9a8308ec3e82bdac8f2156a597e73890243b1e7ff51d1e9fdd76734a9f0e6b96

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe
Size

180KB
MD5

5e1766617cd68aa91cacdb5907e49a05
SHA1

9f5b528a121be43ddbe6feb8f5491e0247db2cb4
SHA256

9a8308ec3e82bdac8f2156a597e73890243b1e7ff51d1e9fdd76734a9f0e6b96
SHA512

33b0a37379458ff2a9c8e6d07f2a08bdc53e7574e129856376966c75031cde75693bee6997b7ab5ce4d9c8142fbca153c503aaf9985ff1ed921cda8dea31d0b4
SSDEEP

3072:jEGh0oelfOso7ie+rcC4F0fJGRIS8Rfd7eQEcGcr:jEGgl5eKcAEc

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012280-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122f6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012280-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A66FD1B6-7F79-45a1-A9E5-C240088323E5}\stubpath = "C:\\Windows\\{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe"	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{996B5381-95F6-4762-96B5-4046FFF4B7B0}	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{996B5381-95F6-4762-96B5-4046FFF4B7B0}\stubpath = "C:\\Windows\\{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe"	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36039762-F9DA-4463-A695-8EF44CAAC70D}	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}\stubpath = "C:\\Windows\\{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe"	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A66FD1B6-7F79-45a1-A9E5-C240088323E5}	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCE38018-AC93-4a6e-ADEA-7DED2F340D93}\stubpath = "C:\\Windows\\{CCE38018-AC93-4a6e-ADEA-7DED2F340D93}.exe"	{720EE8F0-9A86-4236-82CB-4C460237CEFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BB1A86E-86A4-42a3-98E0-CB11543DD8FD}\stubpath = "C:\\Windows\\{3BB1A86E-86A4-42a3-98E0-CB11543DD8FD}.exe"	{CCE38018-AC93-4a6e-ADEA-7DED2F340D93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}\stubpath = "C:\\Windows\\{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}.exe"	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{720EE8F0-9A86-4236-82CB-4C460237CEFA}	{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BB1A86E-86A4-42a3-98E0-CB11543DD8FD}	{CCE38018-AC93-4a6e-ADEA-7DED2F340D93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FFDB64-1803-468c-A5C7-7C492E337364}	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46FFDB64-1803-468c-A5C7-7C492E337364}\stubpath = "C:\\Windows\\{46FFDB64-1803-468c-A5C7-7C492E337364}.exe"	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36039762-F9DA-4463-A695-8EF44CAAC70D}\stubpath = "C:\\Windows\\{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe"	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8DA474F-3285-4120-B88A-A30ED481EF8F}	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8DA474F-3285-4120-B88A-A30ED481EF8F}\stubpath = "C:\\Windows\\{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe"	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}\stubpath = "C:\\Windows\\{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe"	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{720EE8F0-9A86-4236-82CB-4C460237CEFA}\stubpath = "C:\\Windows\\{720EE8F0-9A86-4236-82CB-4C460237CEFA}.exe"	{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCE38018-AC93-4a6e-ADEA-7DED2F340D93}	{720EE8F0-9A86-4236-82CB-4C460237CEFA}.exe

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2388	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe
2808	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe
2740	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe
2148	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe
2776	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe
1968	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe
268	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe
1644	{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}.exe
1692	{720EE8F0-9A86-4236-82CB-4C460237CEFA}.exe
2968	{CCE38018-AC93-4a6e-ADEA-7DED2F340D93}.exe
2076	{3BB1A86E-86A4-42a3-98E0-CB11543DD8FD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe
File created	C:\Windows\{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe
File created	C:\Windows\{720EE8F0-9A86-4236-82CB-4C460237CEFA}.exe	{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}.exe
File created	C:\Windows\{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe
File created	C:\Windows\{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}.exe	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe
File created	C:\Windows\{CCE38018-AC93-4a6e-ADEA-7DED2F340D93}.exe	{720EE8F0-9A86-4236-82CB-4C460237CEFA}.exe
File created	C:\Windows\{3BB1A86E-86A4-42a3-98E0-CB11543DD8FD}.exe	{CCE38018-AC93-4a6e-ADEA-7DED2F340D93}.exe
File created	C:\Windows\{46FFDB64-1803-468c-A5C7-7C492E337364}.exe	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe
File created	C:\Windows\{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe
File created	C:\Windows\{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe
File created	C:\Windows\{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2176	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2388	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe
Token: SeIncBasePriorityPrivilege	2808	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe
Token: SeIncBasePriorityPrivilege	2740	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe
Token: SeIncBasePriorityPrivilege	2148	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe
Token: SeIncBasePriorityPrivilege	2776	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe
Token: SeIncBasePriorityPrivilege	1968	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe
Token: SeIncBasePriorityPrivilege	268	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe
Token: SeIncBasePriorityPrivilege	1644	{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}.exe
Token: SeIncBasePriorityPrivilege	1692	{720EE8F0-9A86-4236-82CB-4C460237CEFA}.exe
Token: SeIncBasePriorityPrivilege	2968	{CCE38018-AC93-4a6e-ADEA-7DED2F340D93}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2388	2176	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	28
PID 2176 wrote to memory of 2388	2176	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	28
PID 2176 wrote to memory of 2388	2176	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	28
PID 2176 wrote to memory of 2388	2176	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	28
PID 2176 wrote to memory of 2704	2176	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	29
PID 2176 wrote to memory of 2704	2176	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	29
PID 2176 wrote to memory of 2704	2176	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	29
PID 2176 wrote to memory of 2704	2176	2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe	29
PID 2388 wrote to memory of 2808	2388	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe	30
PID 2388 wrote to memory of 2808	2388	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe	30
PID 2388 wrote to memory of 2808	2388	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe	30
PID 2388 wrote to memory of 2808	2388	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe	30
PID 2388 wrote to memory of 2332	2388	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe	31
PID 2388 wrote to memory of 2332	2388	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe	31
PID 2388 wrote to memory of 2332	2388	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe	31
PID 2388 wrote to memory of 2332	2388	{46FFDB64-1803-468c-A5C7-7C492E337364}.exe	31
PID 2808 wrote to memory of 2740	2808	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe	32
PID 2808 wrote to memory of 2740	2808	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe	32
PID 2808 wrote to memory of 2740	2808	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe	32
PID 2808 wrote to memory of 2740	2808	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe	32
PID 2808 wrote to memory of 2620	2808	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe	33
PID 2808 wrote to memory of 2620	2808	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe	33
PID 2808 wrote to memory of 2620	2808	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe	33
PID 2808 wrote to memory of 2620	2808	{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe	33
PID 2740 wrote to memory of 2148	2740	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe	36
PID 2740 wrote to memory of 2148	2740	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe	36
PID 2740 wrote to memory of 2148	2740	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe	36
PID 2740 wrote to memory of 2148	2740	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe	36
PID 2740 wrote to memory of 2876	2740	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe	37
PID 2740 wrote to memory of 2876	2740	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe	37
PID 2740 wrote to memory of 2876	2740	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe	37
PID 2740 wrote to memory of 2876	2740	{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe	37
PID 2148 wrote to memory of 2776	2148	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe	38
PID 2148 wrote to memory of 2776	2148	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe	38
PID 2148 wrote to memory of 2776	2148	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe	38
PID 2148 wrote to memory of 2776	2148	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe	38
PID 2148 wrote to memory of 1912	2148	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe	39
PID 2148 wrote to memory of 1912	2148	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe	39
PID 2148 wrote to memory of 1912	2148	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe	39
PID 2148 wrote to memory of 1912	2148	{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe	39
PID 2776 wrote to memory of 1968	2776	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe	40
PID 2776 wrote to memory of 1968	2776	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe	40
PID 2776 wrote to memory of 1968	2776	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe	40
PID 2776 wrote to memory of 1968	2776	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe	40
PID 2776 wrote to memory of 1752	2776	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe	41
PID 2776 wrote to memory of 1752	2776	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe	41
PID 2776 wrote to memory of 1752	2776	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe	41
PID 2776 wrote to memory of 1752	2776	{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe	41
PID 1968 wrote to memory of 268	1968	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe	42
PID 1968 wrote to memory of 268	1968	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe	42
PID 1968 wrote to memory of 268	1968	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe	42
PID 1968 wrote to memory of 268	1968	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe	42
PID 1968 wrote to memory of 768	1968	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe	43
PID 1968 wrote to memory of 768	1968	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe	43
PID 1968 wrote to memory of 768	1968	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe	43
PID 1968 wrote to memory of 768	1968	{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe	43
PID 268 wrote to memory of 1644	268	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe	44
PID 268 wrote to memory of 1644	268	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe	44
PID 268 wrote to memory of 1644	268	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe	44
PID 268 wrote to memory of 1644	268	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe	44
PID 268 wrote to memory of 2636	268	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe	45
PID 268 wrote to memory of 2636	268	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe	45
PID 268 wrote to memory of 2636	268	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe	45
PID 268 wrote to memory of 2636	268	{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_5e1766617cd68aa91cacdb5907e49a05_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\{46FFDB64-1803-468c-A5C7-7C492E337364}.exe
  C:\Windows\{46FFDB64-1803-468c-A5C7-7C492E337364}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe
    C:\Windows\{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe
      C:\Windows\{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe
        
        C:\Windows\{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe
        
        C:\Windows\{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe
        
        C:\Windows\{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe
        
        C:\Windows\{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}.exe
        
        C:\Windows\{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{720EE8F0-9A86-4236-82CB-4C460237CEFA}.exe
        
        C:\Windows\{720EE8F0-9A86-4236-82CB-4C460237CEFA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{720EE~1.EXE > nul
        11⤵
        
        PID:2976
        
        C:\Windows\{CCE38018-AC93-4a6e-ADEA-7DED2F340D93}.exe
        
        C:\Windows\{CCE38018-AC93-4a6e-ADEA-7DED2F340D93}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\{3BB1A86E-86A4-42a3-98E0-CB11543DD8FD}.exe
        
        C:\Windows\{3BB1A86E-86A4-42a3-98E0-CB11543DD8FD}.exe
        12⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCE38~1.EXE > nul
        12⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C92F~1.EXE > nul
        10⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{996B5~1.EXE > nul
        9⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A66FD~1.EXE > nul
        8⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8DA4~1.EXE > nul
        7⤵
        
        PID:1752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5ECF~1.EXE > nul
        6⤵
        
        PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B01DD~1.EXE > nul
        5⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{36039~1.EXE > nul
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{46FFD~1.EXE > nul
    3⤵
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{36039762-F9DA-4463-A695-8EF44CAAC70D}.exe

Filesize
180KB

MD5
7bc1d298ebb891838e1f3f2327875c37

SHA1
afe8ac09b540b6888894ccc356046b00bc2325b9

SHA256
23b43997602eda8978026f175505b024ea3c7fa431ab2c1aa68677d69ff11b3a

SHA512
fa93d4d8c8ebdbfe9b02520287d0c4b729ffafd1a9e1ef609eb4e895a3fb7a502170bf67babf4109ecf47d8c55c31d653d0db3304b717171de93f0d5ba93a432

Download Submit
C:\Windows\{3BB1A86E-86A4-42a3-98E0-CB11543DD8FD}.exe

Filesize
180KB

MD5
033d5f28301ce4becef996c8b7e9f580

SHA1
07dee5b231df781d52d2ef886aefae204cfee0dc

SHA256
6f2f566ece1f2ba66518e82be4e82006100324bb5320c3a2c1123cf151e31e98

SHA512
65ce208ca4d3b80aa342b1c0d9423d3670f0763a6b5e6b20af32bf7cdc2c706917ef2b5fbfa45e521fca323642d8994e8d1723bdc02a0df075656382d6f1e50f

Download Submit
C:\Windows\{46FFDB64-1803-468c-A5C7-7C492E337364}.exe

Filesize
180KB

MD5
a1f618fcc6123b30aab6ff1b71585b0c

SHA1
45ade7f4171b615954fa8e0bba4a04c201072996

SHA256
8cc084590e548dc10eeb65b27a28f9d224edcfad9c7d56feda5164d4e3063e2c

SHA512
73c55da3159da4311e483fd5f5878fb4e929b97f9ed76ca94b4a909919345481e15bca3571739e85ecdf46e988060a37f7ea0e1f7b2fc151b21816b7eb4f2fbc

Download Submit
C:\Windows\{720EE8F0-9A86-4236-82CB-4C460237CEFA}.exe

Filesize
180KB

MD5
26e3590a45c0cff73f10f15e2fda081b

SHA1
c21c676d5e14d309d521b829c9f648a10bf81537

SHA256
88166003490d127914a4c2f92161eb4e0a5614601875718601b3274395ee8f83

SHA512
d4dc131b68fd569605074dc9146d2d123874593f9207ec0489c8d0066c09a8133090e4bcc194e17ffa2d4f56792dadf7b02c66061539655b119d281ac62eae4f

Download Submit
C:\Windows\{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}.exe

Filesize
180KB

MD5
b0334810093c19876033142df05ae09b

SHA1
cecb4bbeb1c92b9232d0bc57e0b16b8e61ced0a1

SHA256
c457c5cbf00a699b2b248701b9fb3f76d5949d41cbd638819edb53bc104a174b

SHA512
52d2acace483d216565a1c232c4e5c31ab03ae9fa1ff10aa7c25cc34e602d6cbd76a53e608b14858344c76392f8db2ffe8bd6dde6e956932c84fa3f53fc0ee6d

Download Submit
C:\Windows\{7C92F8E0-C381-47a8-958F-B9A9CB359CD8}.exe

Filesize
25KB

MD5
ca3ba168b4e79db49879da1761da211e

SHA1
00d8c8d27c360ee2147197cd4892f9498dcf8333

SHA256
2f6f2cd974833dc5358ed00c21c2e6d3a4da5b4eafb3a8be977c207d041aaf25

SHA512
8b4c12554ac571eaf50048fb8488213cd674f3ace6ba12999d086ec10cc7cec3ec1ef2677a87c5d29ec75863aaf4226df2906ddd2404c30aaa43e99531676e03

Download Submit
C:\Windows\{996B5381-95F6-4762-96B5-4046FFF4B7B0}.exe

Filesize
180KB

MD5
844d212203c2fe1c86d3a86a7d1dad5d

SHA1
6b1a1c7bd68a7b5a850e3672e3e5396fbf58c7f2

SHA256
48f600657a43d92aef761b94826bd7cc1b3102d625c602e0d8b301b22530ee13

SHA512
f8a3aae3ef33623b2a212245020e61405c9f69cbd6f21739d652a71f6f9b62fe74741f4b5ca761ab9caf7ecb0d7ef2bc89c54018a855913d2c33e70dbf33afd2

Download Submit
C:\Windows\{A5ECF22C-6F33-4ba3-BD08-AF2E0EA5D8C0}.exe

Filesize
180KB

MD5
a7cefbd49d40f5a4818f95f0d442310b

SHA1
ee21f5eb21c85bff54d9af233fe4fa40a0171db8

SHA256
edf82433c91d7198e013b904b1ab0ad69fb51eb591a1b53d872f448c883d05f0

SHA512
72792009e91bed9f4d4849dbd1e4dc506b4b935e38ad0667301fa7dc15a225fc66bdbac57af1bf1db4ab9ec20020ef55dfb587501d09d0776510962c6b4f2b57

Download Submit
C:\Windows\{A66FD1B6-7F79-45a1-A9E5-C240088323E5}.exe

Filesize
180KB

MD5
ce1fbebeff149677d8ed75b8c3ac9c27

SHA1
87f68bf1332f1274421bc4dad8d1770d97e67800

SHA256
ff66b736b7d83c067884cdd7971f75d94d707f4ec5d2edd0adfbc30aaf3079ca

SHA512
88f809b7fdf00ec4dc610923b48535dbbbb50e30720e356f85716ccf490593a51eb2620772bcb16ca54bb1defb334992762d842eed117e6b0473afd6a3e89e0e

Download Submit
C:\Windows\{B01DDE3C-D71C-4566-B064-3EBFDD8BD0F5}.exe

Filesize
180KB

MD5
594cc3d87caaffbe466165e523a89a83

SHA1
53795e51cadf6c5e8d2a4274a4df0c4f73727b75

SHA256
06422504c447083421e8a638e9aa7600f898b799b607fa4643d949a5b8daf968

SHA512
fbac23a2573a6f4f086804211f19cc0c67f27137ce2ef04ba6a987f2c3a5607a5de90c4fde76f09c9d95d38dd91ac00b6a117d77db7b0aff76a758e230f2fdad

Download Submit
C:\Windows\{B8DA474F-3285-4120-B88A-A30ED481EF8F}.exe

Filesize
180KB

MD5
40e993e5c8cd0266b37e9462ff8e11d3

SHA1
5541186924b711b56ec137eb0650494af19dfd83

SHA256
600256cd0d51f865ca726625d0e203ec4208549a22d5dc5f0cf7c0030d669353

SHA512
a93f81b8fbecf2aaf92995c2a66d67130a5c79940f3c861f86e8654911ce39d28475875ef2abe1efe805c9dd9c5b16485a80a1f4dd154d7b4aea14d1f177d2e3

Download Submit
C:\Windows\{CCE38018-AC93-4a6e-ADEA-7DED2F340D93}.exe

Filesize
180KB

MD5
73dd61f7871d75ae0bbe78bf6e04fdd5

SHA1
f3449cae0455ea383f9c9a61ada3d552c21b7f24

SHA256
79968a5fe62e8b0b00da6f8093b4d0ad4a57daca7d949df679a7c57ea5f6ec2f

SHA512
117964525667cd6f6c4a87b4ff7f9ebad590338a4cd45c858d7537645f961285f392bf387ce3e6f7384265955514aec25456ada44a5d65d93cc51a5b7f3643cf

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads