3c5853fbb95c789d503579b036366c36082084bac5227e9339089973996aa365

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe
Size

408KB
MD5

7b5e497afbd69b2c570fbbd78086c62c
SHA1

38ea6589e54ec6f76a74621c09784f437cede600
SHA256

3c5853fbb95c789d503579b036366c36082084bac5227e9339089973996aa365
SHA512

c158c5a0bc4d380054a5245fd99698777288ff75fe7a09464a65fa81cf59afb83987a2892ff6b7221836e8b3b5bc2a6539493d20ef05e1cf66c4434a0391c4a8
SSDEEP

3072:CEGh0ool3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGKldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023363-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002337b-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002337e-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d0000000233fa-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002337e-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e0000000233fa-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002337e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f0000000233fa-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002337e-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00100000000233fa-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002337e-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3239348D-6AEF-486f-A1E2-D83E221EDAB5}\stubpath = "C:\\Windows\\{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe"	2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}\stubpath = "C:\\Windows\\{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe"	{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}	{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}\stubpath = "C:\\Windows\\{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe"	{613A24E6-02CC-49dc-AF7E-25333C008914}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8B649FC-1321-4030-8EC3-D74D977CC238}	{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}	{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}	{613A24E6-02CC-49dc-AF7E-25333C008914}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8B649FC-1321-4030-8EC3-D74D977CC238}\stubpath = "C:\\Windows\\{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe"	{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88D4230E-8E45-450e-9282-E7D76725D0E8}	{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88D4230E-8E45-450e-9282-E7D76725D0E8}\stubpath = "C:\\Windows\\{88D4230E-8E45-450e-9282-E7D76725D0E8}.exe"	{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}	{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}\stubpath = "C:\\Windows\\{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe"	{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}\stubpath = "C:\\Windows\\{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe"	{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}\stubpath = "C:\\Windows\\{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe"	{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBA73DA9-E82D-4b03-928E-409625AFEBB1}\stubpath = "C:\\Windows\\{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe"	{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613A24E6-02CC-49dc-AF7E-25333C008914}	{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{613A24E6-02CC-49dc-AF7E-25333C008914}\stubpath = "C:\\Windows\\{613A24E6-02CC-49dc-AF7E-25333C008914}.exe"	{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3239348D-6AEF-486f-A1E2-D83E221EDAB5}	2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}	{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}	{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}\stubpath = "C:\\Windows\\{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe"	{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBA73DA9-E82D-4b03-928E-409625AFEBB1}	{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe

Executes dropped EXE 11 IoCs

pid	Process
740	{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe
2008	{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe
1848	{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe
4376	{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe
3924	{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe
884	{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe
3568	{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe
3340	{613A24E6-02CC-49dc-AF7E-25333C008914}.exe
4832	{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe
4032	{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe
1700	{88D4230E-8E45-450e-9282-E7D76725D0E8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe	2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe
File created	C:\Windows\{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe	{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe
File created	C:\Windows\{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe	{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe
File created	C:\Windows\{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe	{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe
File created	C:\Windows\{88D4230E-8E45-450e-9282-E7D76725D0E8}.exe	{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe
File created	C:\Windows\{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe	{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe
File created	C:\Windows\{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe	{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe
File created	C:\Windows\{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe	{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe
File created	C:\Windows\{613A24E6-02CC-49dc-AF7E-25333C008914}.exe	{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe
File created	C:\Windows\{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe	{613A24E6-02CC-49dc-AF7E-25333C008914}.exe
File created	C:\Windows\{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe	{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3032	2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	740	{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe
Token: SeIncBasePriorityPrivilege	2008	{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe
Token: SeIncBasePriorityPrivilege	1848	{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe
Token: SeIncBasePriorityPrivilege	4376	{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe
Token: SeIncBasePriorityPrivilege	3924	{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe
Token: SeIncBasePriorityPrivilege	884	{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe
Token: SeIncBasePriorityPrivilege	3568	{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe
Token: SeIncBasePriorityPrivilege	3340	{613A24E6-02CC-49dc-AF7E-25333C008914}.exe
Token: SeIncBasePriorityPrivilege	4832	{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe
Token: SeIncBasePriorityPrivilege	4032	{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 740	3032	2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe	93
PID 3032 wrote to memory of 740	3032	2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe	93
PID 3032 wrote to memory of 740	3032	2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe	93
PID 3032 wrote to memory of 1000	3032	2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe	94
PID 3032 wrote to memory of 1000	3032	2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe	94
PID 3032 wrote to memory of 1000	3032	2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe	94
PID 740 wrote to memory of 2008	740	{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe	97
PID 740 wrote to memory of 2008	740	{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe	97
PID 740 wrote to memory of 2008	740	{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe	97
PID 740 wrote to memory of 4688	740	{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe	98
PID 740 wrote to memory of 4688	740	{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe	98
PID 740 wrote to memory of 4688	740	{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe	98
PID 2008 wrote to memory of 1848	2008	{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe	99
PID 2008 wrote to memory of 1848	2008	{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe	99
PID 2008 wrote to memory of 1848	2008	{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe	99
PID 2008 wrote to memory of 4924	2008	{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe	100
PID 2008 wrote to memory of 4924	2008	{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe	100
PID 2008 wrote to memory of 4924	2008	{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe	100
PID 1848 wrote to memory of 4376	1848	{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe	102
PID 1848 wrote to memory of 4376	1848	{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe	102
PID 1848 wrote to memory of 4376	1848	{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe	102
PID 1848 wrote to memory of 2832	1848	{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe	103
PID 1848 wrote to memory of 2832	1848	{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe	103
PID 1848 wrote to memory of 2832	1848	{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe	103
PID 4376 wrote to memory of 3924	4376	{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe	104
PID 4376 wrote to memory of 3924	4376	{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe	104
PID 4376 wrote to memory of 3924	4376	{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe	104
PID 4376 wrote to memory of 4048	4376	{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe	105
PID 4376 wrote to memory of 4048	4376	{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe	105
PID 4376 wrote to memory of 4048	4376	{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe	105
PID 3924 wrote to memory of 884	3924	{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe	106
PID 3924 wrote to memory of 884	3924	{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe	106
PID 3924 wrote to memory of 884	3924	{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe	106
PID 3924 wrote to memory of 4396	3924	{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe	107
PID 3924 wrote to memory of 4396	3924	{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe	107
PID 3924 wrote to memory of 4396	3924	{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe	107
PID 884 wrote to memory of 3568	884	{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe	108
PID 884 wrote to memory of 3568	884	{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe	108
PID 884 wrote to memory of 3568	884	{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe	108
PID 884 wrote to memory of 4700	884	{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe	109
PID 884 wrote to memory of 4700	884	{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe	109
PID 884 wrote to memory of 4700	884	{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe	109
PID 3568 wrote to memory of 3340	3568	{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe	110
PID 3568 wrote to memory of 3340	3568	{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe	110
PID 3568 wrote to memory of 3340	3568	{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe	110
PID 3568 wrote to memory of 4284	3568	{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe	111
PID 3568 wrote to memory of 4284	3568	{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe	111
PID 3568 wrote to memory of 4284	3568	{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe	111
PID 3340 wrote to memory of 4832	3340	{613A24E6-02CC-49dc-AF7E-25333C008914}.exe	112
PID 3340 wrote to memory of 4832	3340	{613A24E6-02CC-49dc-AF7E-25333C008914}.exe	112
PID 3340 wrote to memory of 4832	3340	{613A24E6-02CC-49dc-AF7E-25333C008914}.exe	112
PID 3340 wrote to memory of 1204	3340	{613A24E6-02CC-49dc-AF7E-25333C008914}.exe	113
PID 3340 wrote to memory of 1204	3340	{613A24E6-02CC-49dc-AF7E-25333C008914}.exe	113
PID 3340 wrote to memory of 1204	3340	{613A24E6-02CC-49dc-AF7E-25333C008914}.exe	113
PID 4832 wrote to memory of 4032	4832	{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe	114
PID 4832 wrote to memory of 4032	4832	{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe	114
PID 4832 wrote to memory of 4032	4832	{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe	114
PID 4832 wrote to memory of 2744	4832	{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe	115
PID 4832 wrote to memory of 2744	4832	{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe	115
PID 4832 wrote to memory of 2744	4832	{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe	115
PID 4032 wrote to memory of 1700	4032	{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe	116
PID 4032 wrote to memory of 1700	4032	{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe	116
PID 4032 wrote to memory of 1700	4032	{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe	116
PID 4032 wrote to memory of 4024	4032	{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_7b5e497afbd69b2c570fbbd78086c62c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe
  C:\Windows\{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe
    C:\Windows\{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe
      C:\Windows\{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Windows\{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe
        
        C:\Windows\{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
      - C:\Windows\{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe
        
        C:\Windows\{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe
        
        C:\Windows\{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe
        
        C:\Windows\{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\{613A24E6-02CC-49dc-AF7E-25333C008914}.exe
        
        C:\Windows\{613A24E6-02CC-49dc-AF7E-25333C008914}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe
        
        C:\Windows\{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe
        
        C:\Windows\{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\{88D4230E-8E45-450e-9282-E7D76725D0E8}.exe
        
        C:\Windows\{88D4230E-8E45-450e-9282-E7D76725D0E8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8B64~1.EXE > nul
        12⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77DB1~1.EXE > nul
        11⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{613A2~1.EXE > nul
        10⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBA73~1.EXE > nul
        9⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5EDA~1.EXE > nul
        8⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8AA5~1.EXE > nul
        7⤵
        
        PID:4396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EFB4~1.EXE > nul
        6⤵
        
        PID:4048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A21A9~1.EXE > nul
        5⤵
        
        PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{21B19~1.EXE > nul
      4⤵
      PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32393~1.EXE > nul
    3⤵
    PID:4688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EFB4D2F-B175-4489-8DEC-F94542FAC10A}.exe

Filesize
408KB

MD5
6c85f150fd395fbc0748239676230100

SHA1
7bed43815d2ade40b223ed6b331bca20fa9f0f2f

SHA256
014b7d577296b7d3576a9c3dd515e4ca9787f28389a1bb1093561b873334a07d

SHA512
d1d895723a04eb0d954201310acc48acb18a1965bfb6e3bb69894c87425ba93171b7ed8bd60c239ebf455c1706630c55de590ea977d9db2e6027bbf54199f1ad

Download Submit
C:\Windows\{21B19F58-5CB2-4ec5-9C85-9F017F2643D9}.exe

Filesize
408KB

MD5
aad0fec6e4e9aa2c6cc8393e90a00da0

SHA1
74217b63ff2a2818544641f74560f4566d302980

SHA256
8c4ce028e878f6fa5055a6825f201c7cea574c3936966e8239621eb56c14ec59

SHA512
7e731d59efe77cbb7b84bb72e82b4661e90dd21383d7e424c55c48b86385e7db2b84cce588f7d006a7eb9f1ae618beb04e84664fb9a4b18df81fb303a72c510f

Download Submit
C:\Windows\{3239348D-6AEF-486f-A1E2-D83E221EDAB5}.exe

Filesize
408KB

MD5
83013aeda36095af45896f3ada23caa5

SHA1
a70f35f21369f44a5cb9204308cba7258195ea39

SHA256
f346442cb59375385e10a10153a973f31a64a4d5f26628115dae5808471b28cd

SHA512
b21ae5e7d059b91f7c0da021e326568bf1921d43a760bd399c1c71348a4a0b2623787eec0399d37c0d264f865105f90e1a6ec8deb60393031f96d3c16a282fc8

Download Submit
C:\Windows\{613A24E6-02CC-49dc-AF7E-25333C008914}.exe

Filesize
408KB

MD5
156ba13fe968f589e04e1219c3bee2df

SHA1
f1405ae55ef96161fa15e412a979aa67b82e5585

SHA256
a207c556309c238cdc41e4c4bb7e854b21ba835e2ac6186bd49ef0d4af99b34e

SHA512
df71f9c67ace32ec0128163613c685090a2feea63855f37e7585bcb7a62d7197e0ca50435699da5de28366f445f65fc891e4322b3c9917a63583d56a47629c4d

Download Submit
C:\Windows\{77DB149B-2762-4b3b-8BD8-D2B141DD0AB5}.exe

Filesize
408KB

MD5
a05df58329b54ec2970444a6914e2c37

SHA1
0bdb3183ecd7953c6a97117b375636672855a7f9

SHA256
c636da1497f7156483c34b9d45e9980334f14fc270a4c8a3b55afb689c5c827f

SHA512
0644aa69dca0a477d4d67d061bcd8ff19fa253c0e79466f08997cdc932f9a32f5d0006955758913f5a23c70c20e67969b3ae306a4f50563c57d2f867173d4fe7

Download Submit
C:\Windows\{88D4230E-8E45-450e-9282-E7D76725D0E8}.exe

Filesize
408KB

MD5
e3dd4fbe757fec7f3bcfb42616f57d8c

SHA1
bfd0a9914b7eaac797db266b193f1341b5f17c98

SHA256
904c1e15be6b82d0baf8f9f082f3023c3d0537a6721cad51cd19e2ff7c98edf2

SHA512
b07448ebcec68ebd2d75607c71a8e147363bcfe590fd4f1362c39ab5431587b04141011c01d3708f57f74213975cf7146b952212182a3dbb48d015d5fcd1c3e6

Download Submit
C:\Windows\{A21A96C5-7EF2-40f6-A851-4BE69D8BEC62}.exe

Filesize
408KB

MD5
aee3b4977b92fdf16546da79d8f81350

SHA1
3a85908a1236ba8b47b81b0a66f4afb0c235d13f

SHA256
f45954d825c071243bd8901cea1871723c1e4816602229700263bf2487a75682

SHA512
cd1f670c15622c24e0cb14ab027d0b1d4a604d9e44d9585da22312054a9acf8ce518252f06c350ee2afdd72d7265de805984fae1b5a842dbbf08869ebaad7ca5

Download Submit
C:\Windows\{B5EDA5C2-FB9C-4c1d-BA89-9F71CE7F29D9}.exe

Filesize
408KB

MD5
55ada80390e284fd6ad08e7877a379d3

SHA1
519503ccd037b477f91ee484f791754e42c2c171

SHA256
4fa62a7ae5cb39cb3b0240b112ca47a9e3ef95282d6f141f512b5c9a9a4baff4

SHA512
efcbb0401d809873856c7fa3c3ce6b8f47d3fc3ed48ce1000d3511f1cc2b99662edb07ad1991d27c6b35f7c1f656a7f8b3f3d895b1b8e098e319fa829b22f8b8

Download Submit
C:\Windows\{D8B649FC-1321-4030-8EC3-D74D977CC238}.exe

Filesize
408KB

MD5
14d1d3551e900acae12ffe0a8dc8eb15

SHA1
8454d2f89964f4488122160d3dc0eaedd9ae0581

SHA256
06b6df174564a100315dcff5d6aeca21392a9b921ba4a23e95518e8c4bce8e7a

SHA512
51397139707630ce282f3cef4c083d5666d1fbaf503a7596cf3c3fbbdb4ea80d69e781b622ee1fa3b68e02c5e65716e098e78924f6fe00415287fa343f5b9380

Download Submit
C:\Windows\{EBA73DA9-E82D-4b03-928E-409625AFEBB1}.exe

Filesize
408KB

MD5
37706754eb0567a85d079af068b5d94c

SHA1
ab580f0fc88c51462bfa467270c33907b32da4a8

SHA256
eb284defc955c6574bacb2bec8b0aa05340e97100bfb4f7c8c6334858fdfb71d

SHA512
d5695468600a41d4d06c9e9d39768a422ab7a43461aa40d018f381b7b071eff12b2d9e22deae7020cf0f295dab8bff84c09005fa6b4e8df99ab8a055a3129ad9

Download Submit
C:\Windows\{F8AA58B8-CA7B-467f-8F5A-A36868C3C565}.exe

Filesize
408KB

MD5
cab76ad822ec0586ef1923768e3fdd20

SHA1
0aebd3304b6b1ff172380260090eff193b13888f

SHA256
37810d92ca65a194ebdee3d2d929e7b46ff8ab5edc5c69c6f19fb87a682ffdaf

SHA512
52250300c1aa34b2391282a757831d39588406e3054f4991cf06d8b06b75f9cbf0b01bf7893e7d4244b11088d0719da3e926569e43efa5b20cbab04ebe957893

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads