bac3dc51765d9c6b82315c5424934ed12354ce3c40b95b183778fd536953592e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe
Size

344KB
MD5

d18d30b76493ee5d1827d0eac5e2706f
SHA1

c7148cc22484524ece7848c57ce2e240d5cbdaa8
SHA256

bac3dc51765d9c6b82315c5424934ed12354ce3c40b95b183778fd536953592e
SHA512

db0d19920f1f88520521f9a23500216ccb3de1d70ec5b529a0518958781431bc462666df94594d85a086e3414baf7b7314ce6294bd642e137d735076a9e3898b
SSDEEP

3072:mEGh0o/lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGBlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023423-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002342d-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002343d-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023449-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00040000000229d6-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000900000002353b-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00050000000229d6-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000001db28-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023555-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002355b-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000001db28-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002353b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08FCB9C4-1030-41e9-98BB-3FE63E519C51}	{ACEB6E1F-5E5C-40a6-932F-C6BEF99F3820}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6060234C-8269-4607-B614-1A0650562838}\stubpath = "C:\\Windows\\{6060234C-8269-4607-B614-1A0650562838}.exe"	{1C144617-1583-480a-9EDC-8591B5FCF679}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05678422-C1F2-4453-8889-113F3060BD4B}\stubpath = "C:\\Windows\\{05678422-C1F2-4453-8889-113F3060BD4B}.exe"	{D795A3F1-BCEB-4431-903A-783503FCF247}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}\stubpath = "C:\\Windows\\{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe"	{97A05672-8CCA-400e-ACFE-78902C24B598}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACEB6E1F-5E5C-40a6-932F-C6BEF99F3820}\stubpath = "C:\\Windows\\{ACEB6E1F-5E5C-40a6-932F-C6BEF99F3820}.exe"	{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28687A77-43AB-4d8d-8C74-D63ED31B2967}	{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97A05672-8CCA-400e-ACFE-78902C24B598}	{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97A05672-8CCA-400e-ACFE-78902C24B598}\stubpath = "C:\\Windows\\{97A05672-8CCA-400e-ACFE-78902C24B598}.exe"	{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}	{97A05672-8CCA-400e-ACFE-78902C24B598}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C144617-1583-480a-9EDC-8591B5FCF679}	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C144617-1583-480a-9EDC-8591B5FCF679}\stubpath = "C:\\Windows\\{1C144617-1583-480a-9EDC-8591B5FCF679}.exe"	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6060234C-8269-4607-B614-1A0650562838}	{1C144617-1583-480a-9EDC-8591B5FCF679}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}\stubpath = "C:\\Windows\\{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe"	{6060234C-8269-4607-B614-1A0650562838}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACEB6E1F-5E5C-40a6-932F-C6BEF99F3820}	{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28687A77-43AB-4d8d-8C74-D63ED31B2967}\stubpath = "C:\\Windows\\{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe"	{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{05678422-C1F2-4453-8889-113F3060BD4B}	{D795A3F1-BCEB-4431-903A-783503FCF247}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}	{05678422-C1F2-4453-8889-113F3060BD4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}\stubpath = "C:\\Windows\\{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe"	{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}	{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08FCB9C4-1030-41e9-98BB-3FE63E519C51}\stubpath = "C:\\Windows\\{08FCB9C4-1030-41e9-98BB-3FE63E519C51}.exe"	{ACEB6E1F-5E5C-40a6-932F-C6BEF99F3820}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}	{6060234C-8269-4607-B614-1A0650562838}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D795A3F1-BCEB-4431-903A-783503FCF247}	{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D795A3F1-BCEB-4431-903A-783503FCF247}\stubpath = "C:\\Windows\\{D795A3F1-BCEB-4431-903A-783503FCF247}.exe"	{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}\stubpath = "C:\\Windows\\{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe"	{05678422-C1F2-4453-8889-113F3060BD4B}.exe

Executes dropped EXE 12 IoCs

pid	Process
2896	{1C144617-1583-480a-9EDC-8591B5FCF679}.exe
4484	{6060234C-8269-4607-B614-1A0650562838}.exe
1596	{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe
4948	{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe
1640	{D795A3F1-BCEB-4431-903A-783503FCF247}.exe
4920	{05678422-C1F2-4453-8889-113F3060BD4B}.exe
4892	{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe
4948	{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe
3672	{97A05672-8CCA-400e-ACFE-78902C24B598}.exe
4788	{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe
4380	{ACEB6E1F-5E5C-40a6-932F-C6BEF99F3820}.exe
3384	{08FCB9C4-1030-41e9-98BB-3FE63E519C51}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe	{05678422-C1F2-4453-8889-113F3060BD4B}.exe
File created	C:\Windows\{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe	{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe
File created	C:\Windows\{97A05672-8CCA-400e-ACFE-78902C24B598}.exe	{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe
File created	C:\Windows\{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe	{97A05672-8CCA-400e-ACFE-78902C24B598}.exe
File created	C:\Windows\{08FCB9C4-1030-41e9-98BB-3FE63E519C51}.exe	{ACEB6E1F-5E5C-40a6-932F-C6BEF99F3820}.exe
File created	C:\Windows\{1C144617-1583-480a-9EDC-8591B5FCF679}.exe	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe
File created	C:\Windows\{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe	{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe
File created	C:\Windows\{05678422-C1F2-4453-8889-113F3060BD4B}.exe	{D795A3F1-BCEB-4431-903A-783503FCF247}.exe
File created	C:\Windows\{ACEB6E1F-5E5C-40a6-932F-C6BEF99F3820}.exe	{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe
File created	C:\Windows\{6060234C-8269-4607-B614-1A0650562838}.exe	{1C144617-1583-480a-9EDC-8591B5FCF679}.exe
File created	C:\Windows\{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe	{6060234C-8269-4607-B614-1A0650562838}.exe
File created	C:\Windows\{D795A3F1-BCEB-4431-903A-783503FCF247}.exe	{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2896	{1C144617-1583-480a-9EDC-8591B5FCF679}.exe
Token: SeIncBasePriorityPrivilege	4484	{6060234C-8269-4607-B614-1A0650562838}.exe
Token: SeIncBasePriorityPrivilege	1596	{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe
Token: SeIncBasePriorityPrivilege	4948	{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe
Token: SeIncBasePriorityPrivilege	1640	{D795A3F1-BCEB-4431-903A-783503FCF247}.exe
Token: SeIncBasePriorityPrivilege	4920	{05678422-C1F2-4453-8889-113F3060BD4B}.exe
Token: SeIncBasePriorityPrivilege	4892	{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe
Token: SeIncBasePriorityPrivilege	4948	{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe
Token: SeIncBasePriorityPrivilege	3672	{97A05672-8CCA-400e-ACFE-78902C24B598}.exe
Token: SeIncBasePriorityPrivilege	4788	{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe
Token: SeIncBasePriorityPrivilege	4380	{ACEB6E1F-5E5C-40a6-932F-C6BEF99F3820}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2896	2972	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	98
PID 2972 wrote to memory of 2896	2972	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	98
PID 2972 wrote to memory of 2896	2972	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	98
PID 2972 wrote to memory of 1728	2972	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	99
PID 2972 wrote to memory of 1728	2972	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	99
PID 2972 wrote to memory of 1728	2972	2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe	99
PID 2896 wrote to memory of 4484	2896	{1C144617-1583-480a-9EDC-8591B5FCF679}.exe	101
PID 2896 wrote to memory of 4484	2896	{1C144617-1583-480a-9EDC-8591B5FCF679}.exe	101
PID 2896 wrote to memory of 4484	2896	{1C144617-1583-480a-9EDC-8591B5FCF679}.exe	101
PID 2896 wrote to memory of 3236	2896	{1C144617-1583-480a-9EDC-8591B5FCF679}.exe	102
PID 2896 wrote to memory of 3236	2896	{1C144617-1583-480a-9EDC-8591B5FCF679}.exe	102
PID 2896 wrote to memory of 3236	2896	{1C144617-1583-480a-9EDC-8591B5FCF679}.exe	102
PID 4484 wrote to memory of 1596	4484	{6060234C-8269-4607-B614-1A0650562838}.exe	105
PID 4484 wrote to memory of 1596	4484	{6060234C-8269-4607-B614-1A0650562838}.exe	105
PID 4484 wrote to memory of 1596	4484	{6060234C-8269-4607-B614-1A0650562838}.exe	105
PID 4484 wrote to memory of 3084	4484	{6060234C-8269-4607-B614-1A0650562838}.exe	106
PID 4484 wrote to memory of 3084	4484	{6060234C-8269-4607-B614-1A0650562838}.exe	106
PID 4484 wrote to memory of 3084	4484	{6060234C-8269-4607-B614-1A0650562838}.exe	106
PID 1596 wrote to memory of 4948	1596	{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe	108
PID 1596 wrote to memory of 4948	1596	{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe	108
PID 1596 wrote to memory of 4948	1596	{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe	108
PID 1596 wrote to memory of 2276	1596	{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe	109
PID 1596 wrote to memory of 2276	1596	{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe	109
PID 1596 wrote to memory of 2276	1596	{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe	109
PID 4948 wrote to memory of 1640	4948	{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe	110
PID 4948 wrote to memory of 1640	4948	{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe	110
PID 4948 wrote to memory of 1640	4948	{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe	110
PID 4948 wrote to memory of 3404	4948	{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe	111
PID 4948 wrote to memory of 3404	4948	{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe	111
PID 4948 wrote to memory of 3404	4948	{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe	111
PID 1640 wrote to memory of 4920	1640	{D795A3F1-BCEB-4431-903A-783503FCF247}.exe	117
PID 1640 wrote to memory of 4920	1640	{D795A3F1-BCEB-4431-903A-783503FCF247}.exe	117
PID 1640 wrote to memory of 4920	1640	{D795A3F1-BCEB-4431-903A-783503FCF247}.exe	117
PID 1640 wrote to memory of 1748	1640	{D795A3F1-BCEB-4431-903A-783503FCF247}.exe	118
PID 1640 wrote to memory of 1748	1640	{D795A3F1-BCEB-4431-903A-783503FCF247}.exe	118
PID 1640 wrote to memory of 1748	1640	{D795A3F1-BCEB-4431-903A-783503FCF247}.exe	118
PID 4920 wrote to memory of 4892	4920	{05678422-C1F2-4453-8889-113F3060BD4B}.exe	119
PID 4920 wrote to memory of 4892	4920	{05678422-C1F2-4453-8889-113F3060BD4B}.exe	119
PID 4920 wrote to memory of 4892	4920	{05678422-C1F2-4453-8889-113F3060BD4B}.exe	119
PID 4920 wrote to memory of 4272	4920	{05678422-C1F2-4453-8889-113F3060BD4B}.exe	120
PID 4920 wrote to memory of 4272	4920	{05678422-C1F2-4453-8889-113F3060BD4B}.exe	120
PID 4920 wrote to memory of 4272	4920	{05678422-C1F2-4453-8889-113F3060BD4B}.exe	120
PID 4892 wrote to memory of 4948	4892	{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe	121
PID 4892 wrote to memory of 4948	4892	{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe	121
PID 4892 wrote to memory of 4948	4892	{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe	121
PID 4892 wrote to memory of 1900	4892	{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe	122
PID 4892 wrote to memory of 1900	4892	{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe	122
PID 4892 wrote to memory of 1900	4892	{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe	122
PID 4948 wrote to memory of 3672	4948	{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe	127
PID 4948 wrote to memory of 3672	4948	{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe	127
PID 4948 wrote to memory of 3672	4948	{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe	127
PID 4948 wrote to memory of 1040	4948	{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe	128
PID 4948 wrote to memory of 1040	4948	{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe	128
PID 4948 wrote to memory of 1040	4948	{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe	128
PID 3672 wrote to memory of 4788	3672	{97A05672-8CCA-400e-ACFE-78902C24B598}.exe	129
PID 3672 wrote to memory of 4788	3672	{97A05672-8CCA-400e-ACFE-78902C24B598}.exe	129
PID 3672 wrote to memory of 4788	3672	{97A05672-8CCA-400e-ACFE-78902C24B598}.exe	129
PID 3672 wrote to memory of 3744	3672	{97A05672-8CCA-400e-ACFE-78902C24B598}.exe	130
PID 3672 wrote to memory of 3744	3672	{97A05672-8CCA-400e-ACFE-78902C24B598}.exe	130
PID 3672 wrote to memory of 3744	3672	{97A05672-8CCA-400e-ACFE-78902C24B598}.exe	130
PID 4788 wrote to memory of 4380	4788	{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe	135
PID 4788 wrote to memory of 4380	4788	{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe	135
PID 4788 wrote to memory of 4380	4788	{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe	135
PID 4788 wrote to memory of 2136	4788	{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe	136

C:\Users\Admin\AppData\Local\Temp\2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_d18d30b76493ee5d1827d0eac5e2706f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\{1C144617-1583-480a-9EDC-8591B5FCF679}.exe
  C:\Windows\{1C144617-1583-480a-9EDC-8591B5FCF679}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\{6060234C-8269-4607-B614-1A0650562838}.exe
    C:\Windows\{6060234C-8269-4607-B614-1A0650562838}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe
      C:\Windows\{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe
        
        C:\Windows\{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
      - C:\Windows\{D795A3F1-BCEB-4431-903A-783503FCF247}.exe
        
        C:\Windows\{D795A3F1-BCEB-4431-903A-783503FCF247}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{05678422-C1F2-4453-8889-113F3060BD4B}.exe
        
        C:\Windows\{05678422-C1F2-4453-8889-113F3060BD4B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe
        
        C:\Windows\{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe
        
        C:\Windows\{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\{97A05672-8CCA-400e-ACFE-78902C24B598}.exe
        
        C:\Windows\{97A05672-8CCA-400e-ACFE-78902C24B598}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe
        
        C:\Windows\{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\{ACEB6E1F-5E5C-40a6-932F-C6BEF99F3820}.exe
        
        C:\Windows\{ACEB6E1F-5E5C-40a6-932F-C6BEF99F3820}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
        
        C:\Windows\{08FCB9C4-1030-41e9-98BB-3FE63E519C51}.exe
        
        C:\Windows\{08FCB9C4-1030-41e9-98BB-3FE63E519C51}.exe
        13⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACEB6~1.EXE > nul
        13⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E50BF~1.EXE > nul
        12⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97A05~1.EXE > nul
        11⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1EBB~1.EXE > nul
        10⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{176E4~1.EXE > nul
        9⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05678~1.EXE > nul
        8⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D795A~1.EXE > nul
        7⤵
        
        PID:1748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28687~1.EXE > nul
        6⤵
        
        PID:3404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD2AB~1.EXE > nul
        5⤵
        
        PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{60602~1.EXE > nul
      4⤵
      PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1C144~1.EXE > nul
    3⤵
    PID:3236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05678422-C1F2-4453-8889-113F3060BD4B}.exe

Filesize
344KB

MD5
f524b67f3d16c63dffa44a4845a8daa2

SHA1
59a662f1fd67933607bf5288888cd86d37e58a5f

SHA256
dbced970410bef4d1c5a5484f7be37c941bc8455b4e64c501a789055d9364233

SHA512
53edab658e7609021944132ab9f56002d56ebe4b648f164dfae47c099b230a80e577a4037b12ca0440038862380e7c265632fca46f2e39222dd9614f614e8ae6

Download Submit
C:\Windows\{08FCB9C4-1030-41e9-98BB-3FE63E519C51}.exe

Filesize
344KB

MD5
75854ebbd29dac905deb9b0ef846e6c3

SHA1
0f08f2573642abf2bb7516f71c0e254175a6f787

SHA256
1fe803aeed0c0e55b807023e4ad8df9f4776a58ecf7050cb795776d0a3697af0

SHA512
9ec3de7945a4461e369c55741f5c7d13dbf3ff25ac73b64ce586ff398c910f97d33e30861337b444ce18a9f6a515d86373f2eec3bc3df4b2b10bd23d1092c7e5

Download Submit
C:\Windows\{176E47DB-0408-45c5-BFE2-AEFABA1B2E92}.exe

Filesize
344KB

MD5
d0fa92e8d8202b07d9be53f7cdd96fdb

SHA1
04b472bbce65c087ad198141ed111be512945a72

SHA256
9cd7dddf6f4731f2a0b89c4f758ca5322a476e7eb3ad1ec77e2d21f8e3c7b707

SHA512
d23fafa5921cdd9ce5ea946a2e7c33d3e94125c63c163db9d983dbb4181f045c939c6865d405b0ac276b28f66b6dabcb19b75e2946642b20e93406871c797071

Download Submit
C:\Windows\{1C144617-1583-480a-9EDC-8591B5FCF679}.exe

Filesize
344KB

MD5
efcbf9a18e59c00487ed3120c986bcb5

SHA1
e6a0248b32f8db5b0a39b54c06ba72c26b552fab

SHA256
b8d5ab0effb62f36fc49d445e5864d5d338dd53eb218f6c0e465f9bbb67ddb26

SHA512
0f26041c4b8dbdd5f54c04f3788bb73265c7fb5900f264c3411eafffe596889d514ece2d577d2d927bcd0c34493e414b4d4e5f1ff201b44afe523b01193f0b8a

Download Submit
C:\Windows\{28687A77-43AB-4d8d-8C74-D63ED31B2967}.exe

Filesize
344KB

MD5
bcd164a8fce6ce0196be829819dffc90

SHA1
6a5cf7b1e45de9b8f1630a22f1926212004920d2

SHA256
ec17df119853dd5f343adbaa6dc50fe2c2f00e54e53f9c3877c56e221ab3e5ff

SHA512
d4edcb80df1aa0b0356720687d8b60e905ebc543b00802b57193ac8d79c599b8f4aae6049caafe06bbc0229a5dde6c452cc548c50584125202758709b11d1c17

Download Submit
C:\Windows\{6060234C-8269-4607-B614-1A0650562838}.exe

Filesize
344KB

MD5
7c04801526b5cb72220d639a16d74e6b

SHA1
09a8b2fa80477535e081459f349b7a6da35866ec

SHA256
1380b673555e77d1a191f959090afca5eb081c12e61e0eaf19443f88d6b41a3e

SHA512
bbcece461fb763f88d144b7a6410ed244be1ef245f1e615cb02592981aa676e9722c48015be060cd38b13f7163b091015f8a5ca2d76a61945790f68b2d7ea964

Download Submit
C:\Windows\{97A05672-8CCA-400e-ACFE-78902C24B598}.exe

Filesize
344KB

MD5
ddabaeb51a0c90389dae7f62e8278e8b

SHA1
baa41a12d54989dd3b80ac4a16e5ae93ab1a58c7

SHA256
ceaf0b25e55565f5534c40663d3cdc91cf99adaf66bdcef0f98c97df91786229

SHA512
5e6d6800ba6e49de982ee62be00ddf18656a7480c6f07c3f42899fcd5c07f4a6e4fcb668489f5ebb532c3c44cb3784f3e53b6f0bb53c8f495cb3e6423ee61ef0

Download Submit
C:\Windows\{ACEB6E1F-5E5C-40a6-932F-C6BEF99F3820}.exe

Filesize
344KB

MD5
11d1593583cc365366aa4d7757ab5e7a

SHA1
b41cdd68cb3dd478596b12ac7ac797be92eae246

SHA256
2ce06479414d83e33a1612dcdb7b5b2e16e1de88e5e6a483fc368efb85d73045

SHA512
e3c086e9f8c8a12da5ce01aeb5a8cb3cb11a85e7bc63d65cafe40303a7777aea21b976d744bffb15046a6c6d36cbc5bd7c7c2e43bb2d5b08fed90ede4d61d429

Download Submit
C:\Windows\{D1EBBFA6-43D7-4b41-99E9-916AA868FE65}.exe

Filesize
344KB

MD5
36cfd6eea18236cc648ce21c654d1480

SHA1
199bbc878965c3ecb387db0e4558deb74ac7e4e5

SHA256
ba552ac17e509a5acf1cac8954fdcbf9def17d9a2fc6b6626ecc4722317a0fda

SHA512
5a8d95f502518e257a8e744d52ff36063f236af25b56515702f784fe5006b5b48aacb2171d4f115b14db86cd08c6f8155a90e48b8ead8cfbb57c92922410e7dc

Download Submit
C:\Windows\{D795A3F1-BCEB-4431-903A-783503FCF247}.exe

Filesize
344KB

MD5
20a537bc756979a6119106cd02935065

SHA1
c594a16049a42f18a2fbc8cc09ba0ee60b2b0781

SHA256
a468b960de2d6e94580ced5df0b5d5fac9bad6c46e2ac0aa1e65652493b5cf3e

SHA512
b4f07fcff6757bde3db87ce377b8b8397c0d3fc14a132d260e0f9ccf9b03ee22e8980c2ae762b90c2ff1115ae9977ff837e20ad5d0c402b4e8ffe125737e0a4f

Download Submit
C:\Windows\{DD2AB933-2AA9-48ea-94D2-A1A84D3B03D3}.exe

Filesize
344KB

MD5
9a7961d0c67a93004fc02b7c015562a9

SHA1
f66c4fed22f1d57481fb2f3e174a9d36601c460b

SHA256
22b7e37c711b59b8fb7a6c420f662dd2c75a2302ceabdbf4aef815e9d987cdb0

SHA512
c72ade719a1e4c653e435eea13922b44a71609123659d7b234707b859e9d581bed130fc98914e8187d34cbdca864af0c6153bec0332cef4452627482f6a47b42

Download Submit
C:\Windows\{E50BF5E0-C775-4d0a-87CD-2C218BDB8160}.exe

Filesize
344KB

MD5
c75748b848deb9ec3248c889aa1e1d6e

SHA1
e52ebcec77fda9715b8841ffa1be6e1b71ac839a

SHA256
164cf13cfc3da617d1afdc87469ee093dfd35e7ee62deef46dbb181926a26012

SHA512
66e68a74fb6f45e32b3ff437ce3f594b52db08580697a3b67a3d02c96c91bce6a1c61c17492f920ae6afe9fc8eb150ed28d3e41e5f731dd6b2d3a69cf058c835

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads