9fbd9b621f101618233442b3c1ff0a8ff7aa0fbe507f90c4f64776f725f5049a

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe
Size

168KB
MD5

7c766384d8f3d127f2c2918fdf079539
SHA1

e7f2f59c63332527ba66cf1df8a79d4c738d56ac
SHA256

9fbd9b621f101618233442b3c1ff0a8ff7aa0fbe507f90c4f64776f725f5049a
SHA512

a1b789ed9fb84d133573407709c7b826f36ccb78e54d7e949bf8f10f5d97520c12abda142e8271244325478f709ff90db9221171ee364867e162b796685ed386
SSDEEP

1536:1EGh0owlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0owlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023204-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00140000000231f4-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023209-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002320b-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d41-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021d42-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021d41-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000000707-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5C823DD-9E12-44aa-8439-6C58F9879024}\stubpath = "C:\\Windows\\{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe"	{515B28FD-AAE4-4651-9036-C213A1912E82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}	{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB086FA3-82AE-40ea-8E7C-49E3A5225967}	{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4995A8D9-749B-4112-9FA4-6550DF4EE279}\stubpath = "C:\\Windows\\{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe"	{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A53187F5-2F38-438a-82FD-BF2D66FF503F}	{FD8A1AA2-FFAA-4034-BCC7-854BFF40494D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A53187F5-2F38-438a-82FD-BF2D66FF503F}\stubpath = "C:\\Windows\\{A53187F5-2F38-438a-82FD-BF2D66FF503F}.exe"	{FD8A1AA2-FFAA-4034-BCC7-854BFF40494D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{515B28FD-AAE4-4651-9036-C213A1912E82}\stubpath = "C:\\Windows\\{515B28FD-AAE4-4651-9036-C213A1912E82}.exe"	{C0667436-96AE-4733-9B4A-C2882E924389}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{975DFAA0-6827-4917-AAC7-92EEF5592729}	{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A37DD8-F483-43f9-90D6-E9210E6FAB39}\stubpath = "C:\\Windows\\{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe"	{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}\stubpath = "C:\\Windows\\{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe"	{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB086FA3-82AE-40ea-8E7C-49E3A5225967}\stubpath = "C:\\Windows\\{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe"	{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4995A8D9-749B-4112-9FA4-6550DF4EE279}	{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0880D859-4A6B-423c-874B-10C8B9DDD2D7}	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0667436-96AE-4733-9B4A-C2882E924389}\stubpath = "C:\\Windows\\{C0667436-96AE-4733-9B4A-C2882E924389}.exe"	{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{515B28FD-AAE4-4651-9036-C213A1912E82}	{C0667436-96AE-4733-9B4A-C2882E924389}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5C823DD-9E12-44aa-8439-6C58F9879024}	{515B28FD-AAE4-4651-9036-C213A1912E82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53A37DD8-F483-43f9-90D6-E9210E6FAB39}	{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD8A1AA2-FFAA-4034-BCC7-854BFF40494D}\stubpath = "C:\\Windows\\{FD8A1AA2-FFAA-4034-BCC7-854BFF40494D}.exe"	{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0880D859-4A6B-423c-874B-10C8B9DDD2D7}\stubpath = "C:\\Windows\\{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe"	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0667436-96AE-4733-9B4A-C2882E924389}	{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{975DFAA0-6827-4917-AAC7-92EEF5592729}\stubpath = "C:\\Windows\\{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe"	{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}	{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}\stubpath = "C:\\Windows\\{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe"	{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD8A1AA2-FFAA-4034-BCC7-854BFF40494D}	{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe

Executes dropped EXE 12 IoCs

pid	Process
3900	{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe
3172	{C0667436-96AE-4733-9B4A-C2882E924389}.exe
4784	{515B28FD-AAE4-4651-9036-C213A1912E82}.exe
872	{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe
3456	{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe
2760	{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe
3980	{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe
2788	{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe
764	{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe
2736	{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe
3460	{FD8A1AA2-FFAA-4034-BCC7-854BFF40494D}.exe
3184	{A53187F5-2F38-438a-82FD-BF2D66FF503F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{515B28FD-AAE4-4651-9036-C213A1912E82}.exe	{C0667436-96AE-4733-9B4A-C2882E924389}.exe
File created	C:\Windows\{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe	{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe
File created	C:\Windows\{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe	{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe
File created	C:\Windows\{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe	{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe
File created	C:\Windows\{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe	{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe
File created	C:\Windows\{C0667436-96AE-4733-9B4A-C2882E924389}.exe	{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe
File created	C:\Windows\{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe	{515B28FD-AAE4-4651-9036-C213A1912E82}.exe
File created	C:\Windows\{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe	{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe
File created	C:\Windows\{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe	{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe
File created	C:\Windows\{FD8A1AA2-FFAA-4034-BCC7-854BFF40494D}.exe	{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe
File created	C:\Windows\{A53187F5-2F38-438a-82FD-BF2D66FF503F}.exe	{FD8A1AA2-FFAA-4034-BCC7-854BFF40494D}.exe
File created	C:\Windows\{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3984	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3900	{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe
Token: SeIncBasePriorityPrivilege	3172	{C0667436-96AE-4733-9B4A-C2882E924389}.exe
Token: SeIncBasePriorityPrivilege	4784	{515B28FD-AAE4-4651-9036-C213A1912E82}.exe
Token: SeIncBasePriorityPrivilege	872	{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe
Token: SeIncBasePriorityPrivilege	3456	{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe
Token: SeIncBasePriorityPrivilege	2760	{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe
Token: SeIncBasePriorityPrivilege	3980	{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe
Token: SeIncBasePriorityPrivilege	2788	{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe
Token: SeIncBasePriorityPrivilege	764	{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe
Token: SeIncBasePriorityPrivilege	2736	{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe
Token: SeIncBasePriorityPrivilege	3460	{FD8A1AA2-FFAA-4034-BCC7-854BFF40494D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 3900	3984	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	95
PID 3984 wrote to memory of 3900	3984	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	95
PID 3984 wrote to memory of 3900	3984	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	95
PID 3984 wrote to memory of 1036	3984	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	96
PID 3984 wrote to memory of 1036	3984	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	96
PID 3984 wrote to memory of 1036	3984	2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe	96
PID 3900 wrote to memory of 3172	3900	{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe	97
PID 3900 wrote to memory of 3172	3900	{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe	97
PID 3900 wrote to memory of 3172	3900	{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe	97
PID 3900 wrote to memory of 4536	3900	{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe	98
PID 3900 wrote to memory of 4536	3900	{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe	98
PID 3900 wrote to memory of 4536	3900	{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe	98
PID 3172 wrote to memory of 4784	3172	{C0667436-96AE-4733-9B4A-C2882E924389}.exe	100
PID 3172 wrote to memory of 4784	3172	{C0667436-96AE-4733-9B4A-C2882E924389}.exe	100
PID 3172 wrote to memory of 4784	3172	{C0667436-96AE-4733-9B4A-C2882E924389}.exe	100
PID 3172 wrote to memory of 1012	3172	{C0667436-96AE-4733-9B4A-C2882E924389}.exe	101
PID 3172 wrote to memory of 1012	3172	{C0667436-96AE-4733-9B4A-C2882E924389}.exe	101
PID 3172 wrote to memory of 1012	3172	{C0667436-96AE-4733-9B4A-C2882E924389}.exe	101
PID 4784 wrote to memory of 872	4784	{515B28FD-AAE4-4651-9036-C213A1912E82}.exe	102
PID 4784 wrote to memory of 872	4784	{515B28FD-AAE4-4651-9036-C213A1912E82}.exe	102
PID 4784 wrote to memory of 872	4784	{515B28FD-AAE4-4651-9036-C213A1912E82}.exe	102
PID 4784 wrote to memory of 4984	4784	{515B28FD-AAE4-4651-9036-C213A1912E82}.exe	103
PID 4784 wrote to memory of 4984	4784	{515B28FD-AAE4-4651-9036-C213A1912E82}.exe	103
PID 4784 wrote to memory of 4984	4784	{515B28FD-AAE4-4651-9036-C213A1912E82}.exe	103
PID 872 wrote to memory of 3456	872	{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe	104
PID 872 wrote to memory of 3456	872	{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe	104
PID 872 wrote to memory of 3456	872	{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe	104
PID 872 wrote to memory of 1616	872	{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe	105
PID 872 wrote to memory of 1616	872	{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe	105
PID 872 wrote to memory of 1616	872	{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe	105
PID 3456 wrote to memory of 2760	3456	{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe	106
PID 3456 wrote to memory of 2760	3456	{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe	106
PID 3456 wrote to memory of 2760	3456	{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe	106
PID 3456 wrote to memory of 2248	3456	{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe	107
PID 3456 wrote to memory of 2248	3456	{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe	107
PID 3456 wrote to memory of 2248	3456	{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe	107
PID 2760 wrote to memory of 3980	2760	{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe	108
PID 2760 wrote to memory of 3980	2760	{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe	108
PID 2760 wrote to memory of 3980	2760	{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe	108
PID 2760 wrote to memory of 3128	2760	{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe	109
PID 2760 wrote to memory of 3128	2760	{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe	109
PID 2760 wrote to memory of 3128	2760	{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe	109
PID 3980 wrote to memory of 2788	3980	{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe	110
PID 3980 wrote to memory of 2788	3980	{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe	110
PID 3980 wrote to memory of 2788	3980	{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe	110
PID 3980 wrote to memory of 3620	3980	{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe	111
PID 3980 wrote to memory of 3620	3980	{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe	111
PID 3980 wrote to memory of 3620	3980	{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe	111
PID 2788 wrote to memory of 764	2788	{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe	112
PID 2788 wrote to memory of 764	2788	{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe	112
PID 2788 wrote to memory of 764	2788	{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe	112
PID 2788 wrote to memory of 4212	2788	{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe	113
PID 2788 wrote to memory of 4212	2788	{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe	113
PID 2788 wrote to memory of 4212	2788	{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe	113
PID 764 wrote to memory of 2736	764	{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe	114
PID 764 wrote to memory of 2736	764	{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe	114
PID 764 wrote to memory of 2736	764	{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe	114
PID 764 wrote to memory of 1732	764	{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe	115
PID 764 wrote to memory of 1732	764	{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe	115
PID 764 wrote to memory of 1732	764	{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe	115
PID 2736 wrote to memory of 3460	2736	{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe	116
PID 2736 wrote to memory of 3460	2736	{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe	116
PID 2736 wrote to memory of 3460	2736	{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe	116
PID 2736 wrote to memory of 2284	2736	{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_7c766384d8f3d127f2c2918fdf079539_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe
  C:\Windows\{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\{C0667436-96AE-4733-9B4A-C2882E924389}.exe
    C:\Windows\{C0667436-96AE-4733-9B4A-C2882E924389}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\{515B28FD-AAE4-4651-9036-C213A1912E82}.exe
      C:\Windows\{515B28FD-AAE4-4651-9036-C213A1912E82}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe
        
        C:\Windows\{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Windows\{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe
        
        C:\Windows\{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe
        
        C:\Windows\{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe
        
        C:\Windows\{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe
        
        C:\Windows\{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe
        
        C:\Windows\{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe
        
        C:\Windows\{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{FD8A1AA2-FFAA-4034-BCC7-854BFF40494D}.exe
        
        C:\Windows\{FD8A1AA2-FFAA-4034-BCC7-854BFF40494D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
        
        C:\Windows\{A53187F5-2F38-438a-82FD-BF2D66FF503F}.exe
        
        C:\Windows\{A53187F5-2F38-438a-82FD-BF2D66FF503F}.exe
        13⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD8A1~1.EXE > nul
        13⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF74C~1.EXE > nul
        12⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4995A~1.EXE > nul
        11⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB086~1.EXE > nul
        10⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4E1A~1.EXE > nul
        9⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53A37~1.EXE > nul
        8⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{975DF~1.EXE > nul
        7⤵
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5C82~1.EXE > nul
        6⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{515B2~1.EXE > nul
        5⤵
        
        PID:4984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C0667~1.EXE > nul
      4⤵
      PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0880D~1.EXE > nul
    3⤵
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0880D859-4A6B-423c-874B-10C8B9DDD2D7}.exe

Filesize
168KB

MD5
8a70bcf28e8f1d93110657d9d2acd390

SHA1
e7173eb85d9808643f38586787b2c73eae2cfcce

SHA256
2392f4cf9a6c7d12a80720d062a1bcffaceff130764eb90f0c58d77ae5041cfb

SHA512
89dcee3d377a5090c0e9f43fce761bee92a64b26720cd498f90c9bbada741864281d24d9a53b8ab0fae2214862de79cedc59deef0ccc074a4d1430e2ba5ab720

Download Submit
C:\Windows\{4995A8D9-749B-4112-9FA4-6550DF4EE279}.exe

Filesize
168KB

MD5
ec64641ea7ebfc6ddaa16cc1e42f42a2

SHA1
0a017e11389875c1f653f516879f5aef9244d52b

SHA256
f388b13683293b24dbad345608fa07011d8d17c40abd0255c751463f07f3880e

SHA512
fe4a8d591401fd7e93ae16d7272c086c347e058bb550bd21c8d9d71daf80e8ec16a8c0d47d86ee467b6765c80b1060e83a980855613aa330148ec873e9e36830

Download Submit
C:\Windows\{515B28FD-AAE4-4651-9036-C213A1912E82}.exe

Filesize
168KB

MD5
084343e8c7b371598f7871b90487f1d6

SHA1
f0e22992b8bfacd52767ace121dbe001445af45d

SHA256
2e5bbb4c007392feb19735db92cebe0ae1bfad75d886f09bf3319f7450f31923

SHA512
8784853ba641157f04f6ff41e2b523b07f30e03133efce4460062f203942791617df13558ae6f9545ef81b7ba09797db017f9dd7929ce0d289008892b4af0934

Download Submit
C:\Windows\{53A37DD8-F483-43f9-90D6-E9210E6FAB39}.exe

Filesize
168KB

MD5
3f56c1fa074e7fc34baaa916c3f26638

SHA1
31bb637aac54d6480748be129f7d0609b946f1a7

SHA256
e75e2798611c788cb75aaaf5afd7994c45925bdc3ef08d0e2c41d586ace38d85

SHA512
7885cebf407b2cb16c784933aafb748c885a88f832319fc3fbf3b72b038e03a123024d32a30914fae17bc2d560afe542cd0a6aeb39818d4db03efe997907b364

Download Submit
C:\Windows\{975DFAA0-6827-4917-AAC7-92EEF5592729}.exe

Filesize
168KB

MD5
21590b32d1dd2b050efdd8fce899f750

SHA1
26156da81b4c3cb5cf947175ee1b3063545b4655

SHA256
0d341c60350fef64f0e2cc121cdba9b883f0ec2381e16997431ad3bdeb72faf9

SHA512
33430ea57e20a9e1ab3f18eef2cbbad6b41abe9aaf5b8265f1a58f70aeab29c3419a7e5bef1639f21c5288f54847128452f41439db6bac8854a5ebfa8cf6b0b9

Download Submit
C:\Windows\{A53187F5-2F38-438a-82FD-BF2D66FF503F}.exe

Filesize
168KB

MD5
4cc9684a7f6a13148f6e597ba95cba9b

SHA1
8a62060279d2d178db8de9a8b7fc782908db12dc

SHA256
fc4a2d3b1872745e98c63afa677ed929046c59aeb9076c691897266f703da755

SHA512
c4b453e526b2d7ca0eaec9e55e7af8f021ff6aaa1a585f9db8510fa5404d31b2ae81bcf3524c944a5e846210da0cedfd00b54c389ed49aa68f4d8331cba580f2

Download Submit
C:\Windows\{C0667436-96AE-4733-9B4A-C2882E924389}.exe

Filesize
168KB

MD5
357600cc591bd0a0c4676245130480e3

SHA1
5cde4a1770b2f85cd63c9cd62bd84f3132f3126b

SHA256
9af2af7847aeb3bb5ea41a0ea7f47e978054d623978621ce3f728d7f332f07c2

SHA512
e55147ae0e3ed49b7f63bff9ab8a7473dea2288fa2ce04061b81879994d7f7ee6f3669d3e407b9ac3d8ce48d421e303b675c85d9feda43d62794c934dd2950a6

Download Submit
C:\Windows\{D4E1A4FA-34D0-4839-A858-926D04C5E8A5}.exe

Filesize
168KB

MD5
efe3397039675181ebe66361b928b11c

SHA1
16cd345931d4d9e72ab3d6689e4add452b4f0a22

SHA256
94b50ed927d2f624a7b334d427eab6ad3588696956fd36f18e6e0dd2a7e829d7

SHA512
6955d4846d360983f288aed276dd24d69c60a22edea503e30df2cb1855154ae62904c589eb382013817dc6c277a0e4091c21ab7d88ccb7d11f6284b79bb01a56

Download Submit
C:\Windows\{D5C823DD-9E12-44aa-8439-6C58F9879024}.exe

Filesize
168KB

MD5
0c191f9ef3ea03ab23b53ff9155d014f

SHA1
2521426ec42e09ec289379181cac2a6f349646f7

SHA256
ffe6a78bb4c68e5dd69093fc832d1623d3b612b638e0e924a879892b1c2257ca

SHA512
f4c8acadbfadf15f2626881dabebb95b18f287fcd3f5a17030054d0cf8eb5cd3423baea190fe9c2f5dda1e5cbb06c59097ff38aacf4d70f5d1dcd34a55e6f769

Download Submit
C:\Windows\{DB086FA3-82AE-40ea-8E7C-49E3A5225967}.exe

Filesize
168KB

MD5
e82e551f659e6650c9d747abcd0810be

SHA1
3c1b6dc4dd87b32f42c5638507cf50f054229ec5

SHA256
623a319cdcd9ded743b8b79daf152bc4a0f771cd6d0b772c1d35f0390950a811

SHA512
27361efdae57c4adac3ec05e58ca7ee5149200ba4f4a7821c2d600d711df27d712dcb806c7f8f2102d152a46a9d192f7c5085533a4e5958bb3b5deb489dec5a2

Download Submit
C:\Windows\{DF74C082-36E9-43c0-9CF2-A14F094EE7AC}.exe

Filesize
168KB

MD5
20faebad9d9c36ae699ee1ea0edb0914

SHA1
d44d3e5d26483ec15cc21de6b6f541a739b60be4

SHA256
d97e427813c957bbee77763b5ffb3cde449226379813b422c0b134c05c6f7d34

SHA512
46f9d9ff15937557cf2ea77e339bc81af3ceb36737da761a0267c23960c419eba44e54b198845eb19aad90d75bbd59bdb8b4a53c227f8564e9107f3513e1f350

Download Submit
C:\Windows\{FD8A1AA2-FFAA-4034-BCC7-854BFF40494D}.exe

Filesize
168KB

MD5
592e7bc4e126ebffa2afbb34cf5923c8

SHA1
93ed296bbbe0f6a797ed7e6f2354ce8d7adbf232

SHA256
996dff9178c4db762e3a0ac5cd3959cc612675a515a4d4a88ff5696f4a3cddb7

SHA512
07571d139e628a11f6e32891e1eb7449a1eee925f1952586b7000a60330555ea0c7eb8c3922c8350d245cfc1aad6dd74db09d20a012f419a51e231d44313b543

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads