d4d2fb6e231c6f83e064446e07806b4921f6d26501752bdca3e772d54050f9c1

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe
Size

216KB
MD5

595ea1f9356b2f635345febd729cc2be
SHA1

35f01408d19bc12cb00116d1b0e41cf2128cb9f1
SHA256

d4d2fb6e231c6f83e064446e07806b4921f6d26501752bdca3e772d54050f9c1
SHA512

2060667b58328a2cb209cf33b70e4f880200c8cb506f4db082e5fd37d3d51cbaf2da4b66b857d8677b8f641945db2ebce3534a4d223c1aca656627b311aeb71b
SSDEEP

3072:jEGh0oTl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG9lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000d00000001e093-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e5a7-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e823-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000001e748-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e823-17.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001e748-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e823-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000001e748-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e823-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000001e748-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e823-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001e748-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}\stubpath = "C:\\Windows\\{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe"	2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00C778F3-95E9-4033-A062-569AF488253F}\stubpath = "C:\\Windows\\{00C778F3-95E9-4033-A062-569AF488253F}.exe"	{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7650471-96CF-4739-8ABB-E628A9955845}	{00C778F3-95E9-4033-A062-569AF488253F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D57EF53D-90B3-47dc-8DFC-F8A286650175}\stubpath = "C:\\Windows\\{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe"	{D7650471-96CF-4739-8ABB-E628A9955845}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B43D5F07-FA2C-43b3-B385-46E94DFBD870}	{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35796A09-7B78-4800-95BA-642AA5AFEE3C}\stubpath = "C:\\Windows\\{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe"	{FF19B288-7E26-492f-AD83-9584C9D71915}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B282720B-3C14-413f-BCD1-3A8501225758}\stubpath = "C:\\Windows\\{B282720B-3C14-413f-BCD1-3A8501225758}.exe"	{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}	2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7415BD7E-F8AA-4842-AFAC-A8FBC6CE09A6}	{222EC5CD-E035-4bbe-9F66-DAED34CBCCC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7415BD7E-F8AA-4842-AFAC-A8FBC6CE09A6}\stubpath = "C:\\Windows\\{7415BD7E-F8AA-4842-AFAC-A8FBC6CE09A6}.exe"	{222EC5CD-E035-4bbe-9F66-DAED34CBCCC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{222EC5CD-E035-4bbe-9F66-DAED34CBCCC9}	{B282720B-3C14-413f-BCD1-3A8501225758}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF19B288-7E26-492f-AD83-9584C9D71915}	{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B282720B-3C14-413f-BCD1-3A8501225758}	{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B46C9612-C59D-4cd9-A683-ADD15BA265CD}\stubpath = "C:\\Windows\\{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe"	{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B46C9612-C59D-4cd9-A683-ADD15BA265CD}	{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}\stubpath = "C:\\Windows\\{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe"	{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B43D5F07-FA2C-43b3-B385-46E94DFBD870}\stubpath = "C:\\Windows\\{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe"	{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF19B288-7E26-492f-AD83-9584C9D71915}\stubpath = "C:\\Windows\\{FF19B288-7E26-492f-AD83-9584C9D71915}.exe"	{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35796A09-7B78-4800-95BA-642AA5AFEE3C}	{FF19B288-7E26-492f-AD83-9584C9D71915}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{222EC5CD-E035-4bbe-9F66-DAED34CBCCC9}\stubpath = "C:\\Windows\\{222EC5CD-E035-4bbe-9F66-DAED34CBCCC9}.exe"	{B282720B-3C14-413f-BCD1-3A8501225758}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7650471-96CF-4739-8ABB-E628A9955845}\stubpath = "C:\\Windows\\{D7650471-96CF-4739-8ABB-E628A9955845}.exe"	{00C778F3-95E9-4033-A062-569AF488253F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D57EF53D-90B3-47dc-8DFC-F8A286650175}	{D7650471-96CF-4739-8ABB-E628A9955845}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}	{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00C778F3-95E9-4033-A062-569AF488253F}	{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe

Executes dropped EXE 12 IoCs

pid	Process
2972	{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe
3660	{00C778F3-95E9-4033-A062-569AF488253F}.exe
5112	{D7650471-96CF-4739-8ABB-E628A9955845}.exe
1924	{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe
4876	{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe
2328	{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe
4992	{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe
2884	{FF19B288-7E26-492f-AD83-9584C9D71915}.exe
4956	{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe
2628	{B282720B-3C14-413f-BCD1-3A8501225758}.exe
4124	{222EC5CD-E035-4bbe-9F66-DAED34CBCCC9}.exe
632	{7415BD7E-F8AA-4842-AFAC-A8FBC6CE09A6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{00C778F3-95E9-4033-A062-569AF488253F}.exe	{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe
File created	C:\Windows\{D7650471-96CF-4739-8ABB-E628A9955845}.exe	{00C778F3-95E9-4033-A062-569AF488253F}.exe
File created	C:\Windows\{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe	{D7650471-96CF-4739-8ABB-E628A9955845}.exe
File created	C:\Windows\{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe	{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe
File created	C:\Windows\{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe	{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe
File created	C:\Windows\{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe	{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe
File created	C:\Windows\{FF19B288-7E26-492f-AD83-9584C9D71915}.exe	{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe
File created	C:\Windows\{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe	{FF19B288-7E26-492f-AD83-9584C9D71915}.exe
File created	C:\Windows\{B282720B-3C14-413f-BCD1-3A8501225758}.exe	{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe
File created	C:\Windows\{7415BD7E-F8AA-4842-AFAC-A8FBC6CE09A6}.exe	{222EC5CD-E035-4bbe-9F66-DAED34CBCCC9}.exe
File created	C:\Windows\{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe	2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe
File created	C:\Windows\{222EC5CD-E035-4bbe-9F66-DAED34CBCCC9}.exe	{B282720B-3C14-413f-BCD1-3A8501225758}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	224	2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2972	{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe
Token: SeIncBasePriorityPrivilege	3660	{00C778F3-95E9-4033-A062-569AF488253F}.exe
Token: SeIncBasePriorityPrivilege	5112	{D7650471-96CF-4739-8ABB-E628A9955845}.exe
Token: SeIncBasePriorityPrivilege	1924	{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe
Token: SeIncBasePriorityPrivilege	4876	{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe
Token: SeIncBasePriorityPrivilege	2328	{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe
Token: SeIncBasePriorityPrivilege	4992	{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe
Token: SeIncBasePriorityPrivilege	2884	{FF19B288-7E26-492f-AD83-9584C9D71915}.exe
Token: SeIncBasePriorityPrivilege	4956	{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe
Token: SeIncBasePriorityPrivilege	2628	{B282720B-3C14-413f-BCD1-3A8501225758}.exe
Token: SeIncBasePriorityPrivilege	4124	{222EC5CD-E035-4bbe-9F66-DAED34CBCCC9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 2972	224	2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe	84
PID 224 wrote to memory of 2972	224	2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe	84
PID 224 wrote to memory of 2972	224	2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe	84
PID 224 wrote to memory of 2760	224	2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe	85
PID 224 wrote to memory of 2760	224	2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe	85
PID 224 wrote to memory of 2760	224	2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe	85
PID 2972 wrote to memory of 3660	2972	{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe	86
PID 2972 wrote to memory of 3660	2972	{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe	86
PID 2972 wrote to memory of 3660	2972	{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe	86
PID 2972 wrote to memory of 1720	2972	{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe	87
PID 2972 wrote to memory of 1720	2972	{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe	87
PID 2972 wrote to memory of 1720	2972	{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe	87
PID 3660 wrote to memory of 5112	3660	{00C778F3-95E9-4033-A062-569AF488253F}.exe	90
PID 3660 wrote to memory of 5112	3660	{00C778F3-95E9-4033-A062-569AF488253F}.exe	90
PID 3660 wrote to memory of 5112	3660	{00C778F3-95E9-4033-A062-569AF488253F}.exe	90
PID 3660 wrote to memory of 2472	3660	{00C778F3-95E9-4033-A062-569AF488253F}.exe	91
PID 3660 wrote to memory of 2472	3660	{00C778F3-95E9-4033-A062-569AF488253F}.exe	91
PID 3660 wrote to memory of 2472	3660	{00C778F3-95E9-4033-A062-569AF488253F}.exe	91
PID 5112 wrote to memory of 1924	5112	{D7650471-96CF-4739-8ABB-E628A9955845}.exe	93
PID 5112 wrote to memory of 1924	5112	{D7650471-96CF-4739-8ABB-E628A9955845}.exe	93
PID 5112 wrote to memory of 1924	5112	{D7650471-96CF-4739-8ABB-E628A9955845}.exe	93
PID 5112 wrote to memory of 1592	5112	{D7650471-96CF-4739-8ABB-E628A9955845}.exe	94
PID 5112 wrote to memory of 1592	5112	{D7650471-96CF-4739-8ABB-E628A9955845}.exe	94
PID 5112 wrote to memory of 1592	5112	{D7650471-96CF-4739-8ABB-E628A9955845}.exe	94
PID 1924 wrote to memory of 4876	1924	{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe	95
PID 1924 wrote to memory of 4876	1924	{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe	95
PID 1924 wrote to memory of 4876	1924	{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe	95
PID 1924 wrote to memory of 1152	1924	{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe	96
PID 1924 wrote to memory of 1152	1924	{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe	96
PID 1924 wrote to memory of 1152	1924	{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe	96
PID 4876 wrote to memory of 2328	4876	{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe	97
PID 4876 wrote to memory of 2328	4876	{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe	97
PID 4876 wrote to memory of 2328	4876	{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe	97
PID 4876 wrote to memory of 3536	4876	{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe	98
PID 4876 wrote to memory of 3536	4876	{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe	98
PID 4876 wrote to memory of 3536	4876	{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe	98
PID 2328 wrote to memory of 4992	2328	{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe	99
PID 2328 wrote to memory of 4992	2328	{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe	99
PID 2328 wrote to memory of 4992	2328	{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe	99
PID 2328 wrote to memory of 4680	2328	{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe	100
PID 2328 wrote to memory of 4680	2328	{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe	100
PID 2328 wrote to memory of 4680	2328	{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe	100
PID 4992 wrote to memory of 2884	4992	{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe	101
PID 4992 wrote to memory of 2884	4992	{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe	101
PID 4992 wrote to memory of 2884	4992	{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe	101
PID 4992 wrote to memory of 3276	4992	{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe	102
PID 4992 wrote to memory of 3276	4992	{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe	102
PID 4992 wrote to memory of 3276	4992	{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe	102
PID 2884 wrote to memory of 4956	2884	{FF19B288-7E26-492f-AD83-9584C9D71915}.exe	103
PID 2884 wrote to memory of 4956	2884	{FF19B288-7E26-492f-AD83-9584C9D71915}.exe	103
PID 2884 wrote to memory of 4956	2884	{FF19B288-7E26-492f-AD83-9584C9D71915}.exe	103
PID 2884 wrote to memory of 3636	2884	{FF19B288-7E26-492f-AD83-9584C9D71915}.exe	104
PID 2884 wrote to memory of 3636	2884	{FF19B288-7E26-492f-AD83-9584C9D71915}.exe	104
PID 2884 wrote to memory of 3636	2884	{FF19B288-7E26-492f-AD83-9584C9D71915}.exe	104
PID 4956 wrote to memory of 2628	4956	{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe	105
PID 4956 wrote to memory of 2628	4956	{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe	105
PID 4956 wrote to memory of 2628	4956	{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe	105
PID 4956 wrote to memory of 4452	4956	{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe	106
PID 4956 wrote to memory of 4452	4956	{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe	106
PID 4956 wrote to memory of 4452	4956	{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe	106
PID 2628 wrote to memory of 4124	2628	{B282720B-3C14-413f-BCD1-3A8501225758}.exe	107
PID 2628 wrote to memory of 4124	2628	{B282720B-3C14-413f-BCD1-3A8501225758}.exe	107
PID 2628 wrote to memory of 4124	2628	{B282720B-3C14-413f-BCD1-3A8501225758}.exe	107
PID 2628 wrote to memory of 5064	2628	{B282720B-3C14-413f-BCD1-3A8501225758}.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_595ea1f9356b2f635345febd729cc2be_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe
  C:\Windows\{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\{00C778F3-95E9-4033-A062-569AF488253F}.exe
    C:\Windows\{00C778F3-95E9-4033-A062-569AF488253F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\{D7650471-96CF-4739-8ABB-E628A9955845}.exe
      C:\Windows\{D7650471-96CF-4739-8ABB-E628A9955845}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Windows\{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe
        
        C:\Windows\{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
      - C:\Windows\{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe
        
        C:\Windows\{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe
        
        C:\Windows\{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe
        
        C:\Windows\{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{FF19B288-7E26-492f-AD83-9584C9D71915}.exe
        
        C:\Windows\{FF19B288-7E26-492f-AD83-9584C9D71915}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe
        
        C:\Windows\{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\{B282720B-3C14-413f-BCD1-3A8501225758}.exe
        
        C:\Windows\{B282720B-3C14-413f-BCD1-3A8501225758}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\{222EC5CD-E035-4bbe-9F66-DAED34CBCCC9}.exe
        
        C:\Windows\{222EC5CD-E035-4bbe-9F66-DAED34CBCCC9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Windows\{7415BD7E-F8AA-4842-AFAC-A8FBC6CE09A6}.exe
        
        C:\Windows\{7415BD7E-F8AA-4842-AFAC-A8FBC6CE09A6}.exe
        13⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{222EC~1.EXE > nul
        13⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2827~1.EXE > nul
        12⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35796~1.EXE > nul
        11⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF19B~1.EXE > nul
        10⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B43D5~1.EXE > nul
        9⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFB96~1.EXE > nul
        8⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B46C9~1.EXE > nul
        7⤵
        
        PID:3536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D57EF~1.EXE > nul
        6⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7650~1.EXE > nul
        5⤵
        
        PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{00C77~1.EXE > nul
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{84FD2~1.EXE > nul
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00C778F3-95E9-4033-A062-569AF488253F}.exe

Filesize
216KB

MD5
6d1b51126975dc95c52c3b3546c7fc9f

SHA1
0d497767cdb70460b6e728225439f21390d988f8

SHA256
864e916a1510e9c6665ca1641d63bb0cd8bb419b85821de4add83624d1debec1

SHA512
8fe8b5b2a69ea3691f7695f9dea8e97c8a57b93ef448cee43e2679132be7147c9b73831eee1bf86dba78e01436a95cefdf1a3381601113ca583529650f940527

Download Submit
C:\Windows\{222EC5CD-E035-4bbe-9F66-DAED34CBCCC9}.exe

Filesize
216KB

MD5
395f9b10c09b0ea9805c960f0b545edd

SHA1
d641c3b0daeddb795494670a225858e4c516eae6

SHA256
2cba84fc599bc20f0d3a6bc3bac098124836c74e1a61a0b7709dd5362f89cf95

SHA512
339c33ab0f450c0c8ef7009ee54699578992194b94982ca88bff133ad926281c432f27ae99156e4937541dfca26ec823a3255785a63c82ef4692474eef5106a3

Download Submit
C:\Windows\{35796A09-7B78-4800-95BA-642AA5AFEE3C}.exe

Filesize
216KB

MD5
087916fba77c56687f631d0d019a539d

SHA1
53157ef3f63bcc1301ea9233c039a976642ba053

SHA256
ede11180ed28fe64ade246b0fcef7bc38c9ef783f61cde51821b1db15186f11e

SHA512
1bdb248fd73655aa75db7dc957cc20f5263c6b6a412162cd262f04cc24123812c1eee752f9fc25525d69a52c30300f3f20759b3848996324247e13c503d3465b

Download Submit
C:\Windows\{7415BD7E-F8AA-4842-AFAC-A8FBC6CE09A6}.exe

Filesize
216KB

MD5
9903c19b1435b48493277feebd2c3c04

SHA1
7ad3b909a80842fc3db4d35ea9e2f5e96bb0323e

SHA256
b322a13b9cafbb7f8666723499bc9b99fcb633899ea79420c8ecdb216e2943a8

SHA512
bcbc054b20fe52b8720fa948bef5a8928caae9c403569b4594b193216144a182b1e64a8a867615509459b0b6acf16decf0f2d3789760bdc11bab5df25da3f6d9

Download Submit
C:\Windows\{84FD2BDF-D4D4-454b-9E26-732BBDABEBDB}.exe

Filesize
216KB

MD5
f2e4add8c72fd490f0a82ca3b39d1a4c

SHA1
a75a9e0f3d4f775d35aeb461a74532b7f6236729

SHA256
f950381ae2fc8f5602418631ea810971ca975193809fed2a2de82c6939dd5ea9

SHA512
66f0a000860b5d0c663d8ae9dc6f4b8c4afeaa9ea09da2ef86ea57114c35b459c67cbceec0784e96f2a7f038ab2e9f5f13194b4f4bec7c8d73001daead8006db

Download Submit
C:\Windows\{AFB962D7-9DE4-470b-BA44-5F59EDF5E447}.exe

Filesize
216KB

MD5
9aa75b160b7b23710550bd23d8d9815a

SHA1
19c74ca76de38539a5e4c151335f57611e571cc2

SHA256
4f41e23699817ec55be1ba79e823d7d79933c37ce5a19caa151d60667e818af5

SHA512
42de91c4f606da0b84988ce3ae3e2ac6498e6e4d75f7f331fea915449cd6d36e5f4001edfac5f9e8f8b82e71835ffb474c8dad9a8e5ca49dac99cbf021138b92

Download Submit
C:\Windows\{B282720B-3C14-413f-BCD1-3A8501225758}.exe

Filesize
216KB

MD5
acd1e21ea6590a215517d00f2a6e0d96

SHA1
0e41846487b0089af95dc2c39a86eafa3bcd303c

SHA256
19c773b19e4f7a46e446432c3a643fedd1553006bb08f52148bc1d44b93c98c1

SHA512
b9cc7732da7d492ac9cfa5c2a82535301215add931a0c78323184f1723c1d979d7c01fa9425704c88132cfdf286d1de31d18225637f3aa7bad0183fab0a2e5df

Download Submit
C:\Windows\{B43D5F07-FA2C-43b3-B385-46E94DFBD870}.exe

Filesize
216KB

MD5
47c147ee41038bf53c7e416ec5beece0

SHA1
6b79191d5242db6cb349a80631f73b11b0f438ea

SHA256
1e03a987741f6d5130f4e99c81d309f976162a6f52bf3fe994c4efb6fed6c126

SHA512
a81960de6001d1be658a4f8bae3144130b8dc744a87cceb7facaeecb23a1390e80ad2cf797c24aa995f300a6eec83579238ad3de11cc49ee2b836837e5813375

Download Submit
C:\Windows\{B46C9612-C59D-4cd9-A683-ADD15BA265CD}.exe

Filesize
216KB

MD5
20f888adf3e3b7cea614404d9da38c67

SHA1
b3d5602aad45b9abe38a1c152c05bac254bb356a

SHA256
d14c1cb76e7d9c068c60d5ea00ae9f5aa5d468aff9159da9c17c985ec1fb39d7

SHA512
f340092a0307fec2449ebc6a5b694353c211817de4be31ca341ab93c417102a8a6f8025e7c8924ca9e9e0456d73f3c69c4ca825f19b8560aeb5b9adc3c2ac4f9

Download Submit
C:\Windows\{D57EF53D-90B3-47dc-8DFC-F8A286650175}.exe

Filesize
216KB

MD5
967ff4916debdd74ad5f11c7420fe18a

SHA1
08ccad7ebcdf0d8de6174209fcbc60085d4096ca

SHA256
e8b5b3e1041bd9d4529cfde290b2b470c2130fe8524545990155b861fb96c9e9

SHA512
261936debf6e1fb15db1a57aaf9d29fbb85b950485098ffa5fa3beb17ae9f00fda16b5b5b56e72f31af42776e41b47b10e01420219b0dca080fe00ad239c1e6e

Download Submit
C:\Windows\{D7650471-96CF-4739-8ABB-E628A9955845}.exe

Filesize
216KB

MD5
98b5f5cf20f4e7917b45ce66d70682dd

SHA1
4081b3877e6f4ed02db0d3b47803772fa587245f

SHA256
ae9b688d10ce5502df1525254bb1e7daa510adee72c0dc35585aaecce89018de

SHA512
02b8bb945ae106f4e450db990cbf87bcaedbc21bd9639ec3585a72344b51e6f440adeb1431e9d74d785a2505b94d7307a64f97ba466559e9885aeab4ad1030ed

Download Submit
C:\Windows\{FF19B288-7E26-492f-AD83-9584C9D71915}.exe

Filesize
216KB

MD5
72a873ebc3222e1c5461c67e7f5e4025

SHA1
1206f01ff6e6b6e37f0a5bbef6e6effc1a606c04

SHA256
425bf3ef032f2a3d1ffe3357bd5f5b2763a1c3cdda76c1a3bac05b9d7cffc0cd

SHA512
66d211a7e49d0a3929a3f8edeef350541442277c5ff4dc5f42fcbdca4b8c4d404aa0af8ffcd288f03d0408ff33a5fa64f0ff140ba844328b0aabf085a3bed0d6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads