6d32e498e4bb6db79936ca79a7ad5cdcf4f09006144c5e98b3e95ec65624d6b1

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe
Size

192KB
MD5

a36b75335d4b0c61cd9a9716f0e30a76
SHA1

a14f8d513b2eb94bc8295b32cc7117efb3395183
SHA256

6d32e498e4bb6db79936ca79a7ad5cdcf4f09006144c5e98b3e95ec65624d6b1
SHA512

539ff821f724d18aca9964da96dfe80ad08422ee080efa2772e6136ffa664b9a31e9ded9931f9d5c49d788e2f1fd1d988a5ef7825e224a177367c1679eaf9c41
SSDEEP

1536:1EGh0oVl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oVl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012251-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a83-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016cb4-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD47E74E-A39D-4633-9F79-8E4514C9FB32}\stubpath = "C:\\Windows\\{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe"	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07C99016-03E0-4ef3-93B2-9336BAAF0C48}	{95789250-C726-48ac-9EFE-E1D29407B7CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07C99016-03E0-4ef3-93B2-9336BAAF0C48}\stubpath = "C:\\Windows\\{07C99016-03E0-4ef3-93B2-9336BAAF0C48}.exe"	{95789250-C726-48ac-9EFE-E1D29407B7CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84064736-9EB2-425f-A401-54C07622132F}\stubpath = "C:\\Windows\\{84064736-9EB2-425f-A401-54C07622132F}.exe"	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD47E74E-A39D-4633-9F79-8E4514C9FB32}	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}\stubpath = "C:\\Windows\\{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe"	{84064736-9EB2-425f-A401-54C07622132F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B5E2ED0-C4B0-4c00-B421-7AAE973C1ACC}\stubpath = "C:\\Windows\\{3B5E2ED0-C4B0-4c00-B421-7AAE973C1ACC}.exe"	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{808FE534-B8D3-4894-9EAD-D58D00D7D0D1}\stubpath = "C:\\Windows\\{808FE534-B8D3-4894-9EAD-D58D00D7D0D1}.exe"	{07C99016-03E0-4ef3-93B2-9336BAAF0C48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}\stubpath = "C:\\Windows\\{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe"	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{259A22CC-34F4-4632-98A4-0DFCBC7410B5}\stubpath = "C:\\Windows\\{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe"	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}	{84064736-9EB2-425f-A401-54C07622132F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{808FE534-B8D3-4894-9EAD-D58D00D7D0D1}	{07C99016-03E0-4ef3-93B2-9336BAAF0C48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}\stubpath = "C:\\Windows\\{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe"	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84064736-9EB2-425f-A401-54C07622132F}	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B5E2ED0-C4B0-4c00-B421-7AAE973C1ACC}	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95789250-C726-48ac-9EFE-E1D29407B7CC}	{3B5E2ED0-C4B0-4c00-B421-7AAE973C1ACC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95789250-C726-48ac-9EFE-E1D29407B7CC}\stubpath = "C:\\Windows\\{95789250-C726-48ac-9EFE-E1D29407B7CC}.exe"	{3B5E2ED0-C4B0-4c00-B421-7AAE973C1ACC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}\stubpath = "C:\\Windows\\{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe"	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{259A22CC-34F4-4632-98A4-0DFCBC7410B5}	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe

Deletes itself 1 IoCs

pid	Process
2196	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2168	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe
2876	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe
2836	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe
2756	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe
2252	{84064736-9EB2-425f-A401-54C07622132F}.exe
1624	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe
2468	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe
1592	{3B5E2ED0-C4B0-4c00-B421-7AAE973C1ACC}.exe
2908	{95789250-C726-48ac-9EFE-E1D29407B7CC}.exe
1128	{07C99016-03E0-4ef3-93B2-9336BAAF0C48}.exe
692	{808FE534-B8D3-4894-9EAD-D58D00D7D0D1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe	{84064736-9EB2-425f-A401-54C07622132F}.exe
File created	C:\Windows\{808FE534-B8D3-4894-9EAD-D58D00D7D0D1}.exe	{07C99016-03E0-4ef3-93B2-9336BAAF0C48}.exe
File created	C:\Windows\{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe
File created	C:\Windows\{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe
File created	C:\Windows\{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe
File created	C:\Windows\{84064736-9EB2-425f-A401-54C07622132F}.exe	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe
File created	C:\Windows\{07C99016-03E0-4ef3-93B2-9336BAAF0C48}.exe	{95789250-C726-48ac-9EFE-E1D29407B7CC}.exe
File created	C:\Windows\{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe
File created	C:\Windows\{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe
File created	C:\Windows\{3B5E2ED0-C4B0-4c00-B421-7AAE973C1ACC}.exe	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe
File created	C:\Windows\{95789250-C726-48ac-9EFE-E1D29407B7CC}.exe	{3B5E2ED0-C4B0-4c00-B421-7AAE973C1ACC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2224	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2168	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe
Token: SeIncBasePriorityPrivilege	2876	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe
Token: SeIncBasePriorityPrivilege	2836	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe
Token: SeIncBasePriorityPrivilege	2756	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe
Token: SeIncBasePriorityPrivilege	2252	{84064736-9EB2-425f-A401-54C07622132F}.exe
Token: SeIncBasePriorityPrivilege	1624	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe
Token: SeIncBasePriorityPrivilege	2468	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe
Token: SeIncBasePriorityPrivilege	1592	{3B5E2ED0-C4B0-4c00-B421-7AAE973C1ACC}.exe
Token: SeIncBasePriorityPrivilege	2908	{95789250-C726-48ac-9EFE-E1D29407B7CC}.exe
Token: SeIncBasePriorityPrivilege	1128	{07C99016-03E0-4ef3-93B2-9336BAAF0C48}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2168	2224	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	28
PID 2224 wrote to memory of 2168	2224	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	28
PID 2224 wrote to memory of 2168	2224	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	28
PID 2224 wrote to memory of 2168	2224	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	28
PID 2224 wrote to memory of 2196	2224	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	29
PID 2224 wrote to memory of 2196	2224	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	29
PID 2224 wrote to memory of 2196	2224	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	29
PID 2224 wrote to memory of 2196	2224	2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe	29
PID 2168 wrote to memory of 2876	2168	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe	30
PID 2168 wrote to memory of 2876	2168	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe	30
PID 2168 wrote to memory of 2876	2168	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe	30
PID 2168 wrote to memory of 2876	2168	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe	30
PID 2168 wrote to memory of 2352	2168	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe	31
PID 2168 wrote to memory of 2352	2168	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe	31
PID 2168 wrote to memory of 2352	2168	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe	31
PID 2168 wrote to memory of 2352	2168	{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe	31
PID 2876 wrote to memory of 2836	2876	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe	33
PID 2876 wrote to memory of 2836	2876	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe	33
PID 2876 wrote to memory of 2836	2876	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe	33
PID 2876 wrote to memory of 2836	2876	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe	33
PID 2876 wrote to memory of 2964	2876	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe	32
PID 2876 wrote to memory of 2964	2876	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe	32
PID 2876 wrote to memory of 2964	2876	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe	32
PID 2876 wrote to memory of 2964	2876	{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe	32
PID 2836 wrote to memory of 2756	2836	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe	37
PID 2836 wrote to memory of 2756	2836	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe	37
PID 2836 wrote to memory of 2756	2836	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe	37
PID 2836 wrote to memory of 2756	2836	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe	37
PID 2836 wrote to memory of 2604	2836	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe	36
PID 2836 wrote to memory of 2604	2836	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe	36
PID 2836 wrote to memory of 2604	2836	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe	36
PID 2836 wrote to memory of 2604	2836	{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe	36
PID 2756 wrote to memory of 2252	2756	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe	38
PID 2756 wrote to memory of 2252	2756	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe	38
PID 2756 wrote to memory of 2252	2756	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe	38
PID 2756 wrote to memory of 2252	2756	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe	38
PID 2756 wrote to memory of 1804	2756	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe	39
PID 2756 wrote to memory of 1804	2756	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe	39
PID 2756 wrote to memory of 1804	2756	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe	39
PID 2756 wrote to memory of 1804	2756	{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe	39
PID 2252 wrote to memory of 1624	2252	{84064736-9EB2-425f-A401-54C07622132F}.exe	40
PID 2252 wrote to memory of 1624	2252	{84064736-9EB2-425f-A401-54C07622132F}.exe	40
PID 2252 wrote to memory of 1624	2252	{84064736-9EB2-425f-A401-54C07622132F}.exe	40
PID 2252 wrote to memory of 1624	2252	{84064736-9EB2-425f-A401-54C07622132F}.exe	40
PID 2252 wrote to memory of 1928	2252	{84064736-9EB2-425f-A401-54C07622132F}.exe	41
PID 2252 wrote to memory of 1928	2252	{84064736-9EB2-425f-A401-54C07622132F}.exe	41
PID 2252 wrote to memory of 1928	2252	{84064736-9EB2-425f-A401-54C07622132F}.exe	41
PID 2252 wrote to memory of 1928	2252	{84064736-9EB2-425f-A401-54C07622132F}.exe	41
PID 1624 wrote to memory of 2468	1624	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe	43
PID 1624 wrote to memory of 2468	1624	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe	43
PID 1624 wrote to memory of 2468	1624	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe	43
PID 1624 wrote to memory of 2468	1624	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe	43
PID 1624 wrote to memory of 2556	1624	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe	42
PID 1624 wrote to memory of 2556	1624	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe	42
PID 1624 wrote to memory of 2556	1624	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe	42
PID 1624 wrote to memory of 2556	1624	{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe	42
PID 2468 wrote to memory of 1592	2468	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe	44
PID 2468 wrote to memory of 1592	2468	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe	44
PID 2468 wrote to memory of 1592	2468	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe	44
PID 2468 wrote to memory of 1592	2468	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe	44
PID 2468 wrote to memory of 292	2468	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe	45
PID 2468 wrote to memory of 292	2468	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe	45
PID 2468 wrote to memory of 292	2468	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe	45
PID 2468 wrote to memory of 292	2468	{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_a36b75335d4b0c61cd9a9716f0e30a76_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe
  C:\Windows\{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe
    C:\Windows\{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C2EA2~1.EXE > nul
      4⤵
      PID:2964
  - - C:\Windows\{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe
      C:\Windows\{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AB60~1.EXE > nul
        5⤵
        
        PID:2604
    - - C:\Windows\{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe
        
        C:\Windows\{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\{84064736-9EB2-425f-A401-54C07622132F}.exe
        
        C:\Windows\{84064736-9EB2-425f-A401-54C07622132F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe
        
        C:\Windows\{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D870A~1.EXE > nul
        8⤵
        
        PID:2556
        
        C:\Windows\{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe
        
        C:\Windows\{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{3B5E2ED0-C4B0-4c00-B421-7AAE973C1ACC}.exe
        
        C:\Windows\{3B5E2ED0-C4B0-4c00-B421-7AAE973C1ACC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\{95789250-C726-48ac-9EFE-E1D29407B7CC}.exe
        
        C:\Windows\{95789250-C726-48ac-9EFE-E1D29407B7CC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\{07C99016-03E0-4ef3-93B2-9336BAAF0C48}.exe
        
        C:\Windows\{07C99016-03E0-4ef3-93B2-9336BAAF0C48}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07C99~1.EXE > nul
        12⤵
        
        PID:1488
        
        C:\Windows\{808FE534-B8D3-4894-9EAD-D58D00D7D0D1}.exe
        
        C:\Windows\{808FE534-B8D3-4894-9EAD-D58D00D7D0D1}.exe
        12⤵
        Executes dropped EXE
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95789~1.EXE > nul
        11⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B5E2~1.EXE > nul
        10⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD47E~1.EXE > nul
        9⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84064~1.EXE > nul
        7⤵
        
        PID:1928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{259A2~1.EXE > nul
        6⤵
        
        PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9B34D~1.EXE > nul
    3⤵
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07C99016-03E0-4ef3-93B2-9336BAAF0C48}.exe

Filesize
192KB

MD5
2793b6606d27f84699a7e000d9788a9c

SHA1
f4b2b1fa875dcac4896e4820dc2f1a112e0f9038

SHA256
72a2b6388c15fa614148a17cc9b5a3ca74128d5236ce5d622fb52a7dbd592684

SHA512
66c6939c71faa80baf16af279aebee83018b216b67dbeddf6ac4a1f86f5c4f9f907805cf59a480cf2506e0be93697b08f66f61498d01c91599cd434fe5bafc77

Download Submit
C:\Windows\{259A22CC-34F4-4632-98A4-0DFCBC7410B5}.exe

Filesize
192KB

MD5
d940323dd4bebef5095e7b4a01796fb8

SHA1
b98412a7bfa75f193354afeef658b091bab2ed6b

SHA256
99724835592e44de6931dc27905f007caaa1ae8586f7f35c599bc14cc9013f6e

SHA512
697875dda8c8b2a6eb34431846c59e89332bfbe840d5695e9971164802ec2bb67c8da678b621d4701f8bba059d0b113276928c47bbf1a31f6db841dee611141a

Download Submit
C:\Windows\{3AB60DD5-E2AA-40ae-89C6-A891E89E611E}.exe

Filesize
192KB

MD5
3434d7fb9425bfc1da074ef9b7e7af6f

SHA1
d32d2d84c28e2935d342f64da88c6cceb5f85d54

SHA256
f0d3a39d864e8b79e7f33ecbba390a2ef77da13ed8c4b1a339978612bc20a905

SHA512
0cdc03cb9333dac5d06f88134b2a96bae930a13bbc3e715fddafe6bdd9ea57d2d0cd1995c2d439094d4f0fe991b55dd907527379d119f78ccbb416112eb2818c

Download Submit
C:\Windows\{3B5E2ED0-C4B0-4c00-B421-7AAE973C1ACC}.exe

Filesize
192KB

MD5
e63334ecf95bc00eac99ec4d123507d1

SHA1
65e426c35477f1d63c0267bd81966b5151d3c156

SHA256
5e4ce94656f698f57066d9aad6b43093591def2d1e85d46f13cf8d3e8d5105ac

SHA512
e9e10551aabe5f72d2f9c8c83021a9951a6ae43a8bea7fda7366fd520094fee6c3d33cab4f1be4369ed748612569e057071c5602777da122d92324a0bfadc4a2

Download Submit
C:\Windows\{808FE534-B8D3-4894-9EAD-D58D00D7D0D1}.exe

Filesize
192KB

MD5
4eb98c45baf73f80273355ae26ad7b7b

SHA1
8b3d3fc1e8a3dda928c08525f10fccb7a10c3261

SHA256
4d167e003e8d71279d19ac8fb68fb91a0ab293157c82cb493e40510e5a4e0bf5

SHA512
be951a033d8658f1ea1b23afdd6a5bad4d3694e99159110379135ccf9940b859deb36feb979e129325ea45555773764aa545f7ccffe1bbf941c0bf75098587fb

Download Submit
C:\Windows\{84064736-9EB2-425f-A401-54C07622132F}.exe

Filesize
192KB

MD5
1f572002a19b3e41cf9f94ccd4a6931b

SHA1
9b854a0a1e30414704285fe5a6a2f640c9c65a0a

SHA256
63aa4ade4d598eb5a4c536158fc7acc8dd637bf93b8e8c557df9a5a32d557f84

SHA512
38f1369a871503d6e83ece4b3f10d8c4a6880e151c54d41677431153e153f43715439e293c52e0173f2ee9aa088d0cf66a95837dd3db3c502c69e4e41ea6afb9

Download Submit
C:\Windows\{95789250-C726-48ac-9EFE-E1D29407B7CC}.exe

Filesize
192KB

MD5
b4fbb54230419ec8c6bb40cdbb41f391

SHA1
7e1fddf64d58bfac47c3f55f56f060956b12ceb1

SHA256
cb8dd70a3992fc945d8ebf482c2296d28b815d66c5e18277c970eee7c098d1d5

SHA512
a66c8633dec7ad0b2959c2b6b72570fec8f9fcd08e99b14c476836448b638fe7800e056ba5497dc3db15c6905212de563e75663c6e0eef1be60f20bd3cffc735

Download Submit
C:\Windows\{9B34D3E9-75D2-4e49-9D53-8E06FD34F8BF}.exe

Filesize
192KB

MD5
8182cca3e0e504d45a652b42bb630951

SHA1
e35af9b28c876b0c4adb73905fc287ac6c25c2d4

SHA256
2fde0d3a62573c35ed94b0a50f4295f52b34d25e5df117361a302ce39fab2450

SHA512
e5b2daa6338c306bb91778b97e9c3ec9000a3e68ba5508b354a9e564bebe45964c18f536a4b42d1ed99a414ad8f61eb3fb1bc1f7992efaa07b88a8fc5a8f3a9c

Download Submit
C:\Windows\{AD47E74E-A39D-4633-9F79-8E4514C9FB32}.exe

Filesize
192KB

MD5
1987e95c68d068604929d368b1050fa5

SHA1
0a23d729084340d430c38619a0ce2807655e0244

SHA256
2abfc84d516dffd774b2820a9ca9ca6625d8ac02eae2ac68379f6318dbc285a4

SHA512
dd7c629647d7aa2f1eba65d773f5b31f5a63b91fcca8d3cf4e52f85db88d5c425c9cc1412ad7fdc50a27c7a22fb2f2cd3ceef3d190955fefb5d8f455d8646b2d

Download Submit
C:\Windows\{C2EA2608-EBF0-47e1-A709-7C4676BE54DF}.exe

Filesize
192KB

MD5
2fbc4c0b4b7d25c817e7d7357f6c2f6c

SHA1
b3cbdde48f3c984e187ad7f7a264586463cea2cb

SHA256
32187ce388f070341a967bdec2353984d4470381e21daae7286f65adf50e64cb

SHA512
a31d42288e4f2ceae697f320768d31dafe72d302613b6ab6c61647ae0ce3693995cb851ecbb02b2f504e63b02e99a1d1128ab2665148abe6a462bee5217dc902

Download Submit
C:\Windows\{D870AE3B-66A4-4f41-A6F0-154E6D12BA45}.exe

Filesize
192KB

MD5
112fb64cbef683c33567ec39d50dc8eb

SHA1
526594e94ab53f00b98e84e4fdffc6be97936c6f

SHA256
fcda2d08d04a23354afd99fbb314b02f6390daff51003526ef7407ca5d080429

SHA512
9351b9389ec4bef00a5172425e938134d5772538912b37ef085fec13862770a516e4b30ec9a4f779e4948d760b1db7e82630e953e176e3da68cc9c2d29551d5c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads