C:\\Windows\\{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe"	{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}\stubpath = "C:\\Windows\\{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe"	{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe

Executes dropped EXE 12 IoCs

pid	Process
2252	{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe
4300	{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe
2672	{E9DDC8C3-533B-4556-B406-728889175330}.exe
3172	{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe
2072	{0F3E4994-1219-4417-A322-FB71AE987F70}.exe
3884	{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe
3588	{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe
4480	{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe
932	{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe
748	{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe
2808	{FAF9523F-8AFF-46aa-90C6-4BCCB71C2074}.exe
216	{F8B92D4E-DF13-4205-BDAB-8256C85E6415}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F8B92D4E-DF13-4205-BDAB-8256C85E6415}.exe	{FAF9523F-8AFF-46aa-90C6-4BCCB71C2074}.exe
File created	C:\Windows\{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe
File created	C:\Windows\{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe	{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe
File created	C:\Windows\{0F3E4994-1219-4417-A322-FB71AE987F70}.exe	{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe
File created	C:\Windows\{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe	{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe
File created	C:\Windows\{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe	{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe
File created	C:\Windows\{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe	{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe
File created	C:\Windows\{E9DDC8C3-533B-4556-B406-728889175330}.exe	{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe
File created	C:\Windows\{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe	{E9DDC8C3-533B-4556-B406-728889175330}.exe
File created	C:\Windows\{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe	{0F3E4994-1219-4417-A322-FB71AE987F70}.exe
File created	C:\Windows\{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe	{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe
File created	C:\Windows\{FAF9523F-8AFF-46aa-90C6-4BCCB71C2074}.exe	{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3920	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2252	{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe
Token: SeIncBasePriorityPrivilege	4300	{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe
Token: SeIncBasePriorityPrivilege	2672	{E9DDC8C3-533B-4556-B406-728889175330}.exe
Token: SeIncBasePriorityPrivilege	3172	{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe
Token: SeIncBasePriorityPrivilege	2072	{0F3E4994-1219-4417-A322-FB71AE987F70}.exe
Token: SeIncBasePriorityPrivilege	3884	{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe
Token: SeIncBasePriorityPrivilege	3588	{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe
Token: SeIncBasePriorityPrivilege	4480	{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe
Token: SeIncBasePriorityPrivilege	932	{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe
Token: SeIncBasePriorityPrivilege	748	{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe
Token: SeIncBasePriorityPrivilege	2808	{FAF9523F-8AFF-46aa-90C6-4BCCB71C2074}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 2252	3920	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	88
PID 3920 wrote to memory of 2252	3920	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	88
PID 3920 wrote to memory of 2252	3920	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	88
PID 3920 wrote to memory of 2632	3920	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	89
PID 3920 wrote to memory of 2632	3920	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	89
PID 3920 wrote to memory of 2632	3920	2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe	89
PID 2252 wrote to memory of 4300	2252	{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe	90
PID 2252 wrote to memory of 4300	2252	{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe	90
PID 2252 wrote to memory of 4300	2252	{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe	90
PID 2252 wrote to memory of 4792	2252	{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe	91
PID 2252 wrote to memory of 4792	2252	{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe	91
PID 2252 wrote to memory of 4792	2252	{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe	91
PID 4300 wrote to memory of 2672	4300	{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe	95
PID 4300 wrote to memory of 2672	4300	{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe	95
PID 4300 wrote to memory of 2672	4300	{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe	95
PID 4300 wrote to memory of 1300	4300	{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe	96
PID 4300 wrote to memory of 1300	4300	{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe	96
PID 4300 wrote to memory of 1300	4300	{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe	96
PID 2672 wrote to memory of 3172	2672	{E9DDC8C3-533B-4556-B406-728889175330}.exe	97
PID 2672 wrote to memory of 3172	2672	{E9DDC8C3-533B-4556-B406-728889175330}.exe	97
PID 2672 wrote to memory of 3172	2672	{E9DDC8C3-533B-4556-B406-728889175330}.exe	97
PID 2672 wrote to memory of 4288	2672	{E9DDC8C3-533B-4556-B406-728889175330}.exe	98
PID 2672 wrote to memory of 4288	2672	{E9DDC8C3-533B-4556-B406-728889175330}.exe	98
PID 2672 wrote to memory of 4288	2672	{E9DDC8C3-533B-4556-B406-728889175330}.exe	98
PID 3172 wrote to memory of 2072	3172	{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe	99
PID 3172 wrote to memory of 2072	3172	{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe	99
PID 3172 wrote to memory of 2072	3172	{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe	99
PID 3172 wrote to memory of 3480	3172	{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe	100
PID 3172 wrote to memory of 3480	3172	{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe	100
PID 3172 wrote to memory of 3480	3172	{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe	100
PID 2072 wrote to memory of 3884	2072	{0F3E4994-1219-4417-A322-FB71AE987F70}.exe	101
PID 2072 wrote to memory of 3884	2072	{0F3E4994-1219-4417-A322-FB71AE987F70}.exe	101
PID 2072 wrote to memory of 3884	2072	{0F3E4994-1219-4417-A322-FB71AE987F70}.exe	101
PID 2072 wrote to memory of 4324	2072	{0F3E4994-1219-4417-A322-FB71AE987F70}.exe	102
PID 2072 wrote to memory of 4324	2072	{0F3E4994-1219-4417-A322-FB71AE987F70}.exe	102
PID 2072 wrote to memory of 4324	2072	{0F3E4994-1219-4417-A322-FB71AE987F70}.exe	102
PID 3884 wrote to memory of 3588	3884	{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe	103
PID 3884 wrote to memory of 3588	3884	{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe	103
PID 3884 wrote to memory of 3588	3884	{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe	103
PID 3884 wrote to memory of 2696	3884	{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe	104
PID 3884 wrote to memory of 2696	3884	{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe	104
PID 3884 wrote to memory of 2696	3884	{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe	104
PID 3588 wrote to memory of 4480	3588	{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe	105
PID 3588 wrote to memory of 4480	3588	{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe	105
PID 3588 wrote to memory of 4480	3588	{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe	105
PID 3588 wrote to memory of 1776	3588	{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe	106
PID 3588 wrote to memory of 1776	3588	{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe	106
PID 3588 wrote to memory of 1776	3588	{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe	106
PID 4480 wrote to memory of 932	4480	{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe	107
PID 4480 wrote to memory of 932	4480	{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe	107
PID 4480 wrote to memory of 932	4480	{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe	107
PID 4480 wrote to memory of 2024	4480	{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe	108
PID 4480 wrote to memory of 2024	4480	{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe	108
PID 4480 wrote to memory of 2024	4480	{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe	108
PID 932 wrote to memory of 748	932	{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe	109
PID 932 wrote to memory of 748	932	{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe	109
PID 932 wrote to memory of 748	932	{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe	109
PID 932 wrote to memory of 2692	932	{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe	110
PID 932 wrote to memory of 2692	932	{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe	110
PID 932 wrote to memory of 2692	932	{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe	110
PID 748 wrote to memory of 2808	748	{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe	111
PID 748 wrote to memory of 2808	748	{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe	111
PID 748 wrote to memory of 2808	748	{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe	111
PID 748 wrote to memory of 3664	748	{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_e989b546a95541c29f914f9edf154be6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe
  C:\Windows\{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe
    C:\Windows\{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\{E9DDC8C3-533B-4556-B406-728889175330}.exe
      C:\Windows\{E9DDC8C3-533B-4556-B406-728889175330}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe
        
        C:\Windows\{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3172
      - C:\Windows\{0F3E4994-1219-4417-A322-FB71AE987F70}.exe
        
        C:\Windows\{0F3E4994-1219-4417-A322-FB71AE987F70}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe
        
        C:\Windows\{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe
        
        C:\Windows\{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe
        
        C:\Windows\{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe
        
        C:\Windows\{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe
        
        C:\Windows\{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\{FAF9523F-8AFF-46aa-90C6-4BCCB71C2074}.exe
        
        C:\Windows\{FAF9523F-8AFF-46aa-90C6-4BCCB71C2074}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\{F8B92D4E-DF13-4205-BDAB-8256C85E6415}.exe
        
        C:\Windows\{F8B92D4E-DF13-4205-BDAB-8256C85E6415}.exe
        13⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAF95~1.EXE > nul
        13⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD8A3~1.EXE > nul
        12⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92388~1.EXE > nul
        11⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F811~1.EXE > nul
        10⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E122E~1.EXE > nul
        9⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E17A~1.EXE > nul
        8⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F3E4~1.EXE > nul
        7⤵
        
        PID:4324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8177B~1.EXE > nul
        6⤵
        
        PID:3480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9DDC~1.EXE > nul
        5⤵
        
        PID:4288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{24D18~1.EXE > nul
      4⤵
      PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BDE9B~1.EXE > nul
    3⤵
    PID:4792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F3E4994-1219-4417-A322-FB71AE987F70}.exe

Filesize
204KB

MD5
7a5f1424d27569d17656a4ffe3a601d6

SHA1
fffd8c4f37181ba8a57dfc5931a76b7e0ec76a34

SHA256
6e623044ad5ee625621c39d784b886024a6770681d1a24453a33e45d68c07e41

SHA512
30fd581daed2af6d1e57a20e7cd7c906530e4ec58c9887fb1fe795c5ece55e5c6a7bb2e4ee70ed0d7bcf2a4e751cd24b7fda9b495b6770976b9e7ed3eeea092b

Download Submit
C:\Windows\{24D18669-CB3A-4ba9-82C9-9562419437A7}.exe

Filesize
204KB

MD5
c7a7c03261f584ca8fd314d4348af256

SHA1
f2feeccdf18c601a249142147e6ca6df25d90b3e

SHA256
f57f6b04cb3f44cd07e005bc9762812f4befb1fd86e7a5f25d078820a7b00d1b

SHA512
1bb3f09c565a898c7b4ddd0770726b8d743cb89946313aab6648623c859bcb4b58fd7944163a18c7a715f3e93352ce368b929f92da189c246da5ce2bfcae6b5e

Download Submit
C:\Windows\{5F8118E6-9E2F-41de-80AB-7AA15CBD6175}.exe

Filesize
204KB

MD5
eed29bd360b8c262e9e6cce400c34033

SHA1
0b171bb1b4430a0890f942479a0d64b3b15fbdf2

SHA256
3cd38f058ac4b994a0fbea5c2797c2257bfe4c822a55a3060049c0b91adbcb29

SHA512
3c08e96e5a091db540218406c4e1f2f746a2f1bf3064fc3e16797af709d29cf886de25ee262d18f566199d20d25be1f4768294f44e1549f7b29886aaa56c40fa

Download Submit
C:\Windows\{8177BA67-28F0-465b-9090-FABDCFA119BE}.exe

Filesize
204KB

MD5
9410dd3e79d3e85725eda1e5f90ee5bc

SHA1
2d3679ec0e230eeb2230b2f493d257720a59ea9b

SHA256
11cc04f9d3147bfcc48379559810df669baa84755c882209f0188b643003d7c5

SHA512
7b31e13d5e94538b8ae3629429b4b1641281ddc57220d4befbd3660e78a1e84c8756f14132911f52b6239f61ceac16a5f8c2de400d6f64fd88edd6f8183343fe

Download Submit
C:\Windows\{8E17A538-A9FC-40ba-A39A-9711C1CAD696}.exe

Filesize
204KB

MD5
af355bbc26c1ba9d42874a2b48c87261

SHA1
44d670e343fddf2b1221cc1c0c6153c362176a30

SHA256
46fa4f68bc074361693760d1034f4ec1df4d72bdc5a95c53d461dcd96fc1281e

SHA512
b93f8dbf95876651e45f1a831a17af53e3ef4114b09a9ba544c937d66eac276034d229799ebe9a6e2d55a5580308a6ea3f36927ccf1fcabf92f3ca1de0ed1c7d

Download Submit
C:\Windows\{923889DA-FC8D-4693-B3CE-CF79F9B14501}.exe

Filesize
204KB

MD5
0acd6aa06cda9ade6a06dcef4c95cddc

SHA1
fe3b34107aa09e2e90f26df58fba01bd399c52b8

SHA256
ae8afbfbbee603cdeb6eee35cabb582f8dbf56f9358f9a70a4425f6d2c1d4417

SHA512
bdcc4ddf744cea8cfa646d5e86b611b52f7f84ee29317f07428ff5866f62b44f4eea5d07b16df3600e01537fb9b34f0617e9e239f4a1a71f28f7d066e6d342ae

Download Submit
C:\Windows\{AD8A3175-1960-43c6-ABA3-19FDDBC550AE}.exe

Filesize
204KB

MD5
c5f7f707ba8f92f0a263d6b16226dc8d

SHA1
b917fd219adb466845bd89a9c272020407c77381

SHA256
8297069dc8231e93da117c3035e02090c7b9ff57cd84140ecac8a4781e2de413

SHA512
8854d3792026e887e67f2bbd6d8bada6fb3ff9b22ab378f052dc77acd59facb0f034fbb7569146a3d36e75e237ca1f0407cccd82e8ae9a2a45ca341075f09d08

Download Submit
C:\Windows\{BDE9B467-839B-4da9-8BAE-1448AE447F40}.exe

Filesize
204KB

MD5
027bafade0dc98f312ffaa227d4adb7b

SHA1
d1819e08b92cbc91cecbad4dc7637881f692a2d5

SHA256
10dc1f9f0d536dcd04a37a8db900499d0e972ef9b82240d9f3abc4d8b0b738e2

SHA512
2a72e6551724f7993062cf7d5eb2e6a6e6aef43d161fc21156cbe7c411fbec0e0240f87a3795d775c102901e801a54d260250eeff2f0ca601bedf41169689812

Download Submit
C:\Windows\{E122EC3C-74E0-4de8-B902-E2C8F5A0B7EB}.exe

Filesize
204KB

MD5
1ee343ca810ef71315e3c49d544fd82a

SHA1
08a68f503d9a5134772ea13d2667faf8a3687047

SHA256
72962f4a6db1daa27485d0988ffaf85c0b96cdbf2d0c49523d764817ba4bf7b2

SHA512
e0d0b8cd75342909c51cad489300d8aa878d964bc88016a83bbbb780ca9f843ea0b0f648798805bf9141a20afe63dc6269acaf5d07edbc96ad35fb12961d30b4

Download Submit
C:\Windows\{E9DDC8C3-533B-4556-B406-728889175330}.exe

Filesize
204KB

MD5
f9b82585ed6e9de09af04ed9ba334766

SHA1
6cd1c799c86516531c772d1db4065a38e2534cb2

SHA256
39f65eebdfd55a05ea62767599e0a706f12a501ee992c643dd8cc10124d1c05c

SHA512
6dbdee24d5ceffb1a73d8f83c397ab5663c9367f4656e7622e735b2f61649ca85d03c8fe43cc7211d451d23d473771a49ef348a183baa169b9ea876d9ddd6ec9

Download Submit
C:\Windows\{F8B92D4E-DF13-4205-BDAB-8256C85E6415}.exe

Filesize
204KB

MD5
b6ce5e5e5428db716ab0419d4f65b096

SHA1
f4eb56f3078f7ac7395b36fa024ef3a7fa82a0bd

SHA256
bd21d09a94244f3002c56c1890ac9a6a907aa8ce47ea94b0bbcaf536e9fc8925

SHA512
28075d26d246ea53c3c44120c432f4126793785cab6460387d6a743d2dc06a477c1b1f6373c9619abf3312efbcffdbd491444104a5d77c99755333d6f44915ba

Download Submit
C:\Windows\{FAF9523F-8AFF-46aa-90C6-4BCCB71C2074}.exe

Filesize
204KB

MD5
257699d6566e05af1d892b689198fb03

SHA1
a85a6a7535115649e536d0bfc6d40fc2d0b4a6b5

SHA256
83c2f9ef2808624cc112b94c1ee6dc9cf01225b4d067fd2cebc5ca55f3a9480f

SHA512
6ed4dd20aeed190bceefd9c4c7649e1cbf0c6ca8691ae31bc05307f9128f69fff8eafa1bf01b6e01d0b64ddab1aca039aa047bee2ab0f227e0a8ee77ac31fe2e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads