b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 00:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe
Size

168KB
MD5

0b202b461c8f84b2286ad3d1ef892bc7
SHA1

4dfe25a1cb3497d46ae64a266b3e2d98572f190d
SHA256

b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d
SHA512

c022c671471bbbbf710c8e07985dbfa8690f86aae58f925ba44f6278dee668f3bf2d97520c1b92e87a33d12b83d8ef5aa7b585d5a909b0f9889ced1b9ae677f1
SSDEEP

1536:1EGh0o0li5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o0liOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00020000000228bc-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00020000000228bf-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023227-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023228-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002322f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023228-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002322f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023228-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002322f-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023228-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002322f-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023228-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA9D095B-1386-4b38-94BA-F1BECD8364FD}	{432D0CF0-EFC8-4b7c-AE2A-4806DF1870FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C7E776A-D14A-4e58-BF32-29A5714838DB}	{95561774-2484-4d0b-A94D-C3420423717F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{272D7494-FC77-4021-B351-0C2F84CDEA4B}\stubpath = "C:\\Windows\\{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe"	{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}\stubpath = "C:\\Windows\\{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe"	{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB272200-B25A-46cd-988A-C5B93485CFAE}	{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{432D0CF0-EFC8-4b7c-AE2A-4806DF1870FA}	{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC106E90-FA7B-4632-9E3B-E98762737E78}\stubpath = "C:\\Windows\\{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe"	b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95561774-2484-4d0b-A94D-C3420423717F}\stubpath = "C:\\Windows\\{95561774-2484-4d0b-A94D-C3420423717F}.exe"	{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79DBB20B-D152-466a-B5E6-22E74A110F41}\stubpath = "C:\\Windows\\{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe"	{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B60D9037-EF06-456c-ADD2-87F3301BF68B}\stubpath = "C:\\Windows\\{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe"	{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{636F2234-8410-418e-A954-1D98AD045D1B}\stubpath = "C:\\Windows\\{636F2234-8410-418e-A954-1D98AD045D1B}.exe"	{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{272D7494-FC77-4021-B351-0C2F84CDEA4B}	{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B60D9037-EF06-456c-ADD2-87F3301BF68B}	{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E96ECCA-F366-4557-A56E-8EE01785FE8A}	{636F2234-8410-418e-A954-1D98AD045D1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9E96ECCA-F366-4557-A56E-8EE01785FE8A}\stubpath = "C:\\Windows\\{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe"	{636F2234-8410-418e-A954-1D98AD045D1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{432D0CF0-EFC8-4b7c-AE2A-4806DF1870FA}\stubpath = "C:\\Windows\\{432D0CF0-EFC8-4b7c-AE2A-4806DF1870FA}.exe"	{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB272200-B25A-46cd-988A-C5B93485CFAE}\stubpath = "C:\\Windows\\{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe"	{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{636F2234-8410-418e-A954-1D98AD045D1B}	{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA9D095B-1386-4b38-94BA-F1BECD8364FD}\stubpath = "C:\\Windows\\{FA9D095B-1386-4b38-94BA-F1BECD8364FD}.exe"	{432D0CF0-EFC8-4b7c-AE2A-4806DF1870FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC106E90-FA7B-4632-9E3B-E98762737E78}	b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95561774-2484-4d0b-A94D-C3420423717F}	{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C7E776A-D14A-4e58-BF32-29A5714838DB}\stubpath = "C:\\Windows\\{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe"	{95561774-2484-4d0b-A94D-C3420423717F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}	{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{79DBB20B-D152-466a-B5E6-22E74A110F41}	{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe

Executes dropped EXE 12 IoCs

pid	Process
2520	{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe
2004	{95561774-2484-4d0b-A94D-C3420423717F}.exe
1512	{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe
4400	{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe
3908	{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe
844	{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe
4572	{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe
2852	{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe
4204	{636F2234-8410-418e-A954-1D98AD045D1B}.exe
216	{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe
3780	{432D0CF0-EFC8-4b7c-AE2A-4806DF1870FA}.exe
4456	{FA9D095B-1386-4b38-94BA-F1BECD8364FD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe	{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe
File created	C:\Windows\{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe	{636F2234-8410-418e-A954-1D98AD045D1B}.exe
File created	C:\Windows\{FA9D095B-1386-4b38-94BA-F1BECD8364FD}.exe	{432D0CF0-EFC8-4b7c-AE2A-4806DF1870FA}.exe
File created	C:\Windows\{95561774-2484-4d0b-A94D-C3420423717F}.exe	{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe
File created	C:\Windows\{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe	{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe
File created	C:\Windows\{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe	{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe
File created	C:\Windows\{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe	{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe
File created	C:\Windows\{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe	{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe
File created	C:\Windows\{636F2234-8410-418e-A954-1D98AD045D1B}.exe	{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe
File created	C:\Windows\{432D0CF0-EFC8-4b7c-AE2A-4806DF1870FA}.exe	{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe
File created	C:\Windows\{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe	b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe
File created	C:\Windows\{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe	{95561774-2484-4d0b-A94D-C3420423717F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1332	b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe
Token: SeIncBasePriorityPrivilege	2520	{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe
Token: SeIncBasePriorityPrivilege	2004	{95561774-2484-4d0b-A94D-C3420423717F}.exe
Token: SeIncBasePriorityPrivilege	1512	{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe
Token: SeIncBasePriorityPrivilege	4400	{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe
Token: SeIncBasePriorityPrivilege	3908	{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe
Token: SeIncBasePriorityPrivilege	844	{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe
Token: SeIncBasePriorityPrivilege	4572	{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe
Token: SeIncBasePriorityPrivilege	2852	{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe
Token: SeIncBasePriorityPrivilege	4204	{636F2234-8410-418e-A954-1D98AD045D1B}.exe
Token: SeIncBasePriorityPrivilege	216	{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe
Token: SeIncBasePriorityPrivilege	3780	{432D0CF0-EFC8-4b7c-AE2A-4806DF1870FA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2520	1332	b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe	89
PID 1332 wrote to memory of 2520	1332	b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe	89
PID 1332 wrote to memory of 2520	1332	b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe	89
PID 1332 wrote to memory of 4472	1332	b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe	90
PID 1332 wrote to memory of 4472	1332	b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe	90
PID 1332 wrote to memory of 4472	1332	b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe	90
PID 2520 wrote to memory of 2004	2520	{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe	91
PID 2520 wrote to memory of 2004	2520	{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe	91
PID 2520 wrote to memory of 2004	2520	{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe	91
PID 2520 wrote to memory of 4368	2520	{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe	92
PID 2520 wrote to memory of 4368	2520	{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe	92
PID 2520 wrote to memory of 4368	2520	{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe	92
PID 2004 wrote to memory of 1512	2004	{95561774-2484-4d0b-A94D-C3420423717F}.exe	95
PID 2004 wrote to memory of 1512	2004	{95561774-2484-4d0b-A94D-C3420423717F}.exe	95
PID 2004 wrote to memory of 1512	2004	{95561774-2484-4d0b-A94D-C3420423717F}.exe	95
PID 2004 wrote to memory of 2636	2004	{95561774-2484-4d0b-A94D-C3420423717F}.exe	96
PID 2004 wrote to memory of 2636	2004	{95561774-2484-4d0b-A94D-C3420423717F}.exe	96
PID 2004 wrote to memory of 2636	2004	{95561774-2484-4d0b-A94D-C3420423717F}.exe	96
PID 1512 wrote to memory of 4400	1512	{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe	100
PID 1512 wrote to memory of 4400	1512	{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe	100
PID 1512 wrote to memory of 4400	1512	{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe	100
PID 1512 wrote to memory of 3572	1512	{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe	101
PID 1512 wrote to memory of 3572	1512	{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe	101
PID 1512 wrote to memory of 3572	1512	{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe	101
PID 4400 wrote to memory of 3908	4400	{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe	104
PID 4400 wrote to memory of 3908	4400	{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe	104
PID 4400 wrote to memory of 3908	4400	{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe	104
PID 4400 wrote to memory of 1232	4400	{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe	105
PID 4400 wrote to memory of 1232	4400	{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe	105
PID 4400 wrote to memory of 1232	4400	{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe	105
PID 3908 wrote to memory of 844	3908	{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe	106
PID 3908 wrote to memory of 844	3908	{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe	106
PID 3908 wrote to memory of 844	3908	{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe	106
PID 3908 wrote to memory of 4960	3908	{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe	107
PID 3908 wrote to memory of 4960	3908	{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe	107
PID 3908 wrote to memory of 4960	3908	{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe	107
PID 844 wrote to memory of 4572	844	{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe	108
PID 844 wrote to memory of 4572	844	{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe	108
PID 844 wrote to memory of 4572	844	{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe	108
PID 844 wrote to memory of 4504	844	{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe	109
PID 844 wrote to memory of 4504	844	{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe	109
PID 844 wrote to memory of 4504	844	{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe	109
PID 4572 wrote to memory of 2852	4572	{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe	110
PID 4572 wrote to memory of 2852	4572	{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe	110
PID 4572 wrote to memory of 2852	4572	{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe	110
PID 4572 wrote to memory of 2028	4572	{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe	111
PID 4572 wrote to memory of 2028	4572	{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe	111
PID 4572 wrote to memory of 2028	4572	{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe	111
PID 2852 wrote to memory of 4204	2852	{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe	112
PID 2852 wrote to memory of 4204	2852	{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe	112
PID 2852 wrote to memory of 4204	2852	{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe	112
PID 2852 wrote to memory of 4840	2852	{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe	113
PID 2852 wrote to memory of 4840	2852	{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe	113
PID 2852 wrote to memory of 4840	2852	{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe	113
PID 4204 wrote to memory of 216	4204	{636F2234-8410-418e-A954-1D98AD045D1B}.exe	114
PID 4204 wrote to memory of 216	4204	{636F2234-8410-418e-A954-1D98AD045D1B}.exe	114
PID 4204 wrote to memory of 216	4204	{636F2234-8410-418e-A954-1D98AD045D1B}.exe	114
PID 4204 wrote to memory of 1588	4204	{636F2234-8410-418e-A954-1D98AD045D1B}.exe	115
PID 4204 wrote to memory of 1588	4204	{636F2234-8410-418e-A954-1D98AD045D1B}.exe	115
PID 4204 wrote to memory of 1588	4204	{636F2234-8410-418e-A954-1D98AD045D1B}.exe	115
PID 216 wrote to memory of 3780	216	{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe	116
PID 216 wrote to memory of 3780	216	{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe	116
PID 216 wrote to memory of 3780	216	{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe	116
PID 216 wrote to memory of 3084	216	{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe	117

C:\Users\Admin\AppData\Local\Temp\b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe
"C:\Users\Admin\AppData\Local\Temp\b181a530096c98c8933c97b7b427f908254415eaf1b09736e8fd25eb35c65d1d.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe
  C:\Windows\{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\{95561774-2484-4d0b-A94D-C3420423717F}.exe
    C:\Windows\{95561774-2484-4d0b-A94D-C3420423717F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe
      C:\Windows\{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe
        
        C:\Windows\{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe
        
        C:\Windows\{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe
        
        C:\Windows\{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe
        
        C:\Windows\{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe
        
        C:\Windows\{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{636F2234-8410-418e-A954-1D98AD045D1B}.exe
        
        C:\Windows\{636F2234-8410-418e-A954-1D98AD045D1B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe
        
        C:\Windows\{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\{432D0CF0-EFC8-4b7c-AE2A-4806DF1870FA}.exe
        
        C:\Windows\{432D0CF0-EFC8-4b7c-AE2A-4806DF1870FA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\Windows\{FA9D095B-1386-4b38-94BA-F1BECD8364FD}.exe
        
        C:\Windows\{FA9D095B-1386-4b38-94BA-F1BECD8364FD}.exe
        13⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{432D0~1.EXE > nul
        13⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E96E~1.EXE > nul
        12⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{636F2~1.EXE > nul
        11⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B60D9~1.EXE > nul
        10⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB272~1.EXE > nul
        9⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79DBB~1.EXE > nul
        8⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC2D~1.EXE > nul
        7⤵
        
        PID:4960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{272D7~1.EXE > nul
        6⤵
        
        PID:1232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C7E7~1.EXE > nul
        5⤵
        
        PID:3572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{95561~1.EXE > nul
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AC106~1.EXE > nul
    3⤵
    PID:4368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B181A5~1.EXE > nul
  2⤵
  PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{272D7494-FC77-4021-B351-0C2F84CDEA4B}.exe

Filesize
168KB

MD5
2fa58df53c6a6e8c3aec5d77f5524e1e

SHA1
03aed9f918cc219fa3d252c7e56448c148deec43

SHA256
ee7fdb313b40f717c8a8527b6ed920d6b04c7d4258adeb2f581763b9d832550f

SHA512
551a0eaeaa3dc108faeb03ec4b5989c3a355c5f514398be4b9b7c3d91617d1632e8f3933a572c705b36e6f6979fb234b39a65f735ae22985d96273c7ae901ae0

Download Submit
C:\Windows\{2C7E776A-D14A-4e58-BF32-29A5714838DB}.exe

Filesize
168KB

MD5
e6b35e09e1e26bbe0010fbb817ad537b

SHA1
56f34f356e538bbfd9da390bc0fc0e0dfdc6d71e

SHA256
aca6bd7d8186f9f4319687aa19a3f58727b7e377561cceb946a902ca8db6fe1a

SHA512
0fb9e025639aea248bbd71874eda7a302cb12a6b84e520c083e7961bfd81aa1b267496edda70602fe4e1041e3dea27f066ba1a52a3bab669177dd30ae4d47339

Download Submit
C:\Windows\{432D0CF0-EFC8-4b7c-AE2A-4806DF1870FA}.exe

Filesize
168KB

MD5
afc8e0e77d2bfb49eaa5ba169ca6178f

SHA1
a1ded85940ff3b528ef6d10df4c3833764bebf1f

SHA256
6427bec53c56b35bacfd5e09a9ab1272f8d6aaa8ba5a9d5e31cb938e8643639a

SHA512
74fc2cc2e5c793f5771698be793e3661eefa2bd65bc250edd4ae3fc7b847e8f2d838df18f4e5f71b8368d135c622b1f87da9bb462d8d232f9daa9e6723500771

Download Submit
C:\Windows\{636F2234-8410-418e-A954-1D98AD045D1B}.exe

Filesize
168KB

MD5
88ac53302319a1b4c85903aa7e6104c2

SHA1
4b940a66d984a5c3df8625c4116380d425c6d54a

SHA256
730c7f5a48849606356351a70a65a8d39332159d88714dac887f9b818c2f26d9

SHA512
aa44fe8203755f7a82af90c2def99fd85f64b07a98210132c82c37aecb934a3981abd1c65c6daef44905cd902fe3a2a7575a9abcfc89886912dd3feb493b0cd8

Download Submit
C:\Windows\{79DBB20B-D152-466a-B5E6-22E74A110F41}.exe

Filesize
168KB

MD5
ef8b27f51b296dff4ccdcf739736ebd6

SHA1
d85f31c7b169b0c8711d04620b46082962c02e2d

SHA256
ffeef3b7824ba1f23530f4737ade941cc6bf13f8c0cb603358d929b45404b0bb

SHA512
2499ead6213dddae2b5267ce854e1330f5a82c3ec28bf71942c59212e2db1e4273c43729ba045c6e3cc320fda7cf36083d58e96190b17f91231e00db8bde1be0

Download Submit
C:\Windows\{95561774-2484-4d0b-A94D-C3420423717F}.exe

Filesize
168KB

MD5
fdca91ade0d76bd39eca913cab261b44

SHA1
0de77fa23c4531f5f4b360364a6e2699efe0ef24

SHA256
fe8fab51e3537824e0ac791c3d51d4bd32537303062a34d4ccffa24f47f62505

SHA512
eb87091d94161a69cc53738d8a9bd3289fb90b52db2ab556604316ee239d793f12ce46aaf169775d15d07e2277cf45317b1c04acb94b6dc2b206d321f8cb72eb

Download Submit
C:\Windows\{9E96ECCA-F366-4557-A56E-8EE01785FE8A}.exe

Filesize
168KB

MD5
10bf9eb30b1aed4e04f8d22dc63533a2

SHA1
2a9caa558928641ddc7996c1b21581aace38711a

SHA256
2f8f8b6ac14ebe76b4b652eba2b94e68cbaa4ea4f1660c93d4c9e956910fe6f0

SHA512
91711cf71a90030b926e81e15f968f67ce2fea793f551cd21ad0c4b5db70ebb62195cb31048a28e7601402c01487b788919316c62eb48d47ca52fcb979e3baf7

Download Submit
C:\Windows\{AB272200-B25A-46cd-988A-C5B93485CFAE}.exe

Filesize
168KB

MD5
39b9d8659f7b0b760007950ff52a832a

SHA1
c8c4b209ca262eed97867bc68551367112c4e579

SHA256
20d2b35f6a518a9c9dd6ca6eba0b7f9a95853322a5500800ca45855b5cb00381

SHA512
83e40e971197504bc9655e8d544da7aed19b90d11fe8b1db25d07b1324e9a28d3d44bb2d84ff413da4b1ba687ead6304b45366c1f6e2b1df99cff8e407d5ab42

Download Submit
C:\Windows\{AC106E90-FA7B-4632-9E3B-E98762737E78}.exe

Filesize
168KB

MD5
f929491ee8b7995448f621d569a3d8e5

SHA1
b38688e815a8c70d358c79871cb3c3e8c3d81c9e

SHA256
82c9e31c50eefb015f31a3e7dc5d12c8f443ea1deeb0525005b9dbe9df3e6774

SHA512
55b49621c09f2f438d279b0324e548c511a16922e0fed7918cc7121ef9a098ad444523f3599cd191487f65973e3c5abf2b3a9bb9bb1ba16178d4523ef89dc4a8

Download Submit
C:\Windows\{B60D9037-EF06-456c-ADD2-87F3301BF68B}.exe

Filesize
168KB

MD5
bd1e0db1f2e793ccb2ffeea7b8cc3a90

SHA1
958d6fcb2725aa8ee8ea826c1536b4bab708f203

SHA256
b3fab091f4e32ac5120f8488e19e2c9580fca5fb8948704cccb38aea195bca81

SHA512
136f555224ba6873d09701092479836e9011f6cd8766b8fe2f16cb26ad1affbeee2cb0aff154207bc5ff43a48890fdf95148c7745f79026ae14fbd9a2dd5db06

Download Submit
C:\Windows\{BCC2D614-753E-4ba3-AD5B-B96280DFF2EF}.exe

Filesize
168KB

MD5
9aeb85db0dced80d4f4b529241892858

SHA1
26f416511ad8f8ae3b9a2966692e688c6c3ff5c1

SHA256
3d9a7dce666d43f24339aa93451bf7c805d1f30c246522230d14d06368c7fe71

SHA512
3aea5d0479c20f675c36364793d5d4257930f82531fc72cd93f59a0e2ed14e062a9e6d17e11b2927d12f7bb245df622d73a1587547b76c19e910c52f40e0e236

Download Submit
C:\Windows\{FA9D095B-1386-4b38-94BA-F1BECD8364FD}.exe

Filesize
168KB

MD5
e37f0cd70f2bf37da0fe0222dafd582a

SHA1
9c7a917a3256069f0f2f6f1a66e0bf71585787d5

SHA256
6b599241c733dd23bcd2182913fcc7033acde1fccef4f38792f90372e62e9b8f

SHA512
a5c3a6d050964035ed1d8c3ea32720dae8695747dcedcc6474d668a9c2196d7bf29d9f8d9cec3ef4cbc03523104b178873794e09cedac9a8cec59aba267c1ede

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads