e354af3776eb64d144aa20b2f95edce389197b4d637d8526ff7351aa041f2a97

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 08:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe
Size

372KB
MD5

cf70d1a8f13eceb3f827be4fda424511
SHA1

b0462c297aca9ff3e36fe6c2baf154f187c9af7d
SHA256

e354af3776eb64d144aa20b2f95edce389197b4d637d8526ff7351aa041f2a97
SHA512

0384c1fae206a5a0b7dbd6daa79bebc514a4c4e1f014850ae89c30c04e315048198fb20b2ca804b93c28eae80469f9ce6d9ab75bc69a96927d3cbd068b1d9238
SSDEEP

3072:CEGh0ovmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG4l/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012270-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00360000000152bc-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003600000001554b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002900000000b1f4-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00370000000152bc-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00380000000152bc-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003700000001554b-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001559d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B684223-1058-41c3-9CA8-6E698E20E8C1}	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86FFEE72-09DC-495b-9FF5-C760E70BE5E7}	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70985F89-1C25-4640-AE85-2CE911A86D76}	{86FFEE72-09DC-495b-9FF5-C760E70BE5E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70985F89-1C25-4640-AE85-2CE911A86D76}\stubpath = "C:\\Windows\\{70985F89-1C25-4640-AE85-2CE911A86D76}.exe"	{86FFEE72-09DC-495b-9FF5-C760E70BE5E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBD644CC-BFFD-4868-8630-0BE3527BB900}	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}\stubpath = "C:\\Windows\\{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe"	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BA5F560-ADB9-489e-8F74-C5BDC619349D}	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86FFEE72-09DC-495b-9FF5-C760E70BE5E7}\stubpath = "C:\\Windows\\{86FFEE72-09DC-495b-9FF5-C760E70BE5E7}.exe"	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC5FDB95-BFED-4d4a-86A8-0B266FB0F11D}\stubpath = "C:\\Windows\\{AC5FDB95-BFED-4d4a-86A8-0B266FB0F11D}.exe"	{B4E8BE6C-CDBF-4933-995A-ACC3489BD0B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBD644CC-BFFD-4868-8630-0BE3527BB900}\stubpath = "C:\\Windows\\{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe"	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}\stubpath = "C:\\Windows\\{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe"	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1400935A-236E-40b0-8B13-257D76F4A951}\stubpath = "C:\\Windows\\{1400935A-236E-40b0-8B13-257D76F4A951}.exe"	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4E8BE6C-CDBF-4933-995A-ACC3489BD0B3}	{70985F89-1C25-4640-AE85-2CE911A86D76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4E8BE6C-CDBF-4933-995A-ACC3489BD0B3}\stubpath = "C:\\Windows\\{B4E8BE6C-CDBF-4933-995A-ACC3489BD0B3}.exe"	{70985F89-1C25-4640-AE85-2CE911A86D76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}\stubpath = "C:\\Windows\\{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe"	{1400935A-236E-40b0-8B13-257D76F4A951}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC5FDB95-BFED-4d4a-86A8-0B266FB0F11D}	{B4E8BE6C-CDBF-4933-995A-ACC3489BD0B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BA5F560-ADB9-489e-8F74-C5BDC619349D}\stubpath = "C:\\Windows\\{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe"	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B684223-1058-41c3-9CA8-6E698E20E8C1}\stubpath = "C:\\Windows\\{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe"	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1400935A-236E-40b0-8B13-257D76F4A951}	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}	{1400935A-236E-40b0-8B13-257D76F4A951}.exe

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2704	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe
2308	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe
1712	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe
2848	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe
676	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe
1524	{1400935A-236E-40b0-8B13-257D76F4A951}.exe
2568	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe
1484	{86FFEE72-09DC-495b-9FF5-C760E70BE5E7}.exe
1312	{70985F89-1C25-4640-AE85-2CE911A86D76}.exe
3008	{B4E8BE6C-CDBF-4933-995A-ACC3489BD0B3}.exe
1616	{AC5FDB95-BFED-4d4a-86A8-0B266FB0F11D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AC5FDB95-BFED-4d4a-86A8-0B266FB0F11D}.exe	{B4E8BE6C-CDBF-4933-995A-ACC3489BD0B3}.exe
File created	C:\Windows\{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe
File created	C:\Windows\{1400935A-236E-40b0-8B13-257D76F4A951}.exe	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe
File created	C:\Windows\{86FFEE72-09DC-495b-9FF5-C760E70BE5E7}.exe	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe
File created	C:\Windows\{70985F89-1C25-4640-AE85-2CE911A86D76}.exe	{86FFEE72-09DC-495b-9FF5-C760E70BE5E7}.exe
File created	C:\Windows\{B4E8BE6C-CDBF-4933-995A-ACC3489BD0B3}.exe	{70985F89-1C25-4640-AE85-2CE911A86D76}.exe
File created	C:\Windows\{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe
File created	C:\Windows\{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe
File created	C:\Windows\{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe
File created	C:\Windows\{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe
File created	C:\Windows\{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe	{1400935A-236E-40b0-8B13-257D76F4A951}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2776	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2704	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe
Token: SeIncBasePriorityPrivilege	2308	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe
Token: SeIncBasePriorityPrivilege	1712	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe
Token: SeIncBasePriorityPrivilege	2848	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe
Token: SeIncBasePriorityPrivilege	676	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe
Token: SeIncBasePriorityPrivilege	1524	{1400935A-236E-40b0-8B13-257D76F4A951}.exe
Token: SeIncBasePriorityPrivilege	2568	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe
Token: SeIncBasePriorityPrivilege	1484	{86FFEE72-09DC-495b-9FF5-C760E70BE5E7}.exe
Token: SeIncBasePriorityPrivilege	1312	{70985F89-1C25-4640-AE85-2CE911A86D76}.exe
Token: SeIncBasePriorityPrivilege	3008	{B4E8BE6C-CDBF-4933-995A-ACC3489BD0B3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2704	2776	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	28
PID 2776 wrote to memory of 2704	2776	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	28
PID 2776 wrote to memory of 2704	2776	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	28
PID 2776 wrote to memory of 2704	2776	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	28
PID 2776 wrote to memory of 2780	2776	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	29
PID 2776 wrote to memory of 2780	2776	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	29
PID 2776 wrote to memory of 2780	2776	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	29
PID 2776 wrote to memory of 2780	2776	2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe	29
PID 2704 wrote to memory of 2308	2704	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe	30
PID 2704 wrote to memory of 2308	2704	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe	30
PID 2704 wrote to memory of 2308	2704	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe	30
PID 2704 wrote to memory of 2308	2704	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe	30
PID 2704 wrote to memory of 2868	2704	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe	31
PID 2704 wrote to memory of 2868	2704	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe	31
PID 2704 wrote to memory of 2868	2704	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe	31
PID 2704 wrote to memory of 2868	2704	{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe	31
PID 2308 wrote to memory of 1712	2308	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe	34
PID 2308 wrote to memory of 1712	2308	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe	34
PID 2308 wrote to memory of 1712	2308	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe	34
PID 2308 wrote to memory of 1712	2308	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe	34
PID 2308 wrote to memory of 1168	2308	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe	35
PID 2308 wrote to memory of 1168	2308	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe	35
PID 2308 wrote to memory of 1168	2308	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe	35
PID 2308 wrote to memory of 1168	2308	{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe	35
PID 1712 wrote to memory of 2848	1712	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe	36
PID 1712 wrote to memory of 2848	1712	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe	36
PID 1712 wrote to memory of 2848	1712	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe	36
PID 1712 wrote to memory of 2848	1712	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe	36
PID 1712 wrote to memory of 2860	1712	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe	37
PID 1712 wrote to memory of 2860	1712	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe	37
PID 1712 wrote to memory of 2860	1712	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe	37
PID 1712 wrote to memory of 2860	1712	{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe	37
PID 2848 wrote to memory of 676	2848	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe	38
PID 2848 wrote to memory of 676	2848	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe	38
PID 2848 wrote to memory of 676	2848	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe	38
PID 2848 wrote to memory of 676	2848	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe	38
PID 2848 wrote to memory of 2948	2848	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe	39
PID 2848 wrote to memory of 2948	2848	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe	39
PID 2848 wrote to memory of 2948	2848	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe	39
PID 2848 wrote to memory of 2948	2848	{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe	39
PID 676 wrote to memory of 1524	676	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe	40
PID 676 wrote to memory of 1524	676	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe	40
PID 676 wrote to memory of 1524	676	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe	40
PID 676 wrote to memory of 1524	676	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe	40
PID 676 wrote to memory of 1976	676	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe	41
PID 676 wrote to memory of 1976	676	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe	41
PID 676 wrote to memory of 1976	676	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe	41
PID 676 wrote to memory of 1976	676	{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe	41
PID 1524 wrote to memory of 2568	1524	{1400935A-236E-40b0-8B13-257D76F4A951}.exe	42
PID 1524 wrote to memory of 2568	1524	{1400935A-236E-40b0-8B13-257D76F4A951}.exe	42
PID 1524 wrote to memory of 2568	1524	{1400935A-236E-40b0-8B13-257D76F4A951}.exe	42
PID 1524 wrote to memory of 2568	1524	{1400935A-236E-40b0-8B13-257D76F4A951}.exe	42
PID 1524 wrote to memory of 1692	1524	{1400935A-236E-40b0-8B13-257D76F4A951}.exe	43
PID 1524 wrote to memory of 1692	1524	{1400935A-236E-40b0-8B13-257D76F4A951}.exe	43
PID 1524 wrote to memory of 1692	1524	{1400935A-236E-40b0-8B13-257D76F4A951}.exe	43
PID 1524 wrote to memory of 1692	1524	{1400935A-236E-40b0-8B13-257D76F4A951}.exe	43
PID 2568 wrote to memory of 1484	2568	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe	44
PID 2568 wrote to memory of 1484	2568	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe	44
PID 2568 wrote to memory of 1484	2568	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe	44
PID 2568 wrote to memory of 1484	2568	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe	44
PID 2568 wrote to memory of 2004	2568	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe	45
PID 2568 wrote to memory of 2004	2568	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe	45
PID 2568 wrote to memory of 2004	2568	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe	45
PID 2568 wrote to memory of 2004	2568	{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-13_cf70d1a8f13eceb3f827be4fda424511_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe
  C:\Windows\{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe
    C:\Windows\{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe
      C:\Windows\{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe
        
        C:\Windows\{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe
        
        C:\Windows\{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\{1400935A-236E-40b0-8B13-257D76F4A951}.exe
        
        C:\Windows\{1400935A-236E-40b0-8B13-257D76F4A951}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe
        
        C:\Windows\{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\{86FFEE72-09DC-495b-9FF5-C760E70BE5E7}.exe
        
        C:\Windows\{86FFEE72-09DC-495b-9FF5-C760E70BE5E7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\{70985F89-1C25-4640-AE85-2CE911A86D76}.exe
        
        C:\Windows\{70985F89-1C25-4640-AE85-2CE911A86D76}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\{B4E8BE6C-CDBF-4933-995A-ACC3489BD0B3}.exe
        
        C:\Windows\{B4E8BE6C-CDBF-4933-995A-ACC3489BD0B3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\{AC5FDB95-BFED-4d4a-86A8-0B266FB0F11D}.exe
        
        C:\Windows\{AC5FDB95-BFED-4d4a-86A8-0B266FB0F11D}.exe
        12⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4E8B~1.EXE > nul
        12⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70985~1.EXE > nul
        11⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86FFE~1.EXE > nul
        10⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F54~1.EXE > nul
        9⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14009~1.EXE > nul
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B684~1.EXE > nul
        7⤵
        
        PID:1976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BA5F~1.EXE > nul
        6⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3609F~1.EXE > nul
        5⤵
        
        PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FB882~1.EXE > nul
      4⤵
      PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BBD64~1.EXE > nul
    3⤵
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1400935A-236E-40b0-8B13-257D76F4A951}.exe

Filesize
372KB

MD5
9f04b00be3e803f85c6624800be9a0ca

SHA1
3893ea23e992207a6a2498f720e3ad8cbfbc4641

SHA256
8a31464a7c6fab32cfa9f7f21e6954c15af0ab4f8035cb84801ac278a95cb9af

SHA512
1dca421b5b54a34f2d95a0ae008e9242ba08f84f68ff88cedb771bc285625e7fe5c1113cdc70179175f7d39d5362928fe43e37f8cc8c9e53853b30fd555ed5d6

Download Submit
C:\Windows\{3609FD7E-B3EF-4e73-9F39-1FD01AADE8A0}.exe

Filesize
372KB

MD5
0d093204d431467fdeca6296575df2f4

SHA1
9ff0f62157118508573250fd6c4ba3a9fb78a978

SHA256
84a6aad3e4af13c9e75cd30d017661f5bd5e866cef5afcbd22bb3bcb5591bace

SHA512
b7aacd36360faddd3d62e8756d125144330312ecff1e568ffbcc82a00082a75c332e0ffdaa82a52f340585d05c0414d923443a92ef18c196635246241ea689f1

Download Submit
C:\Windows\{3B684223-1058-41c3-9CA8-6E698E20E8C1}.exe

Filesize
372KB

MD5
c8c1da42684989c606e3dec590f35164

SHA1
d0cd8ada009aa9217d76dd57e548e6960dde47e8

SHA256
230cc7b04ce41680e12b810dccb5142f81a494c00b2eedd8c7e30861b33ac7fd

SHA512
684884416d4aed136bac37d3adc6b283711f411ec2f46039665e383bf7581a9cfd980ac3ccaa3a9403aee4fd935f16713187ef62347328ba27326e6c8873930d

Download Submit
C:\Windows\{70985F89-1C25-4640-AE85-2CE911A86D76}.exe

Filesize
372KB

MD5
cee4011df951dad7880d5a1441561909

SHA1
f1f0e603c2e67f5e9490d829a451ad1343bde603

SHA256
20a42c0a782302cac39a11b08f04202a45c417fff45d5b390512d67938f4e22b

SHA512
2ffd9f0d3033024a12808d95622462d08823c6e71486371b5dbdc9897674b38a0937033a0268b1be1d2fc2669604125839156ce4d6d13174b81996e46f89634f

Download Submit
C:\Windows\{7BA5F560-ADB9-489e-8F74-C5BDC619349D}.exe

Filesize
372KB

MD5
02f8b18f2af4f47ab5bf3905c882a730

SHA1
3ad5cefbc330cce95269f508f284db2685da415d

SHA256
40df0c56038ab60a43fb3235590e3cc62ed22e69cf444d59c791e5628ff589a0

SHA512
088b9ba3b38bbfcd230a6daf563621e4feabfd2c1aaeedbddf3a572b054165eb32ffd7ccf03e81decb9926f964e292bbcf303dfbcb33f1b2f9b7d2cd91842154

Download Submit
C:\Windows\{86FFEE72-09DC-495b-9FF5-C760E70BE5E7}.exe

Filesize
372KB

MD5
061380f2d63796318f912be9f3eea144

SHA1
1a06260531daabfc5113f7609f015175673ddb37

SHA256
6a3acb95d07f60e7ea763921923f5267eec7c0e573182ec0912a18547d831df9

SHA512
3c8c8163c170630f598f46634473ca2a41aa519020b7f844de56ccef3f598c1b711390cc426079b19806b8694976faf43a2d9f037f25acc83300a100429c30f5

Download Submit
C:\Windows\{AC5FDB95-BFED-4d4a-86A8-0B266FB0F11D}.exe

Filesize
372KB

MD5
e9720ce34594d7bb2d3cb29e5a330d39

SHA1
ee6102fcdbfbd302165d9caa34e0c461a7270c4b

SHA256
9766f61f8f9db7df19145068dc328e24e6291031f7bea45ce9818f1c1701da0b

SHA512
a2ddb0c9bc080d07326778fc8c36c187d3b3f9c12c642b9034e95e777e4e29fc4363c6dada80e478c35903098bd200bbdc6063cccf0491080b04674a4744f41c

Download Submit
C:\Windows\{B4E8BE6C-CDBF-4933-995A-ACC3489BD0B3}.exe

Filesize
372KB

MD5
5e92002e85d20e3bc5aedb2d1580f595

SHA1
591fc3384b3105c6ebe62b1d4456fc30e84b4119

SHA256
3f933748c69345143878c077ea11d452ca55af969385542eaa99d19ca92f1405

SHA512
fe748840a69a355b372bf084af45d8d1c6a65ce14096603bcb9fea11dbbf3d767a895e65b6450edd5595967de4beb8cb4d49647d0521487e3dedba378a1bfb17

Download Submit
C:\Windows\{B7F540DB-D5E5-4af6-B4A3-B9AE73A2C28F}.exe

Filesize
372KB

MD5
7c3e987d06269be577679027d330a4b0

SHA1
ebb7edbe0bd25a07fa0d18c2619b65b13eae4246

SHA256
d2a0aef91a147ac76a0a87933dc8df19e3b7231510e6530c785b67f78bc3b989

SHA512
ef7359a8e2816463b129b3d93beb04871f06263c938ac46dd53a5323dc3ec9fc87d47bf89652e774a11d8059738fcafeb29081cabab2a7d997beadc6e33350d6

Download Submit
C:\Windows\{BBD644CC-BFFD-4868-8630-0BE3527BB900}.exe

Filesize
372KB

MD5
08005deb3e92cdcce1728d1a72fd0f99

SHA1
643a070b980a16d10f6a0ccc0a3906f958687cfa

SHA256
412d21a66c993251189fa1bb26b7564742b9f67c927dcbb087665fbbb10c3999

SHA512
c8175c776c0f300786286e9845effc663dcad3ee06d21402f265a117f3593d0c37dca207c7b1205a136eada276a4e65431e3c8b87ab79a8e290367e749a36595

Download Submit
C:\Windows\{FB8826CC-B6BD-42eb-AC3F-AB19032ED89B}.exe

Filesize
372KB

MD5
e24fe5a569639f4cec2da24c74a333fd

SHA1
238b8697a329f3db8df6e49925e2aa0939d9b3b8

SHA256
ae7261e03ce686069b4060c223dcb105c2546e473b301b24e95180028fbe1cac

SHA512
75ec4a8830b8dc9062e754de3ab9b072a5618aaa82a7900415065688942bd5af00e346e5be317321d3243ba92e966d6d31cfbe182ebae4acebc52bf37424b157

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads