51b22cf2eabce789edfaf4f6c14cf29ba3c7d63a813f5678a0b5b03deb190074

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 00:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe
Size

372KB
MD5

cd94d78b38bb12c61b095c57a5d7eeb3
SHA1

e01a532a3d392279cec74edfee58fd8c678c4339
SHA256

51b22cf2eabce789edfaf4f6c14cf29ba3c7d63a813f5678a0b5b03deb190074
SHA512

d7b7ddc552cdf3e86a08f2e9ad393acc2fd586e03473b09c5bc7d8d7285816f8d34f1ce3dbbed58513ecc930ae52b03112989c90f690f5fda5d2e488eb868d54
SSDEEP

3072:CEGh0o2mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGtl/Oe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a1a-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001410b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a1a-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000142cc-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a5a-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a1a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a5a-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000013a1a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a5a-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013a1a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a5a-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38A2DB59-60FE-456b-9DE2-4483DA5B84FD}	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24EA0001-F8E2-40ef-A31C-4281E04D6EF5}	{AE76A998-08B0-4656-BDE1-0EE56474952D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358CF7B4-524E-4293-AF3C-9CB7676FCB11}	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358CF7B4-524E-4293-AF3C-9CB7676FCB11}\stubpath = "C:\\Windows\\{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe"	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09727AB1-4515-421a-98A9-749FA7A345D2}	{38A2DB59-60FE-456b-9DE2-4483DA5B84FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09727AB1-4515-421a-98A9-749FA7A345D2}\stubpath = "C:\\Windows\\{09727AB1-4515-421a-98A9-749FA7A345D2}.exe"	{38A2DB59-60FE-456b-9DE2-4483DA5B84FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E337FC88-3F8A-4689-9D89-542E6F45D594}\stubpath = "C:\\Windows\\{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe"	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}\stubpath = "C:\\Windows\\{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe"	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}\stubpath = "C:\\Windows\\{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe"	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE76A998-08B0-4656-BDE1-0EE56474952D}	{09727AB1-4515-421a-98A9-749FA7A345D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38A2DB59-60FE-456b-9DE2-4483DA5B84FD}\stubpath = "C:\\Windows\\{38A2DB59-60FE-456b-9DE2-4483DA5B84FD}.exe"	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE76A998-08B0-4656-BDE1-0EE56474952D}\stubpath = "C:\\Windows\\{AE76A998-08B0-4656-BDE1-0EE56474952D}.exe"	{09727AB1-4515-421a-98A9-749FA7A345D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}\stubpath = "C:\\Windows\\{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe"	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2B89AAD-033F-4102-B8B3-CA584E62A317}	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2B89AAD-033F-4102-B8B3-CA584E62A317}\stubpath = "C:\\Windows\\{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe"	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24EA0001-F8E2-40ef-A31C-4281E04D6EF5}\stubpath = "C:\\Windows\\{24EA0001-F8E2-40ef-A31C-4281E04D6EF5}.exe"	{AE76A998-08B0-4656-BDE1-0EE56474952D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E337FC88-3F8A-4689-9D89-542E6F45D594}	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B07060D3-EB7B-4f54-A2C3-343B03214ED3}	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B07060D3-EB7B-4f54-A2C3-343B03214ED3}\stubpath = "C:\\Windows\\{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe"	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe

Deletes itself 1 IoCs

pid	Process
2536	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2196	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe
2604	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe
2588	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe
2532	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe
1172	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe
1792	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe
1496	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe
1632	{38A2DB59-60FE-456b-9DE2-4483DA5B84FD}.exe
2792	{09727AB1-4515-421a-98A9-749FA7A345D2}.exe
2136	{AE76A998-08B0-4656-BDE1-0EE56474952D}.exe
1444	{24EA0001-F8E2-40ef-A31C-4281E04D6EF5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{24EA0001-F8E2-40ef-A31C-4281E04D6EF5}.exe	{AE76A998-08B0-4656-BDE1-0EE56474952D}.exe
File created	C:\Windows\{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe
File created	C:\Windows\{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe
File created	C:\Windows\{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe
File created	C:\Windows\{38A2DB59-60FE-456b-9DE2-4483DA5B84FD}.exe	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe
File created	C:\Windows\{09727AB1-4515-421a-98A9-749FA7A345D2}.exe	{38A2DB59-60FE-456b-9DE2-4483DA5B84FD}.exe
File created	C:\Windows\{AE76A998-08B0-4656-BDE1-0EE56474952D}.exe	{09727AB1-4515-421a-98A9-749FA7A345D2}.exe
File created	C:\Windows\{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe
File created	C:\Windows\{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe
File created	C:\Windows\{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe
File created	C:\Windows\{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2948	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2196	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe
Token: SeIncBasePriorityPrivilege	2604	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe
Token: SeIncBasePriorityPrivilege	2588	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe
Token: SeIncBasePriorityPrivilege	2532	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe
Token: SeIncBasePriorityPrivilege	1172	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe
Token: SeIncBasePriorityPrivilege	1792	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe
Token: SeIncBasePriorityPrivilege	1496	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe
Token: SeIncBasePriorityPrivilege	1632	{38A2DB59-60FE-456b-9DE2-4483DA5B84FD}.exe
Token: SeIncBasePriorityPrivilege	2792	{09727AB1-4515-421a-98A9-749FA7A345D2}.exe
Token: SeIncBasePriorityPrivilege	2136	{AE76A998-08B0-4656-BDE1-0EE56474952D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2196	2948	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	28
PID 2948 wrote to memory of 2196	2948	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	28
PID 2948 wrote to memory of 2196	2948	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	28
PID 2948 wrote to memory of 2196	2948	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	28
PID 2948 wrote to memory of 2536	2948	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	29
PID 2948 wrote to memory of 2536	2948	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	29
PID 2948 wrote to memory of 2536	2948	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	29
PID 2948 wrote to memory of 2536	2948	2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe	29
PID 2196 wrote to memory of 2604	2196	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe	30
PID 2196 wrote to memory of 2604	2196	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe	30
PID 2196 wrote to memory of 2604	2196	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe	30
PID 2196 wrote to memory of 2604	2196	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe	30
PID 2196 wrote to memory of 2672	2196	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe	31
PID 2196 wrote to memory of 2672	2196	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe	31
PID 2196 wrote to memory of 2672	2196	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe	31
PID 2196 wrote to memory of 2672	2196	{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe	31
PID 2604 wrote to memory of 2588	2604	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe	32
PID 2604 wrote to memory of 2588	2604	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe	32
PID 2604 wrote to memory of 2588	2604	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe	32
PID 2604 wrote to memory of 2588	2604	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe	32
PID 2604 wrote to memory of 2724	2604	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe	33
PID 2604 wrote to memory of 2724	2604	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe	33
PID 2604 wrote to memory of 2724	2604	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe	33
PID 2604 wrote to memory of 2724	2604	{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe	33
PID 2588 wrote to memory of 2532	2588	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe	37
PID 2588 wrote to memory of 2532	2588	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe	37
PID 2588 wrote to memory of 2532	2588	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe	37
PID 2588 wrote to memory of 2532	2588	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe	37
PID 2588 wrote to memory of 2924	2588	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe	36
PID 2588 wrote to memory of 2924	2588	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe	36
PID 2588 wrote to memory of 2924	2588	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe	36
PID 2588 wrote to memory of 2924	2588	{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe	36
PID 2532 wrote to memory of 1172	2532	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe	39
PID 2532 wrote to memory of 1172	2532	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe	39
PID 2532 wrote to memory of 1172	2532	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe	39
PID 2532 wrote to memory of 1172	2532	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe	39
PID 2532 wrote to memory of 1296	2532	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe	38
PID 2532 wrote to memory of 1296	2532	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe	38
PID 2532 wrote to memory of 1296	2532	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe	38
PID 2532 wrote to memory of 1296	2532	{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe	38
PID 1172 wrote to memory of 1792	1172	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe	40
PID 1172 wrote to memory of 1792	1172	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe	40
PID 1172 wrote to memory of 1792	1172	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe	40
PID 1172 wrote to memory of 1792	1172	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe	40
PID 1172 wrote to memory of 1724	1172	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe	41
PID 1172 wrote to memory of 1724	1172	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe	41
PID 1172 wrote to memory of 1724	1172	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe	41
PID 1172 wrote to memory of 1724	1172	{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe	41
PID 1792 wrote to memory of 1496	1792	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe	43
PID 1792 wrote to memory of 1496	1792	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe	43
PID 1792 wrote to memory of 1496	1792	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe	43
PID 1792 wrote to memory of 1496	1792	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe	43
PID 1792 wrote to memory of 2756	1792	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe	42
PID 1792 wrote to memory of 2756	1792	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe	42
PID 1792 wrote to memory of 2756	1792	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe	42
PID 1792 wrote to memory of 2756	1792	{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe	42
PID 1496 wrote to memory of 1632	1496	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe	45
PID 1496 wrote to memory of 1632	1496	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe	45
PID 1496 wrote to memory of 1632	1496	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe	45
PID 1496 wrote to memory of 1632	1496	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe	45
PID 1496 wrote to memory of 1532	1496	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe	44
PID 1496 wrote to memory of 1532	1496	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe	44
PID 1496 wrote to memory of 1532	1496	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe	44
PID 1496 wrote to memory of 1532	1496	{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe	44

C:\Users\Admin\AppData\Local\Temp\2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-14_cd94d78b38bb12c61b095c57a5d7eeb3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe
  C:\Windows\{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe
    C:\Windows\{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe
      C:\Windows\{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA9A3~1.EXE > nul
        5⤵
        
        PID:2924
    - - C:\Windows\{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe
        
        C:\Windows\{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F773A~1.EXE > nul
        6⤵
        
        PID:1296
      - C:\Windows\{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe
        
        C:\Windows\{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe
        
        C:\Windows\{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2B89~1.EXE > nul
        8⤵
        
        PID:2756
        
        C:\Windows\{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe
        
        C:\Windows\{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{358CF~1.EXE > nul
        9⤵
        
        PID:1532
        
        C:\Windows\{38A2DB59-60FE-456b-9DE2-4483DA5B84FD}.exe
        
        C:\Windows\{38A2DB59-60FE-456b-9DE2-4483DA5B84FD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38A2D~1.EXE > nul
        10⤵
        
        PID:2284
        
        C:\Windows\{09727AB1-4515-421a-98A9-749FA7A345D2}.exe
        
        C:\Windows\{09727AB1-4515-421a-98A9-749FA7A345D2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\{AE76A998-08B0-4656-BDE1-0EE56474952D}.exe
        
        C:\Windows\{AE76A998-08B0-4656-BDE1-0EE56474952D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\{24EA0001-F8E2-40ef-A31C-4281E04D6EF5}.exe
        
        C:\Windows\{24EA0001-F8E2-40ef-A31C-4281E04D6EF5}.exe
        12⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE76A~1.EXE > nul
        12⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09727~1.EXE > nul
        11⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0706~1.EXE > nul
        7⤵
        
        PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{399CD~1.EXE > nul
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E337F~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09727AB1-4515-421a-98A9-749FA7A345D2}.exe

Filesize
372KB

MD5
0bf664971c1c4a2b7db99b6cde2b198e

SHA1
17ed2f63807be565f5fdd8501f63d88f5243670e

SHA256
01463d62eba6e32e90146df0ead30f2e0850894e3743deea78d18abc65cdf115

SHA512
2a15fe447d2390f295461c1fa6003cf5471fc78a849aa706ace91eeb0f3f072e43f5e11a0b2167965613156dba92e994b518f318a19274d2b124375cd0f979cc

Download Submit
C:\Windows\{24EA0001-F8E2-40ef-A31C-4281E04D6EF5}.exe

Filesize
372KB

MD5
e3c86be3bf7fce989cb8850fbe74235a

SHA1
5a6b65a90bb7995e4e61422da878487c2e2590ca

SHA256
21382d1c71ba4893893d9bf4100a03ed320b8d44c436d3fbacd4a54ee53b70f8

SHA512
b2fd3f85e197cb1b8102d0e43eab85482f14ef48662c8157a301323a1af2f63c04d3e41398ce2eb67cd52e1713c500f32b64ae33b8d85f98b95dd3f2d1872c55

Download Submit
C:\Windows\{358CF7B4-524E-4293-AF3C-9CB7676FCB11}.exe

Filesize
372KB

MD5
5ee571706fb282f53235ee01cd1186be

SHA1
ba20104a266f1c86d0c557864355432db66c0bdd

SHA256
ed88f223e51f1565861035b85b8cd0611bd9e720defe6d7807d1bec84a2449dd

SHA512
268b233c9e8492bf2f46135fd3927d073c6b5b7a40db4c3120f8333560a57bcbce67bab5c245bf1a95dc9463609478ed325f702bc575ffa68e7fc2d6abe56459

Download Submit
C:\Windows\{38A2DB59-60FE-456b-9DE2-4483DA5B84FD}.exe

Filesize
372KB

MD5
924573bbcd7d40f27a45e878fd846903

SHA1
7369a03f070e350e2f32a64aafb80b8fe6690f43

SHA256
b18a350a238c58d0733cd653337da03b9445b792d07e50e5f82c32ee50add01c

SHA512
ac1d03a8d832d068ff54e6eb41f5f02875d614fb8116aee6ce715c72397cdf8de42835d863bfa4924d40955d090e90fbdc60e826624b119f59b6ca1f1b3eb932

Download Submit
C:\Windows\{399CD5E0-6F6F-43ff-A57F-4FF677964CE6}.exe

Filesize
372KB

MD5
522ad77ffcd4442c28bed3fcea790a34

SHA1
f6bb7ca60441cc727d961fb02850d20726ec98f0

SHA256
f40262937d9bd512d3bd777a7b6a4702d0e3e6bc5d1f67d9de2ca79973b69e2e

SHA512
bb7abf1ac059b52aabbcf14830c6900105959f47d899a71c0c15e2ccb5a29a91a4fee1b192250f7f2f25fa0c57bf4e168612ffe858646c6ae2dc1e7b41748780

Download Submit
C:\Windows\{AE76A998-08B0-4656-BDE1-0EE56474952D}.exe

Filesize
372KB

MD5
efa797e9024af285588b1918be5a50c2

SHA1
2ac95ddb8e983e80bcf19eb57132096fc762dad4

SHA256
52e6cb8d9e09238de548930970b4b77553342c4a8938162ee69ca5dce5ca47ad

SHA512
01b5a65bd8e577846fd0856d6b55a9a7db4a7345026e679a466fd8f6b9b3c2722464a7d0c2febb1f6d465000a9e42e25ad56df8f6a7ef4e3dedf9125f8b6a978

Download Submit
C:\Windows\{B07060D3-EB7B-4f54-A2C3-343B03214ED3}.exe

Filesize
372KB

MD5
e21c92ceea9b7e818099673f892adf90

SHA1
79c0038e8cb35db51fc80fe6f3d66caa0325fca5

SHA256
bacbfa81e79f7fe4ea654cc3e235be8489600742038b88deb6bf3492afd17085

SHA512
5f1b32fdc3d2518f52711f76dcf4711ee383d2ff8150ecd7fdfd3691ec8c818a711522f7cfb78b0ff52d421bbb1fca82642cc26a883ad6d46171c64476383f3d

Download Submit
C:\Windows\{DA9A349A-E0AB-4d5f-80E1-0F6C72DB8559}.exe

Filesize
372KB

MD5
5df06ea602626b75c64161ea6261d6a3

SHA1
09e93f9be60c51670c12d336987b29e6aec07f79

SHA256
e618da8b53480bc1c97a6e35a54772f5d1fefd1156cbc3e50a2e4f85c7d28897

SHA512
17a1ef96050cbec5d4389f1ca3a0f49f573ab532f163adcd5876af891da46412bfb9a8801b918ddf9b294ac8259db8a439b05cc4148218fbf20af25a4581aa38

Download Submit
C:\Windows\{E337FC88-3F8A-4689-9D89-542E6F45D594}.exe

Filesize
372KB

MD5
d0f97b72eedc8a60cedc82a617592380

SHA1
e7ef80d260cca296b5d875fcab2cf8a95b961e5e

SHA256
3528888bd83090e15e18571b96edbca9b6a832ef41552df0fc9ed9e1094067d9

SHA512
f25b312eadb74f17a8127b9333ffdb506da5fb2f31514ad24c680c744b5b51574083c161367374853fbbdfa662af60cf15d3c55f3267adb3d934d5ae18847b89

Download Submit
C:\Windows\{F2B89AAD-033F-4102-B8B3-CA584E62A317}.exe

Filesize
372KB

MD5
3d004f9e6707cc80ee356b323668f5d4

SHA1
e682d463925b0a1e640ffc011593d705f4b9ae3e

SHA256
b50e2c9aeeffbae36cb6344f3cbb0bc1001d61fc789fa9daef0bb4cf1f57c8c9

SHA512
d4a0babcddeb90978ae48d048bea9df478cf1a7208416175387949d602db983e5647354d2b949573903b94695746cb4cf62deea9d2c1ca45ac2c3cffa40f611f

Download Submit
C:\Windows\{F773A2B0-88AB-4ede-B072-CE9A387AFFA1}.exe

Filesize
372KB

MD5
a1db39e72cdc44f9c203498e3c3fc4a9

SHA1
0e3debc769933ae356f3386a3d6d5f87528da76b

SHA256
5a267bc1cd550b8e9ae6a163c445dd1b7050149b27419014fdb983342d31119f

SHA512
74dc82f52cf5b6629b384834190fef3246d6e0d46bc40b9593cac2b4e5785d3f6fa351d4b28aea44278f14401e98f9929370b09649aeaf84162a3ea8b7577341

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads