f54fd05835a115a557459c230d4b73171c3b0357de784f08bef61e8ed793dcf2

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
Size

372KB
MD5

7e9bb85e5df1665e4c116de8de41937e
SHA1

9e0faafbb59ae46fc33f1dd7c15e9f3e6899fc7c
SHA256

f54fd05835a115a557459c230d4b73171c3b0357de784f08bef61e8ed793dcf2
SHA512

14342e3f09a0795eb56d5e7f4a7735238beba9fbd5a08eebf82d3c94039b230428964a1f560aef79da111f34ce1a2c7a647343378733ac1eebe14840bd0b527e
SSDEEP

3072:CEGh0oYlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGelkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000800000001225a-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014a45-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99033E04-3D53-4870-9475-1D12C6C3411A}	{01FF3B73-34A4-41e6-9FEB-97FB57F570BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}\stubpath = "C:\\Windows\\{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe"	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}\stubpath = "C:\\Windows\\{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe"	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01FF3B73-34A4-41e6-9FEB-97FB57F570BD}	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99033E04-3D53-4870-9475-1D12C6C3411A}\stubpath = "C:\\Windows\\{99033E04-3D53-4870-9475-1D12C6C3411A}.exe"	{01FF3B73-34A4-41e6-9FEB-97FB57F570BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2946F52F-DC47-4c1c-9C9C-E089CA291B8C}\stubpath = "C:\\Windows\\{2946F52F-DC47-4c1c-9C9C-E089CA291B8C}.exe"	{99033E04-3D53-4870-9475-1D12C6C3411A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE6A466-439D-4935-A324-A3E02CEC7D0A}	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2946F52F-DC47-4c1c-9C9C-E089CA291B8C}	{99033E04-3D53-4870-9475-1D12C6C3411A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}\stubpath = "C:\\Windows\\{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe"	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}\stubpath = "C:\\Windows\\{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe"	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AE6A466-439D-4935-A324-A3E02CEC7D0A}\stubpath = "C:\\Windows\\{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe"	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}\stubpath = "C:\\Windows\\{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe"	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01FF3B73-34A4-41e6-9FEB-97FB57F570BD}\stubpath = "C:\\Windows\\{01FF3B73-34A4-41e6-9FEB-97FB57F570BD}.exe"	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}\stubpath = "C:\\Windows\\{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe"	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9133682-AA6D-4616-B570-3F597DF2DD2B}	{2946F52F-DC47-4c1c-9C9C-E089CA291B8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9133682-AA6D-4616-B570-3F597DF2DD2B}\stubpath = "C:\\Windows\\{B9133682-AA6D-4616-B570-3F597DF2DD2B}.exe"	{2946F52F-DC47-4c1c-9C9C-E089CA291B8C}.exe

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2104	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe
2928	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe
3036	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe
268	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe
2844	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe
2376	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe
652	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe
1572	{01FF3B73-34A4-41e6-9FEB-97FB57F570BD}.exe
1516	{99033E04-3D53-4870-9475-1D12C6C3411A}.exe
2956	{2946F52F-DC47-4c1c-9C9C-E089CA291B8C}.exe
1884	{B9133682-AA6D-4616-B570-3F597DF2DD2B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2946F52F-DC47-4c1c-9C9C-E089CA291B8C}.exe	{99033E04-3D53-4870-9475-1D12C6C3411A}.exe
File created	C:\Windows\{B9133682-AA6D-4616-B570-3F597DF2DD2B}.exe	{2946F52F-DC47-4c1c-9C9C-E089CA291B8C}.exe
File created	C:\Windows\{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe
File created	C:\Windows\{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe
File created	C:\Windows\{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe
File created	C:\Windows\{01FF3B73-34A4-41e6-9FEB-97FB57F570BD}.exe	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe
File created	C:\Windows\{99033E04-3D53-4870-9475-1D12C6C3411A}.exe	{01FF3B73-34A4-41e6-9FEB-97FB57F570BD}.exe
File created	C:\Windows\{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
File created	C:\Windows\{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe
File created	C:\Windows\{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe
File created	C:\Windows\{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2640	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2104	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe
Token: SeIncBasePriorityPrivilege	2928	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe
Token: SeIncBasePriorityPrivilege	3036	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe
Token: SeIncBasePriorityPrivilege	268	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe
Token: SeIncBasePriorityPrivilege	2844	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe
Token: SeIncBasePriorityPrivilege	2376	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe
Token: SeIncBasePriorityPrivilege	652	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe
Token: SeIncBasePriorityPrivilege	1572	{01FF3B73-34A4-41e6-9FEB-97FB57F570BD}.exe
Token: SeIncBasePriorityPrivilege	1516	{99033E04-3D53-4870-9475-1D12C6C3411A}.exe
Token: SeIncBasePriorityPrivilege	2956	{2946F52F-DC47-4c1c-9C9C-E089CA291B8C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2104	2640	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	28
PID 2640 wrote to memory of 2104	2640	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	28
PID 2640 wrote to memory of 2104	2640	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	28
PID 2640 wrote to memory of 2104	2640	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	28
PID 2640 wrote to memory of 2664	2640	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	29
PID 2640 wrote to memory of 2664	2640	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	29
PID 2640 wrote to memory of 2664	2640	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	29
PID 2640 wrote to memory of 2664	2640	2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe	29
PID 2104 wrote to memory of 2928	2104	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe	30
PID 2104 wrote to memory of 2928	2104	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe	30
PID 2104 wrote to memory of 2928	2104	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe	30
PID 2104 wrote to memory of 2928	2104	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe	30
PID 2104 wrote to memory of 2592	2104	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe	31
PID 2104 wrote to memory of 2592	2104	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe	31
PID 2104 wrote to memory of 2592	2104	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe	31
PID 2104 wrote to memory of 2592	2104	{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe	31
PID 2928 wrote to memory of 3036	2928	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe	35
PID 2928 wrote to memory of 3036	2928	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe	35
PID 2928 wrote to memory of 3036	2928	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe	35
PID 2928 wrote to memory of 3036	2928	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe	35
PID 2928 wrote to memory of 2380	2928	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe	34
PID 2928 wrote to memory of 2380	2928	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe	34
PID 2928 wrote to memory of 2380	2928	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe	34
PID 2928 wrote to memory of 2380	2928	{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe	34
PID 3036 wrote to memory of 268	3036	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe	37
PID 3036 wrote to memory of 268	3036	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe	37
PID 3036 wrote to memory of 268	3036	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe	37
PID 3036 wrote to memory of 268	3036	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe	37
PID 3036 wrote to memory of 628	3036	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe	36
PID 3036 wrote to memory of 628	3036	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe	36
PID 3036 wrote to memory of 628	3036	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe	36
PID 3036 wrote to memory of 628	3036	{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe	36
PID 268 wrote to memory of 2844	268	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe	38
PID 268 wrote to memory of 2844	268	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe	38
PID 268 wrote to memory of 2844	268	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe	38
PID 268 wrote to memory of 2844	268	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe	38
PID 268 wrote to memory of 2896	268	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe	39
PID 268 wrote to memory of 2896	268	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe	39
PID 268 wrote to memory of 2896	268	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe	39
PID 268 wrote to memory of 2896	268	{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe	39
PID 2844 wrote to memory of 2376	2844	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe	41
PID 2844 wrote to memory of 2376	2844	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe	41
PID 2844 wrote to memory of 2376	2844	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe	41
PID 2844 wrote to memory of 2376	2844	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe	41
PID 2844 wrote to memory of 1996	2844	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe	40
PID 2844 wrote to memory of 1996	2844	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe	40
PID 2844 wrote to memory of 1996	2844	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe	40
PID 2844 wrote to memory of 1996	2844	{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe	40
PID 2376 wrote to memory of 652	2376	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe	42
PID 2376 wrote to memory of 652	2376	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe	42
PID 2376 wrote to memory of 652	2376	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe	42
PID 2376 wrote to memory of 652	2376	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe	42
PID 2376 wrote to memory of 1932	2376	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe	43
PID 2376 wrote to memory of 1932	2376	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe	43
PID 2376 wrote to memory of 1932	2376	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe	43
PID 2376 wrote to memory of 1932	2376	{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe	43
PID 652 wrote to memory of 1572	652	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe	45
PID 652 wrote to memory of 1572	652	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe	45
PID 652 wrote to memory of 1572	652	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe	45
PID 652 wrote to memory of 1572	652	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe	45
PID 652 wrote to memory of 2232	652	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe	44
PID 652 wrote to memory of 2232	652	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe	44
PID 652 wrote to memory of 2232	652	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe	44
PID 652 wrote to memory of 2232	652	{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-01_7e9bb85e5df1665e4c116de8de41937e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe
  C:\Windows\{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe
    C:\Windows\{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DAE1E~1.EXE > nul
      4⤵
      PID:2380
  - - C:\Windows\{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe
      C:\Windows\{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CC9F~1.EXE > nul
        5⤵
        
        PID:628
    - - C:\Windows\{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe
        
        C:\Windows\{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
      - C:\Windows\{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe
        
        C:\Windows\{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE6A~1.EXE > nul
        7⤵
        
        PID:1996
        
        C:\Windows\{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe
        
        C:\Windows\{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe
        
        C:\Windows\{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44275~1.EXE > nul
        9⤵
        
        PID:2232
        
        C:\Windows\{01FF3B73-34A4-41e6-9FEB-97FB57F570BD}.exe
        
        C:\Windows\{01FF3B73-34A4-41e6-9FEB-97FB57F570BD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\{99033E04-3D53-4870-9475-1D12C6C3411A}.exe
        
        C:\Windows\{99033E04-3D53-4870-9475-1D12C6C3411A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\{2946F52F-DC47-4c1c-9C9C-E089CA291B8C}.exe
        
        C:\Windows\{2946F52F-DC47-4c1c-9C9C-E089CA291B8C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2946F~1.EXE > nul
        12⤵
        
        PID:2272
        
        C:\Windows\{B9133682-AA6D-4616-B570-3F597DF2DD2B}.exe
        
        C:\Windows\{B9133682-AA6D-4616-B570-3F597DF2DD2B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99033~1.EXE > nul
        11⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01FF3~1.EXE > nul
        10⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{443F3~1.EXE > nul
        8⤵
        
        PID:1932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1D3A~1.EXE > nul
        6⤵
        
        PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1A579~1.EXE > nul
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01FF3B73-34A4-41e6-9FEB-97FB57F570BD}.exe

Filesize
372KB

MD5
68966be6b94a0c7be2f27bedc1bddc96

SHA1
699f7594db29197e6eac1623cfb877f607ada7de

SHA256
181ffa8018feae370d4270f6cf446f6f1b66e836c24d7baa8676ef9c95c59ae6

SHA512
9d9a621a0cc9dfa71fc0a946b0388d7927370c5b3199ae1d51be5b54215ad31b89b9aee56fe6ed6fd30a5f1a5dcdffb9ce2099c9c907b8dcb9c4163d4a6604d8

Download Submit
C:\Windows\{1A579356-7BD5-4de8-BA82-CBC83ED31D4A}.exe

Filesize
372KB

MD5
517810e35ecd242d7ef0217564569f67

SHA1
ef59a7912fd0212c70fc7eed9fe357bda2f24812

SHA256
3ba90dc02058a409805bc4fee7ddc39e7b733c117c2df41b02188240c47ee715

SHA512
f6dcd627eafba4963f71cada6c22cee643e149e687ed6060295030cf2d6ac2b9583ab5d063c30db7200cad092b9586fc34c53b4f28d1100b9252322374ff480a

Download Submit
C:\Windows\{2946F52F-DC47-4c1c-9C9C-E089CA291B8C}.exe

Filesize
372KB

MD5
2bf94eb6efb0de50158662a96b915ff1

SHA1
983339487981f665847dfa00cab7d3d504d3f124

SHA256
461814c2362a87f60bbed8e584c1d00c0526b38c542a09932348cf282c809315

SHA512
83c11a0563d01fdd2c3e9ef7bca364f7c7b6982de7a28f898e6dbf614bbdacee7f3c4616371f7532020a32ab2dca27460d8f3eb2de6c0ec3849b78fa2427fd7b

Download Submit
C:\Windows\{44275DCC-6C1F-4676-B238-FBDFE7C4E0C8}.exe

Filesize
372KB

MD5
3d0c87aa3bf928a8ccfbbd02bde4ee31

SHA1
d95b1764a164bf0929fe1fdabe43113d042a5b48

SHA256
24645ee6d537f5f355f86931fa75a294be7e38eddf40e6bcd263167d61424607

SHA512
6e674b0c5cac4d4d5f21cbb4ab744018f64610643502e3ff082b553f4a3fa227d81060ff34ec4ce1dd8970ebd26b11693bff637715fd0b3a58e17d63a7638cd9

Download Submit
C:\Windows\{443F3EFC-A5AB-4df2-BEEC-386EADF2DAE2}.exe

Filesize
372KB

MD5
32af93e9f34eb9ad8e9d475ecce87cf8

SHA1
97e98e04d9c39ace13e557ba99b33393c2576d7b

SHA256
4bf73631a9c488a0d4c90d6c116e7488d9f11a24ac9543bb9b4f562664014b8d

SHA512
d8db3d2b1ff447b9d89150ad7b9d74333a0f4b2ecf7729f10bef781adb76c74a5494d3e8b43ed872f7d9bb4120c551259753dfdc77df322b5b3df1f1fbf6e047

Download Submit
C:\Windows\{4AE6A466-439D-4935-A324-A3E02CEC7D0A}.exe

Filesize
372KB

MD5
e8cb7581cf082f06e0c9be4635f62358

SHA1
f1a62b93052e0c3e1af514e260455a6ea1a38b00

SHA256
d72ca416968a7cc41ef35ae8fef527f600d17a9a700aba0608e62b1379301cc4

SHA512
d5e6904c825bdd37e8537a41f9ba2015c95c5b3daa8c2691e267a6cd52f6af700560588c516e690b299c2e971e8c385691e75d9bd30c927cfc913ecbdc78c721

Download Submit
C:\Windows\{99033E04-3D53-4870-9475-1D12C6C3411A}.exe

Filesize
372KB

MD5
8f26e1801e23e74fe8f589296b197125

SHA1
7e565d0faa46c9f92fd1c778ea1c869b8f33414e

SHA256
82efdd464360f27599ab40d2dd216e3b101dc344801ad3551baae09e3a888067

SHA512
cbb2083a7861d6b0592a27343814900fce151e88dcebd3cb89cad96c95de1809f5d244c4e48dc4764eed91600bd5b0cfaabff5b31f4f7107b4f9715383603233

Download Submit
C:\Windows\{9CC9F26E-83EB-440a-9E3D-AE0805B01F4C}.exe

Filesize
372KB

MD5
81860e7de8f609fc8cc1afcef0ac9f44

SHA1
9d3ccd2f6713388c02b707c236bcbb95af0cb648

SHA256
8094fb54fa5c2be7e5053ce7c0805bb4d305ffbf7bf83c9d424dba62917c75ad

SHA512
68f4abfde5f926a5da2afc53f6fc17604d8f6c797d3b5d74749f5a273b4f6b49ca1ff7237ea151383fe5980ae2e5305a27b57b699c08da22f3156443065f70d4

Download Submit
C:\Windows\{B9133682-AA6D-4616-B570-3F597DF2DD2B}.exe

Filesize
372KB

MD5
d98263d5796bfc43886d3e6b9a930bde

SHA1
9504ca601a1d4435ba42aab7a6fd36e9be7daca0

SHA256
a7c39bcfaba77256acae3c7bbc68e6bcaf3f75c36fd40ec58b06a2e15e16a0f6

SHA512
6ad2846129afccdb8b26b0e615b194dfa33921d499dd83a548b30811318df82c8f4897f4c6edb97eef1f4f61d9246e36e1bc28624dbf39e1d23a721ec6fc2526

Download Submit
C:\Windows\{C1D3A9CB-DB1B-48e0-8F14-EFAEE0DA59D4}.exe

Filesize
372KB

MD5
974aa9713e7357e397cad4c3df5e4b06

SHA1
32de55f83bcb4656e934e9fd0bf7e3bceaafc9dc

SHA256
c6d71e0f1ac5a010e52c122248d19ff0859a3899c4e9700c0316df08f09b817e

SHA512
183d67af3fc1dc41ab1357e2ddc4efbd06e568731aa8af7909ab371af0bf94de0f741c6f25a16424ef748d8caef8151083b86aa726f10414180021536ab67c68

Download Submit
C:\Windows\{DAE1E4A5-BFA7-4a3d-A151-AD4F5C468158}.exe

Filesize
372KB

MD5
fae7a705e858f2b9202d08c156da0add

SHA1
df2f48532602fec963f1b2063b6d9b1e2c4b6813

SHA256
e80ece9b92457344632c92e2de9af669598690badfbea5bd1f0355aa2138e665

SHA512
837a898f9cafec80c9486145e9fdf4ce4291508fbef766706971d6f36761ee2537c28d0e59581cd30e252751ddca066e05f4681bd5928c1ab4f753c52cd40979

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads