d50a6a7f742cec3861fdfd0f55ff62c0327050e441dc34768ab2e452912789e6

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe
Size

408KB
MD5

ef5175dae48b2d844e19da082ae65980
SHA1

3a0f186b58fe79478cb3c9d3753ee7cf97d25fd2
SHA256

d50a6a7f742cec3861fdfd0f55ff62c0327050e441dc34768ab2e452912789e6
SHA512

01c1e656e11e5ebba9da934b0dc9fb6728739993fe189ab70b697f684239068db89f927814f558f599fcf0845120d681ee0cb72a149bb45bff27dcf875c0eee8
SSDEEP

3072:CEGh0okl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGOldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023237-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023240-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023257-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023158-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e302-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233ca-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023149-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233e8-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f000000023149-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234e5-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023149-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000234e5-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE6647CA-CDD6-4786-87C3-5D572CA25046}	{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B408F93A-44D5-4129-B363-A0497635EC60}\stubpath = "C:\\Windows\\{B408F93A-44D5-4129-B363-A0497635EC60}.exe"	{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D816856D-5DB6-48a4-895E-19EEBAC67C44}	{B408F93A-44D5-4129-B363-A0497635EC60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7265263-7B49-4d10-920A-A4F8591FFA81}\stubpath = "C:\\Windows\\{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe"	{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}\stubpath = "C:\\Windows\\{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe"	2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CF6045E-3A85-46d9-AF08-F67C344660C0}	{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CF6045E-3A85-46d9-AF08-F67C344660C0}\stubpath = "C:\\Windows\\{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe"	{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADD27400-B338-471a-B649-5970E298040F}	{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F17D1B0-CFFC-484d-9A46-FF7F5DE5E930}\stubpath = "C:\\Windows\\{6F17D1B0-CFFC-484d-9A46-FF7F5DE5E930}.exe"	{30D8F138-6A48-4ebb-BAF8-4437E4FFC63B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30D8F138-6A48-4ebb-BAF8-4437E4FFC63B}	{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F17D1B0-CFFC-484d-9A46-FF7F5DE5E930}	{30D8F138-6A48-4ebb-BAF8-4437E4FFC63B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADD27400-B338-471a-B649-5970E298040F}\stubpath = "C:\\Windows\\{ADD27400-B338-471a-B649-5970E298040F}.exe"	{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2054ACC-5AA8-448a-8C27-B8532237789F}\stubpath = "C:\\Windows\\{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe"	{ADD27400-B338-471a-B649-5970E298040F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7623D14B-496E-4ad5-B004-F976533B8DF8}\stubpath = "C:\\Windows\\{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe"	{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B408F93A-44D5-4129-B363-A0497635EC60}	{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}	{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2054ACC-5AA8-448a-8C27-B8532237789F}	{ADD27400-B338-471a-B649-5970E298040F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7623D14B-496E-4ad5-B004-F976533B8DF8}	{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30D8F138-6A48-4ebb-BAF8-4437E4FFC63B}\stubpath = "C:\\Windows\\{30D8F138-6A48-4ebb-BAF8-4437E4FFC63B}.exe"	{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7265263-7B49-4d10-920A-A4F8591FFA81}	{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}	2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}\stubpath = "C:\\Windows\\{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe"	{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE6647CA-CDD6-4786-87C3-5D572CA25046}\stubpath = "C:\\Windows\\{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe"	{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D816856D-5DB6-48a4-895E-19EEBAC67C44}\stubpath = "C:\\Windows\\{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe"	{B408F93A-44D5-4129-B363-A0497635EC60}.exe

Executes dropped EXE 12 IoCs

pid	Process
1292	{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe
4840	{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe
4288	{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe
2816	{ADD27400-B338-471a-B649-5970E298040F}.exe
1940	{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe
5008	{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe
3056	{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe
5100	{B408F93A-44D5-4129-B363-A0497635EC60}.exe
1832	{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe
508	{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe
732	{30D8F138-6A48-4ebb-BAF8-4437E4FFC63B}.exe
1752	{6F17D1B0-CFFC-484d-9A46-FF7F5DE5E930}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B408F93A-44D5-4129-B363-A0497635EC60}.exe	{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe
File created	C:\Windows\{30D8F138-6A48-4ebb-BAF8-4437E4FFC63B}.exe	{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe
File created	C:\Windows\{6F17D1B0-CFFC-484d-9A46-FF7F5DE5E930}.exe	{30D8F138-6A48-4ebb-BAF8-4437E4FFC63B}.exe
File created	C:\Windows\{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe	2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe
File created	C:\Windows\{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe	{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe
File created	C:\Windows\{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe	{ADD27400-B338-471a-B649-5970E298040F}.exe
File created	C:\Windows\{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe	{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe
File created	C:\Windows\{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe	{B408F93A-44D5-4129-B363-A0497635EC60}.exe
File created	C:\Windows\{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe	{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe
File created	C:\Windows\{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe	{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe
File created	C:\Windows\{ADD27400-B338-471a-B649-5970E298040F}.exe	{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe
File created	C:\Windows\{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe	{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3288	2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1292	{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe
Token: SeIncBasePriorityPrivilege	4840	{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe
Token: SeIncBasePriorityPrivilege	4288	{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe
Token: SeIncBasePriorityPrivilege	2816	{ADD27400-B338-471a-B649-5970E298040F}.exe
Token: SeIncBasePriorityPrivilege	1940	{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe
Token: SeIncBasePriorityPrivilege	5008	{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe
Token: SeIncBasePriorityPrivilege	3056	{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe
Token: SeIncBasePriorityPrivilege	5100	{B408F93A-44D5-4129-B363-A0497635EC60}.exe
Token: SeIncBasePriorityPrivilege	1832	{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe
Token: SeIncBasePriorityPrivilege	508	{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe
Token: SeIncBasePriorityPrivilege	732	{30D8F138-6A48-4ebb-BAF8-4437E4FFC63B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 1292	3288	2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe	97
PID 3288 wrote to memory of 1292	3288	2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe	97
PID 3288 wrote to memory of 1292	3288	2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe	97
PID 3288 wrote to memory of 4280	3288	2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe	98
PID 3288 wrote to memory of 4280	3288	2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe	98
PID 3288 wrote to memory of 4280	3288	2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe	98
PID 1292 wrote to memory of 4840	1292	{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe	100
PID 1292 wrote to memory of 4840	1292	{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe	100
PID 1292 wrote to memory of 4840	1292	{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe	100
PID 1292 wrote to memory of 3684	1292	{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe	101
PID 1292 wrote to memory of 3684	1292	{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe	101
PID 1292 wrote to memory of 3684	1292	{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe	101
PID 4840 wrote to memory of 4288	4840	{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe	105
PID 4840 wrote to memory of 4288	4840	{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe	105
PID 4840 wrote to memory of 4288	4840	{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe	105
PID 4840 wrote to memory of 3936	4840	{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe	106
PID 4840 wrote to memory of 3936	4840	{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe	106
PID 4840 wrote to memory of 3936	4840	{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe	106
PID 4288 wrote to memory of 2816	4288	{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe	114
PID 4288 wrote to memory of 2816	4288	{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe	114
PID 4288 wrote to memory of 2816	4288	{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe	114
PID 4288 wrote to memory of 1300	4288	{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe	115
PID 4288 wrote to memory of 1300	4288	{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe	115
PID 4288 wrote to memory of 1300	4288	{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe	115
PID 2816 wrote to memory of 1940	2816	{ADD27400-B338-471a-B649-5970E298040F}.exe	116
PID 2816 wrote to memory of 1940	2816	{ADD27400-B338-471a-B649-5970E298040F}.exe	116
PID 2816 wrote to memory of 1940	2816	{ADD27400-B338-471a-B649-5970E298040F}.exe	116
PID 2816 wrote to memory of 4076	2816	{ADD27400-B338-471a-B649-5970E298040F}.exe	117
PID 2816 wrote to memory of 4076	2816	{ADD27400-B338-471a-B649-5970E298040F}.exe	117
PID 2816 wrote to memory of 4076	2816	{ADD27400-B338-471a-B649-5970E298040F}.exe	117
PID 1940 wrote to memory of 5008	1940	{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe	118
PID 1940 wrote to memory of 5008	1940	{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe	118
PID 1940 wrote to memory of 5008	1940	{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe	118
PID 1940 wrote to memory of 4080	1940	{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe	119
PID 1940 wrote to memory of 4080	1940	{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe	119
PID 1940 wrote to memory of 4080	1940	{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe	119
PID 5008 wrote to memory of 3056	5008	{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe	121
PID 5008 wrote to memory of 3056	5008	{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe	121
PID 5008 wrote to memory of 3056	5008	{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe	121
PID 5008 wrote to memory of 4272	5008	{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe	122
PID 5008 wrote to memory of 4272	5008	{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe	122
PID 5008 wrote to memory of 4272	5008	{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe	122
PID 3056 wrote to memory of 5100	3056	{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe	123
PID 3056 wrote to memory of 5100	3056	{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe	123
PID 3056 wrote to memory of 5100	3056	{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe	123
PID 3056 wrote to memory of 4868	3056	{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe	124
PID 3056 wrote to memory of 4868	3056	{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe	124
PID 3056 wrote to memory of 4868	3056	{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe	124
PID 5100 wrote to memory of 1832	5100	{B408F93A-44D5-4129-B363-A0497635EC60}.exe	125
PID 5100 wrote to memory of 1832	5100	{B408F93A-44D5-4129-B363-A0497635EC60}.exe	125
PID 5100 wrote to memory of 1832	5100	{B408F93A-44D5-4129-B363-A0497635EC60}.exe	125
PID 5100 wrote to memory of 1040	5100	{B408F93A-44D5-4129-B363-A0497635EC60}.exe	126
PID 5100 wrote to memory of 1040	5100	{B408F93A-44D5-4129-B363-A0497635EC60}.exe	126
PID 5100 wrote to memory of 1040	5100	{B408F93A-44D5-4129-B363-A0497635EC60}.exe	126
PID 1832 wrote to memory of 508	1832	{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe	127
PID 1832 wrote to memory of 508	1832	{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe	127
PID 1832 wrote to memory of 508	1832	{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe	127
PID 1832 wrote to memory of 4940	1832	{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe	128
PID 1832 wrote to memory of 4940	1832	{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe	128
PID 1832 wrote to memory of 4940	1832	{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe	128
PID 508 wrote to memory of 732	508	{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe	129
PID 508 wrote to memory of 732	508	{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe	129
PID 508 wrote to memory of 732	508	{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe	129
PID 508 wrote to memory of 1896	508	{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_ef5175dae48b2d844e19da082ae65980_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe
  C:\Windows\{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe
    C:\Windows\{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe
      C:\Windows\{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Windows\{ADD27400-B338-471a-B649-5970E298040F}.exe
        
        C:\Windows\{ADD27400-B338-471a-B649-5970E298040F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe
        
        C:\Windows\{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe
        
        C:\Windows\{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe
        
        C:\Windows\{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\{B408F93A-44D5-4129-B363-A0497635EC60}.exe
        
        C:\Windows\{B408F93A-44D5-4129-B363-A0497635EC60}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe
        
        C:\Windows\{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe
        
        C:\Windows\{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\{30D8F138-6A48-4ebb-BAF8-4437E4FFC63B}.exe
        
        C:\Windows\{30D8F138-6A48-4ebb-BAF8-4437E4FFC63B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:732
        
        C:\Windows\{6F17D1B0-CFFC-484d-9A46-FF7F5DE5E930}.exe
        
        C:\Windows\{6F17D1B0-CFFC-484d-9A46-FF7F5DE5E930}.exe
        13⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30D8F~1.EXE > nul
        13⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7265~1.EXE > nul
        12⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8168~1.EXE > nul
        11⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B408F~1.EXE > nul
        10⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE664~1.EXE > nul
        9⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7623D~1.EXE > nul
        8⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2054~1.EXE > nul
        7⤵
        
        PID:4080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADD27~1.EXE > nul
        6⤵
        
        PID:4076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4BCE~1.EXE > nul
        5⤵
        
        PID:1300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1CF60~1.EXE > nul
      4⤵
      PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DC5AB~1.EXE > nul
    3⤵
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CF6045E-3A85-46d9-AF08-F67C344660C0}.exe

Filesize
408KB

MD5
6d4e0d63133d3865df0d29957704321d

SHA1
4d8b8f070ac1e7988fffd60a2ebfea2f881e59f7

SHA256
e3dccf2364a9763f647d7063693649fda7352ad7bde8cbe0da54a92eadb858a6

SHA512
b64dee3c497ce9d2e41becd24279105f29242e79e8f2f5eb8d689def1700e8d73c46348b55926d649ad83299d3da9850543551383c05563cf16cbf97abe9bad5

Download Submit
C:\Windows\{30D8F138-6A48-4ebb-BAF8-4437E4FFC63B}.exe

Filesize
408KB

MD5
bb80ecc4c8fcef5685143195721604e9

SHA1
9be1137940b6259479434a641a6a55a94ec3adbc

SHA256
d76768f8d7f65688c6ab0a4134c59a78af457a23a75438f3bcf20780c48b5cdf

SHA512
b20abd681f46931fbea02fdfd28c75395d45ff1233a2b81b2b8a9e4868f6e18232de170d4c231d2a0c6a62850ff3d129a94489454df4a7255dd53a3aafd4b21c

Download Submit
C:\Windows\{6F17D1B0-CFFC-484d-9A46-FF7F5DE5E930}.exe

Filesize
408KB

MD5
18eb33b9420f70e5752ffc872e20b5df

SHA1
98f95a153b4d193a2dbfde724adf0c3d46f6e3da

SHA256
1b19fa9339af12aba2ad8fc7fb61d8d5c655fba7aadc9f072620f5a6b15d3130

SHA512
d3ac83510a5709477060d9af1bcaeeb304284abf8722b8d631eca522cb4847bb620d793df3640bb2e4076a1d7538ef4ebb95ee58fd225567959c41229c794fca

Download Submit
C:\Windows\{7623D14B-496E-4ad5-B004-F976533B8DF8}.exe

Filesize
408KB

MD5
7121c52265ab4e75fdb4486693503dcc

SHA1
75f5f3e65a31b6a03f818b10f268cf63ff0c0299

SHA256
7a580deb8532947afc58984649dcee657660f0972e33fed327921465ae9f5925

SHA512
6fd6a43ad16a22372bd663b31be36b14afb15d9aed46eea58955c6be3c6d038c616032052bce661677c25b3883c9d0e0cfba4115b8e13f42e1bc11c6357b38ed

Download Submit
C:\Windows\{ADD27400-B338-471a-B649-5970E298040F}.exe

Filesize
408KB

MD5
28123ab01583aa6374fd54355b0a5b80

SHA1
a14595d65b54dbaf17d0f994d55dcd1777a19c42

SHA256
b292ccf4c47a49f271c17bac069f14ca89b70ccbdd730ab4341bfc7a26918754

SHA512
4635f5d1e0d4fd8f7fe5d19cddd4ef94e8481ed6945a90982a97c92187011a6e85335f076a80ae37a0eb7940144a85061a100c59d01c6b26ca0859a77f01d9fb

Download Submit
C:\Windows\{B408F93A-44D5-4129-B363-A0497635EC60}.exe

Filesize
408KB

MD5
66ea163afac396edbea047c1cdd7b479

SHA1
e69528f1bc607a0c0d4453bd980015e3e98d9f89

SHA256
fcd1af987c1d982ab5d98d34c97d2d7b932490fb620cc35f3a30ff522cc737b5

SHA512
ebc80677a621e7c6382a3e51075e9d9009c1539059a1a0e3a0eb410e74f05cb51b338841394ef0a4253b8cc52ea73be5435b9624c5ac37b9922025030027cbe0

Download Submit
C:\Windows\{D7265263-7B49-4d10-920A-A4F8591FFA81}.exe

Filesize
408KB

MD5
beaa93709f87aaf35e7c829d1219d2da

SHA1
2d887b11c74c91fe3f4d72ca3ab8b2fb1df33f88

SHA256
82daff13dffd0ead6254647c934c05658a6c4c22ee6ada57d20d89313d404a08

SHA512
a7041d0150551f747f48b861694b0038976bdae351da0657d8ab2a3b914bf6919c930ed7bf904da6943b58fa8aa81e06c6b1fa0539b115591dd7319ebbfb9740

Download Submit
C:\Windows\{D816856D-5DB6-48a4-895E-19EEBAC67C44}.exe

Filesize
408KB

MD5
2bde7b03ae1db5bfd5e9908b45ccb1da

SHA1
730ba75ed33deb3550c50c1600713a0b7546c1fe

SHA256
444c992832fa4aeeee1980ea32e15e66ad1cdf71eeb67bbe1a354f190ad70d5b

SHA512
1321667b1d33f0a5699056176a99c2bc56e5d1db0d868f4be2800c0dd7563d4c19e23b4e169f355978132deeb3344cbaa1ef77e7f38b40312c73555027c5b7dc

Download Submit
C:\Windows\{DC5AB68A-A75B-4d75-AB24-BAB958A7A8B4}.exe

Filesize
408KB

MD5
434b5ec42c04cbb7aff5aa01207ebd2e

SHA1
e362530d529ca3a9e833587af6b88f9ee1f82179

SHA256
ced897362679cc0c26480b5e65d3c335a9d14644c3902236ef540823547cf1c4

SHA512
a5d23cb6153d437ea9e1c6adbc4d83d7e357ba0f7167e0261ecb70bb67036a66af2e0118717b37408438d25a3dc4aa905ac53974f1fb5d15829a487d1e0e5abb

Download Submit
C:\Windows\{DE6647CA-CDD6-4786-87C3-5D572CA25046}.exe

Filesize
408KB

MD5
8aa179acbf639a683aada2cf5543c564

SHA1
bf9190045c27f21679df1227676c3dbdf760663b

SHA256
fdd4f2920de655f5b760b89c8fe1c52d6b6e436f51d319f3c11aa7b20c5b22f5

SHA512
873d63c2e24d93d8892c05376ec7fbcba19778b65261a844433bc78f0643567b357e2c76da84e6d8199d53ffbca9001473dee4f86483ec9a872936c4b0a2e9e8

Download Submit
C:\Windows\{F2054ACC-5AA8-448a-8C27-B8532237789F}.exe

Filesize
408KB

MD5
5a62f3266cd14e9c83802c80b47bd047

SHA1
eb75cb5049f96f6e5ae8d0e1cb65a66309606f7f

SHA256
4f3d8570ed74d9745307751914590efadfbcc0ae8799e3d6eed1fd1291eabb1a

SHA512
1bc70a551a4bd889e8c76e0a5573f29357e23d2a90fe815716119a2ebacd8111ceec1757af42f3edc8bc72971c543ed625d7e78382fced58d0d25825e140ab5c

Download Submit
C:\Windows\{F4BCE4FE-E600-43bf-AC44-DA66D76BBCFE}.exe

Filesize
408KB

MD5
bb3bcc6b26dd2fadf886e4cce68605e2

SHA1
165213a389847e31be506a11716891d5abd740d2

SHA256
e156ee6db66d724384288f3fa66d75404e593ace7278e1838b0845a641ebcfb1

SHA512
eda9c44005d444913b69f1c6e382b52945c2d4d0f0f112f4f069000e29360f1a5dc71aa3206eb09a4ccc3c356f520d8961508e78bba4d013eaf9b776c46a6686

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads