7140f6e5de2222cd6d3fbbbb2562ea1b33cf15936824d920369fcdea0e7815cf

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe
Size

180KB
MD5

3ad941e74aa54f33189e9eb12ea0cb34
SHA1

ad4f4e3d3f54a08217e493f81f53bec8dd585be5
SHA256

7140f6e5de2222cd6d3fbbbb2562ea1b33cf15936824d920369fcdea0e7815cf
SHA512

2d2a0c7d81f80c7050ce7c605c985a9ce5bbb4ebfbe9ee2e452175b23063514976ca76ec17969a561ae5d4a1de354b2cdba65a7eaebcce6975b8be2e06c2eb32
SSDEEP

3072:jEGh0o3lfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGJl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012255-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122ec-11.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012255-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0002000000010f1d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0003000000010f1d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000010f1d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000700000000b1f7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000010f1d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80668404-0B20-49ce-85F0-76CC1163FDA7}	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C077C91-84E4-410b-A654-6555EB85A2F1}	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{367A6EA3-3144-492d-9C50-0B2161254918}\stubpath = "C:\\Windows\\{367A6EA3-3144-492d-9C50-0B2161254918}.exe"	{5C34D1D0-FD14-4a19-BCEF-F064D52A1155}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80668404-0B20-49ce-85F0-76CC1163FDA7}\stubpath = "C:\\Windows\\{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe"	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C34D1D0-FD14-4a19-BCEF-F064D52A1155}\stubpath = "C:\\Windows\\{5C34D1D0-FD14-4a19-BCEF-F064D52A1155}.exe"	{FD28948F-A10D-40ee-B663-FDAC5C100762}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{367A6EA3-3144-492d-9C50-0B2161254918}	{5C34D1D0-FD14-4a19-BCEF-F064D52A1155}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3655D3E1-2255-4644-9CBF-E315EA74D6E9}\stubpath = "C:\\Windows\\{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe"	{B1F82986-6013-4635-870A-128BFD64C933}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{843E9D52-CF37-4f64-B42B-DA076255F3DB}	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02C03885-AA2B-4b6d-8A21-91657D13A90A}	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C077C91-84E4-410b-A654-6555EB85A2F1}\stubpath = "C:\\Windows\\{3C077C91-84E4-410b-A654-6555EB85A2F1}.exe"	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD28948F-A10D-40ee-B663-FDAC5C100762}	{3C077C91-84E4-410b-A654-6555EB85A2F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD28948F-A10D-40ee-B663-FDAC5C100762}\stubpath = "C:\\Windows\\{FD28948F-A10D-40ee-B663-FDAC5C100762}.exe"	{3C077C91-84E4-410b-A654-6555EB85A2F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}\stubpath = "C:\\Windows\\{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe"	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0C23246-A5F4-4f08-973E-1F00E5BDA562}	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3655D3E1-2255-4644-9CBF-E315EA74D6E9}	{B1F82986-6013-4635-870A-128BFD64C933}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02C03885-AA2B-4b6d-8A21-91657D13A90A}\stubpath = "C:\\Windows\\{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe"	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{843E9D52-CF37-4f64-B42B-DA076255F3DB}\stubpath = "C:\\Windows\\{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe"	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C34D1D0-FD14-4a19-BCEF-F064D52A1155}	{FD28948F-A10D-40ee-B663-FDAC5C100762}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0C23246-A5F4-4f08-973E-1F00E5BDA562}\stubpath = "C:\\Windows\\{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe"	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1F82986-6013-4635-870A-128BFD64C933}	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1F82986-6013-4635-870A-128BFD64C933}\stubpath = "C:\\Windows\\{B1F82986-6013-4635-870A-128BFD64C933}.exe"	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe

Deletes itself 1 IoCs

pid	Process
2028	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2672	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe
2704	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe
1292	{B1F82986-6013-4635-870A-128BFD64C933}.exe
2556	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe
2840	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe
1736	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe
1576	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe
2820	{3C077C91-84E4-410b-A654-6555EB85A2F1}.exe
1500	{FD28948F-A10D-40ee-B663-FDAC5C100762}.exe
1984	{5C34D1D0-FD14-4a19-BCEF-F064D52A1155}.exe
2004	{367A6EA3-3144-492d-9C50-0B2161254918}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5C34D1D0-FD14-4a19-BCEF-F064D52A1155}.exe	{FD28948F-A10D-40ee-B663-FDAC5C100762}.exe
File created	C:\Windows\{367A6EA3-3144-492d-9C50-0B2161254918}.exe	{5C34D1D0-FD14-4a19-BCEF-F064D52A1155}.exe
File created	C:\Windows\{B1F82986-6013-4635-870A-128BFD64C933}.exe	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe
File created	C:\Windows\{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe	{B1F82986-6013-4635-870A-128BFD64C933}.exe
File created	C:\Windows\{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe
File created	C:\Windows\{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe
File created	C:\Windows\{3C077C91-84E4-410b-A654-6555EB85A2F1}.exe	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe
File created	C:\Windows\{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe
File created	C:\Windows\{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe
File created	C:\Windows\{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe
File created	C:\Windows\{FD28948F-A10D-40ee-B663-FDAC5C100762}.exe	{3C077C91-84E4-410b-A654-6555EB85A2F1}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2172	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2672	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe
Token: SeIncBasePriorityPrivilege	2704	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe
Token: SeIncBasePriorityPrivilege	1292	{B1F82986-6013-4635-870A-128BFD64C933}.exe
Token: SeIncBasePriorityPrivilege	2556	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe
Token: SeIncBasePriorityPrivilege	2840	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe
Token: SeIncBasePriorityPrivilege	1736	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe
Token: SeIncBasePriorityPrivilege	1576	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe
Token: SeIncBasePriorityPrivilege	2820	{3C077C91-84E4-410b-A654-6555EB85A2F1}.exe
Token: SeIncBasePriorityPrivilege	1500	{FD28948F-A10D-40ee-B663-FDAC5C100762}.exe
Token: SeIncBasePriorityPrivilege	1984	{5C34D1D0-FD14-4a19-BCEF-F064D52A1155}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2672	2172	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	28
PID 2172 wrote to memory of 2672	2172	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	28
PID 2172 wrote to memory of 2672	2172	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	28
PID 2172 wrote to memory of 2672	2172	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	28
PID 2172 wrote to memory of 2028	2172	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	29
PID 2172 wrote to memory of 2028	2172	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	29
PID 2172 wrote to memory of 2028	2172	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	29
PID 2172 wrote to memory of 2028	2172	2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe	29
PID 2672 wrote to memory of 2704	2672	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe	30
PID 2672 wrote to memory of 2704	2672	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe	30
PID 2672 wrote to memory of 2704	2672	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe	30
PID 2672 wrote to memory of 2704	2672	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe	30
PID 2672 wrote to memory of 2808	2672	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe	31
PID 2672 wrote to memory of 2808	2672	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe	31
PID 2672 wrote to memory of 2808	2672	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe	31
PID 2672 wrote to memory of 2808	2672	{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe	31
PID 2704 wrote to memory of 1292	2704	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe	32
PID 2704 wrote to memory of 1292	2704	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe	32
PID 2704 wrote to memory of 1292	2704	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe	32
PID 2704 wrote to memory of 1292	2704	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe	32
PID 2704 wrote to memory of 2692	2704	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe	33
PID 2704 wrote to memory of 2692	2704	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe	33
PID 2704 wrote to memory of 2692	2704	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe	33
PID 2704 wrote to memory of 2692	2704	{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe	33
PID 1292 wrote to memory of 2556	1292	{B1F82986-6013-4635-870A-128BFD64C933}.exe	36
PID 1292 wrote to memory of 2556	1292	{B1F82986-6013-4635-870A-128BFD64C933}.exe	36
PID 1292 wrote to memory of 2556	1292	{B1F82986-6013-4635-870A-128BFD64C933}.exe	36
PID 1292 wrote to memory of 2556	1292	{B1F82986-6013-4635-870A-128BFD64C933}.exe	36
PID 1292 wrote to memory of 2844	1292	{B1F82986-6013-4635-870A-128BFD64C933}.exe	37
PID 1292 wrote to memory of 2844	1292	{B1F82986-6013-4635-870A-128BFD64C933}.exe	37
PID 1292 wrote to memory of 2844	1292	{B1F82986-6013-4635-870A-128BFD64C933}.exe	37
PID 1292 wrote to memory of 2844	1292	{B1F82986-6013-4635-870A-128BFD64C933}.exe	37
PID 2556 wrote to memory of 2840	2556	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe	38
PID 2556 wrote to memory of 2840	2556	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe	38
PID 2556 wrote to memory of 2840	2556	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe	38
PID 2556 wrote to memory of 2840	2556	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe	38
PID 2556 wrote to memory of 2984	2556	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe	39
PID 2556 wrote to memory of 2984	2556	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe	39
PID 2556 wrote to memory of 2984	2556	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe	39
PID 2556 wrote to memory of 2984	2556	{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe	39
PID 2840 wrote to memory of 1736	2840	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe	40
PID 2840 wrote to memory of 1736	2840	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe	40
PID 2840 wrote to memory of 1736	2840	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe	40
PID 2840 wrote to memory of 1736	2840	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe	40
PID 2840 wrote to memory of 1960	2840	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe	41
PID 2840 wrote to memory of 1960	2840	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe	41
PID 2840 wrote to memory of 1960	2840	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe	41
PID 2840 wrote to memory of 1960	2840	{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe	41
PID 1736 wrote to memory of 1576	1736	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe	42
PID 1736 wrote to memory of 1576	1736	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe	42
PID 1736 wrote to memory of 1576	1736	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe	42
PID 1736 wrote to memory of 1576	1736	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe	42
PID 1736 wrote to memory of 324	1736	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe	43
PID 1736 wrote to memory of 324	1736	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe	43
PID 1736 wrote to memory of 324	1736	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe	43
PID 1736 wrote to memory of 324	1736	{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe	43
PID 1576 wrote to memory of 2820	1576	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe	44
PID 1576 wrote to memory of 2820	1576	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe	44
PID 1576 wrote to memory of 2820	1576	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe	44
PID 1576 wrote to memory of 2820	1576	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe	44
PID 1576 wrote to memory of 972	1576	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe	45
PID 1576 wrote to memory of 972	1576	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe	45
PID 1576 wrote to memory of 972	1576	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe	45
PID 1576 wrote to memory of 972	1576	{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_3ad941e74aa54f33189e9eb12ea0cb34_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe
  C:\Windows\{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe
    C:\Windows\{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{B1F82986-6013-4635-870A-128BFD64C933}.exe
      C:\Windows\{B1F82986-6013-4635-870A-128BFD64C933}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe
        
        C:\Windows\{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe
        
        C:\Windows\{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe
        
        C:\Windows\{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe
        
        C:\Windows\{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\{3C077C91-84E4-410b-A654-6555EB85A2F1}.exe
        
        C:\Windows\{3C077C91-84E4-410b-A654-6555EB85A2F1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\{FD28948F-A10D-40ee-B663-FDAC5C100762}.exe
        
        C:\Windows\{FD28948F-A10D-40ee-B663-FDAC5C100762}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\{5C34D1D0-FD14-4a19-BCEF-F064D52A1155}.exe
        
        C:\Windows\{5C34D1D0-FD14-4a19-BCEF-F064D52A1155}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\{367A6EA3-3144-492d-9C50-0B2161254918}.exe
        
        C:\Windows\{367A6EA3-3144-492d-9C50-0B2161254918}.exe
        12⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C34D~1.EXE > nul
        12⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD289~1.EXE > nul
        11⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C077~1.EXE > nul
        10⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80668~1.EXE > nul
        9⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{843E9~1.EXE > nul
        8⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02C03~1.EXE > nul
        7⤵
        
        PID:1960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3655D~1.EXE > nul
        6⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1F82~1.EXE > nul
        5⤵
        
        PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E0C23~1.EXE > nul
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{429A6~1.EXE > nul
    3⤵
    PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02C03885-AA2B-4b6d-8A21-91657D13A90A}.exe

Filesize
180KB

MD5
d9450453f26b6ba22a4a1c486e541ed3

SHA1
bbd98aac31b625328a3522f83078ef8a4aa57cc2

SHA256
a7b3ac93162770a4e349795a923e7afe16971e5d2dc548b05509ab80484f6855

SHA512
12d822e40b309a08d3eb75a9e4db00e8f53d31770ff5b319170dfff1f6ef7c2129d5b9aeccdcd17a319238cf8fdbcfb0c1c5608ed6d7b6281bde6066760a80ae

Download Submit
C:\Windows\{3655D3E1-2255-4644-9CBF-E315EA74D6E9}.exe

Filesize
180KB

MD5
9083ed96275a0d4d608e11aebfbe4b81

SHA1
2e845b03386dbce793d3ba7eb3b939af7e3d4132

SHA256
a03e2260c87de486962fb707c4c0f44e31ebf4f9f5a45e55c785fcea4c3bfbb5

SHA512
df81bef6b87e324f03eb002ba9f329c706740c09a9a6a9271660a87b9d78355401cfad42efdd044f5bcdf43fd9add602a73a3285e84a0b52b31707effbd4bca1

Download Submit
C:\Windows\{367A6EA3-3144-492d-9C50-0B2161254918}.exe

Filesize
180KB

MD5
1915d1a2c1b5ed2f63a8e3b85b045011

SHA1
9e1d257b763bd07616c92e9668972f0980d06972

SHA256
2132e01c8b816cd290f449963a41c0de409fc8c5e62070a1dfbc818a8820ecfe

SHA512
fa30e7b01d7517b0f2c7100aa83ad6b893d3efb67b79a556343e20f50b7754a2946acc5355f5a848acec1cb6ef0fc68d23e9aa96b5c5e8096190109e59ca2e59

Download Submit
C:\Windows\{3C077C91-84E4-410b-A654-6555EB85A2F1}.exe

Filesize
180KB

MD5
42d4fb6891b01123e8b02ad2e0d6e356

SHA1
3a9e1ef4ef62f13a14fdda4239596fdca5acf7ed

SHA256
11001427e81a35dae1ab30b845cf6ef422b194381db870119ce351b5515b7d47

SHA512
34b4478020864fb549651f529b09dd47e957e08e2174193672d719604631d747e639f7d7fb30a8192630548c0fe6935215baa46b2efed778459ef468f7e60fad

Download Submit
C:\Windows\{429A6BCB-9DF7-4aea-ACE3-BA98020C6FB2}.exe

Filesize
180KB

MD5
279d389f3e82fff91cdf201d04473050

SHA1
be7c79dd3c95372429cf95e9e6423b4d77db85aa

SHA256
a52e3be9bb8c90a18d1bf63e33fb2a7de10d6010bbda8d8e77a0bc3f56b34a5f

SHA512
76baa2b3e674f4348e4b2e285ae5fb0ea9e9dac11ec1dee1ab151a3d0e9214520c4829e0d5bfae4ce629b3b123e9e785ba88f3ea3df488dba87bb794c9dc58ba

Download Submit
C:\Windows\{5C34D1D0-FD14-4a19-BCEF-F064D52A1155}.exe

Filesize
180KB

MD5
0dfa6b5e69c7f46330f63812e2511fd6

SHA1
29da5b193c1ec37de1c4e5b54f20bb698792f3d8

SHA256
8af069766b58d3d537d1e836b36ce17f8dafd01be12f5beb7d6f4a83f222fab7

SHA512
67690ff0ae43fac6104425d1d91f1ba2f5c218be2aa1c5588920195bf4c4cc6a05324f564c99fc1fa63884d5f1fce31731d59386b7dc1d63ebc8ca280aad6b56

Download Submit
C:\Windows\{80668404-0B20-49ce-85F0-76CC1163FDA7}.exe

Filesize
180KB

MD5
0e263797ea2414d6b6c43f66b04c5454

SHA1
0f31363bd64d737a550dfc1ecccaf10a4fad5074

SHA256
fca77556258a5384e6d37c1331586be19df689802c9d9e28c714d21bb7a4947b

SHA512
ecf4e21012bd0b7a0e0bae5a17299bdf01d49aab580a60dbe6a611d181e20976545130e32a2f94aaae9d965bae1877307cf4e691db4e451e34c8bcc68e169a4a

Download Submit
C:\Windows\{843E9D52-CF37-4f64-B42B-DA076255F3DB}.exe

Filesize
180KB

MD5
a7edba67b40ed39672bd1fd2d51a4819

SHA1
f5010d6a9184828be48089791d315becee5ee732

SHA256
dc7d794043d3911569228b8b4b936ec33557556f4f55ae291a8357f119f8b24f

SHA512
62eb605bc38e564bab998662d339d5b928451506deb3ca65d5720b63f95db8eeeb830746ea723f95163919ce0161a0c736135c327a6eaf07ee1e969e738152c1

Download Submit
C:\Windows\{B1F82986-6013-4635-870A-128BFD64C933}.exe

Filesize
180KB

MD5
96e33cbfcf34ff53e389fd53b90976db

SHA1
2d596ccf0c06a90e4a8e74b8e85c76ea251291db

SHA256
2bc4b086ea51f9c7a82d0c854218bea75f06c9604f21c7443d2577bfb43bc63e

SHA512
510acf08f8930dd632a8487d6d0fc16d2dab11a1e2e2490d5f13deef2228aed33115614a2fd83d71fb4243cb94449fefd1b87c597aeb60fcb9ddeb4928e5cabf

Download Submit
C:\Windows\{E0C23246-A5F4-4f08-973E-1F00E5BDA562}.exe

Filesize
180KB

MD5
5cee9c55b1369b75d057f612a3a655dd

SHA1
4bb684d410fa17bdf5dd99d912c045a4f7f52919

SHA256
5c6e2b33c62386709d919ee67d4999501ff03bb3f1fd1feb4bdc4ca4b3244f77

SHA512
31ec6d9b782160ba48f4b4b0645ea61c7b2ad551cff9b0aa7f013da6d6f128df837c208e1c97fa0406978271fdb96fe38f739eb2167c118ea6c6aa9cbb11080a

Download Submit
C:\Windows\{FD28948F-A10D-40ee-B663-FDAC5C100762}.exe

Filesize
180KB

MD5
ad1b2debc831d2e436438ed1031b7a7f

SHA1
7694478fc442df971b422e1ffeb3d8bcc70d97b3

SHA256
8cc48d02e4c6274775f4144df96f24dce1765c9345bbb2c6ffe25d5c0dc4fee2

SHA512
7f8517390f01a7a4e36666601c7fc1a250722bb445c7d43c31bca5f8fd62cc215964af3cae0c2f8cfbf6f54ff2a72758cfd204fef0a50bd1feab9b2a0c66e3d0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads