7a77316e0f9da3c4700bc23bcd1de87615ff74a5032e981ae584013e65c8e27a

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe
Size

180KB
MD5

a875ba70957756537d41de15f7a8b369
SHA1

271003a53953078c14d79e77c0867f1345d8c2c1
SHA256

7a77316e0f9da3c4700bc23bcd1de87615ff74a5032e981ae584013e65c8e27a
SHA512

ae477b2115d610a581b64fe797a65e6f342b3bc5b53160a8c051dad7afa759447b9df78dc4b2e3c5f024fb1ace3e49018d21e80b7b7d3198db9935d9989c9e5a
SSDEEP

3072:jEGh0oGlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGol5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233eb-3.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000234de-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000f00000002333c-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016956-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000016963-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000001e4e7-23.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0005000000016963-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000001e4e7-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002351a-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023614-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002367c-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e00000002333d-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0D83714-5A70-4241-8FE6-B170C05914D8}	{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D451818-AA3C-4a03-B607-0C20AA69F68D}	{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98536696-EBD1-471a-BBDF-39D8AD88B11B}	{3400A57B-F726-47ff-B211-22DADCA265E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3638CA54-455F-49ac-A17E-3055F7402885}	{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A705AA45-CFE1-452f-909A-2D603A05972C}	{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A705AA45-CFE1-452f-909A-2D603A05972C}\stubpath = "C:\\Windows\\{A705AA45-CFE1-452f-909A-2D603A05972C}.exe"	{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}	{A705AA45-CFE1-452f-909A-2D603A05972C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0D83714-5A70-4241-8FE6-B170C05914D8}\stubpath = "C:\\Windows\\{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe"	{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CF91301-F315-42b0-BD13-037D32267210}	{7D451818-AA3C-4a03-B607-0C20AA69F68D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CF91301-F315-42b0-BD13-037D32267210}\stubpath = "C:\\Windows\\{7CF91301-F315-42b0-BD13-037D32267210}.exe"	{7D451818-AA3C-4a03-B607-0C20AA69F68D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98536696-EBD1-471a-BBDF-39D8AD88B11B}\stubpath = "C:\\Windows\\{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe"	{3400A57B-F726-47ff-B211-22DADCA265E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86F61C0C-A568-478a-8AD6-87CD79FC6912}\stubpath = "C:\\Windows\\{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe"	{3638CA54-455F-49ac-A17E-3055F7402885}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}	{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC9DF494-B62E-4e8e-A731-45CACCC724AE}	{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC9DF494-B62E-4e8e-A731-45CACCC724AE}\stubpath = "C:\\Windows\\{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe"	{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}\stubpath = "C:\\Windows\\{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe"	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3400A57B-F726-47ff-B211-22DADCA265E6}	{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3400A57B-F726-47ff-B211-22DADCA265E6}\stubpath = "C:\\Windows\\{3400A57B-F726-47ff-B211-22DADCA265E6}.exe"	{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}\stubpath = "C:\\Windows\\{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe"	{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3638CA54-455F-49ac-A17E-3055F7402885}\stubpath = "C:\\Windows\\{3638CA54-455F-49ac-A17E-3055F7402885}.exe"	{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86F61C0C-A568-478a-8AD6-87CD79FC6912}	{3638CA54-455F-49ac-A17E-3055F7402885}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}\stubpath = "C:\\Windows\\{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe"	{A705AA45-CFE1-452f-909A-2D603A05972C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D451818-AA3C-4a03-B607-0C20AA69F68D}\stubpath = "C:\\Windows\\{7D451818-AA3C-4a03-B607-0C20AA69F68D}.exe"	{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe

Executes dropped EXE 12 IoCs

pid	Process
4116	{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe
2784	{3400A57B-F726-47ff-B211-22DADCA265E6}.exe
4024	{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe
1060	{3638CA54-455F-49ac-A17E-3055F7402885}.exe
3696	{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe
1196	{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe
1612	{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe
1008	{A705AA45-CFE1-452f-909A-2D603A05972C}.exe
1464	{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe
3516	{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe
3280	{7D451818-AA3C-4a03-B607-0C20AA69F68D}.exe
4540	{7CF91301-F315-42b0-BD13-037D32267210}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7CF91301-F315-42b0-BD13-037D32267210}.exe	{7D451818-AA3C-4a03-B607-0C20AA69F68D}.exe
File created	C:\Windows\{3400A57B-F726-47ff-B211-22DADCA265E6}.exe	{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe
File created	C:\Windows\{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe	{3400A57B-F726-47ff-B211-22DADCA265E6}.exe
File created	C:\Windows\{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe	{3638CA54-455F-49ac-A17E-3055F7402885}.exe
File created	C:\Windows\{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe	{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe
File created	C:\Windows\{A705AA45-CFE1-452f-909A-2D603A05972C}.exe	{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe
File created	C:\Windows\{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe	{A705AA45-CFE1-452f-909A-2D603A05972C}.exe
File created	C:\Windows\{7D451818-AA3C-4a03-B607-0C20AA69F68D}.exe	{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe
File created	C:\Windows\{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe
File created	C:\Windows\{3638CA54-455F-49ac-A17E-3055F7402885}.exe	{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe
File created	C:\Windows\{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe	{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe
File created	C:\Windows\{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe	{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4088	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4116	{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe
Token: SeIncBasePriorityPrivilege	2784	{3400A57B-F726-47ff-B211-22DADCA265E6}.exe
Token: SeIncBasePriorityPrivilege	4024	{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe
Token: SeIncBasePriorityPrivilege	1060	{3638CA54-455F-49ac-A17E-3055F7402885}.exe
Token: SeIncBasePriorityPrivilege	3696	{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe
Token: SeIncBasePriorityPrivilege	1196	{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe
Token: SeIncBasePriorityPrivilege	1612	{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe
Token: SeIncBasePriorityPrivilege	1008	{A705AA45-CFE1-452f-909A-2D603A05972C}.exe
Token: SeIncBasePriorityPrivilege	1464	{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe
Token: SeIncBasePriorityPrivilege	3516	{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe
Token: SeIncBasePriorityPrivilege	3280	{7D451818-AA3C-4a03-B607-0C20AA69F68D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 4116	4088	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	97
PID 4088 wrote to memory of 4116	4088	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	97
PID 4088 wrote to memory of 4116	4088	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	97
PID 4088 wrote to memory of 2632	4088	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	98
PID 4088 wrote to memory of 2632	4088	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	98
PID 4088 wrote to memory of 2632	4088	2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe	98
PID 4116 wrote to memory of 2784	4116	{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe	99
PID 4116 wrote to memory of 2784	4116	{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe	99
PID 4116 wrote to memory of 2784	4116	{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe	99
PID 4116 wrote to memory of 3732	4116	{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe	100
PID 4116 wrote to memory of 3732	4116	{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe	100
PID 4116 wrote to memory of 3732	4116	{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe	100
PID 2784 wrote to memory of 4024	2784	{3400A57B-F726-47ff-B211-22DADCA265E6}.exe	103
PID 2784 wrote to memory of 4024	2784	{3400A57B-F726-47ff-B211-22DADCA265E6}.exe	103
PID 2784 wrote to memory of 4024	2784	{3400A57B-F726-47ff-B211-22DADCA265E6}.exe	103
PID 2784 wrote to memory of 3684	2784	{3400A57B-F726-47ff-B211-22DADCA265E6}.exe	104
PID 2784 wrote to memory of 3684	2784	{3400A57B-F726-47ff-B211-22DADCA265E6}.exe	104
PID 2784 wrote to memory of 3684	2784	{3400A57B-F726-47ff-B211-22DADCA265E6}.exe	104
PID 4024 wrote to memory of 1060	4024	{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe	105
PID 4024 wrote to memory of 1060	4024	{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe	105
PID 4024 wrote to memory of 1060	4024	{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe	105
PID 4024 wrote to memory of 1484	4024	{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe	106
PID 4024 wrote to memory of 1484	4024	{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe	106
PID 4024 wrote to memory of 1484	4024	{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe	106
PID 1060 wrote to memory of 3696	1060	{3638CA54-455F-49ac-A17E-3055F7402885}.exe	107
PID 1060 wrote to memory of 3696	1060	{3638CA54-455F-49ac-A17E-3055F7402885}.exe	107
PID 1060 wrote to memory of 3696	1060	{3638CA54-455F-49ac-A17E-3055F7402885}.exe	107
PID 1060 wrote to memory of 4316	1060	{3638CA54-455F-49ac-A17E-3055F7402885}.exe	108
PID 1060 wrote to memory of 4316	1060	{3638CA54-455F-49ac-A17E-3055F7402885}.exe	108
PID 1060 wrote to memory of 4316	1060	{3638CA54-455F-49ac-A17E-3055F7402885}.exe	108
PID 3696 wrote to memory of 1196	3696	{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe	114
PID 3696 wrote to memory of 1196	3696	{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe	114
PID 3696 wrote to memory of 1196	3696	{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe	114
PID 3696 wrote to memory of 4328	3696	{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe	115
PID 3696 wrote to memory of 4328	3696	{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe	115
PID 3696 wrote to memory of 4328	3696	{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe	115
PID 1196 wrote to memory of 1612	1196	{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe	116
PID 1196 wrote to memory of 1612	1196	{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe	116
PID 1196 wrote to memory of 1612	1196	{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe	116
PID 1196 wrote to memory of 548	1196	{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe	117
PID 1196 wrote to memory of 548	1196	{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe	117
PID 1196 wrote to memory of 548	1196	{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe	117
PID 1612 wrote to memory of 1008	1612	{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe	119
PID 1612 wrote to memory of 1008	1612	{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe	119
PID 1612 wrote to memory of 1008	1612	{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe	119
PID 1612 wrote to memory of 2784	1612	{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe	120
PID 1612 wrote to memory of 2784	1612	{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe	120
PID 1612 wrote to memory of 2784	1612	{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe	120
PID 1008 wrote to memory of 1464	1008	{A705AA45-CFE1-452f-909A-2D603A05972C}.exe	128
PID 1008 wrote to memory of 1464	1008	{A705AA45-CFE1-452f-909A-2D603A05972C}.exe	128
PID 1008 wrote to memory of 1464	1008	{A705AA45-CFE1-452f-909A-2D603A05972C}.exe	128
PID 1008 wrote to memory of 2416	1008	{A705AA45-CFE1-452f-909A-2D603A05972C}.exe	129
PID 1008 wrote to memory of 2416	1008	{A705AA45-CFE1-452f-909A-2D603A05972C}.exe	129
PID 1008 wrote to memory of 2416	1008	{A705AA45-CFE1-452f-909A-2D603A05972C}.exe	129
PID 1464 wrote to memory of 3516	1464	{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe	130
PID 1464 wrote to memory of 3516	1464	{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe	130
PID 1464 wrote to memory of 3516	1464	{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe	130
PID 1464 wrote to memory of 3608	1464	{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe	131
PID 1464 wrote to memory of 3608	1464	{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe	131
PID 1464 wrote to memory of 3608	1464	{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe	131
PID 3516 wrote to memory of 3280	3516	{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe	132
PID 3516 wrote to memory of 3280	3516	{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe	132
PID 3516 wrote to memory of 3280	3516	{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe	132
PID 3516 wrote to memory of 1688	3516	{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe	133

C:\Users\Admin\AppData\Local\Temp\2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_a875ba70957756537d41de15f7a8b369_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe
  C:\Windows\{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\{3400A57B-F726-47ff-B211-22DADCA265E6}.exe
    C:\Windows\{3400A57B-F726-47ff-B211-22DADCA265E6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe
      C:\Windows\{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4024
    - - C:\Windows\{3638CA54-455F-49ac-A17E-3055F7402885}.exe
        
        C:\Windows\{3638CA54-455F-49ac-A17E-3055F7402885}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe
        
        C:\Windows\{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe
        
        C:\Windows\{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe
        
        C:\Windows\{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{A705AA45-CFE1-452f-909A-2D603A05972C}.exe
        
        C:\Windows\{A705AA45-CFE1-452f-909A-2D603A05972C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe
        
        C:\Windows\{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe
        
        C:\Windows\{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\{7D451818-AA3C-4a03-B607-0C20AA69F68D}.exe
        
        C:\Windows\{7D451818-AA3C-4a03-B607-0C20AA69F68D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
        
        C:\Windows\{7CF91301-F315-42b0-BD13-037D32267210}.exe
        
        C:\Windows\{7CF91301-F315-42b0-BD13-037D32267210}.exe
        13⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D451~1.EXE > nul
        13⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0D83~1.EXE > nul
        12⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0EC9~1.EXE > nul
        11⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A705A~1.EXE > nul
        10⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC9DF~1.EXE > nul
        9⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF0B2~1.EXE > nul
        8⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86F61~1.EXE > nul
        7⤵
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3638C~1.EXE > nul
        6⤵
        
        PID:4316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98536~1.EXE > nul
        5⤵
        
        PID:1484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3400A~1.EXE > nul
      4⤵
      PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1B87E~1.EXE > nul
    3⤵
    PID:3732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B87E0A1-A3EF-476c-9ABF-07DF401CB947}.exe

Filesize
180KB

MD5
da4ba6ed2b86162aeca6ccb5dd203d3a

SHA1
d154d9108f0c7a02e6d0f4c576ba7ebaa954252a

SHA256
0154a91e925150f2095a031536095aebd42f29939cab786a5cf3a15309defb2d

SHA512
710f27ceff2d210faac7c41bb2f7141faeaa6193dbe3b8d7ef3a72987ed8ce2b8c4436c1574014ab4a24f4dca0a63ea4154afea1de557b2a9976665a86a9b18c

Download Submit
C:\Windows\{3400A57B-F726-47ff-B211-22DADCA265E6}.exe

Filesize
180KB

MD5
d77dac8d72bdd55cd0a4b71c304fc82a

SHA1
ed28ad80c59d893286c0c64d4f1e6fe8a03f23e4

SHA256
7dcd1c243312a59132cd556b11b9ec69422090b74cb640622978c21a889193fc

SHA512
35fc7629d9fa228e206386b2838275c2db39952dbc30e545ccfbd417fd5e9af79559e7db7ee16e63f79199dcff96255dee52438f5fb673cff0ab9044e99a2b34

Download Submit
C:\Windows\{3638CA54-455F-49ac-A17E-3055F7402885}.exe

Filesize
180KB

MD5
0303544c1615df200901c29e8e3492a4

SHA1
ec838523b2a1b7f99c6fa30f48d3d1388c5079f2

SHA256
94edf13d9e8d3bc67e5113228480461f9b21d6a6e7e23430835d107b713b2a3f

SHA512
ae15ed00b6ef84179fd0cbdfa272b749ef2d1d7e091893f018a843e401995cd84f8dbcf5a3734f54f9b9c9f97110e6af398d4ccde57adbc1f0a6bd461929e2d8

Download Submit
C:\Windows\{7CF91301-F315-42b0-BD13-037D32267210}.exe

Filesize
180KB

MD5
7f03a4aafcb7b649a50d3894d90466c5

SHA1
71de86d242b9d75f1d4afd88b4989c4073cf6c77

SHA256
755d8dae21e731c20ccddbc1341bb7996fabc8660d59c07316a81625579fc41f

SHA512
a9ff7ca0dded6f5f331e310f16384641d57283d6dce70867fa92b3f1a0abd455328047e1c2e7d30bef914676a7f9fda0729e8490c99257fa18b64de7a4344cda

Download Submit
C:\Windows\{7D451818-AA3C-4a03-B607-0C20AA69F68D}.exe

Filesize
180KB

MD5
834128e139e12754ac25589c6b39bdb5

SHA1
4a7cc121a209eac66fa673a34d8f628068ea6eb0

SHA256
f0b687877e93de3c73a1f9403002664ba2d7e957bc20bfe29eace5d7b1db334e

SHA512
292ea521071c8618d62a209e17c20045c87c57c94124ea8140625dc473dbbc9534406e7ba9d2b145e8519f5a0de6745f15daade4a27604a45ef2dabd325901eb

Download Submit
C:\Windows\{86F61C0C-A568-478a-8AD6-87CD79FC6912}.exe

Filesize
180KB

MD5
f37d5e834f2b2196340ce973bef8506f

SHA1
5148068737c84c998799392f6d8f9a960956a836

SHA256
82c4c38bfffa0cec4ff7e878ca88bd6fc0396f0e6f23270360ea0a47a5e0e68a

SHA512
f4ae5c81058b5091c535de5e55d0a4ee6dfc77a9c589166721ebb8979268da6d71aa5a7ef3f755ee65cfc93a7581caa861ed7612b81aadfca32d1023f0a5a7e1

Download Submit
C:\Windows\{98536696-EBD1-471a-BBDF-39D8AD88B11B}.exe

Filesize
180KB

MD5
9b77aeb82b4bbf7db08f65ab6a170454

SHA1
fda5696dfb195056d3a2f672b3f63141bc1ebdf7

SHA256
04d4fd07accdf9359e44a1dc61a9be8dcffea4b20faa99a88d1d091e5dd06fe0

SHA512
93eaaf3090406114eec52b743ec4ce512f858bd0c58b65a175938b6fa44aafc9ba7ff130312a137817261fe538cb841879425b1c5e066a5c68f9b38488038959

Download Submit
C:\Windows\{A0D83714-5A70-4241-8FE6-B170C05914D8}.exe

Filesize
180KB

MD5
05a893f8ea4799b3dc34543b3838a2af

SHA1
021b4dd6268a7d0eff538d6f0ff9f02056777d83

SHA256
8091cb8622cafb0744e236b44a3984bcf86dc95d50ffa0b4c246397d5b937c8a

SHA512
f5b02ea548515c24c3e21cfce6b636e89ba24ba2abc5cbc374c0d28e9abeaa85ad5eef873403f92de974dcacbf9f449ad6bbefadd45e258e735af7c3334152b9

Download Submit
C:\Windows\{A705AA45-CFE1-452f-909A-2D603A05972C}.exe

Filesize
180KB

MD5
a5999d09b10fb5f903a75a58be44c973

SHA1
70fdf328f965aed9d1a6f34a578c85a7583985c3

SHA256
563d319d43fbb88e882cd6d0f271e5fdd3311d3a33b6d01aebbe970466cff2ba

SHA512
33d73ecf93d19490bb3aca7d76e5388f5663a278ffda4c918fbc7388117f8d7b3cff9fae919c2aaa8a354da2bdb627503bf2deb3c6be049ca1722dbf9398e398

Download Submit
C:\Windows\{D0EC9D57-EE4F-4d19-AF43-274D65C52B5D}.exe

Filesize
180KB

MD5
7e344f4cc49d319544d096a783732458

SHA1
be55ab5855b302a8d8aaa76d65f421a0e0eee424

SHA256
e902951adbbbf8e38ecba45e77e98c72ad954a924652bdb9890dc54fa23432b9

SHA512
097213c42c35d91209bb5bdae1844dd239d4bed57c1b8054079c2ef568db6c64b276fe4ef5b31d4eddc89274e5bc33c5e6409f06bffc0945a0f9f8a7ef6d9787

Download Submit
C:\Windows\{EF0B24D7-2E69-4bb3-8AA5-3C935F36CB62}.exe

Filesize
180KB

MD5
f6851fbe3fbeb7d38e5d8301206c0a3f

SHA1
933481c2d96ee256f71d242b5b7edfbf35c4ed3b

SHA256
30906cac4ceae5ac73a22bdb232ea3fdc1c15b9f027d1b49a5dccd30922c3402

SHA512
a9de780f9a2b5a4bc9b201202dcf94a73cde63ff6116fd672a13fb24ef1bec0ed1f70076f30ac5d091a9ea15a2bc03c1c1d1dd7cec52547cacba023bc87182a5

Download Submit
C:\Windows\{FC9DF494-B62E-4e8e-A731-45CACCC724AE}.exe

Filesize
180KB

MD5
2f2193cc5d9ac191215e0e4b6905743e

SHA1
19b47b4d6d8e785647eea375dc09f4e41b526322

SHA256
90a2a7321f087bcc9e0b420880a86615ae3252c1f88f9bcb799fdf692af4d6e1

SHA512
4e2c49bb329d842b05c3eb32ca82d216412d8a1d8edcd5861d29af9dbdc0b1bd449ffe0fa04bff214aa5f250ca3859adeb549fc917c3113e7c4b4ed594d8eb82

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads