097385457d8c06ee9398b7c19f872594fef65933f3cc726edd83eff0113957af

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 10:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe
Size

344KB
MD5

3923d665a50984f7139755c76625ea32
SHA1

98b1fe0bd3f1c0eb492dafb757603b282ce340e6
SHA256

097385457d8c06ee9398b7c19f872594fef65933f3cc726edd83eff0113957af
SHA512

9935714602b23fc1d108719ae990ffa9120abf4a6f65661475f3733b8a4e3434bc92d0fb407385c1209ab39a9c84980b4b69e7bfc83f676562d282e077a914ab
SSDEEP

3072:mEGh0o1lEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGHlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023352-1.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002336c-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002295f-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002336c-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b00000002295f-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001600000002336c-21.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002295f-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000233f6-29.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233fd-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b0000000233f6-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023406-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c0000000233f6-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}\stubpath = "C:\\Windows\\{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe"	{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D23E277-CAD7-4518-8909-F3DA8E1FEF6B}\stubpath = "C:\\Windows\\{7D23E277-CAD7-4518-8909-F3DA8E1FEF6B}.exe"	{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00015661-324B-44ff-B00E-175271D266B8}	{7D23E277-CAD7-4518-8909-F3DA8E1FEF6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}	2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}	{0A901079-966F-41d8-BA62-D00EC94E1426}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD592DE2-21C4-49f0-8187-D9563E79566D}\stubpath = "C:\\Windows\\{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe"	{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D119D408-953B-4994-B44A-452940E096EE}	{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A229C38-4F6E-43ac-99EE-2254949A5496}	{D119D408-953B-4994-B44A-452940E096EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5DA7112-83B3-455e-8C81-4B04E4CEF349}\stubpath = "C:\\Windows\\{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe"	{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D88B5CB3-8457-4557-88C2-A950E7D06B18}	{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D88B5CB3-8457-4557-88C2-A950E7D06B18}\stubpath = "C:\\Windows\\{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe"	{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A901079-966F-41d8-BA62-D00EC94E1426}\stubpath = "C:\\Windows\\{0A901079-966F-41d8-BA62-D00EC94E1426}.exe"	{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}\stubpath = "C:\\Windows\\{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe"	{0A901079-966F-41d8-BA62-D00EC94E1426}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A229C38-4F6E-43ac-99EE-2254949A5496}\stubpath = "C:\\Windows\\{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe"	{D119D408-953B-4994-B44A-452940E096EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}	{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{999D05D8-7FC5-430b-B3C5-F336AFD4765E}	{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A901079-966F-41d8-BA62-D00EC94E1426}	{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD592DE2-21C4-49f0-8187-D9563E79566D}	{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D119D408-953B-4994-B44A-452940E096EE}\stubpath = "C:\\Windows\\{D119D408-953B-4994-B44A-452940E096EE}.exe"	{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5DA7112-83B3-455e-8C81-4B04E4CEF349}	{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D23E277-CAD7-4518-8909-F3DA8E1FEF6B}	{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00015661-324B-44ff-B00E-175271D266B8}\stubpath = "C:\\Windows\\{00015661-324B-44ff-B00E-175271D266B8}.exe"	{7D23E277-CAD7-4518-8909-F3DA8E1FEF6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}\stubpath = "C:\\Windows\\{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe"	2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{999D05D8-7FC5-430b-B3C5-F336AFD4765E}\stubpath = "C:\\Windows\\{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe"	{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe

Executes dropped EXE 12 IoCs

pid	Process
4024	{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe
1420	{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe
3884	{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe
4028	{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe
5064	{0A901079-966F-41d8-BA62-D00EC94E1426}.exe
2548	{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe
1068	{D119D408-953B-4994-B44A-452940E096EE}.exe
488	{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe
4324	{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe
3700	{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe
3644	{7D23E277-CAD7-4518-8909-F3DA8E1FEF6B}.exe
4464	{00015661-324B-44ff-B00E-175271D266B8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe	{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe
File created	C:\Windows\{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe	{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe
File created	C:\Windows\{D119D408-953B-4994-B44A-452940E096EE}.exe	{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe
File created	C:\Windows\{7D23E277-CAD7-4518-8909-F3DA8E1FEF6B}.exe	{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe
File created	C:\Windows\{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe	{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe
File created	C:\Windows\{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe	{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe
File created	C:\Windows\{00015661-324B-44ff-B00E-175271D266B8}.exe	{7D23E277-CAD7-4518-8909-F3DA8E1FEF6B}.exe
File created	C:\Windows\{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe	2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe
File created	C:\Windows\{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe	{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe
File created	C:\Windows\{0A901079-966F-41d8-BA62-D00EC94E1426}.exe	{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe
File created	C:\Windows\{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe	{0A901079-966F-41d8-BA62-D00EC94E1426}.exe
File created	C:\Windows\{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe	{D119D408-953B-4994-B44A-452940E096EE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4316	2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4024	{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe
Token: SeIncBasePriorityPrivilege	1420	{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe
Token: SeIncBasePriorityPrivilege	3884	{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe
Token: SeIncBasePriorityPrivilege	4028	{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe
Token: SeIncBasePriorityPrivilege	5064	{0A901079-966F-41d8-BA62-D00EC94E1426}.exe
Token: SeIncBasePriorityPrivilege	2548	{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe
Token: SeIncBasePriorityPrivilege	1068	{D119D408-953B-4994-B44A-452940E096EE}.exe
Token: SeIncBasePriorityPrivilege	488	{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe
Token: SeIncBasePriorityPrivilege	4324	{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe
Token: SeIncBasePriorityPrivilege	3700	{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe
Token: SeIncBasePriorityPrivilege	3644	{7D23E277-CAD7-4518-8909-F3DA8E1FEF6B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4024	4316	2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe	95
PID 4316 wrote to memory of 4024	4316	2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe	95
PID 4316 wrote to memory of 4024	4316	2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe	95
PID 4316 wrote to memory of 1536	4316	2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe	96
PID 4316 wrote to memory of 1536	4316	2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe	96
PID 4316 wrote to memory of 1536	4316	2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe	96
PID 4024 wrote to memory of 1420	4024	{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe	97
PID 4024 wrote to memory of 1420	4024	{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe	97
PID 4024 wrote to memory of 1420	4024	{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe	97
PID 4024 wrote to memory of 3100	4024	{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe	98
PID 4024 wrote to memory of 3100	4024	{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe	98
PID 4024 wrote to memory of 3100	4024	{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe	98
PID 1420 wrote to memory of 3884	1420	{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe	101
PID 1420 wrote to memory of 3884	1420	{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe	101
PID 1420 wrote to memory of 3884	1420	{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe	101
PID 1420 wrote to memory of 3216	1420	{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe	102
PID 1420 wrote to memory of 3216	1420	{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe	102
PID 1420 wrote to memory of 3216	1420	{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe	102
PID 3884 wrote to memory of 4028	3884	{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe	103
PID 3884 wrote to memory of 4028	3884	{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe	103
PID 3884 wrote to memory of 4028	3884	{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe	103
PID 3884 wrote to memory of 2676	3884	{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe	104
PID 3884 wrote to memory of 2676	3884	{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe	104
PID 3884 wrote to memory of 2676	3884	{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe	104
PID 4028 wrote to memory of 5064	4028	{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe	105
PID 4028 wrote to memory of 5064	4028	{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe	105
PID 4028 wrote to memory of 5064	4028	{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe	105
PID 4028 wrote to memory of 1972	4028	{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe	106
PID 4028 wrote to memory of 1972	4028	{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe	106
PID 4028 wrote to memory of 1972	4028	{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe	106
PID 5064 wrote to memory of 2548	5064	{0A901079-966F-41d8-BA62-D00EC94E1426}.exe	108
PID 5064 wrote to memory of 2548	5064	{0A901079-966F-41d8-BA62-D00EC94E1426}.exe	108
PID 5064 wrote to memory of 2548	5064	{0A901079-966F-41d8-BA62-D00EC94E1426}.exe	108
PID 5064 wrote to memory of 5076	5064	{0A901079-966F-41d8-BA62-D00EC94E1426}.exe	109
PID 5064 wrote to memory of 5076	5064	{0A901079-966F-41d8-BA62-D00EC94E1426}.exe	109
PID 5064 wrote to memory of 5076	5064	{0A901079-966F-41d8-BA62-D00EC94E1426}.exe	109
PID 2548 wrote to memory of 1068	2548	{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe	110
PID 2548 wrote to memory of 1068	2548	{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe	110
PID 2548 wrote to memory of 1068	2548	{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe	110
PID 2548 wrote to memory of 2776	2548	{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe	111
PID 2548 wrote to memory of 2776	2548	{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe	111
PID 2548 wrote to memory of 2776	2548	{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe	111
PID 1068 wrote to memory of 488	1068	{D119D408-953B-4994-B44A-452940E096EE}.exe	113
PID 1068 wrote to memory of 488	1068	{D119D408-953B-4994-B44A-452940E096EE}.exe	113
PID 1068 wrote to memory of 488	1068	{D119D408-953B-4994-B44A-452940E096EE}.exe	113
PID 1068 wrote to memory of 3808	1068	{D119D408-953B-4994-B44A-452940E096EE}.exe	114
PID 1068 wrote to memory of 3808	1068	{D119D408-953B-4994-B44A-452940E096EE}.exe	114
PID 1068 wrote to memory of 3808	1068	{D119D408-953B-4994-B44A-452940E096EE}.exe	114
PID 488 wrote to memory of 4324	488	{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe	120
PID 488 wrote to memory of 4324	488	{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe	120
PID 488 wrote to memory of 4324	488	{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe	120
PID 488 wrote to memory of 4332	488	{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe	121
PID 488 wrote to memory of 4332	488	{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe	121
PID 488 wrote to memory of 4332	488	{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe	121
PID 4324 wrote to memory of 3700	4324	{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe	122
PID 4324 wrote to memory of 3700	4324	{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe	122
PID 4324 wrote to memory of 3700	4324	{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe	122
PID 4324 wrote to memory of 1184	4324	{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe	123
PID 4324 wrote to memory of 1184	4324	{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe	123
PID 4324 wrote to memory of 1184	4324	{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe	123
PID 3700 wrote to memory of 3644	3700	{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe	126
PID 3700 wrote to memory of 3644	3700	{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe	126
PID 3700 wrote to memory of 3644	3700	{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe	126
PID 3700 wrote to memory of 4804	3700	{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe	127

C:\Users\Admin\AppData\Local\Temp\2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-16_3923d665a50984f7139755c76625ea32_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe
  C:\Windows\{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe
    C:\Windows\{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe
      C:\Windows\{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe
        
        C:\Windows\{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Windows\{0A901079-966F-41d8-BA62-D00EC94E1426}.exe
        
        C:\Windows\{0A901079-966F-41d8-BA62-D00EC94E1426}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe
        
        C:\Windows\{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\{D119D408-953B-4994-B44A-452940E096EE}.exe
        
        C:\Windows\{D119D408-953B-4994-B44A-452940E096EE}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe
        
        C:\Windows\{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe
        
        C:\Windows\{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe
        
        C:\Windows\{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\{7D23E277-CAD7-4518-8909-F3DA8E1FEF6B}.exe
        
        C:\Windows\{7D23E277-CAD7-4518-8909-F3DA8E1FEF6B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\{00015661-324B-44ff-B00E-175271D266B8}.exe
        
        C:\Windows\{00015661-324B-44ff-B00E-175271D266B8}.exe
        13⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D23E~1.EXE > nul
        13⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5DA7~1.EXE > nul
        12⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3AF7~1.EXE > nul
        11⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A229~1.EXE > nul
        10⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D119D~1.EXE > nul
        9⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96F07~1.EXE > nul
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A901~1.EXE > nul
        7⤵
        
        PID:5076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD592~1.EXE > nul
        6⤵
        
        PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{999D0~1.EXE > nul
        5⤵
        
        PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D88B5~1.EXE > nul
      4⤵
      PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EA291~1.EXE > nul
    3⤵
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00015661-324B-44ff-B00E-175271D266B8}.exe

Filesize
344KB

MD5
9123b2c5bfa92fe6b17fea85947cbac4

SHA1
c7ca53becc0f8e0de27373c496f9b3a54fa3cf8a

SHA256
697dadd10d4fc31a9437d300594b3d6c96a392c6acea7b25750795cabfa88488

SHA512
53b4bfb11371bc5dd5f38d864548ff7e54bda4ed023cec837f1a76e0c15ae44732fb620555d449ab1f4e6c00f1e0cbca0c192f4b2d6173e69dd056b1c3890839

Download Submit
C:\Windows\{0A901079-966F-41d8-BA62-D00EC94E1426}.exe

Filesize
344KB

MD5
9f9c6d8ac94d28868089c87019204424

SHA1
f60969cccb2b34931ccf616b79640cf314b8e11b

SHA256
bf4835d2b8bed985fe24e3e2aaed3f99cb094af1c6459d426f23ac37e4e725c8

SHA512
81f397ed34d4f38773e4b4f8c1a140432476af3323447b326e70492a6ad8173c795df0ff0bcd8d6156809f570f8bf0e530ee14db56ed96101a72756921e9f346

Download Submit
C:\Windows\{5A229C38-4F6E-43ac-99EE-2254949A5496}.exe

Filesize
344KB

MD5
b49044ede3b9034952a9e87872caf5a0

SHA1
64344965d315f7168a53f50b9276c520903765b4

SHA256
8cd2a4e5230f28f4f238ec34d25be055c3a085133447837879b0c9cf7fc0f7c0

SHA512
f029c1c581efcda0c542ff03be5bd5e16b99890f79359399da31c0ab8aa434098207fb24f14720dbd6ca082883c61bb17331c5962d5fdbbcd40df9f6dcdc3504

Download Submit
C:\Windows\{7D23E277-CAD7-4518-8909-F3DA8E1FEF6B}.exe

Filesize
344KB

MD5
895a83a175271ef151438d5adf83b909

SHA1
f5c3b0f390bf97c5f216d9f99c2c7f773874c289

SHA256
9d69882b9b2ee1b0b707af4aa244b2de34b22868e55a2d0d862246b936d98e5a

SHA512
70fdc459d0abcc730f64d60bdac71a5366f1b41487c214e894a04469b2e08709a3bbff155130df9d375884339d2a833aed77c4ef7aef04ed568c91f9959123c8

Download Submit
C:\Windows\{96F07C4B-C70E-41e8-A8EC-88CB8D8F29B8}.exe

Filesize
344KB

MD5
e7b953a1ddfcaad74703eb70607b709d

SHA1
7200b4e4970bad96968b41aaccae7f3c62068437

SHA256
c36e20d0db541219babb1085234531b4b065b4b85f6dfa9c83212d00e8a5b1cd

SHA512
ea381050a452698f507903fbf3f966848307689a5359993b5e9bb8690f96a8f47a329a9497a763f62186bb11132336982677a382c7ef95b59d8dba35be7e71d9

Download Submit
C:\Windows\{999D05D8-7FC5-430b-B3C5-F336AFD4765E}.exe

Filesize
344KB

MD5
ee7ee07d9e21605d03c1b82bbfaa3c6d

SHA1
f7d623d2ce3948545e27e3d6812ca84af42dc9bd

SHA256
ec97d5e25a1bb275c90e265905e64edbe3340b11fdc118832729abeb81a7a4c0

SHA512
0cf94b987de93a564b6e157e97c5580a2d6d4be7f8e527652c597c93fc457dd936bdc19059374bf8da242125c1c6d450ed0dd7cb9b55d4863c50358eb5fe529c

Download Submit
C:\Windows\{BD592DE2-21C4-49f0-8187-D9563E79566D}.exe

Filesize
344KB

MD5
01a4f73ab987bc23b30ef7b0b097adf7

SHA1
93eb7ae417acd532d2f7494fadd8e38606182db5

SHA256
a0885ad87dfc5660259b99d5eef17f334b2a2c7ffc07d3737cfe1b03292f0e37

SHA512
c000a5b86f9eabd3a4d655a81904a8f686104af73b5142d10b1c381969b6884008159a91b6e8dd0597bfc0a56bb7f5e13f54ee0b116c5d13544b8ac1d6da4881

Download Submit
C:\Windows\{D119D408-953B-4994-B44A-452940E096EE}.exe

Filesize
344KB

MD5
1af62da352458750f4845bfff5a72762

SHA1
86d1e83d43911ea41a990ef5243dcd67d959028f

SHA256
67b232427fafee7c3c08bee3c5ea37955db8b8e92df4045ba6fae1332fb34a0f

SHA512
39a14db2a9ad2f34b44c21a8d3fa6f5ae31bf66ed4be73f6a1ca28e078599afd64143d2f2feff5e4652fa00d1917b0e52b75e0edf7c8e951dad2cfe51ebbdb93

Download Submit
C:\Windows\{D3AF7728-FED7-48a8-A2BB-E196EB223EDC}.exe

Filesize
344KB

MD5
f15d6166d2ada09f17b452704204d4c4

SHA1
c77b97fc6aae4582edfb77f19fb1fd6ea57da9dd

SHA256
d8540a1b3f2893ec5cb526cac1736d49b3d8846fad17de875cef2e01a25a1749

SHA512
1f32bffb7a49f151d23082fd6827e8a97c8423fb7bdc3bf390400c354a1429cc7937eb9235f0ad96b2cff3fd214c7634c469849b6527765496b25fcbbc07bda6

Download Submit
C:\Windows\{D88B5CB3-8457-4557-88C2-A950E7D06B18}.exe

Filesize
344KB

MD5
022e88d5df1e3fc83dc1ff99144ddb51

SHA1
3ed9eb028ca3bd0fe02eb6bbf13baecc5e057894

SHA256
c5a0accb3db31737a81c5bcefea4d2a9d405d0d961bf750027e0a127b26feadb

SHA512
54153f16cb0e4631ad3fecb229dd3d02572217ad598756b2396da06e212eaab668b2dec6842e62a8c48315c76f1331c5a7458dd239533e2a0564c992caa3e6a1

Download Submit
C:\Windows\{E5DA7112-83B3-455e-8C81-4B04E4CEF349}.exe

Filesize
344KB

MD5
669f6d738b0a4e815058f59d3af183fd

SHA1
0db2600b8dbd58c071304179ef7aaaa526509002

SHA256
50fb7c2393b111d3dd6ed914d7c501f87f0812640ffe9018cb8a1f5dd825df35

SHA512
c216767b8035d9d16af1cae79f44a1a661496321b42df3f6970d8dd456100f9636eeba97dcdd97bd266114d478b2747cee049940bc516100a02192644d823534

Download Submit
C:\Windows\{EA291C92-4EBC-49b2-AAC4-65CCD69BE057}.exe

Filesize
344KB

MD5
7cb2af0bf5268a39d156549bb934b139

SHA1
5b57673e195be5829ab561c1ee2a81ec2a961e12

SHA256
ec5a13684a5070fcee7ce5beb8d22e6543c2292504f616dcab69cffdf5c41a2d

SHA512
33b5992e53d26402bd12556c1ce0ddd11d1bca7f225d78737aeb381ff91a1f5378231b4a67bf998a60ad3e094e2ec5716db34bda9c60195f57bd0100776a83fc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads