19975872d0267d8105ab52d0d7be888383fdb14bcdc805a68943ff652bce6d1b

Analysis

max time kernel
149s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe
Size

168KB
MD5

b296bd4ce1594bb94c79728ed286031e
SHA1

8718116e6749231e24612ee28b16208760620d03
SHA256

19975872d0267d8105ab52d0d7be888383fdb14bcdc805a68943ff652bce6d1b
SHA512

a14c8c70a11be89da22c3685dd8f13f79b3125d5fe3b296bb6177ebc06164115bc9c83a62a6e38657cd39f71c067c9ec923f60fa72b0281e9aea83f90f75e263
SSDEEP

1536:1EGh0oLli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oLliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023211-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002320b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023218-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002320b-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfa-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021cfb-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021cfa-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D1EC92A-FDE9-4059-AB58-660F6A7C25AB}\stubpath = "C:\\Windows\\{1D1EC92A-FDE9-4059-AB58-660F6A7C25AB}.exe"	{FD82273C-F839-4b65-9995-418A16DA4783}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}\stubpath = "C:\\Windows\\{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe"	{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5648152E-7170-4a95-A701-C6F326892779}	{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5648152E-7170-4a95-A701-C6F326892779}\stubpath = "C:\\Windows\\{5648152E-7170-4a95-A701-C6F326892779}.exe"	{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{555C310B-781A-4cb7-931C-628D9D187EAB}\stubpath = "C:\\Windows\\{555C310B-781A-4cb7-931C-628D9D187EAB}.exe"	{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA1195E-6CCE-4262-BE18-571340D1CF22}	{555C310B-781A-4cb7-931C-628D9D187EAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}	2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD6A6302-8A66-4860-AD13-76347B5D0B62}\stubpath = "C:\\Windows\\{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe"	{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A48B444-3814-4e4a-B4D8-766A26472E69}	{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C99A02F-5D47-451f-A4BF-0AA7A870912B}	{5648152E-7170-4a95-A701-C6F326892779}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}	{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD82273C-F839-4b65-9995-418A16DA4783}\stubpath = "C:\\Windows\\{FD82273C-F839-4b65-9995-418A16DA4783}.exe"	{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D1EC92A-FDE9-4059-AB58-660F6A7C25AB}	{FD82273C-F839-4b65-9995-418A16DA4783}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}\stubpath = "C:\\Windows\\{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe"	2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD6A6302-8A66-4860-AD13-76347B5D0B62}	{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}	{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CE3B277-6CC2-4272-8E94-E9FADB712218}	{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{555C310B-781A-4cb7-931C-628D9D187EAB}	{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD82273C-F839-4b65-9995-418A16DA4783}	{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0CE3B277-6CC2-4272-8E94-E9FADB712218}\stubpath = "C:\\Windows\\{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe"	{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A48B444-3814-4e4a-B4D8-766A26472E69}\stubpath = "C:\\Windows\\{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe"	{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C99A02F-5D47-451f-A4BF-0AA7A870912B}\stubpath = "C:\\Windows\\{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe"	{5648152E-7170-4a95-A701-C6F326892779}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}\stubpath = "C:\\Windows\\{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe"	{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BA1195E-6CCE-4262-BE18-571340D1CF22}\stubpath = "C:\\Windows\\{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe"	{555C310B-781A-4cb7-931C-628D9D187EAB}.exe

Executes dropped EXE 12 IoCs

pid	Process
2804	{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe
3248	{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe
2540	{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe
1980	{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe
4636	{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe
2640	{5648152E-7170-4a95-A701-C6F326892779}.exe
2644	{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe
4540	{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe
4616	{555C310B-781A-4cb7-931C-628D9D187EAB}.exe
556	{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe
2560	{FD82273C-F839-4b65-9995-418A16DA4783}.exe
688	{1D1EC92A-FDE9-4059-AB58-660F6A7C25AB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe	{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe
File created	C:\Windows\{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe	{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe
File created	C:\Windows\{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe	{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe
File created	C:\Windows\{555C310B-781A-4cb7-931C-628D9D187EAB}.exe	{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe
File created	C:\Windows\{1D1EC92A-FDE9-4059-AB58-660F6A7C25AB}.exe	{FD82273C-F839-4b65-9995-418A16DA4783}.exe
File created	C:\Windows\{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe	2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe
File created	C:\Windows\{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe	{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe
File created	C:\Windows\{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe	{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe
File created	C:\Windows\{FD82273C-F839-4b65-9995-418A16DA4783}.exe	{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe
File created	C:\Windows\{5648152E-7170-4a95-A701-C6F326892779}.exe	{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe
File created	C:\Windows\{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe	{5648152E-7170-4a95-A701-C6F326892779}.exe
File created	C:\Windows\{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe	{555C310B-781A-4cb7-931C-628D9D187EAB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3840	2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2804	{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe
Token: SeIncBasePriorityPrivilege	3248	{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe
Token: SeIncBasePriorityPrivilege	2540	{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe
Token: SeIncBasePriorityPrivilege	1980	{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe
Token: SeIncBasePriorityPrivilege	4636	{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe
Token: SeIncBasePriorityPrivilege	2640	{5648152E-7170-4a95-A701-C6F326892779}.exe
Token: SeIncBasePriorityPrivilege	2644	{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe
Token: SeIncBasePriorityPrivilege	4540	{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe
Token: SeIncBasePriorityPrivilege	4616	{555C310B-781A-4cb7-931C-628D9D187EAB}.exe
Token: SeIncBasePriorityPrivilege	556	{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe
Token: SeIncBasePriorityPrivilege	2560	{FD82273C-F839-4b65-9995-418A16DA4783}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 2804	3840	2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe	97
PID 3840 wrote to memory of 2804	3840	2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe	97
PID 3840 wrote to memory of 2804	3840	2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe	97
PID 3840 wrote to memory of 4028	3840	2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe	98
PID 3840 wrote to memory of 4028	3840	2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe	98
PID 3840 wrote to memory of 4028	3840	2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe	98
PID 2804 wrote to memory of 3248	2804	{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe	99
PID 2804 wrote to memory of 3248	2804	{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe	99
PID 2804 wrote to memory of 3248	2804	{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe	99
PID 2804 wrote to memory of 3628	2804	{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe	100
PID 2804 wrote to memory of 3628	2804	{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe	100
PID 2804 wrote to memory of 3628	2804	{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe	100
PID 3248 wrote to memory of 2540	3248	{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe	102
PID 3248 wrote to memory of 2540	3248	{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe	102
PID 3248 wrote to memory of 2540	3248	{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe	102
PID 3248 wrote to memory of 1488	3248	{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe	103
PID 3248 wrote to memory of 1488	3248	{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe	103
PID 3248 wrote to memory of 1488	3248	{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe	103
PID 2540 wrote to memory of 1980	2540	{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe	104
PID 2540 wrote to memory of 1980	2540	{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe	104
PID 2540 wrote to memory of 1980	2540	{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe	104
PID 2540 wrote to memory of 4312	2540	{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe	105
PID 2540 wrote to memory of 4312	2540	{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe	105
PID 2540 wrote to memory of 4312	2540	{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe	105
PID 1980 wrote to memory of 4636	1980	{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe	106
PID 1980 wrote to memory of 4636	1980	{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe	106
PID 1980 wrote to memory of 4636	1980	{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe	106
PID 1980 wrote to memory of 2704	1980	{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe	107
PID 1980 wrote to memory of 2704	1980	{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe	107
PID 1980 wrote to memory of 2704	1980	{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe	107
PID 4636 wrote to memory of 2640	4636	{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe	108
PID 4636 wrote to memory of 2640	4636	{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe	108
PID 4636 wrote to memory of 2640	4636	{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe	108
PID 4636 wrote to memory of 1276	4636	{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe	109
PID 4636 wrote to memory of 1276	4636	{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe	109
PID 4636 wrote to memory of 1276	4636	{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe	109
PID 2640 wrote to memory of 2644	2640	{5648152E-7170-4a95-A701-C6F326892779}.exe	110
PID 2640 wrote to memory of 2644	2640	{5648152E-7170-4a95-A701-C6F326892779}.exe	110
PID 2640 wrote to memory of 2644	2640	{5648152E-7170-4a95-A701-C6F326892779}.exe	110
PID 2640 wrote to memory of 2620	2640	{5648152E-7170-4a95-A701-C6F326892779}.exe	111
PID 2640 wrote to memory of 2620	2640	{5648152E-7170-4a95-A701-C6F326892779}.exe	111
PID 2640 wrote to memory of 2620	2640	{5648152E-7170-4a95-A701-C6F326892779}.exe	111
PID 2644 wrote to memory of 4540	2644	{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe	112
PID 2644 wrote to memory of 4540	2644	{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe	112
PID 2644 wrote to memory of 4540	2644	{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe	112
PID 2644 wrote to memory of 1088	2644	{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe	113
PID 2644 wrote to memory of 1088	2644	{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe	113
PID 2644 wrote to memory of 1088	2644	{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe	113
PID 4540 wrote to memory of 4616	4540	{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe	114
PID 4540 wrote to memory of 4616	4540	{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe	114
PID 4540 wrote to memory of 4616	4540	{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe	114
PID 4540 wrote to memory of 4064	4540	{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe	115
PID 4540 wrote to memory of 4064	4540	{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe	115
PID 4540 wrote to memory of 4064	4540	{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe	115
PID 4616 wrote to memory of 556	4616	{555C310B-781A-4cb7-931C-628D9D187EAB}.exe	116
PID 4616 wrote to memory of 556	4616	{555C310B-781A-4cb7-931C-628D9D187EAB}.exe	116
PID 4616 wrote to memory of 556	4616	{555C310B-781A-4cb7-931C-628D9D187EAB}.exe	116
PID 4616 wrote to memory of 1916	4616	{555C310B-781A-4cb7-931C-628D9D187EAB}.exe	117
PID 4616 wrote to memory of 1916	4616	{555C310B-781A-4cb7-931C-628D9D187EAB}.exe	117
PID 4616 wrote to memory of 1916	4616	{555C310B-781A-4cb7-931C-628D9D187EAB}.exe	117
PID 556 wrote to memory of 2560	556	{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe	118
PID 556 wrote to memory of 2560	556	{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe	118
PID 556 wrote to memory of 2560	556	{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe	118
PID 556 wrote to memory of 4784	556	{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_b296bd4ce1594bb94c79728ed286031e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe
  C:\Windows\{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe
    C:\Windows\{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe
      C:\Windows\{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe
        
        C:\Windows\{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe
        
        C:\Windows\{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\{5648152E-7170-4a95-A701-C6F326892779}.exe
        
        C:\Windows\{5648152E-7170-4a95-A701-C6F326892779}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe
        
        C:\Windows\{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe
        
        C:\Windows\{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{555C310B-781A-4cb7-931C-628D9D187EAB}.exe
        
        C:\Windows\{555C310B-781A-4cb7-931C-628D9D187EAB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe
        
        C:\Windows\{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\{FD82273C-F839-4b65-9995-418A16DA4783}.exe
        
        C:\Windows\{FD82273C-F839-4b65-9995-418A16DA4783}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\{1D1EC92A-FDE9-4059-AB58-660F6A7C25AB}.exe
        
        C:\Windows\{1D1EC92A-FDE9-4059-AB58-660F6A7C25AB}.exe
        13⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD822~1.EXE > nul
        13⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BA11~1.EXE > nul
        12⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{555C3~1.EXE > nul
        11⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1E47~1.EXE > nul
        10⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C99A~1.EXE > nul
        9⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{56481~1.EXE > nul
        8⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A48B~1.EXE > nul
        7⤵
        
        PID:1276
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CE3B~1.EXE > nul
        6⤵
        
        PID:2704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFAD9~1.EXE > nul
        5⤵
        
        PID:4312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DD6A6~1.EXE > nul
      4⤵
      PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{53B45~1.EXE > nul
    3⤵
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CE3B277-6CC2-4272-8E94-E9FADB712218}.exe

Filesize
168KB

MD5
e8da507c2b7cadd5385de6ea15d3765b

SHA1
a4ccc281048f4f6be896731a512f0a414cb9a149

SHA256
3c1e64779520ad46ff38ccb6062f11e570c2a461432abdb83b927c372b3241dd

SHA512
4ad196c1764d236d1fa3d892a9b7904c973f9534aa63292396b7ecd7215dca629367cdd067c8d21ecdbb38df09d73ad91a591e01cb0cc9876f5999b130c32666

Download Submit
C:\Windows\{1D1EC92A-FDE9-4059-AB58-660F6A7C25AB}.exe

Filesize
168KB

MD5
41d243879e8103bb8e2f40adf0ba967b

SHA1
b1079569a867dca8a40ce9aeb183455bd8c56d71

SHA256
05657c6e59685da6cbb240e8a3ce11331ae92565e9e95a9bda8fde58eb583022

SHA512
e5ec99766580eb3fef8d3665c6c323e929658661a678fded6f9fdd96f7f911f7d617badda04d63d78e9cacf317195db1222923f28849e9bed6f4116bfbd14cec

Download Submit
C:\Windows\{2BA1195E-6CCE-4262-BE18-571340D1CF22}.exe

Filesize
168KB

MD5
7f368ce74722c9294851219389d4df32

SHA1
288057b5bc9bc13f0f655a48b43b56a5a6ec2733

SHA256
eecabe093dcb895cca622a36bc9d04c4a8240af951ca44a1114b93ef2ef4069e

SHA512
791d7b875032979df4fe5a6f4b287e1fba48a6470387f3ca96a157840582c649f69b8078923f7273fae62230b94a226a941ed7de0da8dfc858c769e13f88c856

Download Submit
C:\Windows\{53B45BD5-4E59-4de5-BA6B-958D24F3DD25}.exe

Filesize
168KB

MD5
5f9ffa84a665bca44cb7a1afc1311ddb

SHA1
bab2ddf85dce5fe305dc2bb56af617ec8ed45f70

SHA256
222a46527824f974ec775de635c4ad05c1e6deb38c78a2f9ccb4bd219923b595

SHA512
617bdd4d967153f596e654144b44a301c5a6cd871d747f201d9ac12d62081c4c40436a459100c2f403a412296e3e5a98bb0debf90feb1bb413cd474c1eae8e3f

Download Submit
C:\Windows\{555C310B-781A-4cb7-931C-628D9D187EAB}.exe

Filesize
168KB

MD5
fce097a34a510d294638c198e9494469

SHA1
5d53ad619c921968e1754c7304d3ef227b651409

SHA256
10c2a4c289eef231535f1052a52343bf04bd6a1f093b58544b001fb76ec81526

SHA512
b22857108fb3e9221f281b936bde5a9d3f7fd1035a939455610224e849d9eb2e31c26cd119583aa61bb37362366fef24ff0db84f1b9d607537f22b343b9e91a2

Download Submit
C:\Windows\{5648152E-7170-4a95-A701-C6F326892779}.exe

Filesize
168KB

MD5
ea2c83f270867eae9565454a3d2357f3

SHA1
0cd80f0b62729c7255638a5155387565d6ac0f78

SHA256
0ca0792845a00028e6bd4432182127ef39e3d027efd62f7a997ae21391ca2038

SHA512
247935bcdc8f33d81d525af88539749df54bf200f95ff6fc1788b832a6f33bfa00b45114bf6e30d514339bdc5b4e5745560481bed6f38da5650b7b4e65322614

Download Submit
C:\Windows\{7C99A02F-5D47-451f-A4BF-0AA7A870912B}.exe

Filesize
168KB

MD5
17313b7f474422573a09f1fe9a48aead

SHA1
114318cfcf5d7dc9bdab6816f4cec18a307dd700

SHA256
aba99e2e8f5955b587d8cc19743dbb1094a04b3de32c5f590373d3da619dc94f

SHA512
1ffb8f320f6e068045f8898cfdcacafebbe314f04d563714a88044b6fc0aad500779c4f030d3946f337b9a6667ff899520a26caa912619316a78e93e30323a79

Download Submit
C:\Windows\{8A48B444-3814-4e4a-B4D8-766A26472E69}.exe

Filesize
168KB

MD5
62109154de8d7fd7f0d8618f0450e7a5

SHA1
c431c7d0b1af7214a92595afeb084fb4979676da

SHA256
ec034589d8ce5bc45a95e124593b4cfccad36bc5416a6083b81f8975bc28c0a4

SHA512
5c9cfb9355853d3e325b6b902388c4a379f4b16a61480d80f6344c367e5c42f7712bf1660b2a9b2c1a713a8b70aae7de285d4bc41cac97655750492fa741e2ea

Download Submit
C:\Windows\{AFAD9EB5-20B7-4608-9DC6-1C7C6273B6C1}.exe

Filesize
168KB

MD5
661d1a364ce31c461ef0d1081c5dfd53

SHA1
3a7db37adf2e53d2f0e3933c4c77e92b8eb31c32

SHA256
9a861dd8388d0b6f1df86f12d447c2b425b16d8dd37578a5133f737adfb02dac

SHA512
d9038d23f879a63cc9a340fe42e90039d40bc5dab5c61996a919e6f7882482f2c2b315b3320e4968b7b7b8e86440f251bc3094f41bc44d07f9dd7a3cb2c9e076

Download Submit
C:\Windows\{DD6A6302-8A66-4860-AD13-76347B5D0B62}.exe

Filesize
168KB

MD5
c777b7336ac688caa0118c072d9c3c37

SHA1
2dc46a3a3bf9e7b21ca3192563abb07c21e380d7

SHA256
230bf48c9de6b5f0a1dc7b688b421420c4277c369e197b4dab1308e676e9567e

SHA512
4be4923b8912aeddbf40cacf9e94b3c63a9062fcfaff916cfda50062cf2c7d15393e8df00d3361f463af92eff15e945b01c1a52943166764236a860a7fe5b812

Download Submit
C:\Windows\{F1E4784E-33C2-42c9-9F42-F19A22FFB87E}.exe

Filesize
168KB

MD5
e3a0dcde891e13321660326598ae3d8a

SHA1
0fc81b21888c3e6d36747d03a589b30279f52ded

SHA256
81997e835e4ce5e7787d44f0a490195ecec98ac9c7ba363db6fb6a8c9e9b16cb

SHA512
e62d41c03322136525259c0413bd155951f6e46db9a606d42e52277a007e393c217476845f829a99ec7d055e3900840809527966ae139365c58dc9812b688337

Download Submit
C:\Windows\{FD82273C-F839-4b65-9995-418A16DA4783}.exe

Filesize
168KB

MD5
1569e8723ab9c970c4d2f29f95d397c7

SHA1
dce78bae22c2fd4340dc6f9b86e3e91ed5729972

SHA256
c3656eae1839f957cbbc68339dc03b0ea0d09c0cb58c585f89419f53f978a956

SHA512
4996f38f705d8631f27d150b90121b33d2eb83a5a0672908470fdfdc305fb675d60ab07886685acb767cce9bd62e23c1c9e0e4a9bc804998fe9ebad2a80c09d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads