26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe
Size

204KB
MD5

89b565ae54683fd4686b90f98a0736d3
SHA1

dbe785ba300339552b4e2aa28f05d7121190931c
SHA256

26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f
SHA512

dc726b33abf6812bfc990d0b74e0808e7769c7eaf8467cc9afdea2e806865d485bc3c9eb8d8ae35af850566234656c8b265d626530436341461dd1630fac4ccf
SSDEEP

1536:1EGh0o/l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o/l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233cf-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233d6-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000233ec-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000229b4-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000233d6-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000229b4-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000022fc4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023349-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023350-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006d9-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023350-43.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000022fb4-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10F339F7-A396-4d65-B996-FA46D01309ED}\stubpath = "C:\\Windows\\{10F339F7-A396-4d65-B996-FA46D01309ED}.exe"	{1296352B-26E8-4cb0-8589-1499AE45048F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C28CAF41-1737-426c-9A84-404C8377C50D}	{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E9C1941-1373-40c6-AE29-6769BBF0B40E}	{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E9C1941-1373-40c6-AE29-6769BBF0B40E}\stubpath = "C:\\Windows\\{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe"	{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6358B25E-706A-45bf-8738-12BD6EDC8428}	{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10F339F7-A396-4d65-B996-FA46D01309ED}	{1296352B-26E8-4cb0-8589-1499AE45048F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C98664C1-0F97-4fbf-A234-7D54B794470B}\stubpath = "C:\\Windows\\{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe"	{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B852A78-57EE-4ff7-94A1-806F7ADEDA52}	{0EF3EC7B-0060-4f3d-B89A-8ECA097E776C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B852A78-57EE-4ff7-94A1-806F7ADEDA52}\stubpath = "C:\\Windows\\{8B852A78-57EE-4ff7-94A1-806F7ADEDA52}.exe"	{0EF3EC7B-0060-4f3d-B89A-8ECA097E776C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C98664C1-0F97-4fbf-A234-7D54B794470B}	{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C28CAF41-1737-426c-9A84-404C8377C50D}\stubpath = "C:\\Windows\\{C28CAF41-1737-426c-9A84-404C8377C50D}.exe"	{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}\stubpath = "C:\\Windows\\{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe"	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60530639-E345-4e53-AAC0-9B2C49DCF691}	{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1296352B-26E8-4cb0-8589-1499AE45048F}	{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FA5A4A7-2188-4ea2-AA09-710370B459C9}	{10F339F7-A396-4d65-B996-FA46D01309ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1296352B-26E8-4cb0-8589-1499AE45048F}\stubpath = "C:\\Windows\\{1296352B-26E8-4cb0-8589-1499AE45048F}.exe"	{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FA5A4A7-2188-4ea2-AA09-710370B459C9}\stubpath = "C:\\Windows\\{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe"	{10F339F7-A396-4d65-B996-FA46D01309ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EF3EC7B-0060-4f3d-B89A-8ECA097E776C}	{C28CAF41-1737-426c-9A84-404C8377C50D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0EF3EC7B-0060-4f3d-B89A-8ECA097E776C}\stubpath = "C:\\Windows\\{0EF3EC7B-0060-4f3d-B89A-8ECA097E776C}.exe"	{C28CAF41-1737-426c-9A84-404C8377C50D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}	{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}\stubpath = "C:\\Windows\\{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe"	{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60530639-E345-4e53-AAC0-9B2C49DCF691}\stubpath = "C:\\Windows\\{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe"	{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6358B25E-706A-45bf-8738-12BD6EDC8428}\stubpath = "C:\\Windows\\{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe"	{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe

Executes dropped EXE 12 IoCs

pid	Process
1760	{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe
4008	{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe
428	{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe
3816	{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe
540	{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe
1972	{1296352B-26E8-4cb0-8589-1499AE45048F}.exe
3404	{10F339F7-A396-4d65-B996-FA46D01309ED}.exe
4100	{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe
1392	{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe
4908	{C28CAF41-1737-426c-9A84-404C8377C50D}.exe
4768	{0EF3EC7B-0060-4f3d-B89A-8ECA097E776C}.exe
3552	{8B852A78-57EE-4ff7-94A1-806F7ADEDA52}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C28CAF41-1737-426c-9A84-404C8377C50D}.exe	{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe
File created	C:\Windows\{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe	{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe
File created	C:\Windows\{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe	{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe
File created	C:\Windows\{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe	{10F339F7-A396-4d65-B996-FA46D01309ED}.exe
File created	C:\Windows\{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe	{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe
File created	C:\Windows\{10F339F7-A396-4d65-B996-FA46D01309ED}.exe	{1296352B-26E8-4cb0-8589-1499AE45048F}.exe
File created	C:\Windows\{0EF3EC7B-0060-4f3d-B89A-8ECA097E776C}.exe	{C28CAF41-1737-426c-9A84-404C8377C50D}.exe
File created	C:\Windows\{8B852A78-57EE-4ff7-94A1-806F7ADEDA52}.exe	{0EF3EC7B-0060-4f3d-B89A-8ECA097E776C}.exe
File created	C:\Windows\{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe
File created	C:\Windows\{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe	{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe
File created	C:\Windows\{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe	{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe
File created	C:\Windows\{1296352B-26E8-4cb0-8589-1499AE45048F}.exe	{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4648	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe
Token: SeIncBasePriorityPrivilege	1760	{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe
Token: SeIncBasePriorityPrivilege	4008	{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe
Token: SeIncBasePriorityPrivilege	428	{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe
Token: SeIncBasePriorityPrivilege	3816	{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe
Token: SeIncBasePriorityPrivilege	540	{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe
Token: SeIncBasePriorityPrivilege	1972	{1296352B-26E8-4cb0-8589-1499AE45048F}.exe
Token: SeIncBasePriorityPrivilege	3404	{10F339F7-A396-4d65-B996-FA46D01309ED}.exe
Token: SeIncBasePriorityPrivilege	4100	{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe
Token: SeIncBasePriorityPrivilege	1392	{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe
Token: SeIncBasePriorityPrivilege	4908	{C28CAF41-1737-426c-9A84-404C8377C50D}.exe
Token: SeIncBasePriorityPrivilege	4768	{0EF3EC7B-0060-4f3d-B89A-8ECA097E776C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 1760	4648	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	97
PID 4648 wrote to memory of 1760	4648	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	97
PID 4648 wrote to memory of 1760	4648	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	97
PID 4648 wrote to memory of 4168	4648	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	98
PID 4648 wrote to memory of 4168	4648	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	98
PID 4648 wrote to memory of 4168	4648	26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe	98
PID 1760 wrote to memory of 4008	1760	{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe	100
PID 1760 wrote to memory of 4008	1760	{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe	100
PID 1760 wrote to memory of 4008	1760	{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe	100
PID 1760 wrote to memory of 3788	1760	{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe	101
PID 1760 wrote to memory of 3788	1760	{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe	101
PID 1760 wrote to memory of 3788	1760	{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe	101
PID 4008 wrote to memory of 428	4008	{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe	105
PID 4008 wrote to memory of 428	4008	{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe	105
PID 4008 wrote to memory of 428	4008	{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe	105
PID 4008 wrote to memory of 1424	4008	{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe	106
PID 4008 wrote to memory of 1424	4008	{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe	106
PID 4008 wrote to memory of 1424	4008	{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe	106
PID 428 wrote to memory of 3816	428	{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe	107
PID 428 wrote to memory of 3816	428	{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe	107
PID 428 wrote to memory of 3816	428	{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe	107
PID 428 wrote to memory of 4364	428	{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe	108
PID 428 wrote to memory of 4364	428	{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe	108
PID 428 wrote to memory of 4364	428	{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe	108
PID 3816 wrote to memory of 540	3816	{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe	109
PID 3816 wrote to memory of 540	3816	{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe	109
PID 3816 wrote to memory of 540	3816	{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe	109
PID 3816 wrote to memory of 3252	3816	{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe	110
PID 3816 wrote to memory of 3252	3816	{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe	110
PID 3816 wrote to memory of 3252	3816	{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe	110
PID 540 wrote to memory of 1972	540	{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe	115
PID 540 wrote to memory of 1972	540	{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe	115
PID 540 wrote to memory of 1972	540	{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe	115
PID 540 wrote to memory of 4552	540	{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe	116
PID 540 wrote to memory of 4552	540	{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe	116
PID 540 wrote to memory of 4552	540	{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe	116
PID 1972 wrote to memory of 3404	1972	{1296352B-26E8-4cb0-8589-1499AE45048F}.exe	117
PID 1972 wrote to memory of 3404	1972	{1296352B-26E8-4cb0-8589-1499AE45048F}.exe	117
PID 1972 wrote to memory of 3404	1972	{1296352B-26E8-4cb0-8589-1499AE45048F}.exe	117
PID 1972 wrote to memory of 3196	1972	{1296352B-26E8-4cb0-8589-1499AE45048F}.exe	118
PID 1972 wrote to memory of 3196	1972	{1296352B-26E8-4cb0-8589-1499AE45048F}.exe	118
PID 1972 wrote to memory of 3196	1972	{1296352B-26E8-4cb0-8589-1499AE45048F}.exe	118
PID 3404 wrote to memory of 4100	3404	{10F339F7-A396-4d65-B996-FA46D01309ED}.exe	121
PID 3404 wrote to memory of 4100	3404	{10F339F7-A396-4d65-B996-FA46D01309ED}.exe	121
PID 3404 wrote to memory of 4100	3404	{10F339F7-A396-4d65-B996-FA46D01309ED}.exe	121
PID 3404 wrote to memory of 4648	3404	{10F339F7-A396-4d65-B996-FA46D01309ED}.exe	122
PID 3404 wrote to memory of 4648	3404	{10F339F7-A396-4d65-B996-FA46D01309ED}.exe	122
PID 3404 wrote to memory of 4648	3404	{10F339F7-A396-4d65-B996-FA46D01309ED}.exe	122
PID 4100 wrote to memory of 1392	4100	{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe	127
PID 4100 wrote to memory of 1392	4100	{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe	127
PID 4100 wrote to memory of 1392	4100	{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe	127
PID 4100 wrote to memory of 2484	4100	{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe	128
PID 4100 wrote to memory of 2484	4100	{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe	128
PID 4100 wrote to memory of 2484	4100	{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe	128
PID 1392 wrote to memory of 4908	1392	{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe	129
PID 1392 wrote to memory of 4908	1392	{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe	129
PID 1392 wrote to memory of 4908	1392	{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe	129
PID 1392 wrote to memory of 4992	1392	{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe	130
PID 1392 wrote to memory of 4992	1392	{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe	130
PID 1392 wrote to memory of 4992	1392	{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe	130
PID 4908 wrote to memory of 4768	4908	{C28CAF41-1737-426c-9A84-404C8377C50D}.exe	131
PID 4908 wrote to memory of 4768	4908	{C28CAF41-1737-426c-9A84-404C8377C50D}.exe	131
PID 4908 wrote to memory of 4768	4908	{C28CAF41-1737-426c-9A84-404C8377C50D}.exe	131
PID 4908 wrote to memory of 540	4908	{C28CAF41-1737-426c-9A84-404C8377C50D}.exe	132

C:\Users\Admin\AppData\Local\Temp\26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe
"C:\Users\Admin\AppData\Local\Temp\26794a04f5ff300a9c17b60c9a2e8d04e1026d6c3bf3a8ef4ee57dd1eb3ade5f.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe
  C:\Windows\{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe
    C:\Windows\{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe
      C:\Windows\{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Windows\{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe
        
        C:\Windows\{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3816
      - C:\Windows\{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe
        
        C:\Windows\{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\{1296352B-26E8-4cb0-8589-1499AE45048F}.exe
        
        C:\Windows\{1296352B-26E8-4cb0-8589-1499AE45048F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{10F339F7-A396-4d65-B996-FA46D01309ED}.exe
        
        C:\Windows\{10F339F7-A396-4d65-B996-FA46D01309ED}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe
        
        C:\Windows\{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe
        
        C:\Windows\{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\{C28CAF41-1737-426c-9A84-404C8377C50D}.exe
        
        C:\Windows\{C28CAF41-1737-426c-9A84-404C8377C50D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\{0EF3EC7B-0060-4f3d-B89A-8ECA097E776C}.exe
        
        C:\Windows\{0EF3EC7B-0060-4f3d-B89A-8ECA097E776C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\{8B852A78-57EE-4ff7-94A1-806F7ADEDA52}.exe
        
        C:\Windows\{8B852A78-57EE-4ff7-94A1-806F7ADEDA52}.exe
        13⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EF3E~1.EXE > nul
        13⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C28CA~1.EXE > nul
        12⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9866~1.EXE > nul
        11⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FA5A~1.EXE > nul
        10⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10F33~1.EXE > nul
        9⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12963~1.EXE > nul
        8⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6358B~1.EXE > nul
        7⤵
        
        PID:4552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60530~1.EXE > nul
        6⤵
        
        PID:3252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65D5C~1.EXE > nul
        5⤵
        
        PID:4364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0E9C1~1.EXE > nul
      4⤵
      PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C6BF6~1.EXE > nul
    3⤵
    PID:3788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\26794A~1.EXE > nul
  2⤵
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E9C1941-1373-40c6-AE29-6769BBF0B40E}.exe

Filesize
204KB

MD5
baaf1f62a62750da24ce8d475ce8852a

SHA1
eb2fca386ea3f6b84330ed55b24b17ed222b8ad2

SHA256
774b17a1eeccce06b5cc23240fe02a41a43d573e1027efac313e507a8fbebecb

SHA512
63731f0c935815f086ebe588add176e64d40701f55d7c376e553c96611a2442814d0ff2c82c94cf63d25cfc442598727905a12642e81a744eb104da4c95d4699

Download Submit
C:\Windows\{0EF3EC7B-0060-4f3d-B89A-8ECA097E776C}.exe

Filesize
204KB

MD5
1697115d3242bbf63c5832cb146b7dd2

SHA1
cfd86419e447721bfc1afd3d979f5ac67f8371c5

SHA256
1105bb177d3dd8183d3aaca5ec570f4773c07f47724509dff0e2b5f4f05a6cee

SHA512
ab2343d43a10c46689949f15d75d6095d7f1de93df16ee590d8242318a1fbfe5b66f73fe17539bfe8c7de12f6bf5a738ca9d247b3ac873b50bb6ac55d640c4a6

Download Submit
C:\Windows\{0FA5A4A7-2188-4ea2-AA09-710370B459C9}.exe

Filesize
204KB

MD5
5dbf0b3940432354f890c4b5160901b8

SHA1
ec5e0c73588259d8b3b0e7751cc9ff9c5182ad72

SHA256
12d0b4d8f14bab2740ea9f7759c6a26976bf9634a7472e37e60d1614bb68f492

SHA512
7b7b69531cd7eca991627cf7b479465652abd8ec5e306f070e65200b5adc532ff8b0733b412eaf62c7b1995e13cfb308b99899a1c4446159f2959afd7d0188c9

Download Submit
C:\Windows\{10F339F7-A396-4d65-B996-FA46D01309ED}.exe

Filesize
204KB

MD5
3c355939d3c91cd807f7a911829eaf15

SHA1
e831f52466b58c552f04aa06a6d356360d8948f6

SHA256
c470529e7609e96a7eaa93f4500fd5324001449f8cb502d3b13868c3ccea34e9

SHA512
371f8d47846ab4be6295d8887b52e28fb0b16a6124fbc451eadcfcb3275a107f86f2dd4f4f43ea8399522f1eda04751b8186f364190b65c10f3a9123b49521ac

Download Submit
C:\Windows\{1296352B-26E8-4cb0-8589-1499AE45048F}.exe

Filesize
204KB

MD5
ef153808288113b3f9a59e8c32afd592

SHA1
85598457da10e6faac43d702608db45d6ba8aaff

SHA256
a356ebdbeaf9f823f2d39687f55c13fbc4c0b7ba59ff22b4f8eacb8a1ab68c5a

SHA512
2de54760f9495e52a2628eb34d9e8f85fb0da97432063e4ce4c0e6e8b007700db662a8a20cbb0030318b59e278a479fa76721ac72311a9f05538c88229f75d3e

Download Submit
C:\Windows\{60530639-E345-4e53-AAC0-9B2C49DCF691}.exe

Filesize
204KB

MD5
91207fb4582c6c6e705924e9daabe8c5

SHA1
22d43568d05e7b967352e0050b0df6323484ba20

SHA256
5338b74bab3393fac843033090b564c4f0ab37f2f0e0fff738d232721131d471

SHA512
3b533a411e043b60ae6d203eb81ed84a7b6eec039016e6c4596e0f7667af59e1c56730d6785bed948278b8ead1977a07e5483b005335baad9bad017d01ad20a3

Download Submit
C:\Windows\{6358B25E-706A-45bf-8738-12BD6EDC8428}.exe

Filesize
204KB

MD5
942bca43143ad3c8ae6dc920e9cd491f

SHA1
8a110e529e2bf54d0f2715bbbaa6f18954004e6f

SHA256
5ce7a67eae83be2ec0542bb82fb541b2c0ac3796c45ac0aa960d631098f91515

SHA512
00ab8c1c2dd9073fbad1096b6e9d05075a23d8d318c3183d816c7d46427c2c3e1854640ac00b4e7deab82e4067e1f379306fcd0e84e34bc295b3307af9318e45

Download Submit
C:\Windows\{65D5CF72-25A9-49e5-8FBF-A2473DF78D77}.exe

Filesize
204KB

MD5
a8700a4e0338909becee3cd7a06df55b

SHA1
bfca300f480a4314bf50818e3945492e623e121d

SHA256
487e962b0e8dacb4775a5459691f3dcfec08cde94f577b376afc610bf380bb2f

SHA512
9ecea59e28f03fc8a9370b2f2a1713880f655eb6dc46996bf56dbc8b9f90afb0dd0b2ebca0f022bd584478c2574bad4486b95ed4f46ca7dc774b7c409bf4fdea

Download Submit
C:\Windows\{8B852A78-57EE-4ff7-94A1-806F7ADEDA52}.exe

Filesize
204KB

MD5
ebcf390009655a9e68ce7800c583618c

SHA1
eaf65e9ad363d632d0922cd6ae58ccbc5332f219

SHA256
f634a5321c9fe868ec5430e34401763d6fec51ac42652d11c2fee62a5ebb4094

SHA512
fd912f44c4b1e9031e42bcbb1ed800013195fe51e2a4f1e53528ff02cfded44caa18f957d653d03d6b6f98af414878e18ca1dec9f17487f49097c80bccebd278

Download Submit
C:\Windows\{C28CAF41-1737-426c-9A84-404C8377C50D}.exe

Filesize
204KB

MD5
a7865e2a6a392c60e1e25aaaaf97cf45

SHA1
f70ac43468153009e42ff243519696613c6a5bf6

SHA256
7f4bedfa56e6f97a2f26f275bed2b6be1b32202002c0b271b7dd4ef04e68614b

SHA512
f6a90d48d61348db689f3dbac29e2bcb5c7b28822abb9d6f934d4b8723e800a9c65ff891f283017b7f6c51a7b627169616c86be5528ffabbdfd3c555b3fd7c3c

Download Submit
C:\Windows\{C6BF61A3-6E34-4a8d-B652-AA21FA2F5AED}.exe

Filesize
204KB

MD5
2be828fcb9220d86f4239815bdfa6aa2

SHA1
fcc0d1e81a89a3bdb35a0f879a17e0eaa0ee49b5

SHA256
7b965efd5a80afc8b1fd640a3fa34ee877e4bae73d78040d7e5ada0904caafbb

SHA512
e79428aeea26d3b91483f46bd8fcbd03944edec7a4ac4a94c81b08e4201b4283ab26365039cc5dda175dc6bb1e20c6f958e3867fc759b68c80b28123ff666fad

Download Submit
C:\Windows\{C98664C1-0F97-4fbf-A234-7D54B794470B}.exe

Filesize
204KB

MD5
42031d29504f486579401f3f5d16ec68

SHA1
cf88edad24f8ea2f1b1f68d512666c42f83839ef

SHA256
ed84bcc06e00472a9be1a5e1f04795279e40b73c0b6b452c15207bc452366d01

SHA512
04ae12502ffc8aee4ad43a9064158aeaac5920048c5dde069fd742adbefdbe22a3e61908632b053abc527539840d018b182a9aa377fd6b4c1b0a0571c655e347

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads