1a895688bfa2cad861ee295aa02e1de7a487739d848c8c62e9477aa43b79e55b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe
Size

180KB
MD5

085463c90b4bb4e02632734fa032b375
SHA1

a66184275f1c3b8f6e917efe0943aa3401f37280
SHA256

1a895688bfa2cad861ee295aa02e1de7a487739d848c8c62e9477aa43b79e55b
SHA512

6cb053ac438d8033b129155c4d04bade4c1f9afede207739e40296877f0f75beb3d1b9dadadc38534d2d6ea6c4864cb877a28066bcb87643bbad7258395a8ff7
SSDEEP

3072:jEGh0o0klfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGTl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023443-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001200000002343c-7.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023449-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x001300000002343c-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00070000000006eb-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000200000002219f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00080000000006eb-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000006eb-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-38.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a0000000006eb-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000713-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3647EB2-0496-49bb-8937-F87C51F2BE47}\stubpath = "C:\\Windows\\{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe"	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}\stubpath = "C:\\Windows\\{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe"	{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCABA219-A86F-48fc-8F69-755705370D97}\stubpath = "C:\\Windows\\{CCABA219-A86F-48fc-8F69-755705370D97}.exe"	{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32717797-0977-4d54-81D2-B4484D378102}	{CCABA219-A86F-48fc-8F69-755705370D97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C047C09B-1761-46cd-B94B-B93B19395730}	{32717797-0977-4d54-81D2-B4484D378102}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6311CE12-0E83-4d5b-9586-CF82483F79E4}	{35631F37-7A00-4069-B48E-FFB286ADA57B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D083A9E6-4707-44dc-A227-7A378DB8EF05}\stubpath = "C:\\Windows\\{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe"	{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0602A59-556B-463b-9488-40A224A1655E}\stubpath = "C:\\Windows\\{F0602A59-556B-463b-9488-40A224A1655E}.exe"	{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8B5331E-08CB-45f1-B1FC-A930A31EA469}	{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32717797-0977-4d54-81D2-B4484D378102}\stubpath = "C:\\Windows\\{32717797-0977-4d54-81D2-B4484D378102}.exe"	{CCABA219-A86F-48fc-8F69-755705370D97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35631F37-7A00-4069-B48E-FFB286ADA57B}\stubpath = "C:\\Windows\\{35631F37-7A00-4069-B48E-FFB286ADA57B}.exe"	{C047C09B-1761-46cd-B94B-B93B19395730}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3647EB2-0496-49bb-8937-F87C51F2BE47}	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D083A9E6-4707-44dc-A227-7A378DB8EF05}	{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0602A59-556B-463b-9488-40A224A1655E}	{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4B4696F-F47C-4dcf-B8DA-956395157FDF}\stubpath = "C:\\Windows\\{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe"	{F0602A59-556B-463b-9488-40A224A1655E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8B5331E-08CB-45f1-B1FC-A930A31EA469}\stubpath = "C:\\Windows\\{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe"	{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C047C09B-1761-46cd-B94B-B93B19395730}\stubpath = "C:\\Windows\\{C047C09B-1761-46cd-B94B-B93B19395730}.exe"	{32717797-0977-4d54-81D2-B4484D378102}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6311CE12-0E83-4d5b-9586-CF82483F79E4}\stubpath = "C:\\Windows\\{6311CE12-0E83-4d5b-9586-CF82483F79E4}.exe"	{35631F37-7A00-4069-B48E-FFB286ADA57B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4B4696F-F47C-4dcf-B8DA-956395157FDF}	{F0602A59-556B-463b-9488-40A224A1655E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}	{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}	{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}\stubpath = "C:\\Windows\\{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe"	{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCABA219-A86F-48fc-8F69-755705370D97}	{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35631F37-7A00-4069-B48E-FFB286ADA57B}	{C047C09B-1761-46cd-B94B-B93B19395730}.exe

Executes dropped EXE 12 IoCs

pid	Process
4676	{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe
512	{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe
1652	{F0602A59-556B-463b-9488-40A224A1655E}.exe
1264	{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe
5028	{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe
2768	{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe
5036	{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe
216	{CCABA219-A86F-48fc-8F69-755705370D97}.exe
1672	{32717797-0977-4d54-81D2-B4484D378102}.exe
2240	{C047C09B-1761-46cd-B94B-B93B19395730}.exe
5060	{35631F37-7A00-4069-B48E-FFB286ADA57B}.exe
3972	{6311CE12-0E83-4d5b-9586-CF82483F79E4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe	{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe
File created	C:\Windows\{F0602A59-556B-463b-9488-40A224A1655E}.exe	{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe
File created	C:\Windows\{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe	{F0602A59-556B-463b-9488-40A224A1655E}.exe
File created	C:\Windows\{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe	{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe
File created	C:\Windows\{CCABA219-A86F-48fc-8F69-755705370D97}.exe	{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe
File created	C:\Windows\{C047C09B-1761-46cd-B94B-B93B19395730}.exe	{32717797-0977-4d54-81D2-B4484D378102}.exe
File created	C:\Windows\{6311CE12-0E83-4d5b-9586-CF82483F79E4}.exe	{35631F37-7A00-4069-B48E-FFB286ADA57B}.exe
File created	C:\Windows\{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe
File created	C:\Windows\{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe	{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe
File created	C:\Windows\{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe	{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe
File created	C:\Windows\{32717797-0977-4d54-81D2-B4484D378102}.exe	{CCABA219-A86F-48fc-8F69-755705370D97}.exe
File created	C:\Windows\{35631F37-7A00-4069-B48E-FFB286ADA57B}.exe	{C047C09B-1761-46cd-B94B-B93B19395730}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3992	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4676	{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe
Token: SeIncBasePriorityPrivilege	512	{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe
Token: SeIncBasePriorityPrivilege	1652	{F0602A59-556B-463b-9488-40A224A1655E}.exe
Token: SeIncBasePriorityPrivilege	1264	{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe
Token: SeIncBasePriorityPrivilege	5028	{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe
Token: SeIncBasePriorityPrivilege	2768	{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe
Token: SeIncBasePriorityPrivilege	5036	{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe
Token: SeIncBasePriorityPrivilege	216	{CCABA219-A86F-48fc-8F69-755705370D97}.exe
Token: SeIncBasePriorityPrivilege	1672	{32717797-0977-4d54-81D2-B4484D378102}.exe
Token: SeIncBasePriorityPrivilege	2240	{C047C09B-1761-46cd-B94B-B93B19395730}.exe
Token: SeIncBasePriorityPrivilege	5060	{35631F37-7A00-4069-B48E-FFB286ADA57B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 4676	3992	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	92
PID 3992 wrote to memory of 4676	3992	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	92
PID 3992 wrote to memory of 4676	3992	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	92
PID 3992 wrote to memory of 1952	3992	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	93
PID 3992 wrote to memory of 1952	3992	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	93
PID 3992 wrote to memory of 1952	3992	2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe	93
PID 4676 wrote to memory of 512	4676	{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe	94
PID 4676 wrote to memory of 512	4676	{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe	94
PID 4676 wrote to memory of 512	4676	{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe	94
PID 4676 wrote to memory of 4752	4676	{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe	95
PID 4676 wrote to memory of 4752	4676	{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe	95
PID 4676 wrote to memory of 4752	4676	{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe	95
PID 512 wrote to memory of 1652	512	{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe	97
PID 512 wrote to memory of 1652	512	{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe	97
PID 512 wrote to memory of 1652	512	{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe	97
PID 512 wrote to memory of 868	512	{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe	98
PID 512 wrote to memory of 868	512	{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe	98
PID 512 wrote to memory of 868	512	{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe	98
PID 1652 wrote to memory of 1264	1652	{F0602A59-556B-463b-9488-40A224A1655E}.exe	99
PID 1652 wrote to memory of 1264	1652	{F0602A59-556B-463b-9488-40A224A1655E}.exe	99
PID 1652 wrote to memory of 1264	1652	{F0602A59-556B-463b-9488-40A224A1655E}.exe	99
PID 1652 wrote to memory of 4968	1652	{F0602A59-556B-463b-9488-40A224A1655E}.exe	100
PID 1652 wrote to memory of 4968	1652	{F0602A59-556B-463b-9488-40A224A1655E}.exe	100
PID 1652 wrote to memory of 4968	1652	{F0602A59-556B-463b-9488-40A224A1655E}.exe	100
PID 1264 wrote to memory of 5028	1264	{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe	101
PID 1264 wrote to memory of 5028	1264	{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe	101
PID 1264 wrote to memory of 5028	1264	{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe	101
PID 1264 wrote to memory of 1816	1264	{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe	102
PID 1264 wrote to memory of 1816	1264	{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe	102
PID 1264 wrote to memory of 1816	1264	{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe	102
PID 5028 wrote to memory of 2768	5028	{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe	103
PID 5028 wrote to memory of 2768	5028	{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe	103
PID 5028 wrote to memory of 2768	5028	{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe	103
PID 5028 wrote to memory of 4884	5028	{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe	104
PID 5028 wrote to memory of 4884	5028	{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe	104
PID 5028 wrote to memory of 4884	5028	{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe	104
PID 2768 wrote to memory of 5036	2768	{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe	105
PID 2768 wrote to memory of 5036	2768	{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe	105
PID 2768 wrote to memory of 5036	2768	{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe	105
PID 2768 wrote to memory of 3640	2768	{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe	106
PID 2768 wrote to memory of 3640	2768	{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe	106
PID 2768 wrote to memory of 3640	2768	{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe	106
PID 5036 wrote to memory of 216	5036	{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe	107
PID 5036 wrote to memory of 216	5036	{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe	107
PID 5036 wrote to memory of 216	5036	{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe	107
PID 5036 wrote to memory of 1464	5036	{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe	108
PID 5036 wrote to memory of 1464	5036	{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe	108
PID 5036 wrote to memory of 1464	5036	{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe	108
PID 216 wrote to memory of 1672	216	{CCABA219-A86F-48fc-8F69-755705370D97}.exe	109
PID 216 wrote to memory of 1672	216	{CCABA219-A86F-48fc-8F69-755705370D97}.exe	109
PID 216 wrote to memory of 1672	216	{CCABA219-A86F-48fc-8F69-755705370D97}.exe	109
PID 216 wrote to memory of 1252	216	{CCABA219-A86F-48fc-8F69-755705370D97}.exe	110
PID 216 wrote to memory of 1252	216	{CCABA219-A86F-48fc-8F69-755705370D97}.exe	110
PID 216 wrote to memory of 1252	216	{CCABA219-A86F-48fc-8F69-755705370D97}.exe	110
PID 1672 wrote to memory of 2240	1672	{32717797-0977-4d54-81D2-B4484D378102}.exe	111
PID 1672 wrote to memory of 2240	1672	{32717797-0977-4d54-81D2-B4484D378102}.exe	111
PID 1672 wrote to memory of 2240	1672	{32717797-0977-4d54-81D2-B4484D378102}.exe	111
PID 1672 wrote to memory of 1052	1672	{32717797-0977-4d54-81D2-B4484D378102}.exe	112
PID 1672 wrote to memory of 1052	1672	{32717797-0977-4d54-81D2-B4484D378102}.exe	112
PID 1672 wrote to memory of 1052	1672	{32717797-0977-4d54-81D2-B4484D378102}.exe	112
PID 2240 wrote to memory of 5060	2240	{C047C09B-1761-46cd-B94B-B93B19395730}.exe	113
PID 2240 wrote to memory of 5060	2240	{C047C09B-1761-46cd-B94B-B93B19395730}.exe	113
PID 2240 wrote to memory of 5060	2240	{C047C09B-1761-46cd-B94B-B93B19395730}.exe	113
PID 2240 wrote to memory of 1012	2240	{C047C09B-1761-46cd-B94B-B93B19395730}.exe	114

C:\Users\Admin\AppData\Local\Temp\2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_085463c90b4bb4e02632734fa032b375_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe
  C:\Windows\{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe
    C:\Windows\{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:512
  - - C:\Windows\{F0602A59-556B-463b-9488-40A224A1655E}.exe
      C:\Windows\{F0602A59-556B-463b-9488-40A224A1655E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe
        
        C:\Windows\{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
      - C:\Windows\{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe
        
        C:\Windows\{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe
        
        C:\Windows\{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe
        
        C:\Windows\{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\{CCABA219-A86F-48fc-8F69-755705370D97}.exe
        
        C:\Windows\{CCABA219-A86F-48fc-8F69-755705370D97}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\{32717797-0977-4d54-81D2-B4484D378102}.exe
        
        C:\Windows\{32717797-0977-4d54-81D2-B4484D378102}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{C047C09B-1761-46cd-B94B-B93B19395730}.exe
        
        C:\Windows\{C047C09B-1761-46cd-B94B-B93B19395730}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\{35631F37-7A00-4069-B48E-FFB286ADA57B}.exe
        
        C:\Windows\{35631F37-7A00-4069-B48E-FFB286ADA57B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\{6311CE12-0E83-4d5b-9586-CF82483F79E4}.exe
        
        C:\Windows\{6311CE12-0E83-4d5b-9586-CF82483F79E4}.exe
        13⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35631~1.EXE > nul
        13⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C047C~1.EXE > nul
        12⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32717~1.EXE > nul
        11⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCABA~1.EXE > nul
        10⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8B53~1.EXE > nul
        9⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CAC3~1.EXE > nul
        8⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8067F~1.EXE > nul
        7⤵
        
        PID:4884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4B46~1.EXE > nul
        6⤵
        
        PID:1816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0602~1.EXE > nul
        5⤵
        
        PID:4968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D083A~1.EXE > nul
      4⤵
      PID:868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B3647~1.EXE > nul
    3⤵
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CAC384C-0C79-41ae-9F39-800C4B3BE6C1}.exe

Filesize
180KB

MD5
cdfaa483831d575664f81149484dd718

SHA1
3fb6150802f903de24fd009eccc0de090a298f2a

SHA256
686c83aeae861acae7edb065841369f830a6cd50142c68b9a5bde217fe995b1c

SHA512
e53c184874b6caf4b83fc207c4f71ed72ba8229211560de3367258787cd759375487f3a2d274f084e15670003a19b32bc2fd8e7775878f9b445d0f69eee5146a

Download Submit
C:\Windows\{32717797-0977-4d54-81D2-B4484D378102}.exe

Filesize
180KB

MD5
b31337f19f375f622d98646698cfba45

SHA1
64710da6de46c00a5eddd63e62b93935515ea14c

SHA256
1d40c1fecfb7ab73bae846a8d30e963db0e6ba453691a73ddbc1c7bf222913dd

SHA512
db48d8c42b3c792df57a800766cbcb812efe0a53d37691ec0756501072af24505c1ecb921b21dc1e719d7a46794571a6f4c031b09994966806e0861a422b47ac

Download Submit
C:\Windows\{35631F37-7A00-4069-B48E-FFB286ADA57B}.exe

Filesize
180KB

MD5
14d7da7f447092434e084fd797ae5c6d

SHA1
d134df74079e78f2dbcc0093fa5913149b0a0ed6

SHA256
abb98ca2b7b0d7113e036fc9f96de4eace23e7128815ff5a02ffaeae1735036f

SHA512
0b0f12523c52673fcb86dfcb90984363c5cc6ebc18f618e1514ca2a0cca1c9fb1ef872320477e0315e6f7396607e0239657ef782ab62831f206a10ad02303eaa

Download Submit
C:\Windows\{6311CE12-0E83-4d5b-9586-CF82483F79E4}.exe

Filesize
180KB

MD5
c87e13a7b9fb647189428bd8f5d2e05a

SHA1
a6f89fed9d9b5800acb379efb4574cec3c02ef00

SHA256
180fb986e3b66a7dddd76072872dedf2e981e8bfd9e6616fcc744090458c3c5e

SHA512
5b4ca804c06f5bfb82b01d62be3a2f4f335f970ceb951a68d370d55af180fffb0daedca4dd0bb8f1890fe7c319236e5fff0bb79a6f5541f8453c1bb769dbccf0

Download Submit
C:\Windows\{8067F0C3-EEEF-44ff-9F40-DD6794D5045B}.exe

Filesize
180KB

MD5
fd402504f9228e78b4bb10afc2a6558c

SHA1
5eff06b293c4ed026e14736fb099b4f979e29b9e

SHA256
fa764f38d98046a94f5fadfebb142c07a3edc918d5901b0230911bb33a06b1aa

SHA512
1ccfc08aeab4de3cb447c167c7c01b5568ef10b5dc247376526157693594ea04e541ce8595f9d024d5323aee4f436ce02f2b6473a866962a3cd1f9b7f0c5b3e2

Download Submit
C:\Windows\{B3647EB2-0496-49bb-8937-F87C51F2BE47}.exe

Filesize
180KB

MD5
5efa71bb2259174852f361c0cecefbfa

SHA1
9fb31eaa57163b413ef2542a61d4a2051612a251

SHA256
ceb85cf94c52a71a385d002c5d3927f30d8d46f60435a82caf66446d99204d2d

SHA512
e793492540628c4aaa24e8e216da300eb20d8cfd4c977b296bebec7cea3d16c3bbf9cfeae1fcf65af9b5c9299d721f53123fe215b624878709cb0df6efe645e2

Download Submit
C:\Windows\{C047C09B-1761-46cd-B94B-B93B19395730}.exe

Filesize
180KB

MD5
aca8a919cb809a44f32cc281eb8accd4

SHA1
8e14cc2c86e7c007a33921121c7e6a563162b642

SHA256
4373a914eadcc9e318640a8d2067e3ff65cb704f13b8a8f3922c59086ee2ba85

SHA512
cd3a3839bcc5cd37392361c97a1f4a0cc65244ff6ed6625ee20c52c95386367b9838fec324d0644e77efea5658efafb5c31ac20b49a9830b6b47acde5cb2a7f7

Download Submit
C:\Windows\{C4B4696F-F47C-4dcf-B8DA-956395157FDF}.exe

Filesize
180KB

MD5
3fae4abd94d5dacb6024092f3a705540

SHA1
5781fbdfd0ece1a5681674c811141d1681a72e44

SHA256
0371c05aaaf1549668bd1fc3a1e0415408949a7188503d07864428e4bcc6f6c0

SHA512
e7db6710b0c5036ee02c8ac5f910e17f2701538cc6cba72ca808c008fd41a1a5aab19cbb1302c3586002424da9a06a4ebd7cfc8f0529d1b5b06532c1b62be800

Download Submit
C:\Windows\{C8B5331E-08CB-45f1-B1FC-A930A31EA469}.exe

Filesize
180KB

MD5
a21b71519c6a8a13e07dab1bfed702e5

SHA1
d702234d77c0d8a08b67e4f1f3e5d716f207a53b

SHA256
33b389a276adb7780b9922dd3cdf367734b3aaf976b4827a42f56f31039eeca6

SHA512
6a43d480737645ee899628f509f643705ecddad381c90fc85e558af70a38e2ce4d6565f8fca80ee9434c7a89d366412df8a61a1a342d658381db6e64f78ac488

Download Submit
C:\Windows\{CCABA219-A86F-48fc-8F69-755705370D97}.exe

Filesize
180KB

MD5
1304736050f7490a8927b395c505d49c

SHA1
be6b71bfe3ac2741a9642df07a61fcde391259a8

SHA256
e3171faacfa10243811b4a68635576f33578fa090fed6805c1f6785a979a453e

SHA512
b8f5fead95aa70a3eba70e15f2dbaff3175ca7b69cb9a023cc25647c777473ce035465d9c045fffeb5a59204fc8b03d013b0985cf2891ef6c1572496a4a1be85

Download Submit
C:\Windows\{D083A9E6-4707-44dc-A227-7A378DB8EF05}.exe

Filesize
180KB

MD5
6d9fb0011f71b0308cfd707ad72e7a98

SHA1
ceac661cf874ba2a56679cd64597a7407621ed87

SHA256
0c8dc9db0c3db6d3173dec50e9b47643742bb78f62610f5589f44fedb053ac49

SHA512
3780a86fdfcb6e9e81561020fe6aee1a96f871338f4c9ef6ba707db2c8e1a4c0961df5193029859de8182801b2a86ab791870a20be953f652a9ade010152d28a

Download Submit
C:\Windows\{F0602A59-556B-463b-9488-40A224A1655E}.exe

Filesize
180KB

MD5
efc4f3f983c05a27f03e9a89d24609ef

SHA1
82b4e75c7d811d682a804d0c3cdf848c4d2d3ae3

SHA256
f2eec06c03441393dc02a967be672be4028b21f26f70e6f83d27fc58390adb2e

SHA512
f5166c83ef8580db29d23973d9d3917e3faef9119ac6c0a17b6487a21c9818e87adedadeb18ff87a2698a0cf52a6485fdad1131be2521677249fffea454a0068

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads