7641003b0f757d4e3f72f1095d125dfb7bb16f07e7c570acf357045679c16b07

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe
Size

344KB
MD5

f4fe7a45c944baad6e917002adc1de6e
SHA1

2b2da970b4c16975d644cc128fbc87c4e2d5b98c
SHA256

7641003b0f757d4e3f72f1095d125dfb7bb16f07e7c570acf357045679c16b07
SHA512

509c9a84ed09efa80e44826b6a3ed32d71965f271edd85f179d99d51b5cf38fa88cfbe2dc873ada41a1b2f70ed86e866c4f4ac0b1b36f9b67a187c2d7dbb911f
SSDEEP

3072:mEGh0oOlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG4lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023194-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023203-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320a-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0012000000023203-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002320a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0013000000023203-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002320a-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072b-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072b-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000072b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77FC0D70-167F-4a9b-BC85-ADBE94802913}\stubpath = "C:\\Windows\\{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe"	{09515B38-60FC-4085-9796-DED3086F49B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{120945B7-F847-4034-9EFC-EC280B09780E}	{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A5F614F-7E94-406e-B104-6F80A90E9F58}	{120945B7-F847-4034-9EFC-EC280B09780E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14790800-EE55-4afd-B527-5D0486CF43B4}	{4D015DCD-E290-493c-9F3B-8276AFB94C06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}	{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{912B9E46-E919-4412-AD7F-9699C4DDFB9E}\stubpath = "C:\\Windows\\{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe"	{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6957BB49-D600-4d14-90E1-6357ABF5CDDF}\stubpath = "C:\\Windows\\{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe"	{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E72E0405-2292-4644-902B-F3E14A21A254}\stubpath = "C:\\Windows\\{E72E0405-2292-4644-902B-F3E14A21A254}.exe"	{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D015DCD-E290-493c-9F3B-8276AFB94C06}	{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D015DCD-E290-493c-9F3B-8276AFB94C06}\stubpath = "C:\\Windows\\{4D015DCD-E290-493c-9F3B-8276AFB94C06}.exe"	{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14790800-EE55-4afd-B527-5D0486CF43B4}\stubpath = "C:\\Windows\\{14790800-EE55-4afd-B527-5D0486CF43B4}.exe"	{4D015DCD-E290-493c-9F3B-8276AFB94C06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0B8146-C0DF-4d4b-989F-A6543F967922}	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6957BB49-D600-4d14-90E1-6357ABF5CDDF}	{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77FC0D70-167F-4a9b-BC85-ADBE94802913}	{09515B38-60FC-4085-9796-DED3086F49B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5042948E-D307-4bf3-BC62-55245A9C2E68}	{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A5F614F-7E94-406e-B104-6F80A90E9F58}\stubpath = "C:\\Windows\\{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe"	{120945B7-F847-4034-9EFC-EC280B09780E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}\stubpath = "C:\\Windows\\{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe"	{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09515B38-60FC-4085-9796-DED3086F49B6}\stubpath = "C:\\Windows\\{09515B38-60FC-4085-9796-DED3086F49B6}.exe"	{E72E0405-2292-4644-902B-F3E14A21A254}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E72E0405-2292-4644-902B-F3E14A21A254}	{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09515B38-60FC-4085-9796-DED3086F49B6}	{E72E0405-2292-4644-902B-F3E14A21A254}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5042948E-D307-4bf3-BC62-55245A9C2E68}\stubpath = "C:\\Windows\\{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe"	{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{120945B7-F847-4034-9EFC-EC280B09780E}\stubpath = "C:\\Windows\\{120945B7-F847-4034-9EFC-EC280B09780E}.exe"	{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA0B8146-C0DF-4d4b-989F-A6543F967922}\stubpath = "C:\\Windows\\{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe"	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{912B9E46-E919-4412-AD7F-9699C4DDFB9E}	{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe

Executes dropped EXE 12 IoCs

pid	Process
2812	{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe
1028	{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe
2400	{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe
3376	{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe
4700	{E72E0405-2292-4644-902B-F3E14A21A254}.exe
3308	{09515B38-60FC-4085-9796-DED3086F49B6}.exe
2788	{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe
3060	{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe
2712	{120945B7-F847-4034-9EFC-EC280B09780E}.exe
2852	{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe
2316	{4D015DCD-E290-493c-9F3B-8276AFB94C06}.exe
4744	{14790800-EE55-4afd-B527-5D0486CF43B4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe	{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe
File created	C:\Windows\{120945B7-F847-4034-9EFC-EC280B09780E}.exe	{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe
File created	C:\Windows\{4D015DCD-E290-493c-9F3B-8276AFB94C06}.exe	{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe
File created	C:\Windows\{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe	{09515B38-60FC-4085-9796-DED3086F49B6}.exe
File created	C:\Windows\{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe	{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe
File created	C:\Windows\{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe	{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe
File created	C:\Windows\{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe	{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe
File created	C:\Windows\{E72E0405-2292-4644-902B-F3E14A21A254}.exe	{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe
File created	C:\Windows\{09515B38-60FC-4085-9796-DED3086F49B6}.exe	{E72E0405-2292-4644-902B-F3E14A21A254}.exe
File created	C:\Windows\{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe	{120945B7-F847-4034-9EFC-EC280B09780E}.exe
File created	C:\Windows\{14790800-EE55-4afd-B527-5D0486CF43B4}.exe	{4D015DCD-E290-493c-9F3B-8276AFB94C06}.exe
File created	C:\Windows\{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1676	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2812	{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe
Token: SeIncBasePriorityPrivilege	1028	{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe
Token: SeIncBasePriorityPrivilege	2400	{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe
Token: SeIncBasePriorityPrivilege	3376	{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe
Token: SeIncBasePriorityPrivilege	4700	{E72E0405-2292-4644-902B-F3E14A21A254}.exe
Token: SeIncBasePriorityPrivilege	3308	{09515B38-60FC-4085-9796-DED3086F49B6}.exe
Token: SeIncBasePriorityPrivilege	2788	{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe
Token: SeIncBasePriorityPrivilege	3060	{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe
Token: SeIncBasePriorityPrivilege	2712	{120945B7-F847-4034-9EFC-EC280B09780E}.exe
Token: SeIncBasePriorityPrivilege	2852	{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe
Token: SeIncBasePriorityPrivilege	2316	{4D015DCD-E290-493c-9F3B-8276AFB94C06}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2812	1676	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	97
PID 1676 wrote to memory of 2812	1676	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	97
PID 1676 wrote to memory of 2812	1676	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	97
PID 1676 wrote to memory of 3164	1676	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	98
PID 1676 wrote to memory of 3164	1676	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	98
PID 1676 wrote to memory of 3164	1676	2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe	98
PID 2812 wrote to memory of 1028	2812	{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe	99
PID 2812 wrote to memory of 1028	2812	{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe	99
PID 2812 wrote to memory of 1028	2812	{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe	99
PID 2812 wrote to memory of 944	2812	{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe	100
PID 2812 wrote to memory of 944	2812	{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe	100
PID 2812 wrote to memory of 944	2812	{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe	100
PID 1028 wrote to memory of 2400	1028	{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe	102
PID 1028 wrote to memory of 2400	1028	{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe	102
PID 1028 wrote to memory of 2400	1028	{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe	102
PID 1028 wrote to memory of 2260	1028	{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe	103
PID 1028 wrote to memory of 2260	1028	{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe	103
PID 1028 wrote to memory of 2260	1028	{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe	103
PID 2400 wrote to memory of 3376	2400	{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe	104
PID 2400 wrote to memory of 3376	2400	{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe	104
PID 2400 wrote to memory of 3376	2400	{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe	104
PID 2400 wrote to memory of 2732	2400	{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe	105
PID 2400 wrote to memory of 2732	2400	{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe	105
PID 2400 wrote to memory of 2732	2400	{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe	105
PID 3376 wrote to memory of 4700	3376	{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe	106
PID 3376 wrote to memory of 4700	3376	{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe	106
PID 3376 wrote to memory of 4700	3376	{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe	106
PID 3376 wrote to memory of 5072	3376	{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe	107
PID 3376 wrote to memory of 5072	3376	{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe	107
PID 3376 wrote to memory of 5072	3376	{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe	107
PID 4700 wrote to memory of 3308	4700	{E72E0405-2292-4644-902B-F3E14A21A254}.exe	108
PID 4700 wrote to memory of 3308	4700	{E72E0405-2292-4644-902B-F3E14A21A254}.exe	108
PID 4700 wrote to memory of 3308	4700	{E72E0405-2292-4644-902B-F3E14A21A254}.exe	108
PID 4700 wrote to memory of 2640	4700	{E72E0405-2292-4644-902B-F3E14A21A254}.exe	109
PID 4700 wrote to memory of 2640	4700	{E72E0405-2292-4644-902B-F3E14A21A254}.exe	109
PID 4700 wrote to memory of 2640	4700	{E72E0405-2292-4644-902B-F3E14A21A254}.exe	109
PID 3308 wrote to memory of 2788	3308	{09515B38-60FC-4085-9796-DED3086F49B6}.exe	110
PID 3308 wrote to memory of 2788	3308	{09515B38-60FC-4085-9796-DED3086F49B6}.exe	110
PID 3308 wrote to memory of 2788	3308	{09515B38-60FC-4085-9796-DED3086F49B6}.exe	110
PID 3308 wrote to memory of 2452	3308	{09515B38-60FC-4085-9796-DED3086F49B6}.exe	111
PID 3308 wrote to memory of 2452	3308	{09515B38-60FC-4085-9796-DED3086F49B6}.exe	111
PID 3308 wrote to memory of 2452	3308	{09515B38-60FC-4085-9796-DED3086F49B6}.exe	111
PID 2788 wrote to memory of 3060	2788	{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe	112
PID 2788 wrote to memory of 3060	2788	{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe	112
PID 2788 wrote to memory of 3060	2788	{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe	112
PID 2788 wrote to memory of 536	2788	{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe	113
PID 2788 wrote to memory of 536	2788	{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe	113
PID 2788 wrote to memory of 536	2788	{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe	113
PID 3060 wrote to memory of 2712	3060	{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe	114
PID 3060 wrote to memory of 2712	3060	{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe	114
PID 3060 wrote to memory of 2712	3060	{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe	114
PID 3060 wrote to memory of 640	3060	{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe	115
PID 3060 wrote to memory of 640	3060	{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe	115
PID 3060 wrote to memory of 640	3060	{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe	115
PID 2712 wrote to memory of 2852	2712	{120945B7-F847-4034-9EFC-EC280B09780E}.exe	116
PID 2712 wrote to memory of 2852	2712	{120945B7-F847-4034-9EFC-EC280B09780E}.exe	116
PID 2712 wrote to memory of 2852	2712	{120945B7-F847-4034-9EFC-EC280B09780E}.exe	116
PID 2712 wrote to memory of 4552	2712	{120945B7-F847-4034-9EFC-EC280B09780E}.exe	117
PID 2712 wrote to memory of 4552	2712	{120945B7-F847-4034-9EFC-EC280B09780E}.exe	117
PID 2712 wrote to memory of 4552	2712	{120945B7-F847-4034-9EFC-EC280B09780E}.exe	117
PID 2852 wrote to memory of 2316	2852	{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe	118
PID 2852 wrote to memory of 2316	2852	{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe	118
PID 2852 wrote to memory of 2316	2852	{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe	118
PID 2852 wrote to memory of 1208	2852	{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-29_f4fe7a45c944baad6e917002adc1de6e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe
  C:\Windows\{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe
    C:\Windows\{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe
      C:\Windows\{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Windows\{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe
        
        C:\Windows\{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3376
      - C:\Windows\{E72E0405-2292-4644-902B-F3E14A21A254}.exe
        
        C:\Windows\{E72E0405-2292-4644-902B-F3E14A21A254}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\{09515B38-60FC-4085-9796-DED3086F49B6}.exe
        
        C:\Windows\{09515B38-60FC-4085-9796-DED3086F49B6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe
        
        C:\Windows\{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe
        
        C:\Windows\{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\{120945B7-F847-4034-9EFC-EC280B09780E}.exe
        
        C:\Windows\{120945B7-F847-4034-9EFC-EC280B09780E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe
        
        C:\Windows\{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{4D015DCD-E290-493c-9F3B-8276AFB94C06}.exe
        
        C:\Windows\{4D015DCD-E290-493c-9F3B-8276AFB94C06}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{14790800-EE55-4afd-B527-5D0486CF43B4}.exe
        
        C:\Windows\{14790800-EE55-4afd-B527-5D0486CF43B4}.exe
        13⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D015~1.EXE > nul
        13⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A5F6~1.EXE > nul
        12⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12094~1.EXE > nul
        11⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50429~1.EXE > nul
        10⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77FC0~1.EXE > nul
        9⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09515~1.EXE > nul
        8⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E72E0~1.EXE > nul
        7⤵
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{912B9~1.EXE > nul
        6⤵
        
        PID:5072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6957B~1.EXE > nul
        5⤵
        
        PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6B4BD~1.EXE > nul
      4⤵
      PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DA0B8~1.EXE > nul
    3⤵
    PID:944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09515B38-60FC-4085-9796-DED3086F49B6}.exe

Filesize
344KB

MD5
d0c7f36e864ea8b4898922d1364fd6f0

SHA1
699b545b4aca972fea73bd3ae2e3c1fd32cf39ea

SHA256
13ffc67c906ec2372c47eddde7fae9b225b68af210f55115d9b1f4115c7a3c54

SHA512
31cb921e0804324f8eb05eea23f74a71deffaeef751ed6b979f40422bf6caf3a7ea088d913c6d1abacee89ee8425e749a8a252f2c9907189bfbb1881bff43f42

Download Submit
C:\Windows\{120945B7-F847-4034-9EFC-EC280B09780E}.exe

Filesize
344KB

MD5
b6edc4770807a50d6a14b0e3eb7ae7ad

SHA1
dc1ce6ae231895cc36f294623f533606e052623f

SHA256
18267ca9854a46b015e5e86b8babcc6611f08d9f8c4051437c1acbfa800eaa03

SHA512
ac0ef206e8cad12b4168eaffda6a67d5fc48f1b7af426cbf2a0c8f071704ca46738f7c8c24894e5ab5dab29a956d293e35906d12394811719c3fd0dfd49aabe7

Download Submit
C:\Windows\{14790800-EE55-4afd-B527-5D0486CF43B4}.exe

Filesize
344KB

MD5
01400e5e5e6d989ac05c864ca4f5430a

SHA1
356f1bb10e18cb946ada85439ff901c5c10f3fa5

SHA256
5e31fa343e511382e2720f7ecba62aa9d616d9430219ee3f99014aabd3389013

SHA512
627d3beb90f2a377eba5f59d843e854e85b752fcdaa81b2f4a9cff8770c96e8b82a3acf64daf0788009b8d4cc19965c2d36c5576fd9acd697f44e81efd722efb

Download Submit
C:\Windows\{4D015DCD-E290-493c-9F3B-8276AFB94C06}.exe

Filesize
344KB

MD5
fb2b1ad08b4e2681a3e14d52fb7c9e89

SHA1
4aefb494fc2bf1c9cd3369ab54aee452e0ae5f7f

SHA256
7afb9f582dd907b0438283ab4b4cdb6b3474cdf59369ddd1e6b86f01705433af

SHA512
6efefbb51fe402520fb39954ddbe718098ddd32e05328e1af65362d445ddfdd2b1d9acf94231759c402f64d469035dc71350ef03cea33f60c9613c3a612740aa

Download Submit
C:\Windows\{5042948E-D307-4bf3-BC62-55245A9C2E68}.exe

Filesize
344KB

MD5
3c94fed5762a691a2b5c5b51f1839b59

SHA1
88b69945bf48b70315e19beb7efe8eb0bd516e58

SHA256
5e8c262afb0042841a8fd14773e5050153d3d5825c56be219bcd6ad19c7a9df8

SHA512
360d55bfca2106fd6c626d156d01c9c3e15be631c1d24326e1d3b8e4b365d93f000afca12e4e07c65dfa4566988c6fa057237f4ac7d43a53eb9a73c7893536a0

Download Submit
C:\Windows\{6957BB49-D600-4d14-90E1-6357ABF5CDDF}.exe

Filesize
344KB

MD5
47241a3d129a43bd80f733e11c93cc00

SHA1
ab90f5516cb118fdd7da00854b48647f09f932da

SHA256
b423b94c258f65b514a8e40e574b04a700bebc36f5324e00fdd9d447ac4f6693

SHA512
6cbb320b07c2c3da0eb8454dd8dc5775af74d9d7460bcc24250d99e66d45579a74a22537df226c6c16339973a937e5072e76604b4948f734abdd8c28d045b5e3

Download Submit
C:\Windows\{6A5F614F-7E94-406e-B104-6F80A90E9F58}.exe

Filesize
344KB

MD5
466c6111e2073f996b9e883c8ff58395

SHA1
f9bad8d537f0055ce4913148252402ced28fa392

SHA256
ec85b0925a5e3d99318dcc304b7b1777b2a81eeeea0fed1dff6e3bb986740ef7

SHA512
78514e7280098e2e622fa30fcdf10784f73890ec60b15e0983c6526c403717d63b23ce72f6776f47fe9b15819f6d950d0d3f985c6ca22878c18232419bceb546

Download Submit
C:\Windows\{6B4BDDC2-EBBB-4b02-B085-93C4C294A1B6}.exe

Filesize
344KB

MD5
644806e209e361cc59aaaa2b97092e28

SHA1
3bdd87c5cefbef848f99f4acce406fabb4471778

SHA256
b8e1da66f01aacabd5f45de47078f3d0c22e70f7149e50ef0cd49e28dd4f780c

SHA512
81b0f76fb42cec497ad14c292b7c8831c97508b591f934f9320129015148edc2e6a5a2f5c1546dc75fd82880c74c05738d6d649082fe5b3d6db0ad8219421c72

Download Submit
C:\Windows\{77FC0D70-167F-4a9b-BC85-ADBE94802913}.exe

Filesize
344KB

MD5
3e3154ae69c6662d8bf1a0543550810c

SHA1
bcc0066cc6564bc55c87e4bb682519826c96bee5

SHA256
b60504e9d23f305b4d6ebe9df401b8382f07058ab3f780001b955bbd67f10338

SHA512
93137dfa45e2d4f7ad311c4989beae350ad099a5451ffdbc76ac105d6c8a4972a91f76ac681d4d400e61136c91636a277520174a20d4bced018330945a68574a

Download Submit
C:\Windows\{912B9E46-E919-4412-AD7F-9699C4DDFB9E}.exe

Filesize
344KB

MD5
52d331a04bba8ce79a238e65e98255f4

SHA1
465ce7571493c4b0bae843745ba6efc578af4d6a

SHA256
141fa3aa29e1802002dad6571813623f40019113ae9da459ae91c03974d882b1

SHA512
a336c8393d4788ded8c6a26e93df98652645e2ed8e504402fc1a9f226076f62cadc590e2adaccb7630201df85d6d337f99a37eeacccf64f9f21308d8b70aff0b

Download Submit
C:\Windows\{DA0B8146-C0DF-4d4b-989F-A6543F967922}.exe

Filesize
344KB

MD5
8e0bb191a9e84cbe8c2a2c62141df792

SHA1
3d977b7edc3b49b685f1134ca7e25ac58a92a590

SHA256
6544db951f1555dbcd8411f386be3c592f07abd57b9f2ba943e8600eed57c383

SHA512
a1638427cb7fbdb731f2d801f55a6b6c10d8295a6b0874d3e303d906a907ac79a7560cc3f2edfc555628f70669b58d3ba567ceb891555a4cc81cc872eb1256bc

Download Submit
C:\Windows\{E72E0405-2292-4644-902B-F3E14A21A254}.exe

Filesize
344KB

MD5
5c3595412752616e3e63337fb4e7ccf2

SHA1
d7dafbfcece81206f709e8b9c62c013aa1f96ff8

SHA256
a341a156aace500f33cc44799a12747fa2c226e26ee7ba1f9cbc959cd687c66d

SHA512
c7e88c90e37cdcaf4408e7312fbb43c994533d3ae88b989a9398c0928e47e57e20ea927363d02ade2fd70079e56e260a4da0d0f970e32bd7ae47e838ae70c5bd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads