bf7a5cb09a3e376a84a80ae224df66372aa1687cd5db23b7c7088972d439bf68

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe
Size

168KB
MD5

17afb6d7a9328490f1748c060baa1c10
SHA1

1837cd71a415e90c3e879da73306ff5d3aef8754
SHA256

bf7a5cb09a3e376a84a80ae224df66372aa1687cd5db23b7c7088972d439bf68
SHA512

9285a38dc947f68224be2c47c6a965c5179bd44bffda83b780ec4607206d2f3aad0d3b38211eca60654ee0f989364f84a799bca7ef444b2bc362c4aaf9620e35
SSDEEP

1536:1EGh0o3lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o3lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023214-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002320f-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002321b-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002320f-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa2-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021fa3-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021fa2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000705-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000703-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000705-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072b-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC104DD-5DDA-4242-B280-80E1D51BC242}\stubpath = "C:\\Windows\\{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe"	{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4649F27-1685-41aa-BEAC-1A46698AF66A}\stubpath = "C:\\Windows\\{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe"	{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC3BD5CD-FA56-4967-971A-EC83962A5D60}\stubpath = "C:\\Windows\\{AC3BD5CD-FA56-4967-971A-EC83962A5D60}.exe"	{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2687D012-3773-421b-AC9F-348E6D6E2BDA}	{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86F7399B-36A7-405f-8721-0C8C49F97E13}	{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3C171F5-D53A-4ea4-A3C8-4DA14E79DAA2}\stubpath = "C:\\Windows\\{E3C171F5-D53A-4ea4-A3C8-4DA14E79DAA2}.exe"	{70E940F5-5BFB-41c0-A285-867C87588668}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5B74E19-5467-4c88-B7C7-795FE3506292}	{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABC104DD-5DDA-4242-B280-80E1D51BC242}	{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44D16EC3-3156-48a3-839B-6A5AE9E9919F}	2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2687D012-3773-421b-AC9F-348E6D6E2BDA}\stubpath = "C:\\Windows\\{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe"	{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9772BA69-1682-454b-A75D-F79DCEFF725C}	{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70E940F5-5BFB-41c0-A285-867C87588668}	{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CA871BE-3C20-4148-99E9-FA447B71A4C2}\stubpath = "C:\\Windows\\{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe"	{E3C171F5-D53A-4ea4-A3C8-4DA14E79DAA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5B74E19-5467-4c88-B7C7-795FE3506292}\stubpath = "C:\\Windows\\{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe"	{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4649F27-1685-41aa-BEAC-1A46698AF66A}	{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC3BD5CD-FA56-4967-971A-EC83962A5D60}	{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}\stubpath = "C:\\Windows\\{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe"	{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86F7399B-36A7-405f-8721-0C8C49F97E13}\stubpath = "C:\\Windows\\{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe"	{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70E940F5-5BFB-41c0-A285-867C87588668}\stubpath = "C:\\Windows\\{70E940F5-5BFB-41c0-A285-867C87588668}.exe"	{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4CA871BE-3C20-4148-99E9-FA447B71A4C2}	{E3C171F5-D53A-4ea4-A3C8-4DA14E79DAA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44D16EC3-3156-48a3-839B-6A5AE9E9919F}\stubpath = "C:\\Windows\\{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe"	2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}	{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9772BA69-1682-454b-A75D-F79DCEFF725C}\stubpath = "C:\\Windows\\{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe"	{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3C171F5-D53A-4ea4-A3C8-4DA14E79DAA2}	{70E940F5-5BFB-41c0-A285-867C87588668}.exe

Executes dropped EXE 11 IoCs

pid	Process
3672	{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe
1312	{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe
1908	{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe
3468	{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe
1928	{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe
3552	{70E940F5-5BFB-41c0-A285-867C87588668}.exe
2240	{E3C171F5-D53A-4ea4-A3C8-4DA14E79DAA2}.exe
1272	{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe
4164	{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe
3924	{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe
3512	{AC3BD5CD-FA56-4967-971A-EC83962A5D60}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe	{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe
File created	C:\Windows\{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe	{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe
File created	C:\Windows\{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe	{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe
File created	C:\Windows\{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe	{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe
File created	C:\Windows\{70E940F5-5BFB-41c0-A285-867C87588668}.exe	{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe
File created	C:\Windows\{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe	{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe
File created	C:\Windows\{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe	{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe
File created	C:\Windows\{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe	2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe
File created	C:\Windows\{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe	{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe
File created	C:\Windows\{AC3BD5CD-FA56-4967-971A-EC83962A5D60}.exe	{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe
File created	C:\Windows\{E3C171F5-D53A-4ea4-A3C8-4DA14E79DAA2}.exe	{70E940F5-5BFB-41c0-A285-867C87588668}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1780	2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3672	{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe
Token: SeIncBasePriorityPrivilege	1312	{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe
Token: SeIncBasePriorityPrivilege	1908	{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe
Token: SeIncBasePriorityPrivilege	3468	{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe
Token: SeIncBasePriorityPrivilege	1928	{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe
Token: SeIncBasePriorityPrivilege	3552	{70E940F5-5BFB-41c0-A285-867C87588668}.exe
Token: SeIncBasePriorityPrivilege	1796	{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe
Token: SeIncBasePriorityPrivilege	1272	{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe
Token: SeIncBasePriorityPrivilege	4164	{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe
Token: SeIncBasePriorityPrivilege	3924	{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 3672	1780	2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe	96
PID 1780 wrote to memory of 3672	1780	2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe	96
PID 1780 wrote to memory of 3672	1780	2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe	96
PID 1780 wrote to memory of 4572	1780	2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe	97
PID 1780 wrote to memory of 4572	1780	2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe	97
PID 1780 wrote to memory of 4572	1780	2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe	97
PID 3672 wrote to memory of 1312	3672	{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe	98
PID 3672 wrote to memory of 1312	3672	{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe	98
PID 3672 wrote to memory of 1312	3672	{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe	98
PID 3672 wrote to memory of 2852	3672	{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe	99
PID 3672 wrote to memory of 2852	3672	{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe	99
PID 3672 wrote to memory of 2852	3672	{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe	99
PID 1312 wrote to memory of 1908	1312	{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe	101
PID 1312 wrote to memory of 1908	1312	{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe	101
PID 1312 wrote to memory of 1908	1312	{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe	101
PID 1312 wrote to memory of 4176	1312	{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe	102
PID 1312 wrote to memory of 4176	1312	{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe	102
PID 1312 wrote to memory of 4176	1312	{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe	102
PID 1908 wrote to memory of 3468	1908	{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe	103
PID 1908 wrote to memory of 3468	1908	{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe	103
PID 1908 wrote to memory of 3468	1908	{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe	103
PID 1908 wrote to memory of 4152	1908	{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe	104
PID 1908 wrote to memory of 4152	1908	{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe	104
PID 1908 wrote to memory of 4152	1908	{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe	104
PID 3468 wrote to memory of 1928	3468	{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe	105
PID 3468 wrote to memory of 1928	3468	{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe	105
PID 3468 wrote to memory of 1928	3468	{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe	105
PID 3468 wrote to memory of 4360	3468	{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe	106
PID 3468 wrote to memory of 4360	3468	{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe	106
PID 3468 wrote to memory of 4360	3468	{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe	106
PID 1928 wrote to memory of 3552	1928	{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe	107
PID 1928 wrote to memory of 3552	1928	{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe	107
PID 1928 wrote to memory of 3552	1928	{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe	107
PID 1928 wrote to memory of 1816	1928	{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe	108
PID 1928 wrote to memory of 1816	1928	{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe	108
PID 1928 wrote to memory of 1816	1928	{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe	108
PID 3552 wrote to memory of 2240	3552	{70E940F5-5BFB-41c0-A285-867C87588668}.exe	109
PID 3552 wrote to memory of 2240	3552	{70E940F5-5BFB-41c0-A285-867C87588668}.exe	109
PID 3552 wrote to memory of 2240	3552	{70E940F5-5BFB-41c0-A285-867C87588668}.exe	109
PID 3552 wrote to memory of 4308	3552	{70E940F5-5BFB-41c0-A285-867C87588668}.exe	110
PID 3552 wrote to memory of 4308	3552	{70E940F5-5BFB-41c0-A285-867C87588668}.exe	110
PID 3552 wrote to memory of 4308	3552	{70E940F5-5BFB-41c0-A285-867C87588668}.exe	110
PID 1796 wrote to memory of 1272	1796	{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe	113
PID 1796 wrote to memory of 1272	1796	{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe	113
PID 1796 wrote to memory of 1272	1796	{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe	113
PID 1796 wrote to memory of 704	1796	{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe	114
PID 1796 wrote to memory of 704	1796	{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe	114
PID 1796 wrote to memory of 704	1796	{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe	114
PID 1272 wrote to memory of 4164	1272	{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe	115
PID 1272 wrote to memory of 4164	1272	{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe	115
PID 1272 wrote to memory of 4164	1272	{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe	115
PID 1272 wrote to memory of 1676	1272	{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe	116
PID 1272 wrote to memory of 1676	1272	{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe	116
PID 1272 wrote to memory of 1676	1272	{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe	116
PID 4164 wrote to memory of 3924	4164	{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe	117
PID 4164 wrote to memory of 3924	4164	{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe	117
PID 4164 wrote to memory of 3924	4164	{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe	117
PID 4164 wrote to memory of 4608	4164	{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe	118
PID 4164 wrote to memory of 4608	4164	{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe	118
PID 4164 wrote to memory of 4608	4164	{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe	118
PID 3924 wrote to memory of 3512	3924	{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe	119
PID 3924 wrote to memory of 3512	3924	{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe	119
PID 3924 wrote to memory of 3512	3924	{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe	119
PID 3924 wrote to memory of 2028	3924	{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe	120

C:\Users\Admin\AppData\Local\Temp\2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_17afb6d7a9328490f1748c060baa1c10_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe
  C:\Windows\{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe
    C:\Windows\{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe
      C:\Windows\{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe
        
        C:\Windows\{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3468
      - C:\Windows\{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe
        
        C:\Windows\{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{70E940F5-5BFB-41c0-A285-867C87588668}.exe
        
        C:\Windows\{70E940F5-5BFB-41c0-A285-867C87588668}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\{E3C171F5-D53A-4ea4-A3C8-4DA14E79DAA2}.exe
        
        C:\Windows\{E3C171F5-D53A-4ea4-A3C8-4DA14E79DAA2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe
        
        C:\Windows\{4CA871BE-3C20-4148-99E9-FA447B71A4C2}.exe
        9⤵
        Modifies Installed Components in the registry
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe
        
        C:\Windows\{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe
        
        C:\Windows\{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe
        
        C:\Windows\{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\{AC3BD5CD-FA56-4967-971A-EC83962A5D60}.exe
        
        C:\Windows\{AC3BD5CD-FA56-4967-971A-EC83962A5D60}.exe
        13⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4649~1.EXE > nul
        13⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABC10~1.EXE > nul
        12⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5B74~1.EXE > nul
        11⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CA87~1.EXE > nul
        10⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3C17~1.EXE > nul
        9⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70E94~1.EXE > nul
        8⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86F73~1.EXE > nul
        7⤵
        
        PID:1816
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9772B~1.EXE > nul
        6⤵
        
        PID:4360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFBBD~1.EXE > nul
        5⤵
        
        PID:4152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2687D~1.EXE > nul
      4⤵
      PID:4176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{44D16~1.EXE > nul
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2687D012-3773-421b-AC9F-348E6D6E2BDA}.exe

Filesize
168KB

MD5
dd92910a5bf9a35928992e88d064cc9b

SHA1
126ba1b7ec14a71ad2c99b58786c6d1385ba6459

SHA256
9ba08cc58946636a392b4a3f8accc90d2791613302eef8cd4e0c5c3dfce69ad4

SHA512
ab69478b5f0db6cae2f7e50b2297b2ec301afb26499319718eec1732e3ac713a39130eab22b7e69c81c91d55771644fd726790b3d130ba87dd7239535530fbcc

Download Submit
C:\Windows\{44D16EC3-3156-48a3-839B-6A5AE9E9919F}.exe

Filesize
168KB

MD5
9848f6252907a3ca7ba34de9f3d1085c

SHA1
679399b301f4dd75efe1228250a648e80e6c004f

SHA256
0b59faa8e5c8e08579165ab3889ec33750332088bb376f89814d175fc36acfa0

SHA512
547ffb8a078e513b5231969d2bf0ac4aecebd455307a74e85420da7e246208570333527d66c9cc06fb3185d729d955aa363767451df700f00ae2ec9963ff9c0c

Download Submit
C:\Windows\{70E940F5-5BFB-41c0-A285-867C87588668}.exe

Filesize
168KB

MD5
bf222b2325315fcbe205f736c07dd347

SHA1
58cccbd1ad843954599cec5f9b2ab3f8b762b729

SHA256
4f9e43ff030a0c7a566c1f7a02b0368f2902b9ec6c3596f1d84ee584acc6db7d

SHA512
4c3ace2eaa7d9360807b23358f3a4c83168bba52b04f5a13193091525229a9a4f461f12d3c4a95dff05c96f305ba68225bdca38a628e6e9aad8ba8bc337b06c9

Download Submit
C:\Windows\{86F7399B-36A7-405f-8721-0C8C49F97E13}.exe

Filesize
168KB

MD5
ce29821d88ff8e255a5161a4a19cff24

SHA1
824da81ff3c87f5626f240e9b70d296e913036b6

SHA256
89f406d1ed90050d32ac25577f08345fa9fa0ee5704d7b8b7447253693e8a7ee

SHA512
15859766a15a84cd6e4a12481ddf859d0c024fd43e7bfa932715e1797854d3ac526bfbeb14aa6d7fffa56a0486fd26d40103cda0b0d66323eead5319a2fe2c55

Download Submit
C:\Windows\{9772BA69-1682-454b-A75D-F79DCEFF725C}.exe

Filesize
168KB

MD5
5411cfb3546cdb23f402c5616432c4c3

SHA1
049aa6f869b53a7ed717e2709913c0a3b3dc0639

SHA256
22e09c880d267308ee60196015e4f9fc4f841cb1e1abe82ed04c0b15ee1b56a7

SHA512
574c8ae52e9291659168d6e455db7b00e245f6bdf9428afcfd45650bf820e92a5212c8bf6dd3c198edbd62fcfe59319be465edf4ed6d098b260b499463a4a0ab

Download Submit
C:\Windows\{ABC104DD-5DDA-4242-B280-80E1D51BC242}.exe

Filesize
168KB

MD5
894f1deaea4eb43495d4377348c0b06d

SHA1
9a12ac9e8d967528b51b9d42b3e9cfd7f9387974

SHA256
9d98eb6e155f28272d28c35b833a4dc6196ea551d296629b8f37dfc511611603

SHA512
b0c57b4d1e0d8faf8b93c08a57bfe3da2d5f5ed77debeeb94deb65ab531b68c4a269112372a05729a041e0d18830f3638810fe67320de4dc7a4fb37999495fa2

Download Submit
C:\Windows\{AC3BD5CD-FA56-4967-971A-EC83962A5D60}.exe

Filesize
168KB

MD5
feb9e07bb52885787c476de5a12c9f86

SHA1
3698fa326d833cbc21729003559a546bfd1b5b14

SHA256
a85239219d0146ba21bb76b559fa49390be0b553ea93a87cba8e3aa0cf57194c

SHA512
1725cf8dd01e433569e843519d3d0dd854fce722ba5c9f5584e3307ebbc6f7f4686ab3ab71767a799b9b651ae54eb2b70370351013c0b69ffd64cbe3ed579fff

Download Submit
C:\Windows\{D4649F27-1685-41aa-BEAC-1A46698AF66A}.exe

Filesize
168KB

MD5
7837ddca7935bb54f60a538c9caa67ec

SHA1
c0d9b97398d6df5a74792019707ae37e7745c75f

SHA256
82e4bb11c67d94fd144809002a318ce7cfdcbebaf0c68c459f0453866a6bc1db

SHA512
0ddb118b38b6db74fbac7c3e7c444c6f3561c0bad86a4840675582f4430ca1a7406d5ae4f7a773422595eca4b4a666884f8ed3ad839f4f4c7109bb4b90a8c144

Download Submit
C:\Windows\{E3C171F5-D53A-4ea4-A3C8-4DA14E79DAA2}.exe

Filesize
168KB

MD5
4f870b4ed94e317091c170dbba29e8a8

SHA1
8eee3d2a8beb2d512306bc0664871d0918b64eff

SHA256
c3bd83888d0306f8da189219530f9dc4fd6aa2fca4075ecf7925b7abd52ecae9

SHA512
72402e099ff883b2dfe408d8632220e37b38dd5b88a6aff55a29936e6378201ee3402d354f53ddd688aca0ae74ff65daa34c83478139e624a8dc5eb1c15ab4f6

Download Submit
C:\Windows\{E5B74E19-5467-4c88-B7C7-795FE3506292}.exe

Filesize
168KB

MD5
07f21a28a9815d24599f400fde6a7e99

SHA1
4c1641ae352c6f9680f53e82deabd21adf27d730

SHA256
6831cf749719c4148252ad99d7f14d66701e7cab480393b620a725712ad5256b

SHA512
e604cfa9de9945bc4db2ee9d846355feb973e638a4cc6c232ec1ab1352e2985224cf162bb1349a6065117af215d40a50ae6187fc63a7e9227b5919eb2d00b04c

Download Submit
C:\Windows\{EFBBDE0B-3D82-4497-9899-1EF08EF58F5F}.exe

Filesize
168KB

MD5
696de6b3cbaee21df0d81fa24e0a33f6

SHA1
04016afdf58ff69e647f0eb06260d75ec7fef98e

SHA256
c33401fc3b9a1e48c25b36446dc1adee09bd085824aefd15e802a8064c64cc5b

SHA512
dfe77c449c974dbf317dbc69e8531d56a3520a8e32bf4dbcbd4c50e805e058c18f4927a5dc2060470db8532f4028ca9952257dcb8b8feaf3eb0441e1252b006a

Download Submit
memory/2240-28-0x00000000039B0000-0x0000000003A8B000-memory.dmp

Filesize
876KB

Download
memory/2240-27-0x00000000038D0000-0x00000000039AB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads