8e9b9843db40b8a14ff257be3e03daedc0683d3cf78578a7414f11a0c8f9faf4

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 05:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe
Size

168KB
MD5

a0ed88629cdf2f6b9e422a4762d7d3a2
SHA1

a58825ef820cd9c0c1ffdd52a6cbfe86a8fa4195
SHA256

8e9b9843db40b8a14ff257be3e03daedc0683d3cf78578a7414f11a0c8f9faf4
SHA512

9b1e014257ae28444a843588a6f5f78b16e15cd4e6bb1a4da02fa1fd08952fa74c44ddfc2b310b5d9a0305e4b4a0cd49fa0d33b48c619fcc7d44731d92f56d78
SSDEEP

1536:1EGh0oUClq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o/lqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001447e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000144ac-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001447e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014825-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001447e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001447e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001447e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12F5D0EC-0975-4bf8-810C-3DEC776FA929}	{4D8C495C-4010-48a0-A778-79FB696885E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01751CE2-04B7-41bf-8826-2A84E36D040F}\stubpath = "C:\\Windows\\{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe"	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D8C495C-4010-48a0-A778-79FB696885E8}	{85AC0A59-C536-4bc5-A7FE-3295D7D9104A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D8C495C-4010-48a0-A778-79FB696885E8}\stubpath = "C:\\Windows\\{4D8C495C-4010-48a0-A778-79FB696885E8}.exe"	{85AC0A59-C536-4bc5-A7FE-3295D7D9104A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39609DA8-D1D6-4104-877B-734E9BBA79D8}\stubpath = "C:\\Windows\\{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe"	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16E65717-A5E9-4746-989C-775FFD9E2B13}	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85AC0A59-C536-4bc5-A7FE-3295D7D9104A}\stubpath = "C:\\Windows\\{85AC0A59-C536-4bc5-A7FE-3295D7D9104A}.exe"	{16E65717-A5E9-4746-989C-775FFD9E2B13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D61C52-5458-415e-9611-4878BCF8E81B}\stubpath = "C:\\Windows\\{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe"	2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{586EBDDF-7C7E-421a-A021-EBBBBE533110}\stubpath = "C:\\Windows\\{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe"	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69CECD9A-8504-4cbf-8F03-8E742B3680DA}	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01751CE2-04B7-41bf-8826-2A84E36D040F}	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}\stubpath = "C:\\Windows\\{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe"	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16E65717-A5E9-4746-989C-775FFD9E2B13}\stubpath = "C:\\Windows\\{16E65717-A5E9-4746-989C-775FFD9E2B13}.exe"	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85AC0A59-C536-4bc5-A7FE-3295D7D9104A}	{16E65717-A5E9-4746-989C-775FFD9E2B13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12F5D0EC-0975-4bf8-810C-3DEC776FA929}\stubpath = "C:\\Windows\\{12F5D0EC-0975-4bf8-810C-3DEC776FA929}.exe"	{4D8C495C-4010-48a0-A778-79FB696885E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D61C52-5458-415e-9611-4878BCF8E81B}	2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A357345-AF85-47ca-806C-9EFC374985BF}	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A357345-AF85-47ca-806C-9EFC374985BF}\stubpath = "C:\\Windows\\{9A357345-AF85-47ca-806C-9EFC374985BF}.exe"	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39609DA8-D1D6-4104-877B-734E9BBA79D8}	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{586EBDDF-7C7E-421a-A021-EBBBBE533110}	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69CECD9A-8504-4cbf-8F03-8E742B3680DA}\stubpath = "C:\\Windows\\{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe"	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe

Deletes itself 1 IoCs

pid	Process
3060	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2944	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe
2632	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe
1744	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe
2504	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe
2852	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe
2820	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe
2532	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe
2972	{16E65717-A5E9-4746-989C-775FFD9E2B13}.exe
2988	{85AC0A59-C536-4bc5-A7FE-3295D7D9104A}.exe
268	{4D8C495C-4010-48a0-A778-79FB696885E8}.exe
1396	{12F5D0EC-0975-4bf8-810C-3DEC776FA929}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{85AC0A59-C536-4bc5-A7FE-3295D7D9104A}.exe	{16E65717-A5E9-4746-989C-775FFD9E2B13}.exe
File created	C:\Windows\{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe
File created	C:\Windows\{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe
File created	C:\Windows\{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe
File created	C:\Windows\{16E65717-A5E9-4746-989C-775FFD9E2B13}.exe	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe
File created	C:\Windows\{4D8C495C-4010-48a0-A778-79FB696885E8}.exe	{85AC0A59-C536-4bc5-A7FE-3295D7D9104A}.exe
File created	C:\Windows\{12F5D0EC-0975-4bf8-810C-3DEC776FA929}.exe	{4D8C495C-4010-48a0-A778-79FB696885E8}.exe
File created	C:\Windows\{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe	2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe
File created	C:\Windows\{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe
File created	C:\Windows\{9A357345-AF85-47ca-806C-9EFC374985BF}.exe	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe
File created	C:\Windows\{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1720	2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2944	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe
Token: SeIncBasePriorityPrivilege	2632	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe
Token: SeIncBasePriorityPrivilege	1744	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe
Token: SeIncBasePriorityPrivilege	2504	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe
Token: SeIncBasePriorityPrivilege	2852	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe
Token: SeIncBasePriorityPrivilege	2820	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe
Token: SeIncBasePriorityPrivilege	2532	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe
Token: SeIncBasePriorityPrivilege	2972	{16E65717-A5E9-4746-989C-775FFD9E2B13}.exe
Token: SeIncBasePriorityPrivilege	2988	{85AC0A59-C536-4bc5-A7FE-3295D7D9104A}.exe
Token: SeIncBasePriorityPrivilege	268	{4D8C495C-4010-48a0-A778-79FB696885E8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2944	1720	2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe	28
PID 1720 wrote to memory of 2944	1720	2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe	28
PID 1720 wrote to memory of 2944	1720	2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe	28
PID 1720 wrote to memory of 2944	1720	2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe	28
PID 1720 wrote to memory of 3060	1720	2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe	29
PID 1720 wrote to memory of 3060	1720	2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe	29
PID 1720 wrote to memory of 3060	1720	2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe	29
PID 1720 wrote to memory of 3060	1720	2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe	29
PID 2944 wrote to memory of 2632	2944	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe	30
PID 2944 wrote to memory of 2632	2944	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe	30
PID 2944 wrote to memory of 2632	2944	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe	30
PID 2944 wrote to memory of 2632	2944	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe	30
PID 2944 wrote to memory of 2732	2944	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe	31
PID 2944 wrote to memory of 2732	2944	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe	31
PID 2944 wrote to memory of 2732	2944	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe	31
PID 2944 wrote to memory of 2732	2944	{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe	31
PID 2632 wrote to memory of 1744	2632	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe	33
PID 2632 wrote to memory of 1744	2632	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe	33
PID 2632 wrote to memory of 1744	2632	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe	33
PID 2632 wrote to memory of 1744	2632	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe	33
PID 2632 wrote to memory of 2860	2632	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe	32
PID 2632 wrote to memory of 2860	2632	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe	32
PID 2632 wrote to memory of 2860	2632	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe	32
PID 2632 wrote to memory of 2860	2632	{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe	32
PID 1744 wrote to memory of 2504	1744	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe	37
PID 1744 wrote to memory of 2504	1744	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe	37
PID 1744 wrote to memory of 2504	1744	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe	37
PID 1744 wrote to memory of 2504	1744	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe	37
PID 1744 wrote to memory of 2996	1744	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe	36
PID 1744 wrote to memory of 2996	1744	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe	36
PID 1744 wrote to memory of 2996	1744	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe	36
PID 1744 wrote to memory of 2996	1744	{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe	36
PID 2504 wrote to memory of 2852	2504	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe	39
PID 2504 wrote to memory of 2852	2504	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe	39
PID 2504 wrote to memory of 2852	2504	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe	39
PID 2504 wrote to memory of 2852	2504	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe	39
PID 2504 wrote to memory of 2792	2504	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe	38
PID 2504 wrote to memory of 2792	2504	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe	38
PID 2504 wrote to memory of 2792	2504	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe	38
PID 2504 wrote to memory of 2792	2504	{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe	38
PID 2852 wrote to memory of 2820	2852	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe	40
PID 2852 wrote to memory of 2820	2852	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe	40
PID 2852 wrote to memory of 2820	2852	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe	40
PID 2852 wrote to memory of 2820	2852	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe	40
PID 2852 wrote to memory of 1916	2852	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe	41
PID 2852 wrote to memory of 1916	2852	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe	41
PID 2852 wrote to memory of 1916	2852	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe	41
PID 2852 wrote to memory of 1916	2852	{9A357345-AF85-47ca-806C-9EFC374985BF}.exe	41
PID 2820 wrote to memory of 2532	2820	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe	43
PID 2820 wrote to memory of 2532	2820	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe	43
PID 2820 wrote to memory of 2532	2820	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe	43
PID 2820 wrote to memory of 2532	2820	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe	43
PID 2820 wrote to memory of 2684	2820	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe	42
PID 2820 wrote to memory of 2684	2820	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe	42
PID 2820 wrote to memory of 2684	2820	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe	42
PID 2820 wrote to memory of 2684	2820	{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe	42
PID 2532 wrote to memory of 2972	2532	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe	44
PID 2532 wrote to memory of 2972	2532	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe	44
PID 2532 wrote to memory of 2972	2532	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe	44
PID 2532 wrote to memory of 2972	2532	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe	44
PID 2532 wrote to memory of 1644	2532	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe	45
PID 2532 wrote to memory of 1644	2532	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe	45
PID 2532 wrote to memory of 1644	2532	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe	45
PID 2532 wrote to memory of 1644	2532	{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_a0ed88629cdf2f6b9e422a4762d7d3a2_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe
  C:\Windows\{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe
    C:\Windows\{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{586EB~1.EXE > nul
      4⤵
      PID:2860
  - - C:\Windows\{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe
      C:\Windows\{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69CEC~1.EXE > nul
        5⤵
        
        PID:2996
    - - C:\Windows\{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe
        
        C:\Windows\{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01751~1.EXE > nul
        6⤵
        
        PID:2792
      - C:\Windows\{9A357345-AF85-47ca-806C-9EFC374985BF}.exe
        
        C:\Windows\{9A357345-AF85-47ca-806C-9EFC374985BF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe
        
        C:\Windows\{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39609~1.EXE > nul
        8⤵
        
        PID:2684
        
        C:\Windows\{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe
        
        C:\Windows\{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\{16E65717-A5E9-4746-989C-775FFD9E2B13}.exe
        
        C:\Windows\{16E65717-A5E9-4746-989C-775FFD9E2B13}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\{85AC0A59-C536-4bc5-A7FE-3295D7D9104A}.exe
        
        C:\Windows\{85AC0A59-C536-4bc5-A7FE-3295D7D9104A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85AC0~1.EXE > nul
        11⤵
        
        PID:784
        
        C:\Windows\{4D8C495C-4010-48a0-A778-79FB696885E8}.exe
        
        C:\Windows\{4D8C495C-4010-48a0-A778-79FB696885E8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D8C4~1.EXE > nul
        12⤵
        
        PID:1496
        
        C:\Windows\{12F5D0EC-0975-4bf8-810C-3DEC776FA929}.exe
        
        C:\Windows\{12F5D0EC-0975-4bf8-810C-3DEC776FA929}.exe
        12⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16E65~1.EXE > nul
        10⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE2C8~1.EXE > nul
        9⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A357~1.EXE > nul
        7⤵
        
        PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D8D61~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01751CE2-04B7-41bf-8826-2A84E36D040F}.exe

Filesize
168KB

MD5
eb01c4694f1bd2a0c200c6ec0f0b524c

SHA1
f10f9c61a8b62f45aa254eaeb191f80c4d69fbad

SHA256
716d7adec9117aa51570b1f56ad84c6f60914ec898a57fc2bc87fc73247518d4

SHA512
3c1e524e705f98100c3912aff9b1e3f7fcae534b4ae3030b7b8f9cc157a85adbfb718b804c47764433712c35ba1361fc769094b72da710f47e0cae197dde16fd

Download Submit
C:\Windows\{12F5D0EC-0975-4bf8-810C-3DEC776FA929}.exe

Filesize
168KB

MD5
4f96e1473e08ad3807533d1519d8a9a6

SHA1
36c5085c1b84d0044ce85ddb1d2d0c55c36fdd10

SHA256
908dd5f8994b8adfca7bc88291c901faa11252dd973246a323846e73a56f2ee3

SHA512
d56af02468b20539127249ddce23179abbab7f342e046f59da4e752129dc751a5e0ca84fc373128ccb6250ed9d6e8544012bb7d564bf183abfeb75b1da2ca7c2

Download Submit
C:\Windows\{16E65717-A5E9-4746-989C-775FFD9E2B13}.exe

Filesize
168KB

MD5
e1871cd0032d2ec9a5d432eb71bd2c60

SHA1
6c4f931c8d3f395f59b3b69a4e6f9595efd25c3d

SHA256
688ccfe8c1310c3f2ed6ff3b0b634cc956e3cc2bb9001a90f3702ebcc34287d3

SHA512
8dc49f6d33edd23cf6370842ecbcebc7a921ea4fb5f3396f2b2878a8bd51224be41087ee3d0352d70b9b41085d80b156954344e8b4ab994c5cfdad47fe5906cc

Download Submit
C:\Windows\{39609DA8-D1D6-4104-877B-734E9BBA79D8}.exe

Filesize
168KB

MD5
8bab879de6d8c6bb5757cf00a178d660

SHA1
2c565d5aea468cb0641d6778567646aab03b4d21

SHA256
a95c3e42328170c728656aa7608ab1ee4783bb8ec778a54e4a50282f82657008

SHA512
48f9bd99ed816ac0993c4fb86902aa8693a52c780c433e4caa7588709d40a841f0b6305b4936283c9c2ffcb710aac0e5abf50c164a0f6bdda2902a1dcd9b454f

Download Submit
C:\Windows\{4D8C495C-4010-48a0-A778-79FB696885E8}.exe

Filesize
168KB

MD5
b05a2b6cd1ed54f6d9dfb70ec60014e6

SHA1
88ffa4bf802a2322548a9009954af7d66dd9e3ff

SHA256
4da050c3766f9a3df9d7bcf79a60a527a2338c4bba5238c1964f5fec1b27d05d

SHA512
cfb8c8a11e38fc9c4a65168928064b76bc89f8b4157a06fb0add0139ebef5e13489f18829731370607d06f0e3fd394a30ea2bf941e789548feeb01042d81c9cf

Download Submit
C:\Windows\{586EBDDF-7C7E-421a-A021-EBBBBE533110}.exe

Filesize
168KB

MD5
5baaef60cad1046875674f31460f222d

SHA1
8af757d2bcbc9d9c32446706327a4973e3a48a38

SHA256
e46e401aee85e7cce53894aa3a31c6813aebeee772bd254b1063aca9acf47cf5

SHA512
afbd7bca3b6246833d26e8818c52d33f9ee100e37aa5da29ec20ce7aeabcd620f0eb1f410f20be23e4312186af3b2f42dee14d065a55aa822c923ef2e64104fe

Download Submit
C:\Windows\{69CECD9A-8504-4cbf-8F03-8E742B3680DA}.exe

Filesize
168KB

MD5
3d727af9e280ebabc82fce6fd1e2a15b

SHA1
a64eae4ea743f4a1a96e76b1bb05441bc5cccea9

SHA256
ab04b814e67fdac5e63c470c99e64c6c541f861444159f8ef583f424609e02aa

SHA512
6afa7f85293a4f7e94f4e6ae2e305f6c0191c33232c6a60bc5a02df9881175c8495606063b638491923c3ee7bd1cae937c871557cb5f9c2a9ad135a397e6325d

Download Submit
C:\Windows\{85AC0A59-C536-4bc5-A7FE-3295D7D9104A}.exe

Filesize
168KB

MD5
a09bc0bdfe00e8e15e06b41574f7d57d

SHA1
8fb46d3eaf4d7b21827f2dba4214c1f430abd26f

SHA256
9d3036c828409fc056b24d83dd5ecd345458de43e8f1a53eec4c42bf67186a05

SHA512
e7f76ab4db5c9faba1ef8aedce244e9e9c4df2164281346dd41beebeb249e441e8b8fb48d69917b4791229c402f01f193eb0264b6b783a1aa1d8f2d474ef6092

Download Submit
C:\Windows\{9A357345-AF85-47ca-806C-9EFC374985BF}.exe

Filesize
168KB

MD5
25c5768ebebd00d2742d1856a467c1ee

SHA1
aec64457ab87f7c8e3c81e9025537aa6e4c4668f

SHA256
2e8f86a6702f43d39019df57ff8fdf8d429963e58386b080034827ada0f59132

SHA512
2e2c41fb04ec6dcaf8f920fe8b0463fc94ba23794b6b709e461516eab366ac4ee0941c44036ab29e90974ff5e98e5dcee4ed4de9c334de86f3369472ba6ea2c3

Download Submit
C:\Windows\{AE2C825F-5EF1-4681-AA3B-DE479FFC642E}.exe

Filesize
168KB

MD5
0a7fdc1804a14a93a55d92b4b4068a58

SHA1
a3918b17a62928631c1c1b2683362e66a0d3f9dc

SHA256
0c3b23bfc814faaa7e06ea29c9c42664236bf1cac1a79a5e835d3d8a6ce66b14

SHA512
ec5f66fe91b7408afa1b4815a17ddc5aea96dde82d80184814e33e2dc945d49ab1ff4ac03c5614cef976c64aeeab2ff8775f1d1acee5664eaa6c210d2a2d0a3f

Download Submit
C:\Windows\{D8D61C52-5458-415e-9611-4878BCF8E81B}.exe

Filesize
168KB

MD5
54f5640b9708d42df43f6836b2924661

SHA1
258ad30e87350148b56a8d365ee518da285a7ff4

SHA256
877e06d06669b16896d055e32c5f0f34e76d5c0c4858d9ad6c7288095bd68ec5

SHA512
09cacd0f2c0d18bb060e84d88072bfd4e3ce6467f8e671c29e18e1cc2e41fbee02f40cee651552528fe7eb4a8a85a29af8ff3f8a30d13d31829c67c4a5533f0f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads