86e77fe812c63dbeaefb6acc11474c4718360217fd34c09426792b1e874ca2a9

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17-02-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe
Size

197KB
MD5

8158b7f3336d7d98c9c3d9b373544643
SHA1

c613fd8059c5b4376857df023ece28e8c1c344c1
SHA256

86e77fe812c63dbeaefb6acc11474c4718360217fd34c09426792b1e874ca2a9
SHA512

8fc1dc56e2f4c5a2e0bbedfdd0003328cdd801eef6f49ec74b16ae0c9d9b6795cd5cbfd6362fb31a4d20503ac83c6d8ff146788b4cd9e9f2fc6a0d6cb588cf2e
SSDEEP

3072:jEGh0oSl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGAlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012251-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001508a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000015b12-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-34.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012251-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19ED28CD-8711-43bb-96F8-CE93E70FBD31}\stubpath = "C:\\Windows\\{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe"	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEF185FF-1293-473c-A8AD-FA10E460F79B}	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEF185FF-1293-473c-A8AD-FA10E460F79B}\stubpath = "C:\\Windows\\{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe"	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{843B5B63-E6A2-4f62-9421-9199D8245D89}\stubpath = "C:\\Windows\\{843B5B63-E6A2-4f62-9421-9199D8245D89}.exe"	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B138607-C4D1-4ebc-8D64-294EE8019EF7}\stubpath = "C:\\Windows\\{7B138607-C4D1-4ebc-8D64-294EE8019EF7}.exe"	{AD1A6665-B30A-4e8c-BDD1-4D7102E4BB73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D867DAF7-F016-4966-BEB8-4EBBABB79697}	{7B138607-C4D1-4ebc-8D64-294EE8019EF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB662941-1C76-430d-BBBB-BE87DB953230}\stubpath = "C:\\Windows\\{CB662941-1C76-430d-BBBB-BE87DB953230}.exe"	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{406FBC47-1D70-4069-A134-E9C93B5BD496}	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{406FBC47-1D70-4069-A134-E9C93B5BD496}\stubpath = "C:\\Windows\\{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe"	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A002C835-3E03-4f28-B96F-0DFE59106296}\stubpath = "C:\\Windows\\{A002C835-3E03-4f28-B96F-0DFE59106296}.exe"	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}\stubpath = "C:\\Windows\\{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe"	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B138607-C4D1-4ebc-8D64-294EE8019EF7}	{AD1A6665-B30A-4e8c-BDD1-4D7102E4BB73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D867DAF7-F016-4966-BEB8-4EBBABB79697}\stubpath = "C:\\Windows\\{D867DAF7-F016-4966-BEB8-4EBBABB79697}.exe"	{7B138607-C4D1-4ebc-8D64-294EE8019EF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}\stubpath = "C:\\Windows\\{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe"	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19ED28CD-8711-43bb-96F8-CE93E70FBD31}	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A002C835-3E03-4f28-B96F-0DFE59106296}	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{843B5B63-E6A2-4f62-9421-9199D8245D89}	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD1A6665-B30A-4e8c-BDD1-4D7102E4BB73}	{843B5B63-E6A2-4f62-9421-9199D8245D89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD1A6665-B30A-4e8c-BDD1-4D7102E4BB73}\stubpath = "C:\\Windows\\{AD1A6665-B30A-4e8c-BDD1-4D7102E4BB73}.exe"	{843B5B63-E6A2-4f62-9421-9199D8245D89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB662941-1C76-430d-BBBB-BE87DB953230}	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2412	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe
2812	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe
2836	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe
2372	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe
288	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe
1812	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe
1952	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe
808	{843B5B63-E6A2-4f62-9421-9199D8245D89}.exe
1764	{AD1A6665-B30A-4e8c-BDD1-4D7102E4BB73}.exe
2996	{7B138607-C4D1-4ebc-8D64-294EE8019EF7}.exe
588	{D867DAF7-F016-4966-BEB8-4EBBABB79697}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe
File created	C:\Windows\{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe
File created	C:\Windows\{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe
File created	C:\Windows\{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe
File created	C:\Windows\{AD1A6665-B30A-4e8c-BDD1-4D7102E4BB73}.exe	{843B5B63-E6A2-4f62-9421-9199D8245D89}.exe
File created	C:\Windows\{D867DAF7-F016-4966-BEB8-4EBBABB79697}.exe	{7B138607-C4D1-4ebc-8D64-294EE8019EF7}.exe
File created	C:\Windows\{CB662941-1C76-430d-BBBB-BE87DB953230}.exe	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe
File created	C:\Windows\{A002C835-3E03-4f28-B96F-0DFE59106296}.exe	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe
File created	C:\Windows\{843B5B63-E6A2-4f62-9421-9199D8245D89}.exe	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe
File created	C:\Windows\{7B138607-C4D1-4ebc-8D64-294EE8019EF7}.exe	{AD1A6665-B30A-4e8c-BDD1-4D7102E4BB73}.exe
File created	C:\Windows\{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1716	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2412	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe
Token: SeIncBasePriorityPrivilege	2812	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe
Token: SeIncBasePriorityPrivilege	2836	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe
Token: SeIncBasePriorityPrivilege	2372	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe
Token: SeIncBasePriorityPrivilege	288	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe
Token: SeIncBasePriorityPrivilege	1812	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe
Token: SeIncBasePriorityPrivilege	1952	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe
Token: SeIncBasePriorityPrivilege	808	{843B5B63-E6A2-4f62-9421-9199D8245D89}.exe
Token: SeIncBasePriorityPrivilege	1764	{AD1A6665-B30A-4e8c-BDD1-4D7102E4BB73}.exe
Token: SeIncBasePriorityPrivilege	2996	{7B138607-C4D1-4ebc-8D64-294EE8019EF7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2412	1716	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	28
PID 1716 wrote to memory of 2412	1716	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	28
PID 1716 wrote to memory of 2412	1716	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	28
PID 1716 wrote to memory of 2412	1716	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	28
PID 1716 wrote to memory of 2784	1716	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	29
PID 1716 wrote to memory of 2784	1716	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	29
PID 1716 wrote to memory of 2784	1716	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	29
PID 1716 wrote to memory of 2784	1716	2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe	29
PID 2412 wrote to memory of 2812	2412	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe	30
PID 2412 wrote to memory of 2812	2412	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe	30
PID 2412 wrote to memory of 2812	2412	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe	30
PID 2412 wrote to memory of 2812	2412	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe	30
PID 2412 wrote to memory of 2980	2412	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe	31
PID 2412 wrote to memory of 2980	2412	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe	31
PID 2412 wrote to memory of 2980	2412	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe	31
PID 2412 wrote to memory of 2980	2412	{CB662941-1C76-430d-BBBB-BE87DB953230}.exe	31
PID 2812 wrote to memory of 2836	2812	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe	32
PID 2812 wrote to memory of 2836	2812	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe	32
PID 2812 wrote to memory of 2836	2812	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe	32
PID 2812 wrote to memory of 2836	2812	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe	32
PID 2812 wrote to memory of 2900	2812	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe	33
PID 2812 wrote to memory of 2900	2812	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe	33
PID 2812 wrote to memory of 2900	2812	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe	33
PID 2812 wrote to memory of 2900	2812	{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe	33
PID 2836 wrote to memory of 2372	2836	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe	36
PID 2836 wrote to memory of 2372	2836	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe	36
PID 2836 wrote to memory of 2372	2836	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe	36
PID 2836 wrote to memory of 2372	2836	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe	36
PID 2836 wrote to memory of 2660	2836	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe	37
PID 2836 wrote to memory of 2660	2836	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe	37
PID 2836 wrote to memory of 2660	2836	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe	37
PID 2836 wrote to memory of 2660	2836	{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe	37
PID 2372 wrote to memory of 288	2372	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe	38
PID 2372 wrote to memory of 288	2372	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe	38
PID 2372 wrote to memory of 288	2372	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe	38
PID 2372 wrote to memory of 288	2372	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe	38
PID 2372 wrote to memory of 1416	2372	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe	39
PID 2372 wrote to memory of 1416	2372	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe	39
PID 2372 wrote to memory of 1416	2372	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe	39
PID 2372 wrote to memory of 1416	2372	{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe	39
PID 288 wrote to memory of 1812	288	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe	40
PID 288 wrote to memory of 1812	288	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe	40
PID 288 wrote to memory of 1812	288	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe	40
PID 288 wrote to memory of 1812	288	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe	40
PID 288 wrote to memory of 2492	288	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe	41
PID 288 wrote to memory of 2492	288	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe	41
PID 288 wrote to memory of 2492	288	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe	41
PID 288 wrote to memory of 2492	288	{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe	41
PID 1812 wrote to memory of 1952	1812	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe	42
PID 1812 wrote to memory of 1952	1812	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe	42
PID 1812 wrote to memory of 1952	1812	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe	42
PID 1812 wrote to memory of 1952	1812	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe	42
PID 1812 wrote to memory of 2000	1812	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe	43
PID 1812 wrote to memory of 2000	1812	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe	43
PID 1812 wrote to memory of 2000	1812	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe	43
PID 1812 wrote to memory of 2000	1812	{A002C835-3E03-4f28-B96F-0DFE59106296}.exe	43
PID 1952 wrote to memory of 808	1952	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe	44
PID 1952 wrote to memory of 808	1952	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe	44
PID 1952 wrote to memory of 808	1952	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe	44
PID 1952 wrote to memory of 808	1952	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe	44
PID 1952 wrote to memory of 1644	1952	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe	45
PID 1952 wrote to memory of 1644	1952	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe	45
PID 1952 wrote to memory of 1644	1952	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe	45
PID 1952 wrote to memory of 1644	1952	{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-17_8158b7f3336d7d98c9c3d9b373544643_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\{CB662941-1C76-430d-BBBB-BE87DB953230}.exe
  C:\Windows\{CB662941-1C76-430d-BBBB-BE87DB953230}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe
    C:\Windows\{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe
      C:\Windows\{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe
        
        C:\Windows\{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Windows\{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe
        
        C:\Windows\{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\{A002C835-3E03-4f28-B96F-0DFE59106296}.exe
        
        C:\Windows\{A002C835-3E03-4f28-B96F-0DFE59106296}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe
        
        C:\Windows\{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\{843B5B63-E6A2-4f62-9421-9199D8245D89}.exe
        
        C:\Windows\{843B5B63-E6A2-4f62-9421-9199D8245D89}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{843B5~1.EXE > nul
        10⤵
        
        PID:3040
        
        C:\Windows\{AD1A6665-B30A-4e8c-BDD1-4D7102E4BB73}.exe
        
        C:\Windows\{AD1A6665-B30A-4e8c-BDD1-4D7102E4BB73}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\{7B138607-C4D1-4ebc-8D64-294EE8019EF7}.exe
        
        C:\Windows\{7B138607-C4D1-4ebc-8D64-294EE8019EF7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B138~1.EXE > nul
        12⤵
        
        PID:308
        
        C:\Windows\{D867DAF7-F016-4966-BEB8-4EBBABB79697}.exe
        
        C:\Windows\{D867DAF7-F016-4966-BEB8-4EBBABB79697}.exe
        12⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD1A6~1.EXE > nul
        11⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53E14~1.EXE > nul
        9⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A002C~1.EXE > nul
        8⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{406FB~1.EXE > nul
        7⤵
        
        PID:2492
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10C81~1.EXE > nul
        6⤵
        
        PID:1416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEF18~1.EXE > nul
        5⤵
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{19ED2~1.EXE > nul
      4⤵
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CB662~1.EXE > nul
    3⤵
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10C81C74-20A2-4c7a-8637-0B16E72E6EAC}.exe

Filesize
197KB

MD5
2227edb68827ac44c52e3f75af7b4b05

SHA1
83c71b19f2d703b11578be7149594ab7134042c6

SHA256
01d85d5d504c1440af546b748ee1bf72fa02b10d80693824b41563413b64b702

SHA512
2f201cfe645e0f2d9f39ebb956c8b53df43934a76355d7c16ed8255e05a487e7e91a2ea784aa577ee11264837f25af1c59451895367947622664c89b916b63fa

Download Submit
C:\Windows\{19ED28CD-8711-43bb-96F8-CE93E70FBD31}.exe

Filesize
197KB

MD5
82f42f8dc9622709b27d347c820e1736

SHA1
e16405bbaa40d6ea66967c310884a7dbb9f5bf73

SHA256
0e18d3500085630fc4ab19db1dc8b6b86340b2a193974fd53f187fb0b508c0ab

SHA512
2b43c3f0b631b1528db9a422c4ba02d9046c85eb7ce36121a4412fe7f86d5ab86a888e8123b25d4231e31c063118966b9530f134bbceff07e852ed1398e304fe

Download Submit
C:\Windows\{406FBC47-1D70-4069-A134-E9C93B5BD496}.exe

Filesize
197KB

MD5
b131d183c81ea53b891c477b9bb2851c

SHA1
0bd6de29a0faa79f5fd56cc2e052ad79fdabcb38

SHA256
dba4a4e961eb37798523edc208cd004deaffcdc84f04c6076266c006fa1b670b

SHA512
78a6c9017e928d168bbaea5871bb4846ffd35b64c6fe550d4e18428e7d8bf9e36a6a70abea5a9fead0d871b6a88aba3077b8e4e53c432b87adf972658c7fbeb0

Download Submit
C:\Windows\{53E14B43-FF71-4f6c-9707-4CFEE0A205A4}.exe

Filesize
197KB

MD5
6d9295b24c3d7f04fb98043cec323a75

SHA1
cd4f6474726e8ff58abd771cbbfdb0c3de50a097

SHA256
20d63781d92050721c86615c448489e551d4cbae0f989987ad95ac1e5ed56f0e

SHA512
582025b1eee39f561cb97ea02f2553cddddd5c06870fe999d078e4514e3f81402385f018d70a9643ad1066887a2e553b049ea795e8aa2541ead0381a3105aed1

Download Submit
C:\Windows\{7B138607-C4D1-4ebc-8D64-294EE8019EF7}.exe

Filesize
197KB

MD5
d0ba108cb9ef868b6e446b37f9ac8912

SHA1
e585e1522e3a6b9c3f88d99b02b6eaa90b24e7ac

SHA256
64a4d5c97617b7b82fb620d52da92a933031a8ce61a7bf32a8dbed337626c25d

SHA512
3fb0ab3690a8f9442c02c294079308a33bf038cdc7287df5899b33bb05c082dc0d1216be6065278a6d9f11db83563fbb0f14189dc653f77ec4de5cb4394ab9af

Download Submit
C:\Windows\{843B5B63-E6A2-4f62-9421-9199D8245D89}.exe

Filesize
197KB

MD5
02e472977c973be5f5d5c80c020722b5

SHA1
356e8fc47ee439ec0eb78bdf5a7457dc655bce60

SHA256
3e3233a2459798473a42c2265620e589818b13f03e1845effa05c51acb91e1c2

SHA512
4bab6ec88d98daba54f091da07899596d81b9aef17e0269ee56a5046a4fe7e95a064a43b24baa1278637c5879aa02f812ccda0ba1b5a8c4f1b9edda8f3fa7b59

Download Submit
C:\Windows\{A002C835-3E03-4f28-B96F-0DFE59106296}.exe

Filesize
197KB

MD5
07fb36ff3014f971073d63da61b68d70

SHA1
00cc65cc3ee98c65db063a963fe1413f64dae125

SHA256
d81832c7ade5d5c48e60f2427b701cf5bd3600d757c28419544a2910b22181d1

SHA512
c63776898b28d79b940327e01023b7b5d4270fc6b74bfcd3225202fd36aa395543e08b505dc2d8d58c92fa09b01d6402d24a9f6bf79698501211a07794c9aa88

Download Submit
C:\Windows\{AD1A6665-B30A-4e8c-BDD1-4D7102E4BB73}.exe

Filesize
197KB

MD5
372b3031ae5d7002c27caaf351bde338

SHA1
f9324c23ef7cb65cc03fa2881292854260cdc46f

SHA256
a5c7efc3da9a57c34575628eb116d30db50d15a7c5ee1f9ed2a29a5338395976

SHA512
9b1408642dc49d9d5c5c04f9a736b16b6ac927db2ccf331e3a1b8345a95ec8669f7203df3d88ceb1e046670350f0ed7f9e418aac57346e2075df1256ebeef74b

Download Submit
C:\Windows\{CB662941-1C76-430d-BBBB-BE87DB953230}.exe

Filesize
197KB

MD5
a80a07147cdbb0e8183566f537d85850

SHA1
9e81b5378f1a8911065899a6ce69f54af26d800c

SHA256
c6cd5c7bc5ce133d7d063f8978faca6966ff0685137c8ee18a3a69eb34137869

SHA512
3e373fb22855ab98d4eded11b0547c5513e85588c9ba980ed28f20f9467ffd1f5acd281b80a70e4ec0e7621621e435ce44f5b6fd794e45fc619848f4c3c1d3f6

Download Submit
C:\Windows\{D867DAF7-F016-4966-BEB8-4EBBABB79697}.exe

Filesize
197KB

MD5
1c90c5473bb0fff4750abdc4b406218f

SHA1
9fdadea45813e3056ad3613a0b18da590c5dba76

SHA256
4728bf1ad03efafad1f7153dd01d0a9419a36a35e57268eacd5e6040efc04eae

SHA512
00d98f177b12c0c4f6b36a4e774721994dd40951c0d5fa1ff882b2f545ab0ff52b417cdfe56c05d4a711132f6a0f6ba40f6e5d1e99eef62a5dc1a1630cd42a4c

Download Submit
C:\Windows\{EEF185FF-1293-473c-A8AD-FA10E460F79B}.exe

Filesize
197KB

MD5
7256ff5d5ee6a34d45cf22d562397fc0

SHA1
0699ed4e5a5e2ef67a9aafb2d7e6b5fdd7f7da97

SHA256
23622baf4723cd738fb7462b8621f69496f0300133768c955cc801b4e9816985

SHA512
0b559ea548f18e7e88e59c161329c6095f976ec6a56024b509a9a70fe1b2b71301c33068730c21af0d75ba5d1a8c0d6e4e001c20f9c426d317277bd89a19d654

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads