e7f44ca2e2b667c4028c7b783dbbe402b768051eab6396318f057cfd7d6f0360

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe
Size

180KB
MD5

f3741bca08a664227f2437f039d7dd2c
SHA1

5c5e4b7d12fd0eca38003009060469747874cc63
SHA256

e7f44ca2e2b667c4028c7b783dbbe402b768051eab6396318f057cfd7d6f0360
SHA512

6fb6741c34d2ce0bb26c2fff13d8877f7936fcfa752f7e6039373ff4c076658bb5a1358c5d9ffa603511832a3ebc4d921afaf4bb667613fee93f61146d11c95b
SSDEEP

3072:jEGh0orlfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEG9l5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023389-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00120000000233a0-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00090000000233ad-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x00130000000233a0-15.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000072f-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000400000000072d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a000000023383-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000500000000072d-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000b000000023383-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002341a-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c000000023383-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}\stubpath = "C:\\Windows\\{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe"	{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98C97121-056D-487d-A6A7-49FD0487C147}	{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98C97121-056D-487d-A6A7-49FD0487C147}\stubpath = "C:\\Windows\\{98C97121-056D-487d-A6A7-49FD0487C147}.exe"	{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B7471BF-D03B-4d69-8345-37487F36107B}\stubpath = "C:\\Windows\\{1B7471BF-D03B-4d69-8345-37487F36107B}.exe"	{2712D95D-9365-42c8-9BE1-754184595D2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{170EA1E2-4FAC-4bbb-AE78-4DBC324A8530}	{A9CFDCAF-B321-48f4-898A-90CEDA1F3968}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B7471BF-D03B-4d69-8345-37487F36107B}	{2712D95D-9365-42c8-9BE1-754184595D2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC561C15-2A37-4571-9316-E3BD17767CFC}\stubpath = "C:\\Windows\\{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe"	{1B7471BF-D03B-4d69-8345-37487F36107B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C684CEDA-1764-4998-B932-5210022232C9}\stubpath = "C:\\Windows\\{C684CEDA-1764-4998-B932-5210022232C9}.exe"	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C635363-8BA2-4890-90CB-EBB5B85367B4}\stubpath = "C:\\Windows\\{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe"	{C684CEDA-1764-4998-B932-5210022232C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}	{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2712D95D-9365-42c8-9BE1-754184595D2A}	{98C97121-056D-487d-A6A7-49FD0487C147}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2712D95D-9365-42c8-9BE1-754184595D2A}\stubpath = "C:\\Windows\\{2712D95D-9365-42c8-9BE1-754184595D2A}.exe"	{98C97121-056D-487d-A6A7-49FD0487C147}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C684CEDA-1764-4998-B932-5210022232C9}	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9CFDCAF-B321-48f4-898A-90CEDA1F3968}	{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{170EA1E2-4FAC-4bbb-AE78-4DBC324A8530}\stubpath = "C:\\Windows\\{170EA1E2-4FAC-4bbb-AE78-4DBC324A8530}.exe"	{A9CFDCAF-B321-48f4-898A-90CEDA1F3968}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}\stubpath = "C:\\Windows\\{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe"	{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DC95A31-2E7F-46c9-80FE-EEA15C037343}	{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DC95A31-2E7F-46c9-80FE-EEA15C037343}\stubpath = "C:\\Windows\\{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe"	{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C635363-8BA2-4890-90CB-EBB5B85367B4}	{C684CEDA-1764-4998-B932-5210022232C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC561C15-2A37-4571-9316-E3BD17767CFC}	{1B7471BF-D03B-4d69-8345-37487F36107B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}	{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}\stubpath = "C:\\Windows\\{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe"	{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}	{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9CFDCAF-B321-48f4-898A-90CEDA1F3968}\stubpath = "C:\\Windows\\{A9CFDCAF-B321-48f4-898A-90CEDA1F3968}.exe"	{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe

Executes dropped EXE 12 IoCs

pid	Process
4064	{C684CEDA-1764-4998-B932-5210022232C9}.exe
4692	{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe
4676	{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe
4312	{98C97121-056D-487d-A6A7-49FD0487C147}.exe
3516	{2712D95D-9365-42c8-9BE1-754184595D2A}.exe
3396	{1B7471BF-D03B-4d69-8345-37487F36107B}.exe
1996	{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe
1560	{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe
2436	{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe
1440	{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe
1688	{A9CFDCAF-B321-48f4-898A-90CEDA1F3968}.exe
5104	{170EA1E2-4FAC-4bbb-AE78-4DBC324A8530}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C684CEDA-1764-4998-B932-5210022232C9}.exe	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe
File created	C:\Windows\{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe	{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe
File created	C:\Windows\{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe	{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe
File created	C:\Windows\{1B7471BF-D03B-4d69-8345-37487F36107B}.exe	{2712D95D-9365-42c8-9BE1-754184595D2A}.exe
File created	C:\Windows\{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe	{1B7471BF-D03B-4d69-8345-37487F36107B}.exe
File created	C:\Windows\{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe	{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe
File created	C:\Windows\{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe	{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe
File created	C:\Windows\{A9CFDCAF-B321-48f4-898A-90CEDA1F3968}.exe	{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe
File created	C:\Windows\{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe	{C684CEDA-1764-4998-B932-5210022232C9}.exe
File created	C:\Windows\{98C97121-056D-487d-A6A7-49FD0487C147}.exe	{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe
File created	C:\Windows\{2712D95D-9365-42c8-9BE1-754184595D2A}.exe	{98C97121-056D-487d-A6A7-49FD0487C147}.exe
File created	C:\Windows\{170EA1E2-4FAC-4bbb-AE78-4DBC324A8530}.exe	{A9CFDCAF-B321-48f4-898A-90CEDA1F3968}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4880	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4064	{C684CEDA-1764-4998-B932-5210022232C9}.exe
Token: SeIncBasePriorityPrivilege	4692	{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe
Token: SeIncBasePriorityPrivilege	4676	{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe
Token: SeIncBasePriorityPrivilege	4312	{98C97121-056D-487d-A6A7-49FD0487C147}.exe
Token: SeIncBasePriorityPrivilege	3516	{2712D95D-9365-42c8-9BE1-754184595D2A}.exe
Token: SeIncBasePriorityPrivilege	3396	{1B7471BF-D03B-4d69-8345-37487F36107B}.exe
Token: SeIncBasePriorityPrivilege	1996	{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe
Token: SeIncBasePriorityPrivilege	1560	{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe
Token: SeIncBasePriorityPrivilege	2436	{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe
Token: SeIncBasePriorityPrivilege	1440	{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe
Token: SeIncBasePriorityPrivilege	1688	{A9CFDCAF-B321-48f4-898A-90CEDA1F3968}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4064	4880	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	97
PID 4880 wrote to memory of 4064	4880	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	97
PID 4880 wrote to memory of 4064	4880	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	97
PID 4880 wrote to memory of 2368	4880	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	98
PID 4880 wrote to memory of 2368	4880	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	98
PID 4880 wrote to memory of 2368	4880	2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe	98
PID 4064 wrote to memory of 4692	4064	{C684CEDA-1764-4998-B932-5210022232C9}.exe	99
PID 4064 wrote to memory of 4692	4064	{C684CEDA-1764-4998-B932-5210022232C9}.exe	99
PID 4064 wrote to memory of 4692	4064	{C684CEDA-1764-4998-B932-5210022232C9}.exe	99
PID 4064 wrote to memory of 2040	4064	{C684CEDA-1764-4998-B932-5210022232C9}.exe	100
PID 4064 wrote to memory of 2040	4064	{C684CEDA-1764-4998-B932-5210022232C9}.exe	100
PID 4064 wrote to memory of 2040	4064	{C684CEDA-1764-4998-B932-5210022232C9}.exe	100
PID 4692 wrote to memory of 4676	4692	{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe	103
PID 4692 wrote to memory of 4676	4692	{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe	103
PID 4692 wrote to memory of 4676	4692	{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe	103
PID 4692 wrote to memory of 2876	4692	{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe	104
PID 4692 wrote to memory of 2876	4692	{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe	104
PID 4692 wrote to memory of 2876	4692	{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe	104
PID 4676 wrote to memory of 4312	4676	{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe	105
PID 4676 wrote to memory of 4312	4676	{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe	105
PID 4676 wrote to memory of 4312	4676	{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe	105
PID 4676 wrote to memory of 4524	4676	{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe	106
PID 4676 wrote to memory of 4524	4676	{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe	106
PID 4676 wrote to memory of 4524	4676	{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe	106
PID 4312 wrote to memory of 3516	4312	{98C97121-056D-487d-A6A7-49FD0487C147}.exe	108
PID 4312 wrote to memory of 3516	4312	{98C97121-056D-487d-A6A7-49FD0487C147}.exe	108
PID 4312 wrote to memory of 3516	4312	{98C97121-056D-487d-A6A7-49FD0487C147}.exe	108
PID 4312 wrote to memory of 3672	4312	{98C97121-056D-487d-A6A7-49FD0487C147}.exe	109
PID 4312 wrote to memory of 3672	4312	{98C97121-056D-487d-A6A7-49FD0487C147}.exe	109
PID 4312 wrote to memory of 3672	4312	{98C97121-056D-487d-A6A7-49FD0487C147}.exe	109
PID 3516 wrote to memory of 3396	3516	{2712D95D-9365-42c8-9BE1-754184595D2A}.exe	110
PID 3516 wrote to memory of 3396	3516	{2712D95D-9365-42c8-9BE1-754184595D2A}.exe	110
PID 3516 wrote to memory of 3396	3516	{2712D95D-9365-42c8-9BE1-754184595D2A}.exe	110
PID 3516 wrote to memory of 4708	3516	{2712D95D-9365-42c8-9BE1-754184595D2A}.exe	111
PID 3516 wrote to memory of 4708	3516	{2712D95D-9365-42c8-9BE1-754184595D2A}.exe	111
PID 3516 wrote to memory of 4708	3516	{2712D95D-9365-42c8-9BE1-754184595D2A}.exe	111
PID 3396 wrote to memory of 1996	3396	{1B7471BF-D03B-4d69-8345-37487F36107B}.exe	112
PID 3396 wrote to memory of 1996	3396	{1B7471BF-D03B-4d69-8345-37487F36107B}.exe	112
PID 3396 wrote to memory of 1996	3396	{1B7471BF-D03B-4d69-8345-37487F36107B}.exe	112
PID 3396 wrote to memory of 3020	3396	{1B7471BF-D03B-4d69-8345-37487F36107B}.exe	113
PID 3396 wrote to memory of 3020	3396	{1B7471BF-D03B-4d69-8345-37487F36107B}.exe	113
PID 3396 wrote to memory of 3020	3396	{1B7471BF-D03B-4d69-8345-37487F36107B}.exe	113
PID 1996 wrote to memory of 1560	1996	{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe	121
PID 1996 wrote to memory of 1560	1996	{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe	121
PID 1996 wrote to memory of 1560	1996	{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe	121
PID 1996 wrote to memory of 3360	1996	{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe	122
PID 1996 wrote to memory of 3360	1996	{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe	122
PID 1996 wrote to memory of 3360	1996	{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe	122
PID 1560 wrote to memory of 2436	1560	{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe	123
PID 1560 wrote to memory of 2436	1560	{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe	123
PID 1560 wrote to memory of 2436	1560	{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe	123
PID 1560 wrote to memory of 4144	1560	{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe	124
PID 1560 wrote to memory of 4144	1560	{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe	124
PID 1560 wrote to memory of 4144	1560	{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe	124
PID 2436 wrote to memory of 1440	2436	{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe	125
PID 2436 wrote to memory of 1440	2436	{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe	125
PID 2436 wrote to memory of 1440	2436	{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe	125
PID 2436 wrote to memory of 3980	2436	{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe	126
PID 2436 wrote to memory of 3980	2436	{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe	126
PID 2436 wrote to memory of 3980	2436	{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe	126
PID 1440 wrote to memory of 1688	1440	{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe	129
PID 1440 wrote to memory of 1688	1440	{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe	129
PID 1440 wrote to memory of 1688	1440	{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe	129
PID 1440 wrote to memory of 4188	1440	{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe	130

C:\Users\Admin\AppData\Local\Temp\2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_f3741bca08a664227f2437f039d7dd2c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\{C684CEDA-1764-4998-B932-5210022232C9}.exe
  C:\Windows\{C684CEDA-1764-4998-B932-5210022232C9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe
    C:\Windows\{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe
      C:\Windows\{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\{98C97121-056D-487d-A6A7-49FD0487C147}.exe
        
        C:\Windows\{98C97121-056D-487d-A6A7-49FD0487C147}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
      - C:\Windows\{2712D95D-9365-42c8-9BE1-754184595D2A}.exe
        
        C:\Windows\{2712D95D-9365-42c8-9BE1-754184595D2A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\{1B7471BF-D03B-4d69-8345-37487F36107B}.exe
        
        C:\Windows\{1B7471BF-D03B-4d69-8345-37487F36107B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe
        
        C:\Windows\{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe
        
        C:\Windows\{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe
        
        C:\Windows\{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe
        
        C:\Windows\{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\{A9CFDCAF-B321-48f4-898A-90CEDA1F3968}.exe
        
        C:\Windows\{A9CFDCAF-B321-48f4-898A-90CEDA1F3968}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\{170EA1E2-4FAC-4bbb-AE78-4DBC324A8530}.exe
        
        C:\Windows\{170EA1E2-4FAC-4bbb-AE78-4DBC324A8530}.exe
        13⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9CFD~1.EXE > nul
        13⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DC95~1.EXE > nul
        12⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00539~1.EXE > nul
        11⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{533CD~1.EXE > nul
        10⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC561~1.EXE > nul
        9⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B747~1.EXE > nul
        8⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2712D~1.EXE > nul
        7⤵
        
        PID:4708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98C97~1.EXE > nul
        6⤵
        
        PID:3672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46BFD~1.EXE > nul
        5⤵
        
        PID:4524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4C635~1.EXE > nul
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C684C~1.EXE > nul
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00539CEE-F1E3-4d97-A8C0-75C2A61BB438}.exe

Filesize
180KB

MD5
914de74b581b473b965dabf3d2f931db

SHA1
dbd8c1d67f7e2aa4611ab8f58258e725781b1e00

SHA256
f9357bdfa1daca6954544f986b3f97a52baeb3d7d1d99a5f0021eb4e7fd45a38

SHA512
ae8d207d9a85821cf80d56653a7a6d856f09536a4af556fbbb0f779b215232d0071a749021350373997c24ea20dda911d907b2587dd15b74c2fc5a346374630e

Download Submit
C:\Windows\{170EA1E2-4FAC-4bbb-AE78-4DBC324A8530}.exe

Filesize
180KB

MD5
3d736a0dbce13260ed7d8c02297355df

SHA1
c0885fc33bbe101cbe9863637cf31dd8bc44eef0

SHA256
863cbec3767ce5d507b52791e766633d4ec9e8b5a32f258049d400302cff67ed

SHA512
afaf02031424af1a970bca507f1b52765cf95ecfa287b08fca564f92dd05198b946a60801bf4492f4cee576da81c689c5e668f28e45de2a524cfc13722d6106a

Download Submit
C:\Windows\{1B7471BF-D03B-4d69-8345-37487F36107B}.exe

Filesize
180KB

MD5
d8cf55dfa98f87dd78d9bc3ad9296a01

SHA1
ae467f359e6ad283ad738d0a7c78973eae1ff848

SHA256
3c8aaa51406d67f4eae5f0a4b891b3ad6bc8c733b4ad16669385ae1cbacd0938

SHA512
227beb4540a3b38cb5b5a951ce513ebef40ed1a80151a69ecd7f295160b4a64df92cc630afeb5a51010d61cae000e4728a075086577c010686faecfdbc6e8580

Download Submit
C:\Windows\{2712D95D-9365-42c8-9BE1-754184595D2A}.exe

Filesize
180KB

MD5
a3d9f1e3e20cc0d86082846ebb9de2eb

SHA1
4638414b6bef1a71c5009555592f394d907f370b

SHA256
edf7288d19de0ef8bfecefa7d885011fcf0b03177f54171fe45c4513c0b003a0

SHA512
ef80ac86aaa154fb98d267fcfe5ecb8d0d11f0f07f841830500ad97c7e9ccedff2064503f377bb798fd577bff5e6f56828b097eb2fd32219c38402729af6c39f

Download Submit
C:\Windows\{46BFDD8D-BE64-4963-A645-FEA9A0B08CDD}.exe

Filesize
180KB

MD5
21e000a647f7cc446c579a43c5cd519c

SHA1
bbe6271bb0541096559f32bbe813aa82f21e99f2

SHA256
3c9fecb24f78ba29aee0e598b59d79fbf79d5b49f2ff26306035959cfbaf4251

SHA512
c4fe28c0c148d3540182e64d1c28f667aaf320665607aded6ca08f8ca7127d2e43b9f6c0600dcf6a70f2920e3ab8193415ae1258967807cf245789c53a7dd263

Download Submit
C:\Windows\{4C635363-8BA2-4890-90CB-EBB5B85367B4}.exe

Filesize
180KB

MD5
871a81fe151bbcbe5a879c10aee4b393

SHA1
aeca1155b1b182265264ee8ac226699de5726559

SHA256
c1efb9e9aaefa72818540e4706925d8d8a08eb36ab580009554b1d5be4bc909c

SHA512
656f97b3501a53844d667571b310a30e74397cb189432e5a7b3e0a0bacf2870337ee9185ba2688f503c557b9d75442aa0d0553d179cb8b850d39af72f7852337

Download Submit
C:\Windows\{533CDE1B-8567-439a-ABE7-37C50BFEFAAB}.exe

Filesize
180KB

MD5
bdacda30840ab194054c60405a25b72b

SHA1
f47fdb1b5b8248121e565dee187c024577020682

SHA256
422d9d0da230c99aa53f5b641f92fc29149fcbca34e7bf6c6191c6d34d806917

SHA512
99d0b1993b54f2ed75a6a09d8b3c6f6871c890cf31facfba5880401cf1a9df154ffd3279c776f774952f907f4955b129c6f9b04e6091281b05f509c07fd81a88

Download Submit
C:\Windows\{8DC95A31-2E7F-46c9-80FE-EEA15C037343}.exe

Filesize
180KB

MD5
9aa5731da1e1f52ffd9f6da3bad477fa

SHA1
e840d0a9ec423be3559e0b470dca2fc122d2f462

SHA256
efbd8cc503a0d2d27bf57cdb9d08380598feb55b3db6aa57946d8304019a8e84

SHA512
a516a450f12298500bc66b4f7113e5b5038053854bed6818f7a51518d5e966ddf3809db1a8a8b386ae6cc7ff496428af3848a47de2923cfd48222959d8ce1c2c

Download Submit
C:\Windows\{98C97121-056D-487d-A6A7-49FD0487C147}.exe

Filesize
180KB

MD5
e272dd36d155b12e8057f64842a28cba

SHA1
e55bd74142e306242f92b7dc7fdd712724fd7c82

SHA256
265821da2138d9e4e4d4523831f2f24a290c2a4c6bb9f897eda55146219d2c9c

SHA512
194c0ed9d92e3a0e8a1bae125eb11cbb62d76b45e08f45345be4678ae131849968ae08588f766a42013241654470b634fb6e8f147da562ce97a30370e83e8b75

Download Submit
C:\Windows\{A9CFDCAF-B321-48f4-898A-90CEDA1F3968}.exe

Filesize
180KB

MD5
6bede1468106810f7dc390dd12e9f988

SHA1
560ebd53b726a8906dd167aa87fd370aed7b93a3

SHA256
05f83c2d16517ad8bd113cfae89feeee2f6da75751099c40a27981eab196cb12

SHA512
4012ae090a3d88cc3733f1548ed5b43bbc0615dcb2e246fc1830b2053d233b8d520a322e591aeb2cfe77d65c5789137065f3e2410aa29d8df15f4afd26b14d46

Download Submit
C:\Windows\{BC561C15-2A37-4571-9316-E3BD17767CFC}.exe

Filesize
180KB

MD5
7955ff06964de5666af0c406ccd5a199

SHA1
7bcf67be83226bfc5525ae61f944ef8096bc71ca

SHA256
ed8fc548658e559a41f09f31a8436f05a45b38a43005e7e38e587197f7d5723c

SHA512
1fcfcda2935b226ab40c7c666d2455201b26d56c5c0d46fc2f4c8deffdc559f34f1ec980080b124d0c73d56f0d6d97b83a23f45c869b8fb1a26c7418aa94167c

Download Submit
C:\Windows\{C684CEDA-1764-4998-B932-5210022232C9}.exe

Filesize
180KB

MD5
72e4c58b15af9b3a18e2876aa1cb8aee

SHA1
c0111bfc6fa2e3c283371b580b8b3535d13cad4f

SHA256
3b6f1238473651075c6cbee44539d3d9dee588988d7d72772234d162bd7727cc

SHA512
2b74818e11b714fa7ac2295a77d8634347eedb9ecd2a97edb0eb76fa3a5fbbb8c9fdcd2307d848b6dd535ffa19320d6f6ed5219e0bd4aae6c840de7a5ed78f5c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads