3b7fe1a1741bb0a552792ca843a2163837ddb85efd1fa696ac55573465d8efa8

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 21:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe
Size

168KB
MD5

68f6c8a3298d159d4c69229b9734330c
SHA1

6ef316ac15274219ee6268eb628309bf45be0f5c
SHA256

3b7fe1a1741bb0a552792ca843a2163837ddb85efd1fa696ac55573465d8efa8
SHA512

dd86f8cba90beaf1abbf3a06ea737779ad495a0b4f85d874ee348cd29594325ec3486a13ae61b19d6338dc9b284ab23cef99e40d17c3362332b9a49b3425cff2
SSDEEP

1536:1EGh0oIlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oIlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 13 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012281-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000133bf-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012281-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-62.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A8AAD34-810F-4611-8BCC-C5F9DFA262E8}	{E2BA6F14-56DB-4cd7-964B-324AFC953D76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A8AAD34-810F-4611-8BCC-C5F9DFA262E8}\stubpath = "C:\\Windows\\{0A8AAD34-810F-4611-8BCC-C5F9DFA262E8}.exe"	{E2BA6F14-56DB-4cd7-964B-324AFC953D76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85777CBD-5CE5-43fc-B860-A95F942DB2B5}\stubpath = "C:\\Windows\\{85777CBD-5CE5-43fc-B860-A95F942DB2B5}.exe"	{0A8AAD34-810F-4611-8BCC-C5F9DFA262E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}\stubpath = "C:\\Windows\\{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe"	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2BA6F14-56DB-4cd7-964B-324AFC953D76}\stubpath = "C:\\Windows\\{E2BA6F14-56DB-4cd7-964B-324AFC953D76}.exe"	{A4E0993A-7C66-4f7e-B659-A7303E78D02B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83C114B-F882-46c3-B94A-28B22895C8AB}	{C115908B-7A42-422f-8207-413F7FD80969}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83C114B-F882-46c3-B94A-28B22895C8AB}\stubpath = "C:\\Windows\\{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe"	{C115908B-7A42-422f-8207-413F7FD80969}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B3D81E5-ECA9-4769-885E-8E54AB66376A}\stubpath = "C:\\Windows\\{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe"	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2BA6F14-56DB-4cd7-964B-324AFC953D76}	{A4E0993A-7C66-4f7e-B659-A7303E78D02B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}\stubpath = "C:\\Windows\\{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe"	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C115908B-7A42-422f-8207-413F7FD80969}	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}\stubpath = "C:\\Windows\\{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe"	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{066D0687-826F-4407-8CF7-716DDDBE4AE6}\stubpath = "C:\\Windows\\{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe"	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B3D81E5-ECA9-4769-885E-8E54AB66376A}	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4E0993A-7C66-4f7e-B659-A7303E78D02B}	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4E0993A-7C66-4f7e-B659-A7303E78D02B}\stubpath = "C:\\Windows\\{A4E0993A-7C66-4f7e-B659-A7303E78D02B}.exe"	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85777CBD-5CE5-43fc-B860-A95F942DB2B5}	{0A8AAD34-810F-4611-8BCC-C5F9DFA262E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C115908B-7A42-422f-8207-413F7FD80969}\stubpath = "C:\\Windows\\{C115908B-7A42-422f-8207-413F7FD80969}.exe"	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{066D0687-826F-4407-8CF7-716DDDBE4AE6}	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe

Deletes itself 1 IoCs

pid	Process
2436	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2656	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe
2712	{C115908B-7A42-422f-8207-413F7FD80969}.exe
1952	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe
1560	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe
1512	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe
1728	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe
2916	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe
312	{A4E0993A-7C66-4f7e-B659-A7303E78D02B}.exe
1288	{E2BA6F14-56DB-4cd7-964B-324AFC953D76}.exe
2152	{0A8AAD34-810F-4611-8BCC-C5F9DFA262E8}.exe
1720	{85777CBD-5CE5-43fc-B860-A95F942DB2B5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe
File created	C:\Windows\{A4E0993A-7C66-4f7e-B659-A7303E78D02B}.exe	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe
File created	C:\Windows\{E2BA6F14-56DB-4cd7-964B-324AFC953D76}.exe	{A4E0993A-7C66-4f7e-B659-A7303E78D02B}.exe
File created	C:\Windows\{85777CBD-5CE5-43fc-B860-A95F942DB2B5}.exe	{0A8AAD34-810F-4611-8BCC-C5F9DFA262E8}.exe
File created	C:\Windows\{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe	{C115908B-7A42-422f-8207-413F7FD80969}.exe
File created	C:\Windows\{C115908B-7A42-422f-8207-413F7FD80969}.exe	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe
File created	C:\Windows\{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe
File created	C:\Windows\{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe
File created	C:\Windows\{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe
File created	C:\Windows\{0A8AAD34-810F-4611-8BCC-C5F9DFA262E8}.exe	{E2BA6F14-56DB-4cd7-964B-324AFC953D76}.exe
File created	C:\Windows\{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2540	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2656	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe
Token: SeIncBasePriorityPrivilege	2712	{C115908B-7A42-422f-8207-413F7FD80969}.exe
Token: SeIncBasePriorityPrivilege	1952	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe
Token: SeIncBasePriorityPrivilege	1560	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe
Token: SeIncBasePriorityPrivilege	1512	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe
Token: SeIncBasePriorityPrivilege	1728	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe
Token: SeIncBasePriorityPrivilege	2916	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe
Token: SeIncBasePriorityPrivilege	312	{A4E0993A-7C66-4f7e-B659-A7303E78D02B}.exe
Token: SeIncBasePriorityPrivilege	1288	{E2BA6F14-56DB-4cd7-964B-324AFC953D76}.exe
Token: SeIncBasePriorityPrivilege	2152	{0A8AAD34-810F-4611-8BCC-C5F9DFA262E8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2656	2540	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	28
PID 2540 wrote to memory of 2656	2540	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	28
PID 2540 wrote to memory of 2656	2540	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	28
PID 2540 wrote to memory of 2656	2540	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	28
PID 2540 wrote to memory of 2436	2540	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	29
PID 2540 wrote to memory of 2436	2540	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	29
PID 2540 wrote to memory of 2436	2540	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	29
PID 2540 wrote to memory of 2436	2540	2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe	29
PID 2656 wrote to memory of 2712	2656	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe	30
PID 2656 wrote to memory of 2712	2656	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe	30
PID 2656 wrote to memory of 2712	2656	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe	30
PID 2656 wrote to memory of 2712	2656	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe	30
PID 2656 wrote to memory of 3028	2656	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe	31
PID 2656 wrote to memory of 3028	2656	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe	31
PID 2656 wrote to memory of 3028	2656	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe	31
PID 2656 wrote to memory of 3028	2656	{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe	31
PID 2712 wrote to memory of 1952	2712	{C115908B-7A42-422f-8207-413F7FD80969}.exe	32
PID 2712 wrote to memory of 1952	2712	{C115908B-7A42-422f-8207-413F7FD80969}.exe	32
PID 2712 wrote to memory of 1952	2712	{C115908B-7A42-422f-8207-413F7FD80969}.exe	32
PID 2712 wrote to memory of 1952	2712	{C115908B-7A42-422f-8207-413F7FD80969}.exe	32
PID 2712 wrote to memory of 2672	2712	{C115908B-7A42-422f-8207-413F7FD80969}.exe	33
PID 2712 wrote to memory of 2672	2712	{C115908B-7A42-422f-8207-413F7FD80969}.exe	33
PID 2712 wrote to memory of 2672	2712	{C115908B-7A42-422f-8207-413F7FD80969}.exe	33
PID 2712 wrote to memory of 2672	2712	{C115908B-7A42-422f-8207-413F7FD80969}.exe	33
PID 1952 wrote to memory of 1560	1952	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe	36
PID 1952 wrote to memory of 1560	1952	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe	36
PID 1952 wrote to memory of 1560	1952	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe	36
PID 1952 wrote to memory of 1560	1952	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe	36
PID 1952 wrote to memory of 2956	1952	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe	37
PID 1952 wrote to memory of 2956	1952	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe	37
PID 1952 wrote to memory of 2956	1952	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe	37
PID 1952 wrote to memory of 2956	1952	{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe	37
PID 1560 wrote to memory of 1512	1560	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe	38
PID 1560 wrote to memory of 1512	1560	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe	38
PID 1560 wrote to memory of 1512	1560	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe	38
PID 1560 wrote to memory of 1512	1560	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe	38
PID 1560 wrote to memory of 1876	1560	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe	39
PID 1560 wrote to memory of 1876	1560	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe	39
PID 1560 wrote to memory of 1876	1560	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe	39
PID 1560 wrote to memory of 1876	1560	{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe	39
PID 1512 wrote to memory of 1728	1512	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe	41
PID 1512 wrote to memory of 1728	1512	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe	41
PID 1512 wrote to memory of 1728	1512	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe	41
PID 1512 wrote to memory of 1728	1512	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe	41
PID 1512 wrote to memory of 2840	1512	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe	40
PID 1512 wrote to memory of 2840	1512	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe	40
PID 1512 wrote to memory of 2840	1512	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe	40
PID 1512 wrote to memory of 2840	1512	{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe	40
PID 1728 wrote to memory of 2916	1728	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe	42
PID 1728 wrote to memory of 2916	1728	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe	42
PID 1728 wrote to memory of 2916	1728	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe	42
PID 1728 wrote to memory of 2916	1728	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe	42
PID 1728 wrote to memory of 652	1728	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe	43
PID 1728 wrote to memory of 652	1728	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe	43
PID 1728 wrote to memory of 652	1728	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe	43
PID 1728 wrote to memory of 652	1728	{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe	43
PID 2916 wrote to memory of 312	2916	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe	44
PID 2916 wrote to memory of 312	2916	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe	44
PID 2916 wrote to memory of 312	2916	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe	44
PID 2916 wrote to memory of 312	2916	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe	44
PID 2916 wrote to memory of 2980	2916	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe	45
PID 2916 wrote to memory of 2980	2916	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe	45
PID 2916 wrote to memory of 2980	2916	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe	45
PID 2916 wrote to memory of 2980	2916	{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-26_68f6c8a3298d159d4c69229b9734330c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe
  C:\Windows\{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\{C115908B-7A42-422f-8207-413F7FD80969}.exe
    C:\Windows\{C115908B-7A42-422f-8207-413F7FD80969}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe
      C:\Windows\{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe
        
        C:\Windows\{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Windows\{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe
        
        C:\Windows\{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA44F~1.EXE > nul
        7⤵
        
        PID:2840
        
        C:\Windows\{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe
        
        C:\Windows\{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe
        
        C:\Windows\{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{A4E0993A-7C66-4f7e-B659-A7303E78D02B}.exe
        
        C:\Windows\{A4E0993A-7C66-4f7e-B659-A7303E78D02B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
        
        C:\Windows\{E2BA6F14-56DB-4cd7-964B-324AFC953D76}.exe
        
        C:\Windows\{E2BA6F14-56DB-4cd7-964B-324AFC953D76}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\{0A8AAD34-810F-4611-8BCC-C5F9DFA262E8}.exe
        
        C:\Windows\{0A8AAD34-810F-4611-8BCC-C5F9DFA262E8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\{85777CBD-5CE5-43fc-B860-A95F942DB2B5}.exe
        
        C:\Windows\{85777CBD-5CE5-43fc-B860-A95F942DB2B5}.exe
        12⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A8AA~1.EXE > nul
        12⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2BA6~1.EXE > nul
        11⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4E09~1.EXE > nul
        10⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B3D8~1.EXE > nul
        9⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43FBE~1.EXE > nul
        8⤵
        
        PID:652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{066D0~1.EXE > nul
        6⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E83C1~1.EXE > nul
        5⤵
        
        PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C1159~1.EXE > nul
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86FA6~1.EXE > nul
    3⤵
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{066D0687-826F-4407-8CF7-716DDDBE4AE6}.exe

Filesize
168KB

MD5
c7d51292266649a12c4180010396643a

SHA1
7476b331771b14276a3098642981b8fa08abbf83

SHA256
bb379197daf27605964aea7d4e28759d7a56a0f62c10d116fedb7b02ca2ef615

SHA512
dfe46099232d8554d9790a94c274d32aff5d87e79386a13212bf935b92255bee756f3dd5e417ca3aacae4fb76f114d8471d3c2b839c0ab5ff4bebd314e9219f9

Download Submit
C:\Windows\{0A8AAD34-810F-4611-8BCC-C5F9DFA262E8}.exe

Filesize
168KB

MD5
8cfd1a0fc96143c658e4e71ccd1abb6c

SHA1
3e276c0667cb85c7da7990082f990ce3deb6d94c

SHA256
0d9dec984a6cd55a86eebbf74ca3354ea39041fabc7fe23477ebcf8ea378e94d

SHA512
650e9ca4fdafe4d4581bc8384d94f6679da88b3b4f7e37a0300af73a50d860e1d01d2046b86a334e1be63ff3e691120766b4ff0b8dbe5d2885ce7f5e444be682

Download Submit
C:\Windows\{0B3D81E5-ECA9-4769-885E-8E54AB66376A}.exe

Filesize
168KB

MD5
7bd2975fc979884586cdce28b755103b

SHA1
5eae861e8b2870e545dad42ef524e29fb26072b8

SHA256
6b502d1a029f4081960cc4f0bfc345e8dc244bf08d79485b034ba201dff6ec75

SHA512
f376280a4b1295834669d5f60ad9fe590125a20d536f54aead73e8d9cb9d676cee05c30877e3079cf7a75eae98f89b29032f87e0c8c3916fc04926f5c4095df5

Download Submit
C:\Windows\{43FBE7DA-BAB1-424b-BBF0-CB3B17B974DC}.exe

Filesize
168KB

MD5
9a0492cafe679c6095ffc0eeba63ba1c

SHA1
62f039073dbb2e1ee759921036ab9c156b680226

SHA256
ce3497c4988757ead8ab3e7b550cc11f79d9e78d1705cf9169dbdf4b03f23aed

SHA512
ef191c3aaede5559da954cac906542536caf68bc27eaab0ccbefae5c791e815dda33fb4985298f6e69c09650fb3938e51933a91210538f6382b5eb7dde91c702

Download Submit
C:\Windows\{85777CBD-5CE5-43fc-B860-A95F942DB2B5}.exe

Filesize
168KB

MD5
df3a2f8b188b1b285ad4ba85f2b69fcf

SHA1
108c4910e14363b49b73b97ed9fa66eda850481a

SHA256
02263aa642308057fb824f1af90757bf27951192340727bdf722fcf3b4786f65

SHA512
3522e1a628486f0f509d3a59368fe9cef2e0a4c4f6597e78c2c376aac44fbb8767c346d42c4040b885d9c1f6d79126fdb57b1cad96d480841bd7649fb01740fa

Download Submit
C:\Windows\{86FA636D-A44C-4846-920D-D1EC3ACCE0BF}.exe

Filesize
168KB

MD5
bb9a55cb4ad1bf1bc5437d1a9ee4060f

SHA1
a3893d97d03338f5b885b1a457f582caae463f21

SHA256
0f865da7071c775a4ab11cac70b39389d02720cc6d29e237bb0d06310d9a2817

SHA512
b18d8b6243b4cc030954fa45ef010e9091770f3e7da0c660ba7f6ead8234d6dc1bf9fb5be364f56aa6429e787df8e9692c09e0308f57fcea0ebdf0e3132b09f0

Download Submit
C:\Windows\{A4E0993A-7C66-4f7e-B659-A7303E78D02B}.exe

Filesize
168KB

MD5
70c193583b8fcc721add4a4b92c7e90c

SHA1
75dff84b5961093b76b4df3958b770114f5f92d9

SHA256
1395c22de866075060bd5d6b0989e91e9a72aeb4c2c3874450b66c39f1919c79

SHA512
496027ecb564452c310e8fa18634922201b12c365ea886e8ceed7d83da5642eb9fe64894ffc12842ed25cd412a7bb79ad92592aa18304f5c3173ba9c4c028232

Download Submit
C:\Windows\{A4E0993A-7C66-4f7e-B659-A7303E78D02B}.exe

Filesize
134KB

MD5
542c5962373dce20cf39779427b43a61

SHA1
f70d39679068b460c3294c1d9a2f96808333f455

SHA256
5e0fe597be7fdea4f6b2fe7e9c40cfe4b6ea410e13da2246c160f8e0f2253126

SHA512
977fb244e35200e14012dc7f2a8c041eccddf5f7c4d2d1b9aa625fbf29009d23a81fbab0b26737687e03579e8278d601f69422d2d557bf7d5d436af8f0ebe340

Download Submit
C:\Windows\{C115908B-7A42-422f-8207-413F7FD80969}.exe

Filesize
168KB

MD5
3aa064d56d89211d91dc44fb022c704b

SHA1
0816fb6e19f42c66c12456e7c1516f37bafad22d

SHA256
3bd5119472353da4c000a3e16057efa1c67b2ea6fa8b4494bdba02aff49210db

SHA512
19cf95c3762ad665a375725cec22aea0d954dbc84920d95cf65bc320267f1d3ab4951dae236a2be33679834524efaee1e037b6a73f331fc612481d611eab3b6e

Download Submit
C:\Windows\{E2BA6F14-56DB-4cd7-964B-324AFC953D76}.exe

Filesize
111KB

MD5
9008e8b2403f0f96d6be0190c7fc65f5

SHA1
90052d4784af6b569964ffe3e6476e1ea750af9e

SHA256
e9224ffb1671833ae830e9f0ec0928a06fe5a768a138ea17966d581401b31f8b

SHA512
34f2551b75127514d65909a7204c7180e75f2f40a3baad5b44faa123f439de6d1aaefa5e0882c4efcd87dc5f57afffafa17ac7a4f977079aaa63517581858ecb

Download Submit
C:\Windows\{E2BA6F14-56DB-4cd7-964B-324AFC953D76}.exe

Filesize
168KB

MD5
f0a279148ae943c2b2fc0448c514c274

SHA1
ad5646bf47a8f8612b8cd8e5f913a30938f73ea8

SHA256
67b73f374523490898ede82e8900fd2f3dd43021dbe7bb2e75a0bb1cf459ac70

SHA512
19dba6e841ecbe46248ef9590a851e751de0c7014ddea5569bcc90f0f93ce43414a03bf106ed6d8f55c8b68794027afd064ac402311b3416ca71b8dd6533e4f8

Download Submit
C:\Windows\{E83C114B-F882-46c3-B94A-28B22895C8AB}.exe

Filesize
168KB

MD5
09e95a1be3ed928cc18caae597953990

SHA1
fba4d4305d3970b61f6c10d24ca3c630effe9b6b

SHA256
628798d461545e4b11a8755e2ea0479d3af292a92ac7089086572105469207f4

SHA512
755e31a7652225c10857f4f1c0b22e526291e0e2b88a6ec94a6b68252b46f3b0aed198d91a4b620715a2c3ad4af462bd20d8ccbd1ca533ae838f09d85f714744

Download Submit
C:\Windows\{EA44F453-2A75-4b6f-A4B6-92ED64CCCC3E}.exe

Filesize
168KB

MD5
c19dbe437dd703afaaad1e3fd6785001

SHA1
1c3ab1264c773fd6776dd2b08fe04ab232f8e55d

SHA256
92f40bf2d901506285b813a5730cbb19dbd215249bd0cadc34224d9faa3a5e17

SHA512
c3032bba035f8fbf16c976f80de92f30d051b4fcb92a839acae922afccf9fb38ecefd99eee3780814ef34d98380f371b40102ffa778e47a0c9da00f219eeef10

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads