238abc117a0479481424865fa47ce3141b062bca539db5113e515508aea7802b

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe
Size

180KB
MD5

fbb99ef155747fcd5a35d4a595f7b4b3
SHA1

5d57f9fe9331737f71c64500a075896f21844dfd
SHA256

238abc117a0479481424865fa47ce3141b062bca539db5113e515508aea7802b
SHA512

9cd1338343fde2c24b1634e7fcb308a78c812b65cc67453342c0ef34de7281a8d9e80fd9504ad3e355addf72cc5c76c69c6040c11dac18ba25e3d99adde76206
SSDEEP

3072:jEGh0oAlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGWl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233fe-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233f6-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023408-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000233f6-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d000000023408-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002340c-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000e000000023408-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002342d-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00180000000233f6-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233f5-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00190000000233f6-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023369-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA61249F-26C0-4fdf-B937-671058963B01}	{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28848D22-71A5-451c-B14D-296677A3E05E}	{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5050663C-93DA-4301-9C6C-45430D339B02}\stubpath = "C:\\Windows\\{5050663C-93DA-4301-9C6C-45430D339B02}.exe"	{28848D22-71A5-451c-B14D-296677A3E05E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B22EEB4-3CBA-4791-B750-20E35A8039D2}	{5050663C-93DA-4301-9C6C-45430D339B02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2BDEF23-496C-4a13-B241-0A3A4E654563}	{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B22EEB4-3CBA-4791-B750-20E35A8039D2}\stubpath = "C:\\Windows\\{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe"	{5050663C-93DA-4301-9C6C-45430D339B02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA61249F-26C0-4fdf-B937-671058963B01}\stubpath = "C:\\Windows\\{EA61249F-26C0-4fdf-B937-671058963B01}.exe"	{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D4F4F06-8AB6-4571-A9D6-1729905829E1}	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93FBB75A-417C-459b-BACC-2584D71EEC31}\stubpath = "C:\\Windows\\{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe"	{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}	{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5050663C-93DA-4301-9C6C-45430D339B02}	{28848D22-71A5-451c-B14D-296677A3E05E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30A24F6D-8295-47e1-B84F-82FF8A543CC7}\stubpath = "C:\\Windows\\{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe"	{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}\stubpath = "C:\\Windows\\{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe"	{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2EFE32C-D934-4135-9402-8DC8ACF24C46}	{EA61249F-26C0-4fdf-B937-671058963B01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D4F4F06-8AB6-4571-A9D6-1729905829E1}\stubpath = "C:\\Windows\\{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe"	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{363B22FF-4DBC-497f-A013-F669AE41B5E6}	{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93FBB75A-417C-459b-BACC-2584D71EEC31}	{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30A24F6D-8295-47e1-B84F-82FF8A543CC7}	{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}	{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2EFE32C-D934-4135-9402-8DC8ACF24C46}\stubpath = "C:\\Windows\\{F2EFE32C-D934-4135-9402-8DC8ACF24C46}.exe"	{EA61249F-26C0-4fdf-B937-671058963B01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{363B22FF-4DBC-497f-A013-F669AE41B5E6}\stubpath = "C:\\Windows\\{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe"	{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}\stubpath = "C:\\Windows\\{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe"	{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28848D22-71A5-451c-B14D-296677A3E05E}\stubpath = "C:\\Windows\\{28848D22-71A5-451c-B14D-296677A3E05E}.exe"	{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2BDEF23-496C-4a13-B241-0A3A4E654563}\stubpath = "C:\\Windows\\{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe"	{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe

Executes dropped EXE 12 IoCs

pid	Process
900	{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe
1608	{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe
4424	{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe
404	{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe
1152	{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe
3900	{28848D22-71A5-451c-B14D-296677A3E05E}.exe
4328	{5050663C-93DA-4301-9C6C-45430D339B02}.exe
1936	{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe
4340	{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe
464	{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe
5028	{EA61249F-26C0-4fdf-B937-671058963B01}.exe
3328	{F2EFE32C-D934-4135-9402-8DC8ACF24C46}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe	{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe
File created	C:\Windows\{5050663C-93DA-4301-9C6C-45430D339B02}.exe	{28848D22-71A5-451c-B14D-296677A3E05E}.exe
File created	C:\Windows\{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe	{5050663C-93DA-4301-9C6C-45430D339B02}.exe
File created	C:\Windows\{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe	{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe
File created	C:\Windows\{F2EFE32C-D934-4135-9402-8DC8ACF24C46}.exe	{EA61249F-26C0-4fdf-B937-671058963B01}.exe
File created	C:\Windows\{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe
File created	C:\Windows\{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe	{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe
File created	C:\Windows\{28848D22-71A5-451c-B14D-296677A3E05E}.exe	{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe
File created	C:\Windows\{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe	{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe
File created	C:\Windows\{EA61249F-26C0-4fdf-B937-671058963B01}.exe	{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe
File created	C:\Windows\{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe	{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe
File created	C:\Windows\{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe	{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5016	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	900	{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe
Token: SeIncBasePriorityPrivilege	1608	{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe
Token: SeIncBasePriorityPrivilege	4424	{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe
Token: SeIncBasePriorityPrivilege	404	{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe
Token: SeIncBasePriorityPrivilege	1152	{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe
Token: SeIncBasePriorityPrivilege	3900	{28848D22-71A5-451c-B14D-296677A3E05E}.exe
Token: SeIncBasePriorityPrivilege	4328	{5050663C-93DA-4301-9C6C-45430D339B02}.exe
Token: SeIncBasePriorityPrivilege	1936	{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe
Token: SeIncBasePriorityPrivilege	4340	{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe
Token: SeIncBasePriorityPrivilege	464	{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe
Token: SeIncBasePriorityPrivilege	5028	{EA61249F-26C0-4fdf-B937-671058963B01}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 900	5016	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	100
PID 5016 wrote to memory of 900	5016	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	100
PID 5016 wrote to memory of 900	5016	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	100
PID 5016 wrote to memory of 936	5016	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	101
PID 5016 wrote to memory of 936	5016	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	101
PID 5016 wrote to memory of 936	5016	2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe	101
PID 900 wrote to memory of 1608	900	{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe	102
PID 900 wrote to memory of 1608	900	{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe	102
PID 900 wrote to memory of 1608	900	{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe	102
PID 900 wrote to memory of 2720	900	{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe	103
PID 900 wrote to memory of 2720	900	{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe	103
PID 900 wrote to memory of 2720	900	{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe	103
PID 1608 wrote to memory of 4424	1608	{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe	106
PID 1608 wrote to memory of 4424	1608	{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe	106
PID 1608 wrote to memory of 4424	1608	{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe	106
PID 1608 wrote to memory of 4588	1608	{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe	107
PID 1608 wrote to memory of 4588	1608	{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe	107
PID 1608 wrote to memory of 4588	1608	{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe	107
PID 4424 wrote to memory of 404	4424	{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe	108
PID 4424 wrote to memory of 404	4424	{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe	108
PID 4424 wrote to memory of 404	4424	{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe	108
PID 4424 wrote to memory of 1948	4424	{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe	109
PID 4424 wrote to memory of 1948	4424	{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe	109
PID 4424 wrote to memory of 1948	4424	{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe	109
PID 404 wrote to memory of 1152	404	{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe	110
PID 404 wrote to memory of 1152	404	{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe	110
PID 404 wrote to memory of 1152	404	{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe	110
PID 404 wrote to memory of 4436	404	{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe	111
PID 404 wrote to memory of 4436	404	{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe	111
PID 404 wrote to memory of 4436	404	{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe	111
PID 1152 wrote to memory of 3900	1152	{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe	116
PID 1152 wrote to memory of 3900	1152	{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe	116
PID 1152 wrote to memory of 3900	1152	{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe	116
PID 1152 wrote to memory of 4108	1152	{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe	117
PID 1152 wrote to memory of 4108	1152	{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe	117
PID 1152 wrote to memory of 4108	1152	{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe	117
PID 3900 wrote to memory of 4328	3900	{28848D22-71A5-451c-B14D-296677A3E05E}.exe	118
PID 3900 wrote to memory of 4328	3900	{28848D22-71A5-451c-B14D-296677A3E05E}.exe	118
PID 3900 wrote to memory of 4328	3900	{28848D22-71A5-451c-B14D-296677A3E05E}.exe	118
PID 3900 wrote to memory of 3328	3900	{28848D22-71A5-451c-B14D-296677A3E05E}.exe	119
PID 3900 wrote to memory of 3328	3900	{28848D22-71A5-451c-B14D-296677A3E05E}.exe	119
PID 3900 wrote to memory of 3328	3900	{28848D22-71A5-451c-B14D-296677A3E05E}.exe	119
PID 4328 wrote to memory of 1936	4328	{5050663C-93DA-4301-9C6C-45430D339B02}.exe	124
PID 4328 wrote to memory of 1936	4328	{5050663C-93DA-4301-9C6C-45430D339B02}.exe	124
PID 4328 wrote to memory of 1936	4328	{5050663C-93DA-4301-9C6C-45430D339B02}.exe	124
PID 4328 wrote to memory of 2460	4328	{5050663C-93DA-4301-9C6C-45430D339B02}.exe	125
PID 4328 wrote to memory of 2460	4328	{5050663C-93DA-4301-9C6C-45430D339B02}.exe	125
PID 4328 wrote to memory of 2460	4328	{5050663C-93DA-4301-9C6C-45430D339B02}.exe	125
PID 1936 wrote to memory of 4340	1936	{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe	130
PID 1936 wrote to memory of 4340	1936	{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe	130
PID 1936 wrote to memory of 4340	1936	{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe	130
PID 1936 wrote to memory of 2948	1936	{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe	131
PID 1936 wrote to memory of 2948	1936	{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe	131
PID 1936 wrote to memory of 2948	1936	{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe	131
PID 4340 wrote to memory of 464	4340	{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe	132
PID 4340 wrote to memory of 464	4340	{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe	132
PID 4340 wrote to memory of 464	4340	{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe	132
PID 4340 wrote to memory of 2096	4340	{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe	133
PID 4340 wrote to memory of 2096	4340	{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe	133
PID 4340 wrote to memory of 2096	4340	{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe	133
PID 464 wrote to memory of 5028	464	{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe	134
PID 464 wrote to memory of 5028	464	{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe	134
PID 464 wrote to memory of 5028	464	{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe	134
PID 464 wrote to memory of 4488	464	{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe	135

C:\Users\Admin\AppData\Local\Temp\2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_fbb99ef155747fcd5a35d4a595f7b4b3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe
  C:\Windows\{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe
    C:\Windows\{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe
      C:\Windows\{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe
        
        C:\Windows\{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
      - C:\Windows\{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe
        
        C:\Windows\{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{28848D22-71A5-451c-B14D-296677A3E05E}.exe
        
        C:\Windows\{28848D22-71A5-451c-B14D-296677A3E05E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\{5050663C-93DA-4301-9C6C-45430D339B02}.exe
        
        C:\Windows\{5050663C-93DA-4301-9C6C-45430D339B02}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe
        
        C:\Windows\{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe
        
        C:\Windows\{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe
        
        C:\Windows\{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\{EA61249F-26C0-4fdf-B937-671058963B01}.exe
        
        C:\Windows\{EA61249F-26C0-4fdf-B937-671058963B01}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\{F2EFE32C-D934-4135-9402-8DC8ACF24C46}.exe
        
        C:\Windows\{F2EFE32C-D934-4135-9402-8DC8ACF24C46}.exe
        13⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA612~1.EXE > nul
        13⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38D25~1.EXE > nul
        12⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2BDE~1.EXE > nul
        11⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B22E~1.EXE > nul
        10⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50506~1.EXE > nul
        9⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28848~1.EXE > nul
        8⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30A24~1.EXE > nul
        7⤵
        
        PID:4108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{367A9~1.EXE > nul
        6⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93FBB~1.EXE > nul
        5⤵
        
        PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{363B2~1.EXE > nul
      4⤵
      PID:4588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2D4F4~1.EXE > nul
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{28848D22-71A5-451c-B14D-296677A3E05E}.exe

Filesize
180KB

MD5
b476d26992595981413f280754fa7ac8

SHA1
100c09ef1a5faac73253783a4f46dc60b21ec719

SHA256
630114d14f3bfa290f9689651b23f07a1dca8eb9b3b61430fdeb4ee0796cd505

SHA512
3253cfff00e6bf43f344d01e489c4a1ea974063b636d5ea640ed75ed179aaa949b3cb9fb140cce5c978cefafdc466a619c7e564edcfe1d875b279d85c4bf1db0

Download Submit
C:\Windows\{2D4F4F06-8AB6-4571-A9D6-1729905829E1}.exe

Filesize
180KB

MD5
91e93081e3594a4ece573d4d01e4e9ab

SHA1
cf3857151e4b9f42455dbb5409d70556b15b1628

SHA256
97ea27f44f04faab1a5a5beb9e09cb3bf0fb079bbce37b93f016d4f0d250ec3d

SHA512
9b3cac0a951e84a84f91e0c85532899cd3d3d6b3d8cc854daa27d811c8309e77a3a41fce5ea40f8dea221d91ef073ab47d4618677d721d80ede64bb5efc7d17f

Download Submit
C:\Windows\{30A24F6D-8295-47e1-B84F-82FF8A543CC7}.exe

Filesize
180KB

MD5
693da5b2c2518abeee09a08841c43511

SHA1
442c89c875dca88fc303aa5833782d7357e82d4c

SHA256
041ee02511e5088f8d165b1c146c7e2c15e2545328c00ce907e3531387039a19

SHA512
236a3bb63546b92111882e7ce4d79c3d076bb86a2064519a80f6373ca2921db8af5a073b04aec077eb0cd5e1f5ac30eae730a0956873c29a37eab60032d6cf4d

Download Submit
C:\Windows\{363B22FF-4DBC-497f-A013-F669AE41B5E6}.exe

Filesize
180KB

MD5
fa6ba8d888ac6eae166d9c9cf8a9002f

SHA1
a883462051079f4e81086fafca5f70910b8bc0f3

SHA256
94cd040276bd5057713ff1591884b5d03d338af7edc4e75d0262d532fa817343

SHA512
7e57abba28279bd9b6d750f527c6f2ba3054ff0538ac3569f58128aa9b9ad3c6cb3a52af3015acc81d1781ec75a22b998ce783cb6efa8bf3cdce3f2dcd5cb8a1

Download Submit
C:\Windows\{367A9B0C-D4F8-4c89-9CCD-1982C5B4819F}.exe

Filesize
180KB

MD5
66633f7d24e569efbc046a001f7562c6

SHA1
23ca6184d6934827ad35f65a3f6205b6a4098952

SHA256
6bfcae6a8510b573364156fe1a8710e57e7782c879b8c491c3904309c3605f58

SHA512
d0f4c55f57a25dbb1dd065e912d96b2e27f2dadd59d42378ac509f032edf65a5a834c7444e82864680fd4f6892ac0d5df8c5734f191dfbf62317ed3707fa8e1b

Download Submit
C:\Windows\{38D25BF6-7B26-4e8d-9715-34F2D9EBE884}.exe

Filesize
180KB

MD5
622434ea435dedc6da4512d86b8652f6

SHA1
34efbfc598f017f6ab69095fecd6e311c9828b2d

SHA256
80681f0c0cfb938b72b4b72cd01793ffce8b907fd08a8dac7d83d876d1087cf4

SHA512
a2416ac41aeef7b7eff59b1ece24e21722d0fc04ae1403d27fbcd802424e099632a7a04491252ab9d9a69c6637f4d4a58f9347138ad592c77ce2b1f7c1533188

Download Submit
C:\Windows\{5050663C-93DA-4301-9C6C-45430D339B02}.exe

Filesize
180KB

MD5
14134ce155274ab4cf6ebe6fad97d9b6

SHA1
094bd07bfa5d1e3f5d63c76440ea9a8ee991d3e6

SHA256
9daac0c6121d7a7c360b97889c3b231a92617283385a1a221f1874dcc0c2c8db

SHA512
969cc945ee455eebe9b7220dcd17edaf86dccb1756e916781497f8801919739740eac66372e90b0fc61ff10bc033e31e985d239419c5a226272ed33c12928f83

Download Submit
C:\Windows\{8B22EEB4-3CBA-4791-B750-20E35A8039D2}.exe

Filesize
180KB

MD5
db2bf01c7643cc55087dd93c8efeaaa9

SHA1
ff3e183f95734d2376157f74bf1bba5fddc28412

SHA256
32729eb5704c7922477db067741bc6937e7cd0e8873b3032cd9b2020c45745fe

SHA512
0f2e4ad0723646196f8aac4e6c19fbe62093c1fac5cb5207038ec0371e569f8668c57093879c02ca04f08bd440c1673eb4c3664747bd14b916288aa18a292a40

Download Submit
C:\Windows\{93FBB75A-417C-459b-BACC-2584D71EEC31}.exe

Filesize
180KB

MD5
1815a53a9f7ce1ca9a3a3bf66ff12139

SHA1
d5fe7210c22e1adb2e5f4285058ff89fd89e3e87

SHA256
a2df40bf8a81ea58df7ef12dea9bc1b1149a71d54903a11f3ac3cd0b66ffb570

SHA512
ac1b548613ffba7ffb247a07e15ce8302b39c68811aaedfd2908aa6ee4479f5cd88528965899136699c33f0e54fc89800345ada288af538009003b926a1fd828

Download Submit
C:\Windows\{B2BDEF23-496C-4a13-B241-0A3A4E654563}.exe

Filesize
180KB

MD5
fdc04150c9c1bbb7c001bfe77b2225e1

SHA1
55857f1c10e961964613a30cf5634d963826e59d

SHA256
5e6976cead7ad19b6be836b241761d05789ca16d238525e2f4d9af70a6b411fe

SHA512
5ff0eaf60c76d6fd9736ad4cf4bdafb2938ad473cef4d67d3b92c9f7705490a79b2c722f3774beb56ab1b4aaacf5fcb2a8af8e0cec4a7694b61c7f808871fcd8

Download Submit
C:\Windows\{EA61249F-26C0-4fdf-B937-671058963B01}.exe

Filesize
180KB

MD5
59bee4402c45c1f8bcc381db59b82456

SHA1
70de32ce0bd77d3175086b0355a16b62383426ce

SHA256
72f4e9cf94ddd416d9689a1b5f368c54e1751d98b54b80c22e21aebbe4bf9771

SHA512
ac7b727e353052a580a94ed64c5d3e9adb97db4cde911fbe47bce48b06b619bce8a9f7e5528f5f967c8f74e1e0f523e0748660970cb7b1e9f976b9e95aac0df9

Download Submit
C:\Windows\{F2EFE32C-D934-4135-9402-8DC8ACF24C46}.exe

Filesize
180KB

MD5
ded8a3317ac01088b609a05be25000df

SHA1
541be92b9b9c10106ffe43c81d7d62631a5de9b1

SHA256
83da1f29142fd88e0cce68acc614b19fbed135a58d2acdaccdb55b7546cb1d85

SHA512
9bb6871aeebee65c6b9462f36ea0ce070bd2175f4595bcb1dc0d1d0d9034a7fa0718bf0a72b7fc29607487882ca6db9968fac5935cdfd6b343a50a84c293b73a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads