140febedf25166ce19b341d75d62c53f3a722e3b902fa247c046f1d5e54c6a3f

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe
Size

197KB
MD5

e07453753d988bf18d2505afe99f7c04
SHA1

181123766f071eb00d80d1128d78e7b644081a78
SHA256

140febedf25166ce19b341d75d62c53f3a722e3b902fa247c046f1d5e54c6a3f
SHA512

fd66caa74ad096fed435e44ca04bf183758f080e565f75a6175fad7296f52f5d5c3f27c41e748747157755241c7d269331c61d197701aafb5d5cc0079e72d2f3
SSDEEP

3072:jEGh0osl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGelEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002310c-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000231f6-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023205-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000231f6-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023206-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000231f6-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023204-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023206-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001100000001695d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023105-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000001695d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023105-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7903C17-1D3F-4c60-957E-86601810DC63}	{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40240952-B804-4f30-8A21-6A2F7AC7B450}\stubpath = "C:\\Windows\\{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe"	{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68B9DC31-BC21-4813-8846-1F66384E0AC9}\stubpath = "C:\\Windows\\{68B9DC31-BC21-4813-8846-1F66384E0AC9}.exe"	{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A80AD825-00D8-4755-8D6D-5A29F1B8D932}	2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}	{7E694C99-938F-441f-AC37-55DD029E416C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}\stubpath = "C:\\Windows\\{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe"	{7E694C99-938F-441f-AC37-55DD029E416C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E694C99-938F-441f-AC37-55DD029E416C}	{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7903C17-1D3F-4c60-957E-86601810DC63}\stubpath = "C:\\Windows\\{E7903C17-1D3F-4c60-957E-86601810DC63}.exe"	{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{389B2771-5BFA-414e-A226-C612F51EF7ED}	{68B9DC31-BC21-4813-8846-1F66384E0AC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A80AD825-00D8-4755-8D6D-5A29F1B8D932}\stubpath = "C:\\Windows\\{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe"	2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC52B756-69B9-4344-8B72-4E66519EA08D}	{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68B9DC31-BC21-4813-8846-1F66384E0AC9}	{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E694C99-938F-441f-AC37-55DD029E416C}\stubpath = "C:\\Windows\\{7E694C99-938F-441f-AC37-55DD029E416C}.exe"	{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E5E242-DB08-4c74-8426-8EA558CFAC73}	{E7903C17-1D3F-4c60-957E-86601810DC63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E5E242-DB08-4c74-8426-8EA558CFAC73}\stubpath = "C:\\Windows\\{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe"	{E7903C17-1D3F-4c60-957E-86601810DC63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40240952-B804-4f30-8A21-6A2F7AC7B450}	{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A22C0E5E-ECF4-402a-B67A-669466070F50}	{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC52B756-69B9-4344-8B72-4E66519EA08D}\stubpath = "C:\\Windows\\{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe"	{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD3D78FD-B787-452f-BF0F-853300C139AD}	{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD3D78FD-B787-452f-BF0F-853300C139AD}\stubpath = "C:\\Windows\\{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe"	{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{389B2771-5BFA-414e-A226-C612F51EF7ED}\stubpath = "C:\\Windows\\{389B2771-5BFA-414e-A226-C612F51EF7ED}.exe"	{68B9DC31-BC21-4813-8846-1F66384E0AC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A22C0E5E-ECF4-402a-B67A-669466070F50}\stubpath = "C:\\Windows\\{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe"	{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}	{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}\stubpath = "C:\\Windows\\{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe"	{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe

Executes dropped EXE 12 IoCs

pid	Process
2328	{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe
5068	{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe
5060	{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe
2228	{7E694C99-938F-441f-AC37-55DD029E416C}.exe
2100	{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe
4796	{E7903C17-1D3F-4c60-957E-86601810DC63}.exe
4040	{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe
4528	{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe
4572	{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe
5016	{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe
4544	{68B9DC31-BC21-4813-8846-1F66384E0AC9}.exe
2532	{389B2771-5BFA-414e-A226-C612F51EF7ED}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe	{7E694C99-938F-441f-AC37-55DD029E416C}.exe
File created	C:\Windows\{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe	{E7903C17-1D3F-4c60-957E-86601810DC63}.exe
File created	C:\Windows\{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe	{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe
File created	C:\Windows\{68B9DC31-BC21-4813-8846-1F66384E0AC9}.exe	{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe
File created	C:\Windows\{389B2771-5BFA-414e-A226-C612F51EF7ED}.exe	{68B9DC31-BC21-4813-8846-1F66384E0AC9}.exe
File created	C:\Windows\{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe	2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe
File created	C:\Windows\{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe	{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe
File created	C:\Windows\{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe	{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe
File created	C:\Windows\{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe	{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe
File created	C:\Windows\{7E694C99-938F-441f-AC37-55DD029E416C}.exe	{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe
File created	C:\Windows\{E7903C17-1D3F-4c60-957E-86601810DC63}.exe	{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe
File created	C:\Windows\{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe	{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4472	2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2328	{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe
Token: SeIncBasePriorityPrivilege	5068	{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe
Token: SeIncBasePriorityPrivilege	5060	{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe
Token: SeIncBasePriorityPrivilege	2228	{7E694C99-938F-441f-AC37-55DD029E416C}.exe
Token: SeIncBasePriorityPrivilege	2100	{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe
Token: SeIncBasePriorityPrivilege	4796	{E7903C17-1D3F-4c60-957E-86601810DC63}.exe
Token: SeIncBasePriorityPrivilege	4040	{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe
Token: SeIncBasePriorityPrivilege	4528	{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe
Token: SeIncBasePriorityPrivilege	4572	{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe
Token: SeIncBasePriorityPrivilege	5016	{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe
Token: SeIncBasePriorityPrivilege	4544	{68B9DC31-BC21-4813-8846-1F66384E0AC9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 2328	4472	2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe	91
PID 4472 wrote to memory of 2328	4472	2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe	91
PID 4472 wrote to memory of 2328	4472	2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe	91
PID 4472 wrote to memory of 3200	4472	2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe	92
PID 4472 wrote to memory of 3200	4472	2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe	92
PID 4472 wrote to memory of 3200	4472	2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe	92
PID 2328 wrote to memory of 5068	2328	{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe	100
PID 2328 wrote to memory of 5068	2328	{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe	100
PID 2328 wrote to memory of 5068	2328	{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe	100
PID 2328 wrote to memory of 984	2328	{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe	101
PID 2328 wrote to memory of 984	2328	{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe	101
PID 2328 wrote to memory of 984	2328	{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe	101
PID 5068 wrote to memory of 5060	5068	{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe	104
PID 5068 wrote to memory of 5060	5068	{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe	104
PID 5068 wrote to memory of 5060	5068	{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe	104
PID 5068 wrote to memory of 1800	5068	{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe	105
PID 5068 wrote to memory of 1800	5068	{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe	105
PID 5068 wrote to memory of 1800	5068	{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe	105
PID 5060 wrote to memory of 2228	5060	{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe	106
PID 5060 wrote to memory of 2228	5060	{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe	106
PID 5060 wrote to memory of 2228	5060	{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe	106
PID 5060 wrote to memory of 4428	5060	{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe	107
PID 5060 wrote to memory of 4428	5060	{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe	107
PID 5060 wrote to memory of 4428	5060	{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe	107
PID 2228 wrote to memory of 2100	2228	{7E694C99-938F-441f-AC37-55DD029E416C}.exe	108
PID 2228 wrote to memory of 2100	2228	{7E694C99-938F-441f-AC37-55DD029E416C}.exe	108
PID 2228 wrote to memory of 2100	2228	{7E694C99-938F-441f-AC37-55DD029E416C}.exe	108
PID 2228 wrote to memory of 432	2228	{7E694C99-938F-441f-AC37-55DD029E416C}.exe	109
PID 2228 wrote to memory of 432	2228	{7E694C99-938F-441f-AC37-55DD029E416C}.exe	109
PID 2228 wrote to memory of 432	2228	{7E694C99-938F-441f-AC37-55DD029E416C}.exe	109
PID 2100 wrote to memory of 4796	2100	{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe	112
PID 2100 wrote to memory of 4796	2100	{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe	112
PID 2100 wrote to memory of 4796	2100	{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe	112
PID 2100 wrote to memory of 2240	2100	{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe	113
PID 2100 wrote to memory of 2240	2100	{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe	113
PID 2100 wrote to memory of 2240	2100	{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe	113
PID 4796 wrote to memory of 4040	4796	{E7903C17-1D3F-4c60-957E-86601810DC63}.exe	114
PID 4796 wrote to memory of 4040	4796	{E7903C17-1D3F-4c60-957E-86601810DC63}.exe	114
PID 4796 wrote to memory of 4040	4796	{E7903C17-1D3F-4c60-957E-86601810DC63}.exe	114
PID 4796 wrote to memory of 4024	4796	{E7903C17-1D3F-4c60-957E-86601810DC63}.exe	115
PID 4796 wrote to memory of 4024	4796	{E7903C17-1D3F-4c60-957E-86601810DC63}.exe	115
PID 4796 wrote to memory of 4024	4796	{E7903C17-1D3F-4c60-957E-86601810DC63}.exe	115
PID 4040 wrote to memory of 4528	4040	{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe	118
PID 4040 wrote to memory of 4528	4040	{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe	118
PID 4040 wrote to memory of 4528	4040	{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe	118
PID 4040 wrote to memory of 3132	4040	{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe	119
PID 4040 wrote to memory of 3132	4040	{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe	119
PID 4040 wrote to memory of 3132	4040	{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe	119
PID 4528 wrote to memory of 4572	4528	{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe	125
PID 4528 wrote to memory of 4572	4528	{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe	125
PID 4528 wrote to memory of 4572	4528	{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe	125
PID 4528 wrote to memory of 1084	4528	{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe	126
PID 4528 wrote to memory of 1084	4528	{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe	126
PID 4528 wrote to memory of 1084	4528	{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe	126
PID 4572 wrote to memory of 5016	4572	{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe	127
PID 4572 wrote to memory of 5016	4572	{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe	127
PID 4572 wrote to memory of 5016	4572	{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe	127
PID 4572 wrote to memory of 2144	4572	{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe	128
PID 4572 wrote to memory of 2144	4572	{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe	128
PID 4572 wrote to memory of 2144	4572	{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe	128
PID 5016 wrote to memory of 4544	5016	{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe	129
PID 5016 wrote to memory of 4544	5016	{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe	129
PID 5016 wrote to memory of 4544	5016	{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe	129
PID 5016 wrote to memory of 4104	5016	{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-08_e07453753d988bf18d2505afe99f7c04_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe
  C:\Windows\{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe
    C:\Windows\{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe
      C:\Windows\{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\{7E694C99-938F-441f-AC37-55DD029E416C}.exe
        
        C:\Windows\{7E694C99-938F-441f-AC37-55DD029E416C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe
        
        C:\Windows\{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\{E7903C17-1D3F-4c60-957E-86601810DC63}.exe
        
        C:\Windows\{E7903C17-1D3F-4c60-957E-86601810DC63}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe
        
        C:\Windows\{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe
        
        C:\Windows\{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe
        
        C:\Windows\{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe
        
        C:\Windows\{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{68B9DC31-BC21-4813-8846-1F66384E0AC9}.exe
        
        C:\Windows\{68B9DC31-BC21-4813-8846-1F66384E0AC9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
        
        C:\Windows\{389B2771-5BFA-414e-A226-C612F51EF7ED}.exe
        
        C:\Windows\{389B2771-5BFA-414e-A226-C612F51EF7ED}.exe
        13⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68B9D~1.EXE > nul
        13⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D91A8~1.EXE > nul
        12⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A22C0~1.EXE > nul
        11⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40240~1.EXE > nul
        10⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9E5E~1.EXE > nul
        9⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7903~1.EXE > nul
        8⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6FF4~1.EXE > nul
        7⤵
        
        PID:2240
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E694~1.EXE > nul
        6⤵
        
        PID:432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD3D7~1.EXE > nul
        5⤵
        
        PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DC52B~1.EXE > nul
      4⤵
      PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A80AD~1.EXE > nul
    3⤵
    PID:984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{389B2771-5BFA-414e-A226-C612F51EF7ED}.exe

Filesize
197KB

MD5
c96300363025443ec51efa41e86f22ff

SHA1
b5fa6776b5b29a12f3ff5f1c00bb5b00b93149af

SHA256
0be4342a07ad6e72639de7ed33004a9ce43f8103b9d2e5af7d8be63f229b5285

SHA512
4d6d0b18aa87d31fdfe92a8bfc61ea1fb51c155b51a48dc9c94abff25942f85a7240f76a715d7cc2a4a2bf432113a5f52fa4ade3090808bbfd704c55f8fad879

Download Submit
C:\Windows\{40240952-B804-4f30-8A21-6A2F7AC7B450}.exe

Filesize
197KB

MD5
a512aaf7d5cd72cc6622f8a72595088f

SHA1
d11f10a23dcb9dbd5fb90027726bb73aef5454f6

SHA256
57ffc941249226a8498b58e40ab2780bd9af877ac167b57af840482418eb2361

SHA512
c5ab2a9f71853a7864a9178656710ace3549134d39265f5dbcd6214eeb9b19d09089bf9b53ecd1debb6bff901d2c25b3d2ef451218cb1c14d8f9e164827dd665

Download Submit
C:\Windows\{68B9DC31-BC21-4813-8846-1F66384E0AC9}.exe

Filesize
197KB

MD5
c862b48150e8bd0647c06ec5c2c22b17

SHA1
8ce64cb9350d3d628e77f4c18cf8fc38c5e52bd0

SHA256
fbc75578a6b0627d8d96551eb6ab46ce330ace6b4483640d7034249d125b55ae

SHA512
ef1e30614a8c36e172761eb58531340fd4430118bbb61940e37395b69237883f31eb5d84cc8bf472f6d86584106de950ff881f5707a63c30ec5df4e10c526a27

Download Submit
C:\Windows\{7E694C99-938F-441f-AC37-55DD029E416C}.exe

Filesize
197KB

MD5
bdb6170d8f24a052a6fe924b4b95d6ac

SHA1
cc1dcec50829a492a491db909c78c77264d85a44

SHA256
9f93607e96ac54965f4704568eb66322bd03619b3f9734f027fb0bb0cf4394c5

SHA512
2ff9d9dc9092665e3b5d4dc146132151edb58f1e7b3b3f28ceede1897804f876539df96b9a769df76e5d55c1c3054f9b0754e0236e42197fa515fd05e08348f7

Download Submit
C:\Windows\{A22C0E5E-ECF4-402a-B67A-669466070F50}.exe

Filesize
197KB

MD5
d0499cdf30c3ae991c75d3a23ea17de8

SHA1
af97a4942c3515cd91f081f79e04b304f0bfdbe5

SHA256
5c77a60aeb74286927f07c73cd2f9d1210ef622ca63e8c6109fb573114cd5d8c

SHA512
b1b3e3c726b6f9caab7fcdc18d56865503255685a34c216e85718cfb957860e1f0c469982bbdd640cedc6d63bfa34f7615c6f754e6184bfb5407171f3f6f2f89

Download Submit
C:\Windows\{A80AD825-00D8-4755-8D6D-5A29F1B8D932}.exe

Filesize
197KB

MD5
e59914a52f1ef421538e86fe6a6192e0

SHA1
521b86ec8921b0e077ee5e9505c2a18739a5ab23

SHA256
88d9b07441a28da796f339860d4fcae1e93984dcc4413249a2891b30096a495d

SHA512
47bf4a4f3677d17694f708f0ded82a88b7a384b93fecf9bcad0c4d301abf0f903a1b0cb85556609e190f08a56bbcf46ebeeecb0ba115adff9f967c2941d7b5a1

Download Submit
C:\Windows\{C9E5E242-DB08-4c74-8426-8EA558CFAC73}.exe

Filesize
197KB

MD5
6ddafd790dd43ee53f6e2308494ab7be

SHA1
aba8c0ecdf1d8ff45512fca742727b3468cd6a0b

SHA256
142c612db49cc3ed6207334963374947482488982fef9950d4295193025d48be

SHA512
d25da04dcb6abf7e2c3a02dbedd7a61ab5e19eec23783c3258fc4d3b66c6812ea429a805cf5ab764b2698673eb32f9b2e8c191b0d3c5707ca8af60d13ad567ef

Download Submit
C:\Windows\{D6FF4338-E8B8-4fab-8CF6-6FEC47E8DDF6}.exe

Filesize
197KB

MD5
cb604502068175e11b677da22f2f1647

SHA1
1fce78e1c019230c034082ce591082846fce502b

SHA256
e99fb4f32f218a47a4a59ac227596478a41e30d8c4e4f95249baf3a1d3776e01

SHA512
e516f15c68e526efcef3b1a7b025ca03b1db4802b48851f6777e26063e859982f510cd1b8d2d038ae1b4721d9f794d7c9ef01cdd347bd6e5fae3e2974c6b46ff

Download Submit
C:\Windows\{D91A805A-006B-4f0f-98DA-C7A7A6915FCA}.exe

Filesize
197KB

MD5
c070a7bc9a6d95bb21bad6322bb64021

SHA1
1fff2ef0f2e6d82c54e80cf42f6853a6d5113d69

SHA256
5d403d76d47860a9f33efb81e3856fc94244c0d87a143693e3608d4632387d1f

SHA512
cf5148b4fe7406ee5088bfcfaadfd8ef36254838ad5bbab1c533cd77c1f0746f81ad661e589a06953914c8a000307604bde2616789bcf7691408b2e609f9e2a1

Download Submit
C:\Windows\{DC52B756-69B9-4344-8B72-4E66519EA08D}.exe

Filesize
197KB

MD5
aa8b1cf56b01f162e7fee55ec9ec6dad

SHA1
1c2e22dbdf8bc08c190b87ce972f948abb62e4c5

SHA256
2e8c9dcd321e1a868330e6ebc9e534614d817ec7cf615e1ad11d0b982161915f

SHA512
33172d26eff5125547de4a6e0235a795bd9d8d1240870785074f93c2c28a619194467b5b9dd0f342d3c33a535e13d02fce884a22af0038f076ab48e0bf02dbec

Download Submit
C:\Windows\{E7903C17-1D3F-4c60-957E-86601810DC63}.exe

Filesize
197KB

MD5
69b92e4eaf37fd12b2f3ddb7ca702078

SHA1
8c916b6ac01af6958b7d4c06182718956e4e7ca8

SHA256
24862fc5caf2054eaa20c452fc81b6f17eecb7c44adc4aed6a6da2b34c76a6cb

SHA512
062cd1898df10bb280f968a1fda1e162efbee256209a4b7b88a577eca09889e4fa83b170aab115c28e9ca3f8c29feb3511b8aa050fa37397642d9e73726eec39

Download Submit
C:\Windows\{FD3D78FD-B787-452f-BF0F-853300C139AD}.exe

Filesize
197KB

MD5
92f5284bfb0a088ce204b4bb2c3f28b7

SHA1
7754238f32fcceb5a3ed326a701d1d51a20955ab

SHA256
4264a80c151ad0f72abb4b2c4382301ff696aa0a4e6f4701d16ef23f66fc58b5

SHA512
f45bd9355fff19d5babc5d810ce44eb54bf8308f94eeb0f4530bd7fe94bc0a29a157e169854e0e76e5171c9dd5f84354628572f20505757fb667742e4c77108d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads