6238eb1fa499270e786624d44452013e6f8f1e0f797751926b2abb441a1cbed8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe
Size

197KB
MD5

a4c266cc954c77f25d03766ddc0020d6
SHA1

d2747f60cd9717c6cd5bc96a5979e7d8ecde906c
SHA256

6238eb1fa499270e786624d44452013e6f8f1e0f797751926b2abb441a1cbed8
SHA512

22ee60ba5519a0a88139b379e2ad0ef10e35d2572c7f0b4734e5bf1360d4cca132ecaf7cc15448eead6360749a422bf81f5a3324c21d0962a30c40ab496cf6ae
SSDEEP

3072:jEGh0o5l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGblEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231f1-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0010000000023196-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000231f8-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0011000000023196-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d41-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000006cf-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d41-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000006cf-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006cf-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23042659-81EF-471e-8EA1-67E0A301BBB2}	{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}	{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}\stubpath = "C:\\Windows\\{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe"	{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3235B5C2-A461-402b-A07C-B413E240D4A0}\stubpath = "C:\\Windows\\{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe"	{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6DB9591-873F-4a6b-9111-DD4AA48325D1}	{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{285F97DE-531B-41e9-9BDE-0C465A762042}\stubpath = "C:\\Windows\\{285F97DE-531B-41e9-9BDE-0C465A762042}.exe"	{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}\stubpath = "C:\\Windows\\{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe"	{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}\stubpath = "C:\\Windows\\{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe"	{EF319017-98D5-4b6e-9A85-310AF822D074}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD179887-D542-4fe1-9B43-8DB9FC566A6B}	{B20CEFA4-E10D-48bd-9996-289706613799}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD179887-D542-4fe1-9B43-8DB9FC566A6B}\stubpath = "C:\\Windows\\{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe"	{B20CEFA4-E10D-48bd-9996-289706613799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1838EE5-00FF-4968-9050-EA242D4CFF34}	{285F97DE-531B-41e9-9BDE-0C465A762042}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}\stubpath = "C:\\Windows\\{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe"	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF319017-98D5-4b6e-9A85-310AF822D074}	{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF319017-98D5-4b6e-9A85-310AF822D074}\stubpath = "C:\\Windows\\{EF319017-98D5-4b6e-9A85-310AF822D074}.exe"	{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}	{EF319017-98D5-4b6e-9A85-310AF822D074}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B20CEFA4-E10D-48bd-9996-289706613799}	{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6DB9591-873F-4a6b-9111-DD4AA48325D1}\stubpath = "C:\\Windows\\{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe"	{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1838EE5-00FF-4968-9050-EA242D4CFF34}\stubpath = "C:\\Windows\\{A1838EE5-00FF-4968-9050-EA242D4CFF34}.exe"	{285F97DE-531B-41e9-9BDE-0C465A762042}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}	{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23042659-81EF-471e-8EA1-67E0A301BBB2}\stubpath = "C:\\Windows\\{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe"	{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3235B5C2-A461-402b-A07C-B413E240D4A0}	{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B20CEFA4-E10D-48bd-9996-289706613799}\stubpath = "C:\\Windows\\{B20CEFA4-E10D-48bd-9996-289706613799}.exe"	{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{285F97DE-531B-41e9-9BDE-0C465A762042}	{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe

Executes dropped EXE 12 IoCs

pid	Process
2684	{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe
2860	{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe
1912	{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe
3624	{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe
1264	{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe
3232	{EF319017-98D5-4b6e-9A85-310AF822D074}.exe
452	{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe
4060	{B20CEFA4-E10D-48bd-9996-289706613799}.exe
212	{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe
3728	{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe
4316	{285F97DE-531B-41e9-9BDE-0C465A762042}.exe
1628	{A1838EE5-00FF-4968-9050-EA242D4CFF34}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe	{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe
File created	C:\Windows\{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe	{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe
File created	C:\Windows\{EF319017-98D5-4b6e-9A85-310AF822D074}.exe	{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe
File created	C:\Windows\{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe	{EF319017-98D5-4b6e-9A85-310AF822D074}.exe
File created	C:\Windows\{B20CEFA4-E10D-48bd-9996-289706613799}.exe	{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe
File created	C:\Windows\{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe	{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe
File created	C:\Windows\{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe
File created	C:\Windows\{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe	{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe
File created	C:\Windows\{285F97DE-531B-41e9-9BDE-0C465A762042}.exe	{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe
File created	C:\Windows\{A1838EE5-00FF-4968-9050-EA242D4CFF34}.exe	{285F97DE-531B-41e9-9BDE-0C465A762042}.exe
File created	C:\Windows\{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe	{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe
File created	C:\Windows\{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe	{B20CEFA4-E10D-48bd-9996-289706613799}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	876	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2684	{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe
Token: SeIncBasePriorityPrivilege	2860	{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe
Token: SeIncBasePriorityPrivilege	1912	{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe
Token: SeIncBasePriorityPrivilege	3624	{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe
Token: SeIncBasePriorityPrivilege	1264	{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe
Token: SeIncBasePriorityPrivilege	3232	{EF319017-98D5-4b6e-9A85-310AF822D074}.exe
Token: SeIncBasePriorityPrivilege	452	{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe
Token: SeIncBasePriorityPrivilege	4060	{B20CEFA4-E10D-48bd-9996-289706613799}.exe
Token: SeIncBasePriorityPrivilege	212	{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe
Token: SeIncBasePriorityPrivilege	3728	{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe
Token: SeIncBasePriorityPrivilege	4316	{285F97DE-531B-41e9-9BDE-0C465A762042}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 2684	876	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	96
PID 876 wrote to memory of 2684	876	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	96
PID 876 wrote to memory of 2684	876	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	96
PID 876 wrote to memory of 428	876	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	97
PID 876 wrote to memory of 428	876	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	97
PID 876 wrote to memory of 428	876	2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe	97
PID 2684 wrote to memory of 2860	2684	{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe	98
PID 2684 wrote to memory of 2860	2684	{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe	98
PID 2684 wrote to memory of 2860	2684	{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe	98
PID 2684 wrote to memory of 768	2684	{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe	99
PID 2684 wrote to memory of 768	2684	{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe	99
PID 2684 wrote to memory of 768	2684	{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe	99
PID 2860 wrote to memory of 1912	2860	{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe	101
PID 2860 wrote to memory of 1912	2860	{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe	101
PID 2860 wrote to memory of 1912	2860	{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe	101
PID 2860 wrote to memory of 3480	2860	{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe	102
PID 2860 wrote to memory of 3480	2860	{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe	102
PID 2860 wrote to memory of 3480	2860	{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe	102
PID 1912 wrote to memory of 3624	1912	{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe	103
PID 1912 wrote to memory of 3624	1912	{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe	103
PID 1912 wrote to memory of 3624	1912	{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe	103
PID 1912 wrote to memory of 2932	1912	{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe	104
PID 1912 wrote to memory of 2932	1912	{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe	104
PID 1912 wrote to memory of 2932	1912	{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe	104
PID 3624 wrote to memory of 1264	3624	{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe	105
PID 3624 wrote to memory of 1264	3624	{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe	105
PID 3624 wrote to memory of 1264	3624	{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe	105
PID 3624 wrote to memory of 1276	3624	{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe	106
PID 3624 wrote to memory of 1276	3624	{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe	106
PID 3624 wrote to memory of 1276	3624	{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe	106
PID 1264 wrote to memory of 3232	1264	{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe	107
PID 1264 wrote to memory of 3232	1264	{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe	107
PID 1264 wrote to memory of 3232	1264	{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe	107
PID 1264 wrote to memory of 208	1264	{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe	108
PID 1264 wrote to memory of 208	1264	{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe	108
PID 1264 wrote to memory of 208	1264	{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe	108
PID 3232 wrote to memory of 452	3232	{EF319017-98D5-4b6e-9A85-310AF822D074}.exe	109
PID 3232 wrote to memory of 452	3232	{EF319017-98D5-4b6e-9A85-310AF822D074}.exe	109
PID 3232 wrote to memory of 452	3232	{EF319017-98D5-4b6e-9A85-310AF822D074}.exe	109
PID 3232 wrote to memory of 3664	3232	{EF319017-98D5-4b6e-9A85-310AF822D074}.exe	110
PID 3232 wrote to memory of 3664	3232	{EF319017-98D5-4b6e-9A85-310AF822D074}.exe	110
PID 3232 wrote to memory of 3664	3232	{EF319017-98D5-4b6e-9A85-310AF822D074}.exe	110
PID 452 wrote to memory of 4060	452	{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe	111
PID 452 wrote to memory of 4060	452	{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe	111
PID 452 wrote to memory of 4060	452	{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe	111
PID 452 wrote to memory of 4064	452	{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe	112
PID 452 wrote to memory of 4064	452	{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe	112
PID 452 wrote to memory of 4064	452	{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe	112
PID 4060 wrote to memory of 212	4060	{B20CEFA4-E10D-48bd-9996-289706613799}.exe	113
PID 4060 wrote to memory of 212	4060	{B20CEFA4-E10D-48bd-9996-289706613799}.exe	113
PID 4060 wrote to memory of 212	4060	{B20CEFA4-E10D-48bd-9996-289706613799}.exe	113
PID 4060 wrote to memory of 4652	4060	{B20CEFA4-E10D-48bd-9996-289706613799}.exe	114
PID 4060 wrote to memory of 4652	4060	{B20CEFA4-E10D-48bd-9996-289706613799}.exe	114
PID 4060 wrote to memory of 4652	4060	{B20CEFA4-E10D-48bd-9996-289706613799}.exe	114
PID 212 wrote to memory of 3728	212	{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe	115
PID 212 wrote to memory of 3728	212	{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe	115
PID 212 wrote to memory of 3728	212	{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe	115
PID 212 wrote to memory of 4356	212	{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe	116
PID 212 wrote to memory of 4356	212	{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe	116
PID 212 wrote to memory of 4356	212	{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe	116
PID 3728 wrote to memory of 4316	3728	{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe	117
PID 3728 wrote to memory of 4316	3728	{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe	117
PID 3728 wrote to memory of 4316	3728	{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe	117
PID 3728 wrote to memory of 4488	3728	{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_a4c266cc954c77f25d03766ddc0020d6_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe
  C:\Windows\{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe
    C:\Windows\{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe
      C:\Windows\{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe
        
        C:\Windows\{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3624
      - C:\Windows\{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe
        
        C:\Windows\{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\{EF319017-98D5-4b6e-9A85-310AF822D074}.exe
        
        C:\Windows\{EF319017-98D5-4b6e-9A85-310AF822D074}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe
        
        C:\Windows\{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\{B20CEFA4-E10D-48bd-9996-289706613799}.exe
        
        C:\Windows\{B20CEFA4-E10D-48bd-9996-289706613799}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe
        
        C:\Windows\{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe
        
        C:\Windows\{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\{285F97DE-531B-41e9-9BDE-0C465A762042}.exe
        
        C:\Windows\{285F97DE-531B-41e9-9BDE-0C465A762042}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Windows\{A1838EE5-00FF-4968-9050-EA242D4CFF34}.exe
        
        C:\Windows\{A1838EE5-00FF-4968-9050-EA242D4CFF34}.exe
        13⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{285F9~1.EXE > nul
        13⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6DB9~1.EXE > nul
        12⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD179~1.EXE > nul
        11⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B20CE~1.EXE > nul
        10⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D320~1.EXE > nul
        9⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF319~1.EXE > nul
        8⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3235B~1.EXE > nul
        7⤵
        
        PID:208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63683~1.EXE > nul
        6⤵
        
        PID:1276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23042~1.EXE > nul
        5⤵
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{379CF~1.EXE > nul
      4⤵
      PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6BC10~1.EXE > nul
    3⤵
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23042659-81EF-471e-8EA1-67E0A301BBB2}.exe

Filesize
197KB

MD5
3c2cf350ad535ef007826279d96f0cff

SHA1
8c3817885418e942961ec56d96d1ad6960484399

SHA256
7ffc43b4a4c19a9cd1517817fefe8055cced5f6d4bdc66488bdbde414dfbb389

SHA512
d969045702a12ebf592303c52358c31e779f87e2a6546d0b1dd2fae8f97a64ad9970776104a66ea7a407f38c42376b0d547b07da40f7af235ea1351ba6bb3dfe

Download Submit
C:\Windows\{285F97DE-531B-41e9-9BDE-0C465A762042}.exe

Filesize
197KB

MD5
ae1134489c39485cb28afcc7ea416144

SHA1
1a4fccbcb0e608eec05faa0f4560b1027e6742e8

SHA256
a66d78187d99ee1605f44a31fe4b2cde69474ca82016645f9c7277cde6d8f373

SHA512
6290f3475a5c3fef05fbddbaa6d411f56d2f4ce76b48915eaf75c5ce574be89d7d989d576d6a88eb6a258c1d8f1c39440ebdae8defcd2027d3fc85f870c5a725

Download Submit
C:\Windows\{3235B5C2-A461-402b-A07C-B413E240D4A0}.exe

Filesize
197KB

MD5
864ff89001597f1171cef19d218cf541

SHA1
51a990c4122dcba79df1bd8a305756c4fcc28d1c

SHA256
be65563db2deadc3efe439e1499220c360e6f18e5b11fdec5a927fd3a7718ade

SHA512
b4f0fe9fdd7c3a2d1bd8852e0ea8bfdf5adaafad62a8af416c7dbf174cef5b24816180c34504ffc7e6a421735bcf2204f6cacbaf19ee1f1bbaf8239634cf438f

Download Submit
C:\Windows\{379CF499-F8AA-4868-96FB-3EDAECEC4CE7}.exe

Filesize
197KB

MD5
56ed4529187be8d54279e1db51c75239

SHA1
82af034af9ab0ae54f32cbbb3f996de952b1fa13

SHA256
09b6d97c6e6177e098b3b234654e96ecf70a560f6b9db7e036edc6527e48b3c8

SHA512
bbdb97e3389954e214432d4c7204bc41ab53f80dac8390e5416eef20ce3b78cc35718fdc2782284c8df66e4da34722134ca94b08a5610b9d35b2cacfa14f70b1

Download Submit
C:\Windows\{4D32019F-83D0-4d57-B0BA-91C4E60A20D8}.exe

Filesize
197KB

MD5
64a37773f8daccb3ffb53778934d4217

SHA1
e1177881347a8217b4cbc6444602e05526851266

SHA256
759956ccdd5d3958bea1239b70d605b3a8b60b6e430c755311c5fbf8a4e55272

SHA512
1ea972075b450ce08090025ba243d91df68858b79860e33481a3076d1f831d6093792c164c4fb2205e470e01aabc2d6d2a40469fb379b2962b375cc929d43316

Download Submit
C:\Windows\{636836EC-FA97-4b2b-9EB1-CF444F3DA5DB}.exe

Filesize
197KB

MD5
77a8d2e6ffc6938015c341aff056a11d

SHA1
124d0c3c06a2d2a6ba13c1c8761fe739075908d8

SHA256
4bb00b6db2f3cafd49f4e6724a57beb297c90a3458611cb818602644a890cdfc

SHA512
2c1420a8924644b29ff117a19f020135d9ec8dc58c751e6ceedeb28f04e90ea32a34573e2ebbdcde06f6b2110bd15f9a05dc9a3c3ad77b80a161e7508c690aaa

Download Submit
C:\Windows\{6BC10304-49E5-4b73-A72F-6FD24ED54C7B}.exe

Filesize
197KB

MD5
52554f44537081b6f42c655df2527e8d

SHA1
866f55afdfa39d7a50b5f0d64bf67f790f72495e

SHA256
4d0bb8b275536f3eddee6e2e33a006ce03a5d15bccf0ccf29c7ee1fafeade9aa

SHA512
e6f0d6095b0bceddbbfc16c00ada4ff168444b11e09bba14b9ed594e3b4165bb969f23870085e5454ccd6ae4b3fa74a5b87d59260464619fdd1ad17d053f0cc2

Download Submit
C:\Windows\{A1838EE5-00FF-4968-9050-EA242D4CFF34}.exe

Filesize
197KB

MD5
de1c2556c192bfec2eccbbecd6f5c253

SHA1
439f9fe402d0ec07bf50d0d678618afd71ac81f0

SHA256
39c7786df735eed3657a521ba245ea7c4d76a7418d7e0c9c12ec2757a059319c

SHA512
56826d62270d8d5eb6e44322de1138a885aa2580cb43e7c29e5b71e963c72270c263175255526494ee46b530a81b4991c288dbd241c35ea6fa324ec170ff8a2d

Download Submit
C:\Windows\{B20CEFA4-E10D-48bd-9996-289706613799}.exe

Filesize
197KB

MD5
d3f26ae8906eca2a39f1ccbcea066681

SHA1
5c04300388c6e459b15c128c63f9f89857070640

SHA256
2614eb1414a0121b10044bc719818a94bdfe4fa1b46862060a108dc77d540630

SHA512
694c8d0385cca60ae0d4fed1cc2301de502fb44407424c8b3159f0090810b7c9659d4042e075ab9f14d5aa5398fb9a2feed57c64fd2951ad4afd3b9316b0aa8d

Download Submit
C:\Windows\{B6DB9591-873F-4a6b-9111-DD4AA48325D1}.exe

Filesize
197KB

MD5
de140db460b40db8ab741a27aaf8fccb

SHA1
bb884c4424326caa52d90e89f16bf9088f404b5b

SHA256
402a77e1909cd08bd147702a0bf5e360e0309f7663ee319cb2b730a12b3e115a

SHA512
285e84b89dacbc288c7d0f987646a6012c7849aedfeb79d62df844063bd15e3492001c6421ab3d1b6ebe46c8124f656c9b4d87d4d7765d8d6b39617bb52667e0

Download Submit
C:\Windows\{BD179887-D542-4fe1-9B43-8DB9FC566A6B}.exe

Filesize
197KB

MD5
101517b1ad142735f09738311d6d1584

SHA1
498ce3122f7a09d6c3c852dd6ad19d0c14891084

SHA256
e40dca20367e80fc4fdd85cbeb9a27d3012f190160d4ace94060e5701ba33d11

SHA512
322cd4f4307e6bdc997571dad0aa5f69ca0f1cc12b823bd9cae1e12098634302d3e142f343e755e26b7abede037d0ba391a98f4bca0b26ac562f621828a39b5d

Download Submit
C:\Windows\{EF319017-98D5-4b6e-9A85-310AF822D074}.exe

Filesize
197KB

MD5
abdfae49d3695b4ab04c234e33342a0d

SHA1
d6c6d8e0fa4d65e96097eefc7c8bbce7bba37aa4

SHA256
51ea6a8cdfd23aa0367c366470c348cd4d492d0b65d64153082027b3c1f2064a

SHA512
9c605a8dc9a3c11ebd69311872cc68d6be777e2e1d71ccb71e3ae6e79ec116e9fc1bf4c9ed6363874b665d2e5884c83383620de4c8561962696e3d173398901b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads