ddff43abb5114f099634268016e100b16f24a3be0a45b8f951378303cb67d0c4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe
Size

408KB
MD5

65beb50930bc3dd7dcfc323ee53d315e
SHA1

721a04fe3670b824b368bc9dfa134489e46ab254
SHA256

ddff43abb5114f099634268016e100b16f24a3be0a45b8f951378303cb67d0c4
SHA512

32efc01c1c9eee183e2ea6e1f8b9b6e45774792af135a6c955d93c2111b3770394349ae5a1bf3543bd6ce096a39ebf7098e76db335d01018bdf0cfa513f4a33e
SSDEEP

3072:CEGh0o0l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGOldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000600000001e6f6-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e6f9-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e7d6-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e75b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e7d6-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e75b-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e7d6-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e75b-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e7d6-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e75b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e7cc-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e75b-45.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{542205E7-2256-4db2-B4C8-48960375C856}	{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D26C2374-BA84-4be3-9ED9-DBD286113248}	{542205E7-2256-4db2-B4C8-48960375C856}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}	{79D11F21-1484-40c7-B28D-94036DA201E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{320F395C-A778-44e1-8462-1931BFEF154C}	{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F3D89F2-62AE-45c2-A398-72D5A778FE19}\stubpath = "C:\\Windows\\{8F3D89F2-62AE-45c2-A398-72D5A778FE19}.exe"	{320F395C-A778-44e1-8462-1931BFEF154C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD30AD37-B783-424c-B154-02D7FC8694F0}	{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD30AD37-B783-424c-B154-02D7FC8694F0}\stubpath = "C:\\Windows\\{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe"	{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{884366E7-C1BA-4106-8D2A-5D4FAA24549C}	{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{884366E7-C1BA-4106-8D2A-5D4FAA24549C}\stubpath = "C:\\Windows\\{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe"	{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{320F395C-A778-44e1-8462-1931BFEF154C}\stubpath = "C:\\Windows\\{320F395C-A778-44e1-8462-1931BFEF154C}.exe"	{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F3D89F2-62AE-45c2-A398-72D5A778FE19}	{320F395C-A778-44e1-8462-1931BFEF154C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699A9FFF-4B92-4d46-B78D-8E0A69625BBB}	{8F3D89F2-62AE-45c2-A398-72D5A778FE19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{699A9FFF-4B92-4d46-B78D-8E0A69625BBB}\stubpath = "C:\\Windows\\{699A9FFF-4B92-4d46-B78D-8E0A69625BBB}.exe"	{8F3D89F2-62AE-45c2-A398-72D5A778FE19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D878813C-2BF3-4c2a-979C-394FB8619E3A}	{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D878813C-2BF3-4c2a-979C-394FB8619E3A}\stubpath = "C:\\Windows\\{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe"	{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79D11F21-1484-40c7-B28D-94036DA201E7}	{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}\stubpath = "C:\\Windows\\{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe"	{79D11F21-1484-40c7-B28D-94036DA201E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4E03546-8BAC-4440-B677-389CDCB1A15C}	{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4E03546-8BAC-4440-B677-389CDCB1A15C}\stubpath = "C:\\Windows\\{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe"	{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79D11F21-1484-40c7-B28D-94036DA201E7}\stubpath = "C:\\Windows\\{79D11F21-1484-40c7-B28D-94036DA201E7}.exe"	{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AB99B5C-1E15-4a81-AD5E-99869C044089}	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AB99B5C-1E15-4a81-AD5E-99869C044089}\stubpath = "C:\\Windows\\{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe"	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{542205E7-2256-4db2-B4C8-48960375C856}\stubpath = "C:\\Windows\\{542205E7-2256-4db2-B4C8-48960375C856}.exe"	{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D26C2374-BA84-4be3-9ED9-DBD286113248}\stubpath = "C:\\Windows\\{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe"	{542205E7-2256-4db2-B4C8-48960375C856}.exe

Executes dropped EXE 12 IoCs

pid	Process
3232	{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe
1896	{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe
2620	{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe
1236	{542205E7-2256-4db2-B4C8-48960375C856}.exe
3340	{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe
2996	{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe
1580	{79D11F21-1484-40c7-B28D-94036DA201E7}.exe
524	{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe
3788	{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe
4400	{320F395C-A778-44e1-8462-1931BFEF154C}.exe
2472	{8F3D89F2-62AE-45c2-A398-72D5A778FE19}.exe
1160	{699A9FFF-4B92-4d46-B78D-8E0A69625BBB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{79D11F21-1484-40c7-B28D-94036DA201E7}.exe	{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe
File created	C:\Windows\{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe	{79D11F21-1484-40c7-B28D-94036DA201E7}.exe
File created	C:\Windows\{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe	{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe
File created	C:\Windows\{320F395C-A778-44e1-8462-1931BFEF154C}.exe	{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe
File created	C:\Windows\{8F3D89F2-62AE-45c2-A398-72D5A778FE19}.exe	{320F395C-A778-44e1-8462-1931BFEF154C}.exe
File created	C:\Windows\{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe
File created	C:\Windows\{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe	{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe
File created	C:\Windows\{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe	{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe
File created	C:\Windows\{699A9FFF-4B92-4d46-B78D-8E0A69625BBB}.exe	{8F3D89F2-62AE-45c2-A398-72D5A778FE19}.exe
File created	C:\Windows\{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe	{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe
File created	C:\Windows\{542205E7-2256-4db2-B4C8-48960375C856}.exe	{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe
File created	C:\Windows\{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe	{542205E7-2256-4db2-B4C8-48960375C856}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3556	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3232	{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe
Token: SeIncBasePriorityPrivilege	1896	{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe
Token: SeIncBasePriorityPrivilege	2620	{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe
Token: SeIncBasePriorityPrivilege	1236	{542205E7-2256-4db2-B4C8-48960375C856}.exe
Token: SeIncBasePriorityPrivilege	3340	{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe
Token: SeIncBasePriorityPrivilege	2996	{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe
Token: SeIncBasePriorityPrivilege	1580	{79D11F21-1484-40c7-B28D-94036DA201E7}.exe
Token: SeIncBasePriorityPrivilege	524	{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe
Token: SeIncBasePriorityPrivilege	3788	{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe
Token: SeIncBasePriorityPrivilege	4400	{320F395C-A778-44e1-8462-1931BFEF154C}.exe
Token: SeIncBasePriorityPrivilege	2472	{8F3D89F2-62AE-45c2-A398-72D5A778FE19}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 3232	3556	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	93
PID 3556 wrote to memory of 3232	3556	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	93
PID 3556 wrote to memory of 3232	3556	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	93
PID 3556 wrote to memory of 2052	3556	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	94
PID 3556 wrote to memory of 2052	3556	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	94
PID 3556 wrote to memory of 2052	3556	2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe	94
PID 3232 wrote to memory of 1896	3232	{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe	95
PID 3232 wrote to memory of 1896	3232	{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe	95
PID 3232 wrote to memory of 1896	3232	{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe	95
PID 3232 wrote to memory of 1712	3232	{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe	96
PID 3232 wrote to memory of 1712	3232	{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe	96
PID 3232 wrote to memory of 1712	3232	{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe	96
PID 1896 wrote to memory of 2620	1896	{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe	100
PID 1896 wrote to memory of 2620	1896	{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe	100
PID 1896 wrote to memory of 2620	1896	{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe	100
PID 1896 wrote to memory of 4016	1896	{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe	99
PID 1896 wrote to memory of 4016	1896	{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe	99
PID 1896 wrote to memory of 4016	1896	{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe	99
PID 2620 wrote to memory of 1236	2620	{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe	102
PID 2620 wrote to memory of 1236	2620	{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe	102
PID 2620 wrote to memory of 1236	2620	{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe	102
PID 2620 wrote to memory of 552	2620	{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe	103
PID 2620 wrote to memory of 552	2620	{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe	103
PID 2620 wrote to memory of 552	2620	{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe	103
PID 1236 wrote to memory of 3340	1236	{542205E7-2256-4db2-B4C8-48960375C856}.exe	104
PID 1236 wrote to memory of 3340	1236	{542205E7-2256-4db2-B4C8-48960375C856}.exe	104
PID 1236 wrote to memory of 3340	1236	{542205E7-2256-4db2-B4C8-48960375C856}.exe	104
PID 1236 wrote to memory of 2392	1236	{542205E7-2256-4db2-B4C8-48960375C856}.exe	105
PID 1236 wrote to memory of 2392	1236	{542205E7-2256-4db2-B4C8-48960375C856}.exe	105
PID 1236 wrote to memory of 2392	1236	{542205E7-2256-4db2-B4C8-48960375C856}.exe	105
PID 3340 wrote to memory of 2996	3340	{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe	106
PID 3340 wrote to memory of 2996	3340	{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe	106
PID 3340 wrote to memory of 2996	3340	{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe	106
PID 3340 wrote to memory of 2616	3340	{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe	107
PID 3340 wrote to memory of 2616	3340	{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe	107
PID 3340 wrote to memory of 2616	3340	{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe	107
PID 2996 wrote to memory of 1580	2996	{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe	108
PID 2996 wrote to memory of 1580	2996	{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe	108
PID 2996 wrote to memory of 1580	2996	{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe	108
PID 2996 wrote to memory of 1428	2996	{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe	109
PID 2996 wrote to memory of 1428	2996	{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe	109
PID 2996 wrote to memory of 1428	2996	{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe	109
PID 1580 wrote to memory of 524	1580	{79D11F21-1484-40c7-B28D-94036DA201E7}.exe	110
PID 1580 wrote to memory of 524	1580	{79D11F21-1484-40c7-B28D-94036DA201E7}.exe	110
PID 1580 wrote to memory of 524	1580	{79D11F21-1484-40c7-B28D-94036DA201E7}.exe	110
PID 1580 wrote to memory of 1164	1580	{79D11F21-1484-40c7-B28D-94036DA201E7}.exe	111
PID 1580 wrote to memory of 1164	1580	{79D11F21-1484-40c7-B28D-94036DA201E7}.exe	111
PID 1580 wrote to memory of 1164	1580	{79D11F21-1484-40c7-B28D-94036DA201E7}.exe	111
PID 524 wrote to memory of 3788	524	{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe	112
PID 524 wrote to memory of 3788	524	{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe	112
PID 524 wrote to memory of 3788	524	{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe	112
PID 524 wrote to memory of 4308	524	{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe	113
PID 524 wrote to memory of 4308	524	{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe	113
PID 524 wrote to memory of 4308	524	{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe	113
PID 3788 wrote to memory of 4400	3788	{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe	114
PID 3788 wrote to memory of 4400	3788	{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe	114
PID 3788 wrote to memory of 4400	3788	{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe	114
PID 3788 wrote to memory of 4244	3788	{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe	115
PID 3788 wrote to memory of 4244	3788	{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe	115
PID 3788 wrote to memory of 4244	3788	{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe	115
PID 4400 wrote to memory of 2472	4400	{320F395C-A778-44e1-8462-1931BFEF154C}.exe	116
PID 4400 wrote to memory of 2472	4400	{320F395C-A778-44e1-8462-1931BFEF154C}.exe	116
PID 4400 wrote to memory of 2472	4400	{320F395C-A778-44e1-8462-1931BFEF154C}.exe	116
PID 4400 wrote to memory of 3556	4400	{320F395C-A778-44e1-8462-1931BFEF154C}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-25_65beb50930bc3dd7dcfc323ee53d315e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe
  C:\Windows\{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe
    C:\Windows\{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D8788~1.EXE > nul
      4⤵
      PID:4016
  - - C:\Windows\{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe
      C:\Windows\{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\{542205E7-2256-4db2-B4C8-48960375C856}.exe
        
        C:\Windows\{542205E7-2256-4db2-B4C8-48960375C856}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe
        
        C:\Windows\{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe
        
        C:\Windows\{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\{79D11F21-1484-40c7-B28D-94036DA201E7}.exe
        
        C:\Windows\{79D11F21-1484-40c7-B28D-94036DA201E7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe
        
        C:\Windows\{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe
        
        C:\Windows\{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\{320F395C-A778-44e1-8462-1931BFEF154C}.exe
        
        C:\Windows\{320F395C-A778-44e1-8462-1931BFEF154C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\{8F3D89F2-62AE-45c2-A398-72D5A778FE19}.exe
        
        C:\Windows\{8F3D89F2-62AE-45c2-A398-72D5A778FE19}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\{699A9FFF-4B92-4d46-B78D-8E0A69625BBB}.exe
        
        C:\Windows\{699A9FFF-4B92-4d46-B78D-8E0A69625BBB}.exe
        13⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F3D8~1.EXE > nul
        13⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{320F3~1.EXE > nul
        12⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88436~1.EXE > nul
        11⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C4E3~1.EXE > nul
        10⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79D11~1.EXE > nul
        9⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4E03~1.EXE > nul
        8⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D26C2~1.EXE > nul
        7⤵
        
        PID:2616
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54220~1.EXE > nul
        6⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD30A~1.EXE > nul
        5⤵
        
        PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2AB99~1.EXE > nul
    3⤵
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2AB99B5C-1E15-4a81-AD5E-99869C044089}.exe

Filesize
408KB

MD5
52b730a6cf12be24b5600227663fbfb7

SHA1
73a65d2e3b665ddc28cf4f52167826ec28f5b9a0

SHA256
77b657d4a66b943e8dafb1d5a53fe2a0b718bb6de95934c91f1675a65119c742

SHA512
81b46803bfae7a74748e300884fab993abb042c7836abd81c11df4ba1bb683c9d5e990e393ad9c6836cc2982fd2e1cad85ec0fa07c7b4a14d8ee29ac9ec4cdad

Download Submit
C:\Windows\{320F395C-A778-44e1-8462-1931BFEF154C}.exe

Filesize
408KB

MD5
08ec8b5498de22373974b7409b8d42da

SHA1
b844b4ced79bd271bfbbf4b890c1654e1d8d0b1e

SHA256
e48082497b800bf3b443e1b22ab39d13f339dc43fdf8e32e7b5e58bb3fd4ba69

SHA512
88cb73b331fb4aeac4f42e9ef2eb958a2f1937b8526d5627bf3f537dff04abeafd169174571e6fe515237e14a2588496bf1ebe90b60f94f13be9c27bad580fa2

Download Submit
C:\Windows\{542205E7-2256-4db2-B4C8-48960375C856}.exe

Filesize
408KB

MD5
0179b60b43ee5a8dda8bd937308c9744

SHA1
2f58758489508daa7b6270ffe6155e0c3ff155ec

SHA256
1ef8c29a8d8810f5865de1fe8d6da4fc8fc74e5db9d61170cfd633b761c864c5

SHA512
76724412d3fcf8c8d53c401e41030b8de7adbcb392cb181e1c16e9e02d589d8072b336ad917ffbd1cd18f2b1e01e5afa1b5daaa3bc742a79ffbb708fe92084b5

Download Submit
C:\Windows\{699A9FFF-4B92-4d46-B78D-8E0A69625BBB}.exe

Filesize
408KB

MD5
f2d19bc0bea6d2ee2766f563f4a8b90c

SHA1
381de56324b03dcd592809d5c1ae7e9a4faf9e74

SHA256
ca05e12a9edecae3ecbfba21cb2f98776da1e3943a6b2d7a4543a5b342495790

SHA512
3c86ff171fb3af55202dad88d324a80ce6139028e8171995460abd7031f5aec20cadd8b6abc911cbb8527340dd3c85a6139e848b17199556f4dfe1ce3f2dfa85

Download Submit
C:\Windows\{79D11F21-1484-40c7-B28D-94036DA201E7}.exe

Filesize
408KB

MD5
40c768ea7296606144e3b9fe1a88cc65

SHA1
85a479550d183f5fa8e0ed3ef274f9f11166c8bf

SHA256
14b8db3ded61a6017f8fd67d42249edfdc1c72acc3cc621a7e7821a66ca55d3a

SHA512
bd5ce7dedc87c23021aa0ba20bb601cecc6ab84adb191e2f45ef82ff7db30d0d56b02ec059b5a84d11d2f08327873ab7f1981c632a076baeefd8ff83066db5c9

Download Submit
C:\Windows\{884366E7-C1BA-4106-8D2A-5D4FAA24549C}.exe

Filesize
408KB

MD5
366f28b7208f874f9b26b151168e4ed1

SHA1
593815f639802e30407ff4ba3ca6584f0a204019

SHA256
273ba033dc9df51fc9a3cf9016ad51b961ce8a44b3929616e9b31aaca7bf4636

SHA512
6da85e0d328372fc0c67d013084234a9912feb08ff54016e834b80af9a5f0a1fdd4456b845174f2048ec3c9844b8514fdc64a9654aaeeb205ace0a752fce693a

Download Submit
C:\Windows\{8F3D89F2-62AE-45c2-A398-72D5A778FE19}.exe

Filesize
408KB

MD5
a12686d01bf3a0da23c8dbe443fd05c6

SHA1
db494ff40a61220972ff7bbffe0586375920b0c8

SHA256
d082f7261dc42760b67d9751d0db6d98663752af26c456adb5d692d7e0762f4c

SHA512
8f07826d8846aa99001d4eb7e86d741566bf57854f042111b5999d8d2bd37e135a2e8bf132a48454a006a51fb622ff3816cfc139d08b5055c4392493f2fc2b09

Download Submit
C:\Windows\{9C4E3A5A-0932-465b-8238-DE57C3BB8B04}.exe

Filesize
408KB

MD5
f115f8691cbc8d4326e5b0cb0c8f9c0c

SHA1
4255c29ed7306114a1be55c44cf84031bdc2d52e

SHA256
90420b4d37d8542f3a00c8ccbe69ee6d9073b0f69867966ecc6c697f66737a23

SHA512
89591c4b1d4b864370cb4db91a435c44511f5ba774a9ae11a3bb9ade18bd185c7e574280a0e32d2eb723ba5c9b3069484ca1a5f27d22fed0a0c0dffea5efcf67

Download Submit
C:\Windows\{D26C2374-BA84-4be3-9ED9-DBD286113248}.exe

Filesize
408KB

MD5
51f0687c02db809e9676cfdb3ff05539

SHA1
256816b33b32734398e6a227b30b7a18eb9d28a8

SHA256
9815e90b1b118a7ab80b552299887584e6eab554ac8ee8c65f1d1ff4187f2da9

SHA512
cbd7e3827a0e9b01dbfd4275bfc8c776992798ee23f00de132bbf795535d43bc8aa1abbe9abd1edb8ba6f7007dc6a34216b8efdba7b8bfe624fca5be0ef87b54

Download Submit
C:\Windows\{D878813C-2BF3-4c2a-979C-394FB8619E3A}.exe

Filesize
408KB

MD5
c875952cb731845eba797d1d9c0b0183

SHA1
9dd9c9ba7f4ed2620b0a4b110745f02d06caca5e

SHA256
2832013cda5dc4466b3b48c937aa88d0147555ca60f49a5b7bf1a3df4985c5bb

SHA512
05fb42e509e186953063582986f7e511e31d78084b38cb0ee535da7c10fd18f448436b069da4200a1c56e64b0ae28187dea7b483caade17ec3d89ef38a9e54ae

Download Submit
C:\Windows\{DD30AD37-B783-424c-B154-02D7FC8694F0}.exe

Filesize
408KB

MD5
007575856b453ad1d843d336d591c324

SHA1
ab8a296f4a45789a964dd75b5f9db59a45d11c5c

SHA256
bde2fdcb5338777a39ac59df564cd86d7b17bdb304275bca50abba4079dcdd8d

SHA512
a823c1773992e81e3bb8c337816973ee0dcbe4fddc2d2eb1d615f2399a01f229f90fda7dd2c9d9f63fc8532f15a1a1fb5b2ea8d65b3e89c892a76cb412adeb27

Download Submit
C:\Windows\{E4E03546-8BAC-4440-B677-389CDCB1A15C}.exe

Filesize
408KB

MD5
02f8c51a12c3d49d994fc518066bb8ad

SHA1
350e07e8afd010f6b05bfb052cf8ec8fd005073c

SHA256
29f80dd83f832c4ccddf852cfd5a034c319371acc24246b0e9f3a253b0219493

SHA512
b5989bab3db25607414442053c5290ac6142f6ac45dea6aca6d84a787a1c2fa789bcff7de06752c63da7be31da25de2d9060c9bcec4480079228f65f78432cc1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads