3bf79ec06fcf9f697541032bdd5dc7d1828ee15b8a0a6d70bf2b502b1e15b2c6

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe
Size

344KB
MD5

835f9ba9f9bd88a6ccda4d6036214afc
SHA1

7796dc26a9b50bf56684a450cf80d1e65d95f526
SHA256

3bf79ec06fcf9f697541032bdd5dc7d1828ee15b8a0a6d70bf2b502b1e15b2c6
SHA512

c8c43e8197092d28178e791fc407b28ace06f227c9b3a1e94c20cf2e5ca6b863d7dc5471981ab94ffd456cca1c45e2a0ff3fcf44f70eefa0907cc77ebdcee038
SSDEEP

3072:mEGh0oKlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGwlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023214-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002321c-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023122-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e80c-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002322b-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002331a-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023386-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002331a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000233cf-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023147-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233cf-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{360EDF25-8B12-4613-9E86-63257948E822}	{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58781D49-081F-470d-8A67-7F67825C8B61}\stubpath = "C:\\Windows\\{58781D49-081F-470d-8A67-7F67825C8B61}.exe"	{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56338851-1B63-4c89-9131-17FE1D4F86CF}	{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8646A93F-BF25-4d10-862F-C2E34C37893F}\stubpath = "C:\\Windows\\{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe"	{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3547798-7566-4803-AA15-44FF7C46E1E0}	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C20FE031-6E65-459a-8C56-723E3D1D8D3A}\stubpath = "C:\\Windows\\{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe"	{58781D49-081F-470d-8A67-7F67825C8B61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}	{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F1ECD29-EB99-4645-941B-4DD52A1551FF}	{16FCFC6E-B626-4358-9A02-DE32101016EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6892873B-09F2-43dc-BEBC-86A4D34AD420}	{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6892873B-09F2-43dc-BEBC-86A4D34AD420}\stubpath = "C:\\Windows\\{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe"	{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3547798-7566-4803-AA15-44FF7C46E1E0}\stubpath = "C:\\Windows\\{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe"	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08F1F5D1-1416-4591-BC05-4A8ADA117487}\stubpath = "C:\\Windows\\{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe"	{360EDF25-8B12-4613-9E86-63257948E822}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C20FE031-6E65-459a-8C56-723E3D1D8D3A}	{58781D49-081F-470d-8A67-7F67825C8B61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}\stubpath = "C:\\Windows\\{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe"	{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56338851-1B63-4c89-9131-17FE1D4F86CF}\stubpath = "C:\\Windows\\{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe"	{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3ABF86A-8E16-4b15-B377-465823C7A095}\stubpath = "C:\\Windows\\{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe"	{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16FCFC6E-B626-4358-9A02-DE32101016EC}\stubpath = "C:\\Windows\\{16FCFC6E-B626-4358-9A02-DE32101016EC}.exe"	{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F1ECD29-EB99-4645-941B-4DD52A1551FF}\stubpath = "C:\\Windows\\{1F1ECD29-EB99-4645-941B-4DD52A1551FF}.exe"	{16FCFC6E-B626-4358-9A02-DE32101016EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{360EDF25-8B12-4613-9E86-63257948E822}\stubpath = "C:\\Windows\\{360EDF25-8B12-4613-9E86-63257948E822}.exe"	{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08F1F5D1-1416-4591-BC05-4A8ADA117487}	{360EDF25-8B12-4613-9E86-63257948E822}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58781D49-081F-470d-8A67-7F67825C8B61}	{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3ABF86A-8E16-4b15-B377-465823C7A095}	{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8646A93F-BF25-4d10-862F-C2E34C37893F}	{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16FCFC6E-B626-4358-9A02-DE32101016EC}	{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe

Executes dropped EXE 12 IoCs

pid	Process
4092	{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe
2920	{360EDF25-8B12-4613-9E86-63257948E822}.exe
1604	{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe
4568	{58781D49-081F-470d-8A67-7F67825C8B61}.exe
4628	{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe
3460	{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe
4552	{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe
4432	{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe
2352	{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe
4912	{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe
2084	{16FCFC6E-B626-4358-9A02-DE32101016EC}.exe
1552	{1F1ECD29-EB99-4645-941B-4DD52A1551FF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1F1ECD29-EB99-4645-941B-4DD52A1551FF}.exe	{16FCFC6E-B626-4358-9A02-DE32101016EC}.exe
File created	C:\Windows\{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe
File created	C:\Windows\{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe	{360EDF25-8B12-4613-9E86-63257948E822}.exe
File created	C:\Windows\{58781D49-081F-470d-8A67-7F67825C8B61}.exe	{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe
File created	C:\Windows\{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe	{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe
File created	C:\Windows\{16FCFC6E-B626-4358-9A02-DE32101016EC}.exe	{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe
File created	C:\Windows\{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe	{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe
File created	C:\Windows\{360EDF25-8B12-4613-9E86-63257948E822}.exe	{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe
File created	C:\Windows\{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe	{58781D49-081F-470d-8A67-7F67825C8B61}.exe
File created	C:\Windows\{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe	{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe
File created	C:\Windows\{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe	{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe
File created	C:\Windows\{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe	{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1492	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4092	{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe
Token: SeIncBasePriorityPrivilege	2920	{360EDF25-8B12-4613-9E86-63257948E822}.exe
Token: SeIncBasePriorityPrivilege	1604	{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe
Token: SeIncBasePriorityPrivilege	4568	{58781D49-081F-470d-8A67-7F67825C8B61}.exe
Token: SeIncBasePriorityPrivilege	4628	{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe
Token: SeIncBasePriorityPrivilege	3460	{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe
Token: SeIncBasePriorityPrivilege	4552	{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe
Token: SeIncBasePriorityPrivilege	4432	{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe
Token: SeIncBasePriorityPrivilege	2352	{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe
Token: SeIncBasePriorityPrivilege	4912	{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe
Token: SeIncBasePriorityPrivilege	2084	{16FCFC6E-B626-4358-9A02-DE32101016EC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 4092	1492	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	97
PID 1492 wrote to memory of 4092	1492	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	97
PID 1492 wrote to memory of 4092	1492	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	97
PID 1492 wrote to memory of 1788	1492	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	98
PID 1492 wrote to memory of 1788	1492	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	98
PID 1492 wrote to memory of 1788	1492	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	98
PID 4092 wrote to memory of 2920	4092	{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe	101
PID 4092 wrote to memory of 2920	4092	{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe	101
PID 4092 wrote to memory of 2920	4092	{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe	101
PID 4092 wrote to memory of 4552	4092	{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe	102
PID 4092 wrote to memory of 4552	4092	{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe	102
PID 4092 wrote to memory of 4552	4092	{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe	102
PID 2920 wrote to memory of 1604	2920	{360EDF25-8B12-4613-9E86-63257948E822}.exe	106
PID 2920 wrote to memory of 1604	2920	{360EDF25-8B12-4613-9E86-63257948E822}.exe	106
PID 2920 wrote to memory of 1604	2920	{360EDF25-8B12-4613-9E86-63257948E822}.exe	106
PID 2920 wrote to memory of 3600	2920	{360EDF25-8B12-4613-9E86-63257948E822}.exe	107
PID 2920 wrote to memory of 3600	2920	{360EDF25-8B12-4613-9E86-63257948E822}.exe	107
PID 2920 wrote to memory of 3600	2920	{360EDF25-8B12-4613-9E86-63257948E822}.exe	107
PID 1604 wrote to memory of 4568	1604	{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe	109
PID 1604 wrote to memory of 4568	1604	{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe	109
PID 1604 wrote to memory of 4568	1604	{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe	109
PID 1604 wrote to memory of 4784	1604	{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe	110
PID 1604 wrote to memory of 4784	1604	{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe	110
PID 1604 wrote to memory of 4784	1604	{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe	110
PID 4568 wrote to memory of 4628	4568	{58781D49-081F-470d-8A67-7F67825C8B61}.exe	112
PID 4568 wrote to memory of 4628	4568	{58781D49-081F-470d-8A67-7F67825C8B61}.exe	112
PID 4568 wrote to memory of 4628	4568	{58781D49-081F-470d-8A67-7F67825C8B61}.exe	112
PID 4568 wrote to memory of 1888	4568	{58781D49-081F-470d-8A67-7F67825C8B61}.exe	113
PID 4568 wrote to memory of 1888	4568	{58781D49-081F-470d-8A67-7F67825C8B61}.exe	113
PID 4568 wrote to memory of 1888	4568	{58781D49-081F-470d-8A67-7F67825C8B61}.exe	113
PID 4628 wrote to memory of 3460	4628	{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe	114
PID 4628 wrote to memory of 3460	4628	{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe	114
PID 4628 wrote to memory of 3460	4628	{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe	114
PID 4628 wrote to memory of 4200	4628	{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe	115
PID 4628 wrote to memory of 4200	4628	{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe	115
PID 4628 wrote to memory of 4200	4628	{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe	115
PID 3460 wrote to memory of 4552	3460	{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe	116
PID 3460 wrote to memory of 4552	3460	{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe	116
PID 3460 wrote to memory of 4552	3460	{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe	116
PID 3460 wrote to memory of 2188	3460	{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe	117
PID 3460 wrote to memory of 2188	3460	{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe	117
PID 3460 wrote to memory of 2188	3460	{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe	117
PID 4552 wrote to memory of 4432	4552	{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe	124
PID 4552 wrote to memory of 4432	4552	{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe	124
PID 4552 wrote to memory of 4432	4552	{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe	124
PID 4552 wrote to memory of 2748	4552	{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe	125
PID 4552 wrote to memory of 2748	4552	{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe	125
PID 4552 wrote to memory of 2748	4552	{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe	125
PID 4432 wrote to memory of 2352	4432	{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe	127
PID 4432 wrote to memory of 2352	4432	{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe	127
PID 4432 wrote to memory of 2352	4432	{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe	127
PID 4432 wrote to memory of 2324	4432	{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe	128
PID 4432 wrote to memory of 2324	4432	{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe	128
PID 4432 wrote to memory of 2324	4432	{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe	128
PID 2352 wrote to memory of 4912	2352	{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe	129
PID 2352 wrote to memory of 4912	2352	{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe	129
PID 2352 wrote to memory of 4912	2352	{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe	129
PID 2352 wrote to memory of 3752	2352	{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe	130
PID 2352 wrote to memory of 3752	2352	{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe	130
PID 2352 wrote to memory of 3752	2352	{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe	130
PID 4912 wrote to memory of 2084	4912	{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe	134
PID 4912 wrote to memory of 2084	4912	{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe	134
PID 4912 wrote to memory of 2084	4912	{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe	134
PID 4912 wrote to memory of 2852	4912	{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe	135

C:\Users\Admin\AppData\Local\Temp\2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe
  C:\Windows\{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\{360EDF25-8B12-4613-9E86-63257948E822}.exe
    C:\Windows\{360EDF25-8B12-4613-9E86-63257948E822}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe
      C:\Windows\{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\{58781D49-081F-470d-8A67-7F67825C8B61}.exe
        
        C:\Windows\{58781D49-081F-470d-8A67-7F67825C8B61}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4568
      - C:\Windows\{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe
        
        C:\Windows\{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe
        
        C:\Windows\{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe
        
        C:\Windows\{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe
        
        C:\Windows\{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe
        
        C:\Windows\{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe
        
        C:\Windows\{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\{16FCFC6E-B626-4358-9A02-DE32101016EC}.exe
        
        C:\Windows\{16FCFC6E-B626-4358-9A02-DE32101016EC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\{1F1ECD29-EB99-4645-941B-4DD52A1551FF}.exe
        
        C:\Windows\{1F1ECD29-EB99-4645-941B-4DD52A1551FF}.exe
        13⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16FCF~1.EXE > nul
        13⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8646A~1.EXE > nul
        12⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68928~1.EXE > nul
        11⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3ABF~1.EXE > nul
        10⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56338~1.EXE > nul
        9⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1917D~1.EXE > nul
        8⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C20FE~1.EXE > nul
        7⤵
        
        PID:4200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58781~1.EXE > nul
        6⤵
        
        PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08F1F~1.EXE > nul
        5⤵
        
        PID:4784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{360ED~1.EXE > nul
      4⤵
      PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B3547~1.EXE > nul
    3⤵
    PID:4552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08F1F5D1-1416-4591-BC05-4A8ADA117487}.exe

Filesize
344KB

MD5
015dbc5d9514b521f2fc2111e063563f

SHA1
a65c2ae90654c76c37253f2f789e5d521ea4ccfd

SHA256
506f3d42c94adbe86f907043596c12ded1b7fea7f6edbc69439d80212acb7ec6

SHA512
c1db42cf5771d284d787d4a955225667d897d806d30ce12329e5d7726db1b61f5284db5f9e07995fb2dcd2e938e434fbc634a87ef01a03ff94d9003492392d9c

Download Submit
C:\Windows\{16FCFC6E-B626-4358-9A02-DE32101016EC}.exe

Filesize
344KB

MD5
6e9fa6399ca8feb010a5b77025e8a9cf

SHA1
ef300114f646bc59bfb79f7e6ab72066a44e0fa7

SHA256
f04391f2b300eb693ea07c854bd827aa5f221753d323fccbfde95c1709d59c2e

SHA512
76540638af9e23cc64a70ce56ee3b9bf4dc0dd482723d57762d303d5f7bc7e8d87e5e499db8231b2ff8b800f5d38514362fdb6d63073836d70fc261c306b7758

Download Submit
C:\Windows\{1917DA2D-E140-4085-BC9F-07AAC9FBC70D}.exe

Filesize
344KB

MD5
b4c3d4b85fad487b4f277f16d1c4e528

SHA1
5c147d80a92cf15e2b1fd637b2dbf1ffbb4b6872

SHA256
b2fdd3f98a9f9aa21bb3bac0d576e4776fb014bed13ca908df8d63b71b808726

SHA512
8f5af3044b417e87989e0ca0f865f66ea6abc45d951de3ea9cbe2ca45ce8dd0e2f2592dc787554469beed08bc9a47f0298df03484ee6e439e787e6a2def505ae

Download Submit
C:\Windows\{1F1ECD29-EB99-4645-941B-4DD52A1551FF}.exe

Filesize
344KB

MD5
53750ffb547a3ade2eebc367ae7c3f33

SHA1
ca45bd2d430c23c7a559966ae164f149988e3c87

SHA256
f14a2fe4d48ff559415435016457ece4fe1bc2426b3acecb4899e2c1ea400141

SHA512
acb76187ea3deb3a34d5d2cf028baedd5a38b5fb43e7bff1203d6bf9690e3a48992c770367cbb63dd041efbeb65cb867089bd00e04d5c2e8c23dd2b756575d2c

Download Submit
C:\Windows\{360EDF25-8B12-4613-9E86-63257948E822}.exe

Filesize
344KB

MD5
4a9edf810b7f0716a277f99181f20488

SHA1
1813e848b4634a903efaac0580bf3d5bb309e288

SHA256
e4ffa37f6d6245b769bf11d1cec1c32b6b2eaf948e3c8f94ec6763c095944455

SHA512
5e995237de0d86091ce032edb34bf65e7fd1bbcdf7be075b7dd68e9a653d75768e9acbfd88af673bb0d1bc21b24a77e62b5c5b99c5d567a2e2f464c51cdcbedc

Download Submit
C:\Windows\{56338851-1B63-4c89-9131-17FE1D4F86CF}.exe

Filesize
344KB

MD5
0de24a21fd31c20a65f3826c3a2d2dd0

SHA1
5763319d490f2d3a94bbd7cd7dfac996c890f1bd

SHA256
bdda22c3710a0e862b1cfad59f593eaf0557556226d13df4269d3c198a0fb5a7

SHA512
7cdf38f2533a7642a05135086895417e6149ea88c006fcf008799baffce063d8313bc704123017bd5a796e4f9349d1cb45d03e9b9bd5b643b8f72f9443cf2a25

Download Submit
C:\Windows\{58781D49-081F-470d-8A67-7F67825C8B61}.exe

Filesize
344KB

MD5
be4149615ecd48a60e4451ab86508fe4

SHA1
b1dec334855fcbb37c6f9de5e76eaf416ad28ace

SHA256
ba40a18040af1a316ba1fb18092b508d35144f34635735d03bc0fdda1d265a99

SHA512
981b1c0c337cfa2d2b6c6d635ec6e740a18df86196ea32e733a3bb00e2595709e256db04ad2d8a031c5e66b423fff0adf14402060cb882dcc85a167ff2d6d81f

Download Submit
C:\Windows\{6892873B-09F2-43dc-BEBC-86A4D34AD420}.exe

Filesize
344KB

MD5
dc624d44dc9a98d6c79b798fb49bc4b3

SHA1
b94bccd2af44d858df8c267735344768cef4cb44

SHA256
42027d8eeec67e025cd6e7ef3a9fe7a2d6d53bd69d2c698b08f7e6385aecc0ef

SHA512
7c3408720a3d97f59397e619d181d2965829d7abffa6b52078e7aa7433cad3ce2235b20ad45012a452ba43bd072f61d82a4c0f2bbb62aaba3eb5120e3fef7312

Download Submit
C:\Windows\{8646A93F-BF25-4d10-862F-C2E34C37893F}.exe

Filesize
344KB

MD5
410bc2fa2f66476428022bb1777b3d5e

SHA1
e4b622d46b3dacf6ecbf474a40978d7e64eb7264

SHA256
6b5ada69b0875f919f1a8fadbfd4d134968c6749b8bb139e1de33cf0080475fe

SHA512
bd86f23d6c71f43a0a8984737f2a6f77a39f0db60630e3fc935904e3d4b2b7b7b9d92cfee9d067a9fe8bd06b7538daa02606c0614110fc197dab902210b84bfb

Download Submit
C:\Windows\{B3547798-7566-4803-AA15-44FF7C46E1E0}.exe

Filesize
344KB

MD5
a905edc25e0c869f86b8ca4845738af7

SHA1
0eafbe72888ba1462eb93e718b71350c1c3c30d2

SHA256
16f949c2b2c5afe9fc172935c89aea772df90b003009db3521577395e5ec68c7

SHA512
4f0a7bca734f9fff744bdc3a2f067f70a3fdb9773e6378df488f9cfab2edd626f5a9df93fbc7c374715e0c59a855716cf0ac6368af816362617ddfe9826ae734

Download Submit
C:\Windows\{C20FE031-6E65-459a-8C56-723E3D1D8D3A}.exe

Filesize
344KB

MD5
02948951f24c279f7da7146592119e26

SHA1
f65aeca9fd794ad113fcee45666ab4783b415026

SHA256
f19178bdae57e8b343229ec591928e084e56132fac6c9e6ece79cfb9ccd39fe7

SHA512
fe86b010093f80ac8a3461c33c62ace83097bac6de45f2bde44b2394f176232242305c44ecbef14909bdc8ac7b3214d237ff652752c0f959aef4f7f32275b764

Download Submit
C:\Windows\{F3ABF86A-8E16-4b15-B377-465823C7A095}.exe

Filesize
344KB

MD5
a71ef58faa2f938a7c7b1b8a02fd8806

SHA1
1291732c4c6ab2a7c4c74cde469b39ffb068be1b

SHA256
f001e51f8bd0af7d5a953eb363a63f3e8924f062510e3cb5aea1a3c481678386

SHA512
e843d7b733d37c74f6837656ec3b1b5172d3e1b64e63688ad0a84c830f39403c5a092fd4767826cd83ce226fa27e11eed6641d4ccb08563da01530570f892077

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads