7ff33a48273f34848abe192f7abe02842a040d8519c68f3520c8887672875f56

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe
Size

408KB
MD5

dbf116eade6512a497d7b9e4f6abbb98
SHA1

fe727422c34cad5791a438390f5fbc90375686ad
SHA256

7ff33a48273f34848abe192f7abe02842a040d8519c68f3520c8887672875f56
SHA512

08ef6893d9f683a06adfd5aeada45b3515123bf04b580a840787e0bcb34cebd0b8bfb695d479c732eb16f0a89f7697ca99f56601d6b07b9c9df5eba18d2a6443
SSDEEP

3072:CEGh0ovl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGBldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00070000000122c9-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014249-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00080000000122c9-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00340000000144df-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000122c9-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122c9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122c9-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}\stubpath = "C:\\Windows\\{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe"	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46960229-D72E-411d-98A6-A2E093B6A888}	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868C015B-B04F-4421-B36D-60AFC6A1979D}	{46960229-D72E-411d-98A6-A2E093B6A888}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{969C7318-F215-4fbe-B5DD-307CC91798CF}	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{969C7318-F215-4fbe-B5DD-307CC91798CF}\stubpath = "C:\\Windows\\{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe"	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D708770C-3854-45e4-B33E-C638E6426DD1}\stubpath = "C:\\Windows\\{D708770C-3854-45e4-B33E-C638E6426DD1}.exe"	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B78B70A-DEC3-43f4-8903-749D387E3F93}	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15D226F6-BB7A-428e-9119-68FF7CB9177B}	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15D226F6-BB7A-428e-9119-68FF7CB9177B}\stubpath = "C:\\Windows\\{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe"	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49B1EB02-110C-4238-B6E1-DB3684B9119D}\stubpath = "C:\\Windows\\{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe"	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BCFC271-4015-45d5-950E-FDF80C1F918A}	{868C015B-B04F-4421-B36D-60AFC6A1979D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D708770C-3854-45e4-B33E-C638E6426DD1}	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}\stubpath = "C:\\Windows\\{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe"	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46960229-D72E-411d-98A6-A2E093B6A888}\stubpath = "C:\\Windows\\{46960229-D72E-411d-98A6-A2E093B6A888}.exe"	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868C015B-B04F-4421-B36D-60AFC6A1979D}\stubpath = "C:\\Windows\\{868C015B-B04F-4421-B36D-60AFC6A1979D}.exe"	{46960229-D72E-411d-98A6-A2E093B6A888}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BCFC271-4015-45d5-950E-FDF80C1F918A}\stubpath = "C:\\Windows\\{0BCFC271-4015-45d5-950E-FDF80C1F918A}.exe"	{868C015B-B04F-4421-B36D-60AFC6A1979D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B78B70A-DEC3-43f4-8903-749D387E3F93}\stubpath = "C:\\Windows\\{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe"	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49B1EB02-110C-4238-B6E1-DB3684B9119D}	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25CC7246-D859-4c22-81C9-1D36E6D3B261}	{0BCFC271-4015-45d5-950E-FDF80C1F918A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25CC7246-D859-4c22-81C9-1D36E6D3B261}\stubpath = "C:\\Windows\\{25CC7246-D859-4c22-81C9-1D36E6D3B261}.exe"	{0BCFC271-4015-45d5-950E-FDF80C1F918A}.exe

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2324	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe
2396	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe
2824	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe
1588	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe
2944	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe
1920	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe
2440	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe
1280	{46960229-D72E-411d-98A6-A2E093B6A888}.exe
2216	{868C015B-B04F-4421-B36D-60AFC6A1979D}.exe
540	{0BCFC271-4015-45d5-950E-FDF80C1F918A}.exe
652	{25CC7246-D859-4c22-81C9-1D36E6D3B261}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe
File created	C:\Windows\{46960229-D72E-411d-98A6-A2E093B6A888}.exe	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe
File created	C:\Windows\{0BCFC271-4015-45d5-950E-FDF80C1F918A}.exe	{868C015B-B04F-4421-B36D-60AFC6A1979D}.exe
File created	C:\Windows\{25CC7246-D859-4c22-81C9-1D36E6D3B261}.exe	{0BCFC271-4015-45d5-950E-FDF80C1F918A}.exe
File created	C:\Windows\{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe
File created	C:\Windows\{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe
File created	C:\Windows\{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe
File created	C:\Windows\{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe
File created	C:\Windows\{868C015B-B04F-4421-B36D-60AFC6A1979D}.exe	{46960229-D72E-411d-98A6-A2E093B6A888}.exe
File created	C:\Windows\{D708770C-3854-45e4-B33E-C638E6426DD1}.exe	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe
File created	C:\Windows\{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1672	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2324	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe
Token: SeIncBasePriorityPrivilege	2396	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe
Token: SeIncBasePriorityPrivilege	2824	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe
Token: SeIncBasePriorityPrivilege	1588	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe
Token: SeIncBasePriorityPrivilege	2944	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe
Token: SeIncBasePriorityPrivilege	1920	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe
Token: SeIncBasePriorityPrivilege	2440	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe
Token: SeIncBasePriorityPrivilege	1280	{46960229-D72E-411d-98A6-A2E093B6A888}.exe
Token: SeIncBasePriorityPrivilege	2216	{868C015B-B04F-4421-B36D-60AFC6A1979D}.exe
Token: SeIncBasePriorityPrivilege	540	{0BCFC271-4015-45d5-950E-FDF80C1F918A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2324	1672	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	28
PID 1672 wrote to memory of 2324	1672	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	28
PID 1672 wrote to memory of 2324	1672	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	28
PID 1672 wrote to memory of 2324	1672	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	28
PID 1672 wrote to memory of 2652	1672	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	29
PID 1672 wrote to memory of 2652	1672	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	29
PID 1672 wrote to memory of 2652	1672	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	29
PID 1672 wrote to memory of 2652	1672	2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe	29
PID 2324 wrote to memory of 2396	2324	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe	30
PID 2324 wrote to memory of 2396	2324	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe	30
PID 2324 wrote to memory of 2396	2324	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe	30
PID 2324 wrote to memory of 2396	2324	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe	30
PID 2324 wrote to memory of 2708	2324	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe	31
PID 2324 wrote to memory of 2708	2324	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe	31
PID 2324 wrote to memory of 2708	2324	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe	31
PID 2324 wrote to memory of 2708	2324	{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe	31
PID 2396 wrote to memory of 2824	2396	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe	32
PID 2396 wrote to memory of 2824	2396	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe	32
PID 2396 wrote to memory of 2824	2396	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe	32
PID 2396 wrote to memory of 2824	2396	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe	32
PID 2396 wrote to memory of 2608	2396	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe	33
PID 2396 wrote to memory of 2608	2396	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe	33
PID 2396 wrote to memory of 2608	2396	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe	33
PID 2396 wrote to memory of 2608	2396	{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe	33
PID 2824 wrote to memory of 1588	2824	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe	36
PID 2824 wrote to memory of 1588	2824	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe	36
PID 2824 wrote to memory of 1588	2824	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe	36
PID 2824 wrote to memory of 1588	2824	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe	36
PID 2824 wrote to memory of 2528	2824	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe	37
PID 2824 wrote to memory of 2528	2824	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe	37
PID 2824 wrote to memory of 2528	2824	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe	37
PID 2824 wrote to memory of 2528	2824	{D708770C-3854-45e4-B33E-C638E6426DD1}.exe	37
PID 1588 wrote to memory of 2944	1588	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe	38
PID 1588 wrote to memory of 2944	1588	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe	38
PID 1588 wrote to memory of 2944	1588	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe	38
PID 1588 wrote to memory of 2944	1588	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe	38
PID 1588 wrote to memory of 1756	1588	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe	39
PID 1588 wrote to memory of 1756	1588	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe	39
PID 1588 wrote to memory of 1756	1588	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe	39
PID 1588 wrote to memory of 1756	1588	{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe	39
PID 2944 wrote to memory of 1920	2944	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe	41
PID 2944 wrote to memory of 1920	2944	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe	41
PID 2944 wrote to memory of 1920	2944	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe	41
PID 2944 wrote to memory of 1920	2944	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe	41
PID 2944 wrote to memory of 2276	2944	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe	40
PID 2944 wrote to memory of 2276	2944	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe	40
PID 2944 wrote to memory of 2276	2944	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe	40
PID 2944 wrote to memory of 2276	2944	{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe	40
PID 1920 wrote to memory of 2440	1920	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe	42
PID 1920 wrote to memory of 2440	1920	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe	42
PID 1920 wrote to memory of 2440	1920	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe	42
PID 1920 wrote to memory of 2440	1920	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe	42
PID 1920 wrote to memory of 1580	1920	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe	43
PID 1920 wrote to memory of 1580	1920	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe	43
PID 1920 wrote to memory of 1580	1920	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe	43
PID 1920 wrote to memory of 1580	1920	{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe	43
PID 2440 wrote to memory of 1280	2440	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe	44
PID 2440 wrote to memory of 1280	2440	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe	44
PID 2440 wrote to memory of 1280	2440	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe	44
PID 2440 wrote to memory of 1280	2440	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe	44
PID 2440 wrote to memory of 1212	2440	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe	45
PID 2440 wrote to memory of 1212	2440	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe	45
PID 2440 wrote to memory of 1212	2440	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe	45
PID 2440 wrote to memory of 1212	2440	{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-02_dbf116eade6512a497d7b9e4f6abbb98_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe
  C:\Windows\{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe
    C:\Windows\{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\{D708770C-3854-45e4-B33E-C638E6426DD1}.exe
      C:\Windows\{D708770C-3854-45e4-B33E-C638E6426DD1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe
        
        C:\Windows\{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Windows\{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe
        
        C:\Windows\{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15D22~1.EXE > nul
        7⤵
        
        PID:2276
        
        C:\Windows\{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe
        
        C:\Windows\{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe
        
        C:\Windows\{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\{46960229-D72E-411d-98A6-A2E093B6A888}.exe
        
        C:\Windows\{46960229-D72E-411d-98A6-A2E093B6A888}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\{868C015B-B04F-4421-B36D-60AFC6A1979D}.exe
        
        C:\Windows\{868C015B-B04F-4421-B36D-60AFC6A1979D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{0BCFC271-4015-45d5-950E-FDF80C1F918A}.exe
        
        C:\Windows\{0BCFC271-4015-45d5-950E-FDF80C1F918A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{25CC7246-D859-4c22-81C9-1D36E6D3B261}.exe
        
        C:\Windows\{25CC7246-D859-4c22-81C9-1D36E6D3B261}.exe
        12⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BCFC~1.EXE > nul
        12⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{868C0~1.EXE > nul
        11⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46960~1.EXE > nul
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49B1E~1.EXE > nul
        9⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDE6F~1.EXE > nul
        8⤵
        
        PID:1580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B78B~1.EXE > nul
        6⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7087~1.EXE > nul
        5⤵
        
        PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C1E14~1.EXE > nul
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{969C7~1.EXE > nul
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BCFC271-4015-45d5-950E-FDF80C1F918A}.exe

Filesize
408KB

MD5
a1033551dc83acdd9c5a8b2bcda50f28

SHA1
4c3ed064804a8efd145cc556f14a9bc869b5424e

SHA256
9ef050dfd7ea0bd2610260f9a908508514adf9390749c5ede2a1ccc6153f2daf

SHA512
f0a56e7ee8a1154d1006883976262bb0ce0a5e326555fb648233cedb4200a3fe69c914379e86bdc1b16b06418561eee9c8359d48eb9ae7f0bd2f5e698c04e64b

Download Submit
C:\Windows\{15D226F6-BB7A-428e-9119-68FF7CB9177B}.exe

Filesize
408KB

MD5
dbf04cf8d8909323c2f32c9490090efb

SHA1
bce0c3fcb6107ff4b5563e6ed9246afae9f467c2

SHA256
3209a39a463a559009f3c64735d12ed287d029d18e5c4a3bf9fb89ac36df7d77

SHA512
3998068c574babb0ab6623e436bcc8a2f4ec417596f148f13340d7b2d39c13d1410c5024a1270a666952e3ca579e6e206d58257674f2e6731e73e0d307c4785a

Download Submit
C:\Windows\{25CC7246-D859-4c22-81C9-1D36E6D3B261}.exe

Filesize
408KB

MD5
511db92e0ea37d8a83bfca05dcabeab7

SHA1
c3ac254eed15cf02f28ee401322ed1928a1cd3b2

SHA256
a0f1861a7216202b172caf637c00546629d2b0c7cae9f2210ace5e9af553c398

SHA512
be7ef56044e92c5760b05d14b1b70a95ad60f3a1da3e42533c7fb41edfb8550742e3d21aeb82593e7a8fbfd3bdbfd2a9082680a4dce10760eee699c632b183f0

Download Submit
C:\Windows\{2B78B70A-DEC3-43f4-8903-749D387E3F93}.exe

Filesize
408KB

MD5
98b56113daf707ced6f2f5006d330c69

SHA1
22d467e07a37f730b7a3c3286aa6d1d70f98e06a

SHA256
9f3bd81144f8a416469b08e14892c93704c37b342944e4f847b3673ed64869b0

SHA512
70b704d5a76a31aa39f2022ca3a2f7c2df77b452791a316a3b6e51caac88a31899e8234ddc51271cd915ab7ff33cc25828aad5751869bca662278cbe66cc89e7

Download Submit
C:\Windows\{46960229-D72E-411d-98A6-A2E093B6A888}.exe

Filesize
408KB

MD5
dae859f668497e525e2a2cd6277dbb64

SHA1
d4ec7054451a0059bc2bb6d6dfba179b0ea31992

SHA256
9ee99be92f10b978ed72accf3c1f2e8b0eb4d29df98922dd6b0448df99ebbc32

SHA512
03063bb27f5ed9688e68a07d8f57302aa5b6b95853cd2a2133d87657d1c9fc697d931cb4d20c076402543e12e44fe479fb6f1facf4d56a8df9264647609e9b8b

Download Submit
C:\Windows\{49B1EB02-110C-4238-B6E1-DB3684B9119D}.exe

Filesize
408KB

MD5
3a4ad20a5c7e53c158c4738b20479594

SHA1
0da8ef3b56068c35aa4a55366730c2727cc5d49e

SHA256
ee5266203f881361221b2f876b73bb479dd2fc5c574b775353c4aa4387adb5d8

SHA512
e1bf091b9d96e9ed81af905be200ccdfc2aa2fabf5b2081d736ef6ba26976e08c2fbfc27e372899ad33231129fff984d0b67ebec707c76c39cf19efa7059d514

Download Submit
C:\Windows\{868C015B-B04F-4421-B36D-60AFC6A1979D}.exe

Filesize
408KB

MD5
c464997177f7a1a519556664c2b039d0

SHA1
9d1a848624a66f9615ff215c2e9a829516d810ed

SHA256
6d435aca7784d1defefca58c887569a7e81f32b5ea9345d250f3194eeaa4d4ea

SHA512
7a82f374bd8050c7c8d9407d69e1940d17fd64f1f31828ea7f6db09cb6564da1c687ec9a631d6c1f21d42a99eaee00605a9a9b3d9a8909f9504e3314b996ee39

Download Submit
C:\Windows\{969C7318-F215-4fbe-B5DD-307CC91798CF}.exe

Filesize
408KB

MD5
95048376fb8d3a2d4e4ff21a0c039e9d

SHA1
ab59371ae6321d98ab56ca1a3928b51ea701f597

SHA256
97a7189cc84c7b45f3d494ba257a0e3e5fa812fff84772282bef9d82457db81b

SHA512
e9042762a1e328a0e195e461ebd4bb0e54390eba900a07273476209d8f6f006992a0a5ddb55e1398bd7398a19284361a1c9418b514eab5c6004303988b0a452f

Download Submit
C:\Windows\{C1E14A9F-3FE6-413d-8AF2-1809732B9BE2}.exe

Filesize
408KB

MD5
b1182b56d7993e5df93231d351867de5

SHA1
364286a40f5e8100113537a36b8c5f80ecea7339

SHA256
6100efc86937aa3e384e358a039b6f35f8fe438b1becdabaca970e93901a0c7e

SHA512
832c9709ff3a242da0e20ac7c674f765489d49216506da7d1bcc48b137ebd1a7c58617fbf5028019af152dfeba21311eb586fe7492bbe7b411fa6bb2fd6bb93d

Download Submit
C:\Windows\{D708770C-3854-45e4-B33E-C638E6426DD1}.exe

Filesize
408KB

MD5
555acad216a58b3364998cf6a94e9cb3

SHA1
eb306239284c340b081f85ebeea32c90299869e4

SHA256
aa6448b54c15d49811400a2d38cd6c3402ed85b18213e1fde6a0bd63e0912889

SHA512
8b9256b2c7153bfc67d5193c5bca1a50a2e6034c35884f6d3300664a952d4c8a327a6ae183ead8f20132f6ad827911f563fc767231655e4eef2420034657ee93

Download Submit
C:\Windows\{EDE6FCBE-B8FD-4086-A0F0-E55275807AEC}.exe

Filesize
408KB

MD5
2e6b07991fcadd1e152336a007df4de3

SHA1
9a8410bf2671e9884300ae3c85d2d8466fdfd0d6

SHA256
8c51ff74bafc482991fecac77741219082540094e90e464f0cce9d7f37a40462

SHA512
63d5c81a04a55dd744ffb83466b4eb9a0e4ded65a2a6a5be9312d6b52464d1abecf994a2b0cf73f2164162c589ca9633ede394c41c75212e84f5ae6b8a2712c3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads