091564fafca3bf76577502f9ce700348e72fe88efe1c710bc1793b3c56129d44

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe
Size

408KB
MD5

e9317b24ab59ee31d978266de98ddc30
SHA1

1cf795c083ede4d8730cbd756b27ab9caff90036
SHA256

091564fafca3bf76577502f9ce700348e72fe88efe1c710bc1793b3c56129d44
SHA512

7c0224d506bf7b530f2254adf3216046c7a7308e327d692234c8ce04e059c29e078977b2dc28a84b19736125e04c29d88aabeb645c737b2cfac59c985826357c
SSDEEP

3072:CEGh0ozl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGZldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012246-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001232a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012246-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000146c8-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012246-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012246-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012246-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{976C00FE-6FE1-44ad-9B71-B455980F0B07}	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F019C656-D59F-487f-ACE7-01FCB4CF6D19}\stubpath = "C:\\Windows\\{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe"	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}\stubpath = "C:\\Windows\\{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe"	{582351E4-97B5-49a5-828A-B4628EC35988}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8308CF3-4416-4230-9620-11B1640DED59}	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6E446FA-D2CE-4ca1-9DB0-E66B32332D76}	{D8B2AA57-E3CB-406a-8727-EC21051051B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54D2C92B-715F-40d9-AD93-86E12E824F26}\stubpath = "C:\\Windows\\{54D2C92B-715F-40d9-AD93-86E12E824F26}.exe"	{B6E446FA-D2CE-4ca1-9DB0-E66B32332D76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04043A32-1B09-4e95-9875-AD1659BBE7D7}	2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{976C00FE-6FE1-44ad-9B71-B455980F0B07}\stubpath = "C:\\Windows\\{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe"	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F019C656-D59F-487f-ACE7-01FCB4CF6D19}	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}	{C8308CF3-4416-4230-9620-11B1640DED59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}\stubpath = "C:\\Windows\\{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe"	{C8308CF3-4416-4230-9620-11B1640DED59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AE1DAFA-3399-4718-AA1B-4D0AB03C9BED}	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04043A32-1B09-4e95-9875-AD1659BBE7D7}\stubpath = "C:\\Windows\\{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe"	2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{582351E4-97B5-49a5-828A-B4628EC35988}\stubpath = "C:\\Windows\\{582351E4-97B5-49a5-828A-B4628EC35988}.exe"	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AE1DAFA-3399-4718-AA1B-4D0AB03C9BED}\stubpath = "C:\\Windows\\{1AE1DAFA-3399-4718-AA1B-4D0AB03C9BED}.exe"	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6E446FA-D2CE-4ca1-9DB0-E66B32332D76}\stubpath = "C:\\Windows\\{B6E446FA-D2CE-4ca1-9DB0-E66B32332D76}.exe"	{D8B2AA57-E3CB-406a-8727-EC21051051B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{582351E4-97B5-49a5-828A-B4628EC35988}	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}	{582351E4-97B5-49a5-828A-B4628EC35988}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8308CF3-4416-4230-9620-11B1640DED59}\stubpath = "C:\\Windows\\{C8308CF3-4416-4230-9620-11B1640DED59}.exe"	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B2AA57-E3CB-406a-8727-EC21051051B5}	{1AE1DAFA-3399-4718-AA1B-4D0AB03C9BED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B2AA57-E3CB-406a-8727-EC21051051B5}\stubpath = "C:\\Windows\\{D8B2AA57-E3CB-406a-8727-EC21051051B5}.exe"	{1AE1DAFA-3399-4718-AA1B-4D0AB03C9BED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54D2C92B-715F-40d9-AD93-86E12E824F26}	{B6E446FA-D2CE-4ca1-9DB0-E66B32332D76}.exe

Executes dropped EXE 11 IoCs

pid	Process
2520	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe
2420	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe
2812	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe
2856	{582351E4-97B5-49a5-828A-B4628EC35988}.exe
2136	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe
344	{C8308CF3-4416-4230-9620-11B1640DED59}.exe
2308	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe
2892	{1AE1DAFA-3399-4718-AA1B-4D0AB03C9BED}.exe
2948	{D8B2AA57-E3CB-406a-8727-EC21051051B5}.exe
2236	{B6E446FA-D2CE-4ca1-9DB0-E66B32332D76}.exe
1308	{54D2C92B-715F-40d9-AD93-86E12E824F26}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{582351E4-97B5-49a5-828A-B4628EC35988}.exe	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe
File created	C:\Windows\{C8308CF3-4416-4230-9620-11B1640DED59}.exe	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe
File created	C:\Windows\{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe
File created	C:\Windows\{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe
File created	C:\Windows\{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe	{582351E4-97B5-49a5-828A-B4628EC35988}.exe
File created	C:\Windows\{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe	{C8308CF3-4416-4230-9620-11B1640DED59}.exe
File created	C:\Windows\{1AE1DAFA-3399-4718-AA1B-4D0AB03C9BED}.exe	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe
File created	C:\Windows\{D8B2AA57-E3CB-406a-8727-EC21051051B5}.exe	{1AE1DAFA-3399-4718-AA1B-4D0AB03C9BED}.exe
File created	C:\Windows\{B6E446FA-D2CE-4ca1-9DB0-E66B32332D76}.exe	{D8B2AA57-E3CB-406a-8727-EC21051051B5}.exe
File created	C:\Windows\{54D2C92B-715F-40d9-AD93-86E12E824F26}.exe	{B6E446FA-D2CE-4ca1-9DB0-E66B32332D76}.exe
File created	C:\Windows\{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe	2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1416	2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2520	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe
Token: SeIncBasePriorityPrivilege	2420	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe
Token: SeIncBasePriorityPrivilege	2812	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe
Token: SeIncBasePriorityPrivilege	2856	{582351E4-97B5-49a5-828A-B4628EC35988}.exe
Token: SeIncBasePriorityPrivilege	2136	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe
Token: SeIncBasePriorityPrivilege	344	{C8308CF3-4416-4230-9620-11B1640DED59}.exe
Token: SeIncBasePriorityPrivilege	2308	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe
Token: SeIncBasePriorityPrivilege	2892	{1AE1DAFA-3399-4718-AA1B-4D0AB03C9BED}.exe
Token: SeIncBasePriorityPrivilege	2948	{D8B2AA57-E3CB-406a-8727-EC21051051B5}.exe
Token: SeIncBasePriorityPrivilege	2236	{B6E446FA-D2CE-4ca1-9DB0-E66B32332D76}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 2520	1416	2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe	28
PID 1416 wrote to memory of 2520	1416	2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe	28
PID 1416 wrote to memory of 2520	1416	2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe	28
PID 1416 wrote to memory of 2520	1416	2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe	28
PID 1416 wrote to memory of 2104	1416	2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe	29
PID 1416 wrote to memory of 2104	1416	2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe	29
PID 1416 wrote to memory of 2104	1416	2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe	29
PID 1416 wrote to memory of 2104	1416	2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe	29
PID 2520 wrote to memory of 2420	2520	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe	30
PID 2520 wrote to memory of 2420	2520	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe	30
PID 2520 wrote to memory of 2420	2520	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe	30
PID 2520 wrote to memory of 2420	2520	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe	30
PID 2520 wrote to memory of 1280	2520	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe	31
PID 2520 wrote to memory of 1280	2520	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe	31
PID 2520 wrote to memory of 1280	2520	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe	31
PID 2520 wrote to memory of 1280	2520	{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe	31
PID 2420 wrote to memory of 2812	2420	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe	32
PID 2420 wrote to memory of 2812	2420	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe	32
PID 2420 wrote to memory of 2812	2420	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe	32
PID 2420 wrote to memory of 2812	2420	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe	32
PID 2420 wrote to memory of 2744	2420	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe	33
PID 2420 wrote to memory of 2744	2420	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe	33
PID 2420 wrote to memory of 2744	2420	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe	33
PID 2420 wrote to memory of 2744	2420	{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe	33
PID 2812 wrote to memory of 2856	2812	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe	37
PID 2812 wrote to memory of 2856	2812	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe	37
PID 2812 wrote to memory of 2856	2812	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe	37
PID 2812 wrote to memory of 2856	2812	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe	37
PID 2812 wrote to memory of 2604	2812	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe	36
PID 2812 wrote to memory of 2604	2812	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe	36
PID 2812 wrote to memory of 2604	2812	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe	36
PID 2812 wrote to memory of 2604	2812	{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe	36
PID 2856 wrote to memory of 2136	2856	{582351E4-97B5-49a5-828A-B4628EC35988}.exe	39
PID 2856 wrote to memory of 2136	2856	{582351E4-97B5-49a5-828A-B4628EC35988}.exe	39
PID 2856 wrote to memory of 2136	2856	{582351E4-97B5-49a5-828A-B4628EC35988}.exe	39
PID 2856 wrote to memory of 2136	2856	{582351E4-97B5-49a5-828A-B4628EC35988}.exe	39
PID 2856 wrote to memory of 1876	2856	{582351E4-97B5-49a5-828A-B4628EC35988}.exe	38
PID 2856 wrote to memory of 1876	2856	{582351E4-97B5-49a5-828A-B4628EC35988}.exe	38
PID 2856 wrote to memory of 1876	2856	{582351E4-97B5-49a5-828A-B4628EC35988}.exe	38
PID 2856 wrote to memory of 1876	2856	{582351E4-97B5-49a5-828A-B4628EC35988}.exe	38
PID 2136 wrote to memory of 344	2136	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe	40
PID 2136 wrote to memory of 344	2136	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe	40
PID 2136 wrote to memory of 344	2136	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe	40
PID 2136 wrote to memory of 344	2136	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe	40
PID 2136 wrote to memory of 2008	2136	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe	41
PID 2136 wrote to memory of 2008	2136	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe	41
PID 2136 wrote to memory of 2008	2136	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe	41
PID 2136 wrote to memory of 2008	2136	{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe	41
PID 344 wrote to memory of 2308	344	{C8308CF3-4416-4230-9620-11B1640DED59}.exe	43
PID 344 wrote to memory of 2308	344	{C8308CF3-4416-4230-9620-11B1640DED59}.exe	43
PID 344 wrote to memory of 2308	344	{C8308CF3-4416-4230-9620-11B1640DED59}.exe	43
PID 344 wrote to memory of 2308	344	{C8308CF3-4416-4230-9620-11B1640DED59}.exe	43
PID 344 wrote to memory of 1648	344	{C8308CF3-4416-4230-9620-11B1640DED59}.exe	42
PID 344 wrote to memory of 1648	344	{C8308CF3-4416-4230-9620-11B1640DED59}.exe	42
PID 344 wrote to memory of 1648	344	{C8308CF3-4416-4230-9620-11B1640DED59}.exe	42
PID 344 wrote to memory of 1648	344	{C8308CF3-4416-4230-9620-11B1640DED59}.exe	42
PID 2308 wrote to memory of 2892	2308	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe	44
PID 2308 wrote to memory of 2892	2308	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe	44
PID 2308 wrote to memory of 2892	2308	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe	44
PID 2308 wrote to memory of 2892	2308	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe	44
PID 2308 wrote to memory of 1516	2308	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe	45
PID 2308 wrote to memory of 1516	2308	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe	45
PID 2308 wrote to memory of 1516	2308	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe	45
PID 2308 wrote to memory of 1516	2308	{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_e9317b24ab59ee31d978266de98ddc30_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe
  C:\Windows\{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe
    C:\Windows\{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe
      C:\Windows\{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F019C~1.EXE > nul
        5⤵
        
        PID:2604
    - - C:\Windows\{582351E4-97B5-49a5-828A-B4628EC35988}.exe
        
        C:\Windows\{582351E4-97B5-49a5-828A-B4628EC35988}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58235~1.EXE > nul
        6⤵
        
        PID:1876
      - C:\Windows\{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe
        
        C:\Windows\{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{C8308CF3-4416-4230-9620-11B1640DED59}.exe
        
        C:\Windows\{C8308CF3-4416-4230-9620-11B1640DED59}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8308~1.EXE > nul
        8⤵
        
        PID:1648
        
        C:\Windows\{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe
        
        C:\Windows\{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\{1AE1DAFA-3399-4718-AA1B-4D0AB03C9BED}.exe
        
        C:\Windows\{1AE1DAFA-3399-4718-AA1B-4D0AB03C9BED}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AE1D~1.EXE > nul
        10⤵
        
        PID:2692
        
        C:\Windows\{D8B2AA57-E3CB-406a-8727-EC21051051B5}.exe
        
        C:\Windows\{D8B2AA57-E3CB-406a-8727-EC21051051B5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8B2A~1.EXE > nul
        11⤵
        
        PID:3000
        
        C:\Windows\{B6E446FA-D2CE-4ca1-9DB0-E66B32332D76}.exe
        
        C:\Windows\{B6E446FA-D2CE-4ca1-9DB0-E66B32332D76}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6E44~1.EXE > nul
        12⤵
        
        PID:1656
        
        C:\Windows\{54D2C92B-715F-40d9-AD93-86E12E824F26}.exe
        
        C:\Windows\{54D2C92B-715F-40d9-AD93-86E12E824F26}.exe
        12⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDB2B~1.EXE > nul
        9⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83D6E~1.EXE > nul
        7⤵
        
        PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{976C0~1.EXE > nul
      4⤵
      PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{04043~1.EXE > nul
    3⤵
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04043A32-1B09-4e95-9875-AD1659BBE7D7}.exe

Filesize
408KB

MD5
b6b125f0e978d56b9bb00cf1521a430e

SHA1
62cfd64e82f4f2044c32f7e70a02ad4a57a47890

SHA256
5dd03952f80085c395a754ef984d8a44527a838bee71fe70cbb09654cef39869

SHA512
2f8194b226ca0f27f109509308f70d7bdd3f2c26a43d12ad528ec6239d192dd104337c80663e6aeb7aba10b3929d4c13a0867d6b1b5e12a7b779d7e241ac2adf

Download Submit
C:\Windows\{1AE1DAFA-3399-4718-AA1B-4D0AB03C9BED}.exe

Filesize
408KB

MD5
b3b8c6370879d61e1694df14dcd1ce64

SHA1
597a80c6731185d1418548efb6728818649cc43f

SHA256
21fa32ba12fa5fd0143d5e67aa36341d4e6a98b08dfdc726ab62b3461a301cae

SHA512
c6dda482d293965b68c3c044816d41aba345f000bf0edf718e51d9d853772335d9bece3c32a16c1c238632a4c21ea665e73ced3c545f134fd4ebaa89788ded0c

Download Submit
C:\Windows\{54D2C92B-715F-40d9-AD93-86E12E824F26}.exe

Filesize
408KB

MD5
7daab7d2addbedfab024c5aa28f18c6f

SHA1
3ac43c517f898450c71a8402f5cd6fc700d0a6f6

SHA256
bb9210b09fe930835754674f3486790bc36e63cdcf9ff7632e8cb95ca7ecd740

SHA512
f72573f06850f04aba67ac4476fd48f889f1bbbaa4a1b4213d8375b46aa160988d08f1e14b11e7c9d2c3b19178d8fb93b08f5cc013483a39e8dc8922b1141281

Download Submit
C:\Windows\{582351E4-97B5-49a5-828A-B4628EC35988}.exe

Filesize
408KB

MD5
6600a7b263df984bbc5abf90d04d569e

SHA1
660b3c010ffba9fdd2b3158c9b9169085cc0f163

SHA256
300b06eba32f68f243553a77fb08abde94b1b00d23dbb7b02f285b279663ec66

SHA512
5448728cf4a0ab3a639066d9142894fc63dd34fc0cb6ef2bda31a652fe27d546fa60696ade56bfbddf4ee0724048b3deb2a689c5b8f5bbdeaff9bf3c05024bbd

Download Submit
C:\Windows\{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe

Filesize
408KB

MD5
cf9980880a32becfb212818aa3e512f6

SHA1
724bb75937b0dae7f0e7286d2896af3ab1233df0

SHA256
77535bed1d51b8d46b2d2107309577ec26321bb2ef8cc0c66775dd4927ace3bc

SHA512
707efdfe11911b60d37a4b88d2f11c31cddf78659f0e7397bace70a92fa4147aa39b6f7d2d068d2c992e4703c0b5715aca5ef727df095670dcc252d040d741ea

Download Submit
C:\Windows\{83D6E1F4-72E3-4f52-A4E0-A044C9B2817E}.exe

Filesize
79KB

MD5
5a721f64c032964303afd5bb9e46b36b

SHA1
6fa91ca705626cd2c5991eb9a9dccd61ab0bc8ff

SHA256
0dcdabb176f0b82b9c088ec59cb82bd8067e6edcf5ecb51ac6074965a0950c53

SHA512
499463608b08a3cc99128351b769b46b448c2d311bfddb5da9f730465aa7c63494a8e8fee65c6ad18d0b5be30d7d87dd9a74cdb954a62008e5844aa65671166e

Download Submit
C:\Windows\{976C00FE-6FE1-44ad-9B71-B455980F0B07}.exe

Filesize
408KB

MD5
f1e94d78b564ed3b52879ae303d7e8f4

SHA1
d3cb89f92f4055d1c6f44240dd3c43ee203ff6a7

SHA256
a956eb76bb5f644a705c5473b8fcbbe1ab090bda3b664b6771712da90beca396

SHA512
b3d3c7966349949790ffedfa6c0d279c77e215f91f42bb0ebccfb6f1b351ee75f5dba56516a2b1a2067a198eade8ef9d0cbb265b1357b833d7b1cefb10e438ec

Download Submit
C:\Windows\{B6E446FA-D2CE-4ca1-9DB0-E66B32332D76}.exe

Filesize
408KB

MD5
3a2abc396effc790c1f89a707a323df0

SHA1
06c9ef0d9d4a43235175ade76d8c84bf41d4d3e9

SHA256
dad32a5a172168e9c98cfb1b3ef6d374b77e31aa24793836f2194a0724c84233

SHA512
8eeb9c519a8ee96175dec738da86661289db07f67800d037d2752e157060cae2393285e1ccef74dbb1f52d4dde438e54e7c38b36502ff6b8817809810d948c43

Download Submit
C:\Windows\{BDB2B0C7-FF80-42ea-99BA-12754F144BF9}.exe

Filesize
408KB

MD5
589a8a7bc06c6d639034843a6298e1fd

SHA1
fac0f91656d9e42333f803b1d15b06fa419c698b

SHA256
70052dfaa460cff0a9d35a0d7bb5fd0f1a4785170f3bb395cf5578cf1ee8e201

SHA512
a52e28dabfb32248d3ea9180d45acce7f6487d109686b049ed22e91b121cf260a2fc69530e6690ed06f254d61f5b1f85e4f418689da50cfea01b52f05d5c6f32

Download Submit
C:\Windows\{C8308CF3-4416-4230-9620-11B1640DED59}.exe

Filesize
408KB

MD5
18ccc43541a4a1cc717cfd48c5651387

SHA1
53b5c98b511e039065f23598c36c23bec917db3d

SHA256
ac4515ee9e646d87df16f1d2c3c94e8763908a827873679a75857570f38e354e

SHA512
2c5c2215c77d7f65b5f30510e5ffd8c42dcd7e66e01635fe884958c7d8bbc3eb2fcaf1153b0c5ae230ec8bd11aee560dd248c24629d83c77f451e028aec1df26

Download Submit
C:\Windows\{D8B2AA57-E3CB-406a-8727-EC21051051B5}.exe

Filesize
408KB

MD5
4354f7e6fd0bbf51de84a303c4f9358b

SHA1
ec7d532a9aea6ea6ac40de8f0f1c7aa7d0418914

SHA256
230918bc633a3835ac4e587abb82ef9f74e499bc721f6f5c2c743cfb496c4ed2

SHA512
39e44a13e5f5183ca95e488c33dc35424b8e756d716f0c15ff4150ace64efdecdad7674f1ed6e95101d957eff99600a72679a01b14c6d033a2ce8fd3f613f4e9

Download Submit
C:\Windows\{F019C656-D59F-487f-ACE7-01FCB4CF6D19}.exe

Filesize
408KB

MD5
63e31056607c8548e1d9f8995cb30cb6

SHA1
6070f7af83d47e88e6eea6ac2b4388840676ae65

SHA256
aa5af2f5e5321bb0ada2cba762ec199644b0573eba95897d612840a8ea1c77d0

SHA512
6beb5681d17abb457d16d0b1d82e5f18702f5ee133f4aafefc9a45a96cb2461099f160778973a750a45d13a416cac0f032210b671531084f4b8a7c99320ea9c7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads