22b2aa8ad0697085b11dcd6e517af491ec4de59f8b0be57182cce39b109d9c57

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe
Size

197KB
MD5

a7015cbccc9421c3466867fc97532ca3
SHA1

c7f7b2d596da2f790d5d2c9ed5ebcfc05d329799
SHA256

22b2aa8ad0697085b11dcd6e517af491ec4de59f8b0be57182cce39b109d9c57
SHA512

7b6306def999de24521de855ea6b4c90bc41ab28d4b109827841f1be8589b74797abe685445ea78a527cef4f666adb5149156a58e694922ae46f5d425df562bc
SSDEEP

3072:jEGh0oFl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGDlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122fa-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014af6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000122fa-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000155f3-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000122fa-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000122fa-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000122fa-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14580413-D1A1-4e33-BB83-879A431DBA4B}	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1407411-B0FE-4174-870B-277A6C93642F}	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37F8A3A1-D72B-4fa7-ABB1-780C7D792C4B}	{E7091DB2-5777-4d8b-AAF7-00806CFD8226}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EED225C-556F-4253-9662-97EE6B6F6005}	2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}\stubpath = "C:\\Windows\\{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe"	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7091DB2-5777-4d8b-AAF7-00806CFD8226}\stubpath = "C:\\Windows\\{E7091DB2-5777-4d8b-AAF7-00806CFD8226}.exe"	{D1407411-B0FE-4174-870B-277A6C93642F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72942BBB-A36D-4b0f-B598-FF74F5265F2A}	{51B10D36-7E88-442e-986A-DB283E072B45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72942BBB-A36D-4b0f-B598-FF74F5265F2A}\stubpath = "C:\\Windows\\{72942BBB-A36D-4b0f-B598-FF74F5265F2A}.exe"	{51B10D36-7E88-442e-986A-DB283E072B45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51B10D36-7E88-442e-986A-DB283E072B45}	{37F8A3A1-D72B-4fa7-ABB1-780C7D792C4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EED225C-556F-4253-9662-97EE6B6F6005}\stubpath = "C:\\Windows\\{9EED225C-556F-4253-9662-97EE6B6F6005}.exe"	2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89E2EC68-78CC-410c-95F0-D3F34153E1A7}\stubpath = "C:\\Windows\\{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe"	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{532839B4-5942-4976-9717-FDD75AEC2494}	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F941451E-5570-4d3a-95B0-4CB825A27643}\stubpath = "C:\\Windows\\{F941451E-5570-4d3a-95B0-4CB825A27643}.exe"	{532839B4-5942-4976-9717-FDD75AEC2494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1407411-B0FE-4174-870B-277A6C93642F}\stubpath = "C:\\Windows\\{D1407411-B0FE-4174-870B-277A6C93642F}.exe"	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37F8A3A1-D72B-4fa7-ABB1-780C7D792C4B}\stubpath = "C:\\Windows\\{37F8A3A1-D72B-4fa7-ABB1-780C7D792C4B}.exe"	{E7091DB2-5777-4d8b-AAF7-00806CFD8226}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51B10D36-7E88-442e-986A-DB283E072B45}\stubpath = "C:\\Windows\\{51B10D36-7E88-442e-986A-DB283E072B45}.exe"	{37F8A3A1-D72B-4fa7-ABB1-780C7D792C4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89E2EC68-78CC-410c-95F0-D3F34153E1A7}	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14580413-D1A1-4e33-BB83-879A431DBA4B}\stubpath = "C:\\Windows\\{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe"	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{532839B4-5942-4976-9717-FDD75AEC2494}\stubpath = "C:\\Windows\\{532839B4-5942-4976-9717-FDD75AEC2494}.exe"	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F941451E-5570-4d3a-95B0-4CB825A27643}	{532839B4-5942-4976-9717-FDD75AEC2494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7091DB2-5777-4d8b-AAF7-00806CFD8226}	{D1407411-B0FE-4174-870B-277A6C93642F}.exe

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2740	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe
2600	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe
2712	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe
2504	{532839B4-5942-4976-9717-FDD75AEC2494}.exe
1888	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe
1328	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe
1340	{D1407411-B0FE-4174-870B-277A6C93642F}.exe
1420	{E7091DB2-5777-4d8b-AAF7-00806CFD8226}.exe
2988	{37F8A3A1-D72B-4fa7-ABB1-780C7D792C4B}.exe
2116	{51B10D36-7E88-442e-986A-DB283E072B45}.exe
1660	{72942BBB-A36D-4b0f-B598-FF74F5265F2A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{37F8A3A1-D72B-4fa7-ABB1-780C7D792C4B}.exe	{E7091DB2-5777-4d8b-AAF7-00806CFD8226}.exe
File created	C:\Windows\{9EED225C-556F-4253-9662-97EE6B6F6005}.exe	2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe
File created	C:\Windows\{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe
File created	C:\Windows\{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe
File created	C:\Windows\{F941451E-5570-4d3a-95B0-4CB825A27643}.exe	{532839B4-5942-4976-9717-FDD75AEC2494}.exe
File created	C:\Windows\{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe
File created	C:\Windows\{D1407411-B0FE-4174-870B-277A6C93642F}.exe	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe
File created	C:\Windows\{E7091DB2-5777-4d8b-AAF7-00806CFD8226}.exe	{D1407411-B0FE-4174-870B-277A6C93642F}.exe
File created	C:\Windows\{51B10D36-7E88-442e-986A-DB283E072B45}.exe	{37F8A3A1-D72B-4fa7-ABB1-780C7D792C4B}.exe
File created	C:\Windows\{72942BBB-A36D-4b0f-B598-FF74F5265F2A}.exe	{51B10D36-7E88-442e-986A-DB283E072B45}.exe
File created	C:\Windows\{532839B4-5942-4976-9717-FDD75AEC2494}.exe	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2316	2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2740	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe
Token: SeIncBasePriorityPrivilege	2600	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe
Token: SeIncBasePriorityPrivilege	2712	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe
Token: SeIncBasePriorityPrivilege	2504	{532839B4-5942-4976-9717-FDD75AEC2494}.exe
Token: SeIncBasePriorityPrivilege	1888	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe
Token: SeIncBasePriorityPrivilege	1328	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe
Token: SeIncBasePriorityPrivilege	1340	{D1407411-B0FE-4174-870B-277A6C93642F}.exe
Token: SeIncBasePriorityPrivilege	1420	{E7091DB2-5777-4d8b-AAF7-00806CFD8226}.exe
Token: SeIncBasePriorityPrivilege	2988	{37F8A3A1-D72B-4fa7-ABB1-780C7D792C4B}.exe
Token: SeIncBasePriorityPrivilege	2116	{51B10D36-7E88-442e-986A-DB283E072B45}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2740	2316	2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe	28
PID 2316 wrote to memory of 2740	2316	2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe	28
PID 2316 wrote to memory of 2740	2316	2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe	28
PID 2316 wrote to memory of 2740	2316	2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe	28
PID 2316 wrote to memory of 3060	2316	2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe	29
PID 2316 wrote to memory of 3060	2316	2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe	29
PID 2316 wrote to memory of 3060	2316	2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe	29
PID 2316 wrote to memory of 3060	2316	2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe	29
PID 2740 wrote to memory of 2600	2740	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe	30
PID 2740 wrote to memory of 2600	2740	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe	30
PID 2740 wrote to memory of 2600	2740	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe	30
PID 2740 wrote to memory of 2600	2740	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe	30
PID 2740 wrote to memory of 2680	2740	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe	31
PID 2740 wrote to memory of 2680	2740	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe	31
PID 2740 wrote to memory of 2680	2740	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe	31
PID 2740 wrote to memory of 2680	2740	{9EED225C-556F-4253-9662-97EE6B6F6005}.exe	31
PID 2600 wrote to memory of 2712	2600	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe	32
PID 2600 wrote to memory of 2712	2600	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe	32
PID 2600 wrote to memory of 2712	2600	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe	32
PID 2600 wrote to memory of 2712	2600	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe	32
PID 2600 wrote to memory of 2148	2600	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe	33
PID 2600 wrote to memory of 2148	2600	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe	33
PID 2600 wrote to memory of 2148	2600	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe	33
PID 2600 wrote to memory of 2148	2600	{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe	33
PID 2712 wrote to memory of 2504	2712	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe	36
PID 2712 wrote to memory of 2504	2712	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe	36
PID 2712 wrote to memory of 2504	2712	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe	36
PID 2712 wrote to memory of 2504	2712	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe	36
PID 2712 wrote to memory of 2752	2712	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe	37
PID 2712 wrote to memory of 2752	2712	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe	37
PID 2712 wrote to memory of 2752	2712	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe	37
PID 2712 wrote to memory of 2752	2712	{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe	37
PID 2504 wrote to memory of 1888	2504	{532839B4-5942-4976-9717-FDD75AEC2494}.exe	39
PID 2504 wrote to memory of 1888	2504	{532839B4-5942-4976-9717-FDD75AEC2494}.exe	39
PID 2504 wrote to memory of 1888	2504	{532839B4-5942-4976-9717-FDD75AEC2494}.exe	39
PID 2504 wrote to memory of 1888	2504	{532839B4-5942-4976-9717-FDD75AEC2494}.exe	39
PID 2504 wrote to memory of 1204	2504	{532839B4-5942-4976-9717-FDD75AEC2494}.exe	38
PID 2504 wrote to memory of 1204	2504	{532839B4-5942-4976-9717-FDD75AEC2494}.exe	38
PID 2504 wrote to memory of 1204	2504	{532839B4-5942-4976-9717-FDD75AEC2494}.exe	38
PID 2504 wrote to memory of 1204	2504	{532839B4-5942-4976-9717-FDD75AEC2494}.exe	38
PID 1888 wrote to memory of 1328	1888	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe	40
PID 1888 wrote to memory of 1328	1888	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe	40
PID 1888 wrote to memory of 1328	1888	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe	40
PID 1888 wrote to memory of 1328	1888	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe	40
PID 1888 wrote to memory of 2732	1888	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe	41
PID 1888 wrote to memory of 2732	1888	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe	41
PID 1888 wrote to memory of 2732	1888	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe	41
PID 1888 wrote to memory of 2732	1888	{F941451E-5570-4d3a-95B0-4CB825A27643}.exe	41
PID 1328 wrote to memory of 1340	1328	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe	43
PID 1328 wrote to memory of 1340	1328	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe	43
PID 1328 wrote to memory of 1340	1328	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe	43
PID 1328 wrote to memory of 1340	1328	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe	43
PID 1328 wrote to memory of 2756	1328	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe	42
PID 1328 wrote to memory of 2756	1328	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe	42
PID 1328 wrote to memory of 2756	1328	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe	42
PID 1328 wrote to memory of 2756	1328	{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe	42
PID 1340 wrote to memory of 1420	1340	{D1407411-B0FE-4174-870B-277A6C93642F}.exe	44
PID 1340 wrote to memory of 1420	1340	{D1407411-B0FE-4174-870B-277A6C93642F}.exe	44
PID 1340 wrote to memory of 1420	1340	{D1407411-B0FE-4174-870B-277A6C93642F}.exe	44
PID 1340 wrote to memory of 1420	1340	{D1407411-B0FE-4174-870B-277A6C93642F}.exe	44
PID 1340 wrote to memory of 1092	1340	{D1407411-B0FE-4174-870B-277A6C93642F}.exe	45
PID 1340 wrote to memory of 1092	1340	{D1407411-B0FE-4174-870B-277A6C93642F}.exe	45
PID 1340 wrote to memory of 1092	1340	{D1407411-B0FE-4174-870B-277A6C93642F}.exe	45
PID 1340 wrote to memory of 1092	1340	{D1407411-B0FE-4174-870B-277A6C93642F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-28_a7015cbccc9421c3466867fc97532ca3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\{9EED225C-556F-4253-9662-97EE6B6F6005}.exe
  C:\Windows\{9EED225C-556F-4253-9662-97EE6B6F6005}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe
    C:\Windows\{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe
      C:\Windows\{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\{532839B4-5942-4976-9717-FDD75AEC2494}.exe
        
        C:\Windows\{532839B4-5942-4976-9717-FDD75AEC2494}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53283~1.EXE > nul
        6⤵
        
        PID:1204
      - C:\Windows\{F941451E-5570-4d3a-95B0-4CB825A27643}.exe
        
        C:\Windows\{F941451E-5570-4d3a-95B0-4CB825A27643}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe
        
        C:\Windows\{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D8E1~1.EXE > nul
        8⤵
        
        PID:2756
        
        C:\Windows\{D1407411-B0FE-4174-870B-277A6C93642F}.exe
        
        C:\Windows\{D1407411-B0FE-4174-870B-277A6C93642F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\{E7091DB2-5777-4d8b-AAF7-00806CFD8226}.exe
        
        C:\Windows\{E7091DB2-5777-4d8b-AAF7-00806CFD8226}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7091~1.EXE > nul
        10⤵
        
        PID:2340
        
        C:\Windows\{37F8A3A1-D72B-4fa7-ABB1-780C7D792C4B}.exe
        
        C:\Windows\{37F8A3A1-D72B-4fa7-ABB1-780C7D792C4B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\{51B10D36-7E88-442e-986A-DB283E072B45}.exe
        
        C:\Windows\{51B10D36-7E88-442e-986A-DB283E072B45}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\{72942BBB-A36D-4b0f-B598-FF74F5265F2A}.exe
        
        C:\Windows\{72942BBB-A36D-4b0f-B598-FF74F5265F2A}.exe
        12⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51B10~1.EXE > nul
        12⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37F8A~1.EXE > nul
        11⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1407~1.EXE > nul
        9⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9414~1.EXE > nul
        7⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14580~1.EXE > nul
        5⤵
        
        PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{89E2E~1.EXE > nul
      4⤵
      PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9EED2~1.EXE > nul
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14580413-D1A1-4e33-BB83-879A431DBA4B}.exe

Filesize
197KB

MD5
911af7a543e7be5cf5ed8c5088317dcc

SHA1
3a1d34ce35e6fe322c260545bfbe45601556fb78

SHA256
0cecc67fe10e7ca04065a73e59326f6b36899ff8cf7399c2cf458589eb96730a

SHA512
7f801c75b3c83709a4f6b6e9e572a7ecfad460d92a4a2a80a2909952430216fe9b55d9b7025842ba149f34826ee48a6e942d683827e4b823bbdf5e2cc1f67e26

Download Submit
C:\Windows\{37F8A3A1-D72B-4fa7-ABB1-780C7D792C4B}.exe

Filesize
197KB

MD5
f5fab7b96c33ad60e1f28b6b40c0bcb6

SHA1
cbc6558dd72511a5bef6f35eb8d7048a01c5456b

SHA256
573b55ba1957faaca8cb27daa0893997fb0a491605261649043be445646e3749

SHA512
3c7874bc4055e575cab16b8f8b6013587e6918a8d3b8aab5ae6db67ec94ea0af2f4ac42975c51846d7899cee67792b9753843d721c113d46062834b16fb96562

Download Submit
C:\Windows\{3D8E1DDA-1849-4da6-8F74-AEF40AAFD540}.exe

Filesize
197KB

MD5
03d2491a5fefdbd49db966f5d4701a0e

SHA1
a9dda7ca07d6277c4714b8b2b743a2f3b2e6d66a

SHA256
008aa8ae590b98a44aedc79074ce4c44541fdeb1cbd4063cadbabcd3fffe07a0

SHA512
4e324792c00e34a172a67d351f5c8aab0e3f64d02fae066b65c0699bedeae411cbe61652432429731aaff9d2141312e8f98837a110ad76346e9fc54bc73a1eb5

Download Submit
C:\Windows\{51B10D36-7E88-442e-986A-DB283E072B45}.exe

Filesize
197KB

MD5
06608699a54e3b0bf1cfb1548760a2f6

SHA1
ffe24f209a9dea8591d11120b22782c2b1448af3

SHA256
cd859b321cd0ab19e5ebce6c2092aa20f8f9b0e0eb50af67ffada89e5d5f6b8a

SHA512
374416deab5b6a32bf844e097d2eecca06585cc4582c87cc505ad74fa2f7fc5d1bb312135f1838c871de80ec48e2a92ae1c71ccd16f63fe9d115e4e5b99027e1

Download Submit
C:\Windows\{532839B4-5942-4976-9717-FDD75AEC2494}.exe

Filesize
197KB

MD5
75ced6a2c6df75abbe3077de6eb20750

SHA1
2297c9df46fe3abc40c178d6b74c42557ebb0cef

SHA256
36fb4b34b1e014ba0740b5280b10dc68a267d7262e802f7b2f6174b4072e8d2c

SHA512
53418bb1f37250ec26b1962ebc3477e3b776e03ee37b025862f72189434582cd595bb433ebe1d775ae1bc39e953673d9a0d1e6af4e91a4921b1eaea7b210231a

Download Submit
C:\Windows\{72942BBB-A36D-4b0f-B598-FF74F5265F2A}.exe

Filesize
197KB

MD5
1db34da504e8d329f9d4a9f46af92e1a

SHA1
ee670c8fbe8a8f7944cb53b3039e4fd23ab5e24c

SHA256
f260dbea4588be6dd1fd69490855c6f9f1f33b3a9c609312340e45cb8c955c95

SHA512
9d759e7aa925bb6731b6f94aa2b4cae9f0da7474f5e9a1720f578a650abac6000bd02bd6840928ee0ad4fcf61a1353b4790fba2a961c576a1aa2ebebddb51ccf

Download Submit
C:\Windows\{89E2EC68-78CC-410c-95F0-D3F34153E1A7}.exe

Filesize
197KB

MD5
4a5ab79755f1fc1ecea6be60f59319e1

SHA1
29743c2c49031841f96510c854be4227eca44961

SHA256
325c6809f6ab6a2f21334524714aef44d96af0dec352eb74a4e32a4e6f936728

SHA512
3e45a6ba804938194872f9aa486a74214cba8f546bcdd7ec7a8fe6771b2cb2f0a1eaaa4ff758e52e174a6de15602c0fc6cae19e87b1e248dbb65bf1afd9af14d

Download Submit
C:\Windows\{9EED225C-556F-4253-9662-97EE6B6F6005}.exe

Filesize
197KB

MD5
20e77a43f0c17deec30a4a1adfe6811b

SHA1
c37baf360477b960d57c5f50ab4ea85d9c176a8c

SHA256
ef0edf7b66be776691b406dcab56859d18134b8481abe9c2dc141642b933dc90

SHA512
e7ec77f7a40608c37146e02ca06df5d61bcf3f427ada2eaafd999013927caa6a02d54f943988e8b50f89f652c03e0a29cc703eb44e1aacffa21eb8d81524da1a

Download Submit
C:\Windows\{D1407411-B0FE-4174-870B-277A6C93642F}.exe

Filesize
197KB

MD5
b458bea5e15fdc0b15b88424a1d3bbce

SHA1
69a69768f45809467b777f31953e4fd735bd7271

SHA256
5954e435d0fa453447791e16cbecac6dba541942cf34e048a1e0ca5fec4ab4a4

SHA512
2692e55b0d7c699bce9ea1eb84db674e25876e52025ed54683e3317e43b49bb0ffc7ffd7e0852375305bb44a340a217932b06573ece0349a3a561b83c74eff2c

Download Submit
C:\Windows\{E7091DB2-5777-4d8b-AAF7-00806CFD8226}.exe

Filesize
197KB

MD5
26b98726d4d58f9258f9670bb1a734a2

SHA1
3324726257466f35d9640314afcb81db44d13012

SHA256
d396a93880f533cafeeb7fa159ae621d5e92d55a3b642695199b499984768915

SHA512
9f7b8b3c56aec84d1b5e2d8dc9a1fd358f61713a202b1d03159ab784f051d4f0c6a0977ce91b287d1e809da2abc4e63fdba774fc29903bbb2a4cfba64ad83063

Download Submit
C:\Windows\{F941451E-5570-4d3a-95B0-4CB825A27643}.exe

Filesize
197KB

MD5
e6bff35a97c570508186f5fe2a98aaf5

SHA1
5badd449cd6a4ae4742b749d21357eadfe26ef35

SHA256
7bc9ef378d6ed5cba48149855dc58d42150efe7156ddfba90dccb89e246523c3

SHA512
51ffdedfab73346b0afa95a254b708a477ebd34100c507fae2579d88f77c6db0cdc7fc4657f7e3c6937b4973b8611b60121fbe2d5abd21d0b18e4494a31b3aa0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads