f7abe3dd451d75aebfc8aa47eb53002e33a7781ba8e34478635d71d51fbe2610

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-02-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe
Size

408KB
MD5

eb8bb63ed8f9e11abd72155afc57db49
SHA1

7e8096a79bf86d0a9ff75c53280ade377496f1a9
SHA256

f7abe3dd451d75aebfc8aa47eb53002e33a7781ba8e34478635d71d51fbe2610
SHA512

f6476b339d3a4ea450e4cffd7eb6210b4be9562895e26f432bfacd90effbdbd08e72ea6b7b46d08315becf9807798041fab18f18419f05b2181659e2ffefdfd7
SSDEEP

3072:CEGh0oVl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGjldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012252-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001225f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000012252-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012252-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012252-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001225f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012252-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000016fc4-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000017081-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}	{96931E17-EE17-4ec5-AB96-F95874048599}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}\stubpath = "C:\\Windows\\{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe"	{96931E17-EE17-4ec5-AB96-F95874048599}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{813CFB9E-90BB-4512-9501-AA0A3CCDDAC0}\stubpath = "C:\\Windows\\{813CFB9E-90BB-4512-9501-AA0A3CCDDAC0}.exe"	{4A32CD07-98D9-406d-AC79-F1A5CC5E7CBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC29B6B1-6485-45a5-B395-DBAA39E9EE27}\stubpath = "C:\\Windows\\{DC29B6B1-6485-45a5-B395-DBAA39E9EE27}.exe"	{813CFB9E-90BB-4512-9501-AA0A3CCDDAC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C400224-63CD-419d-B815-A5CA67C72FE2}\stubpath = "C:\\Windows\\{8C400224-63CD-419d-B815-A5CA67C72FE2}.exe"	{DC29B6B1-6485-45a5-B395-DBAA39E9EE27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9827736-4855-46c8-AF69-CB5990A194C0}	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96931E17-EE17-4ec5-AB96-F95874048599}	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC29B6B1-6485-45a5-B395-DBAA39E9EE27}	{813CFB9E-90BB-4512-9501-AA0A3CCDDAC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C400224-63CD-419d-B815-A5CA67C72FE2}	{DC29B6B1-6485-45a5-B395-DBAA39E9EE27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE5F595A-202E-4874-8070-2F040DE8B446}	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A29550AC-C173-4177-A902-ECDA877AD60D}	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9827736-4855-46c8-AF69-CB5990A194C0}\stubpath = "C:\\Windows\\{A9827736-4855-46c8-AF69-CB5990A194C0}.exe"	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA2A31BB-25B8-43da-A668-3557F14390AC}	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A32CD07-98D9-406d-AC79-F1A5CC5E7CBE}	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A32CD07-98D9-406d-AC79-F1A5CC5E7CBE}\stubpath = "C:\\Windows\\{4A32CD07-98D9-406d-AC79-F1A5CC5E7CBE}.exe"	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}\stubpath = "C:\\Windows\\{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe"	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA2A31BB-25B8-43da-A668-3557F14390AC}\stubpath = "C:\\Windows\\{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe"	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96931E17-EE17-4ec5-AB96-F95874048599}\stubpath = "C:\\Windows\\{96931E17-EE17-4ec5-AB96-F95874048599}.exe"	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{813CFB9E-90BB-4512-9501-AA0A3CCDDAC0}	{4A32CD07-98D9-406d-AC79-F1A5CC5E7CBE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE5F595A-202E-4874-8070-2F040DE8B446}\stubpath = "C:\\Windows\\{CE5F595A-202E-4874-8070-2F040DE8B446}.exe"	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A29550AC-C173-4177-A902-ECDA877AD60D}\stubpath = "C:\\Windows\\{A29550AC-C173-4177-A902-ECDA877AD60D}.exe"	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1340	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe
2680	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe
2600	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe
1128	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe
2864	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe
2992	{96931E17-EE17-4ec5-AB96-F95874048599}.exe
2472	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe
1192	{4A32CD07-98D9-406d-AC79-F1A5CC5E7CBE}.exe
1992	{813CFB9E-90BB-4512-9501-AA0A3CCDDAC0}.exe
2652	{DC29B6B1-6485-45a5-B395-DBAA39E9EE27}.exe
2316	{8C400224-63CD-419d-B815-A5CA67C72FE2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A29550AC-C173-4177-A902-ECDA877AD60D}.exe	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe
File created	C:\Windows\{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe
File created	C:\Windows\{96931E17-EE17-4ec5-AB96-F95874048599}.exe	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe
File created	C:\Windows\{4A32CD07-98D9-406d-AC79-F1A5CC5E7CBE}.exe	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe
File created	C:\Windows\{813CFB9E-90BB-4512-9501-AA0A3CCDDAC0}.exe	{4A32CD07-98D9-406d-AC79-F1A5CC5E7CBE}.exe
File created	C:\Windows\{CE5F595A-202E-4874-8070-2F040DE8B446}.exe	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe
File created	C:\Windows\{A9827736-4855-46c8-AF69-CB5990A194C0}.exe	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe
File created	C:\Windows\{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe	{96931E17-EE17-4ec5-AB96-F95874048599}.exe
File created	C:\Windows\{DC29B6B1-6485-45a5-B395-DBAA39E9EE27}.exe	{813CFB9E-90BB-4512-9501-AA0A3CCDDAC0}.exe
File created	C:\Windows\{8C400224-63CD-419d-B815-A5CA67C72FE2}.exe	{DC29B6B1-6485-45a5-B395-DBAA39E9EE27}.exe
File created	C:\Windows\{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2152	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1340	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe
Token: SeIncBasePriorityPrivilege	2680	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe
Token: SeIncBasePriorityPrivilege	2600	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe
Token: SeIncBasePriorityPrivilege	1128	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe
Token: SeIncBasePriorityPrivilege	2864	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe
Token: SeIncBasePriorityPrivilege	2992	{96931E17-EE17-4ec5-AB96-F95874048599}.exe
Token: SeIncBasePriorityPrivilege	2472	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe
Token: SeIncBasePriorityPrivilege	1192	{4A32CD07-98D9-406d-AC79-F1A5CC5E7CBE}.exe
Token: SeIncBasePriorityPrivilege	1992	{813CFB9E-90BB-4512-9501-AA0A3CCDDAC0}.exe
Token: SeIncBasePriorityPrivilege	2652	{DC29B6B1-6485-45a5-B395-DBAA39E9EE27}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1340	2152	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	28
PID 2152 wrote to memory of 1340	2152	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	28
PID 2152 wrote to memory of 1340	2152	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	28
PID 2152 wrote to memory of 1340	2152	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	28
PID 2152 wrote to memory of 2660	2152	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	29
PID 2152 wrote to memory of 2660	2152	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	29
PID 2152 wrote to memory of 2660	2152	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	29
PID 2152 wrote to memory of 2660	2152	2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe	29
PID 1340 wrote to memory of 2680	1340	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe	30
PID 1340 wrote to memory of 2680	1340	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe	30
PID 1340 wrote to memory of 2680	1340	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe	30
PID 1340 wrote to memory of 2680	1340	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe	30
PID 1340 wrote to memory of 2092	1340	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe	31
PID 1340 wrote to memory of 2092	1340	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe	31
PID 1340 wrote to memory of 2092	1340	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe	31
PID 1340 wrote to memory of 2092	1340	{CE5F595A-202E-4874-8070-2F040DE8B446}.exe	31
PID 2680 wrote to memory of 2600	2680	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe	34
PID 2680 wrote to memory of 2600	2680	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe	34
PID 2680 wrote to memory of 2600	2680	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe	34
PID 2680 wrote to memory of 2600	2680	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe	34
PID 2680 wrote to memory of 1260	2680	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe	35
PID 2680 wrote to memory of 1260	2680	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe	35
PID 2680 wrote to memory of 1260	2680	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe	35
PID 2680 wrote to memory of 1260	2680	{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe	35
PID 2600 wrote to memory of 1128	2600	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe	36
PID 2600 wrote to memory of 1128	2600	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe	36
PID 2600 wrote to memory of 1128	2600	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe	36
PID 2600 wrote to memory of 1128	2600	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe	36
PID 2600 wrote to memory of 552	2600	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe	37
PID 2600 wrote to memory of 552	2600	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe	37
PID 2600 wrote to memory of 552	2600	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe	37
PID 2600 wrote to memory of 552	2600	{A9827736-4855-46c8-AF69-CB5990A194C0}.exe	37
PID 1128 wrote to memory of 2864	1128	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe	38
PID 1128 wrote to memory of 2864	1128	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe	38
PID 1128 wrote to memory of 2864	1128	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe	38
PID 1128 wrote to memory of 2864	1128	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe	38
PID 1128 wrote to memory of 2920	1128	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe	39
PID 1128 wrote to memory of 2920	1128	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe	39
PID 1128 wrote to memory of 2920	1128	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe	39
PID 1128 wrote to memory of 2920	1128	{A29550AC-C173-4177-A902-ECDA877AD60D}.exe	39
PID 2864 wrote to memory of 2992	2864	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe	40
PID 2864 wrote to memory of 2992	2864	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe	40
PID 2864 wrote to memory of 2992	2864	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe	40
PID 2864 wrote to memory of 2992	2864	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe	40
PID 2864 wrote to memory of 3016	2864	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe	41
PID 2864 wrote to memory of 3016	2864	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe	41
PID 2864 wrote to memory of 3016	2864	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe	41
PID 2864 wrote to memory of 3016	2864	{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe	41
PID 2992 wrote to memory of 2472	2992	{96931E17-EE17-4ec5-AB96-F95874048599}.exe	42
PID 2992 wrote to memory of 2472	2992	{96931E17-EE17-4ec5-AB96-F95874048599}.exe	42
PID 2992 wrote to memory of 2472	2992	{96931E17-EE17-4ec5-AB96-F95874048599}.exe	42
PID 2992 wrote to memory of 2472	2992	{96931E17-EE17-4ec5-AB96-F95874048599}.exe	42
PID 2992 wrote to memory of 2624	2992	{96931E17-EE17-4ec5-AB96-F95874048599}.exe	43
PID 2992 wrote to memory of 2624	2992	{96931E17-EE17-4ec5-AB96-F95874048599}.exe	43
PID 2992 wrote to memory of 2624	2992	{96931E17-EE17-4ec5-AB96-F95874048599}.exe	43
PID 2992 wrote to memory of 2624	2992	{96931E17-EE17-4ec5-AB96-F95874048599}.exe	43
PID 2472 wrote to memory of 1192	2472	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe	44
PID 2472 wrote to memory of 1192	2472	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe	44
PID 2472 wrote to memory of 1192	2472	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe	44
PID 2472 wrote to memory of 1192	2472	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe	44
PID 2472 wrote to memory of 2892	2472	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe	45
PID 2472 wrote to memory of 2892	2472	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe	45
PID 2472 wrote to memory of 2892	2472	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe	45
PID 2472 wrote to memory of 2892	2472	{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_eb8bb63ed8f9e11abd72155afc57db49_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\{CE5F595A-202E-4874-8070-2F040DE8B446}.exe
  C:\Windows\{CE5F595A-202E-4874-8070-2F040DE8B446}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe
    C:\Windows\{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\{A9827736-4855-46c8-AF69-CB5990A194C0}.exe
      C:\Windows\{A9827736-4855-46c8-AF69-CB5990A194C0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{A29550AC-C173-4177-A902-ECDA877AD60D}.exe
        
        C:\Windows\{A29550AC-C173-4177-A902-ECDA877AD60D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe
        
        C:\Windows\{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{96931E17-EE17-4ec5-AB96-F95874048599}.exe
        
        C:\Windows\{96931E17-EE17-4ec5-AB96-F95874048599}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe
        
        C:\Windows\{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\{4A32CD07-98D9-406d-AC79-F1A5CC5E7CBE}.exe
        
        C:\Windows\{4A32CD07-98D9-406d-AC79-F1A5CC5E7CBE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\{813CFB9E-90BB-4512-9501-AA0A3CCDDAC0}.exe
        
        C:\Windows\{813CFB9E-90BB-4512-9501-AA0A3CCDDAC0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\{DC29B6B1-6485-45a5-B395-DBAA39E9EE27}.exe
        
        C:\Windows\{DC29B6B1-6485-45a5-B395-DBAA39E9EE27}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\{8C400224-63CD-419d-B815-A5CA67C72FE2}.exe
        
        C:\Windows\{8C400224-63CD-419d-B815-A5CA67C72FE2}.exe
        12⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC29B~1.EXE > nul
        12⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{813CF~1.EXE > nul
        11⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A32C~1.EXE > nul
        10⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAB3A~1.EXE > nul
        9⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96931~1.EXE > nul
        8⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA2A3~1.EXE > nul
        7⤵
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2955~1.EXE > nul
        6⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9827~1.EXE > nul
        5⤵
        
        PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4BA30~1.EXE > nul
      4⤵
      PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CE5F5~1.EXE > nul
    3⤵
    PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4A32CD07-98D9-406d-AC79-F1A5CC5E7CBE}.exe

Filesize
408KB

MD5
4fd8b9f2f08135476fd655321ba96590

SHA1
1961e59132915eb651e5bb5dc75a88c9ce37cee8

SHA256
5d8ebf17b4c7c00e30f7e495aad203daf10d4c9fa86565a1536bd67599c48d26

SHA512
be89e26e7d6c73906629d8df1fff417f5a4264eab9254f27c358d94852a740b59a43beb030981fc14e64ea5b26a7b3b5e2a00b282e4f57282002f9f72d45cab1

Download Submit
C:\Windows\{4BA30FF3-DFF9-4d8a-9002-893BA28E7BA0}.exe

Filesize
408KB

MD5
3708857feae074df23498a35b82900cb

SHA1
f267a20db40b4f39ac31f7bf2d16712f3f383b16

SHA256
d16113ed589283e7d6d9f971537982e5f0ac0bb80366e5ef9713e2bbc889c7c8

SHA512
2bb0b53cd6bf02ce8f927288c04c03dd4a4a9de08b9a9c8810008fe52d285d3569044c8d06a9b909d3dc0972ca1ee5724415e2bcb0a775d3daaf43180d953d8d

Download Submit
C:\Windows\{813CFB9E-90BB-4512-9501-AA0A3CCDDAC0}.exe

Filesize
408KB

MD5
0c6bab4fe60492920b5f1ed6a5faca45

SHA1
c2b1f5d050875867ab1942c521534e17a5a11c87

SHA256
9444bbfeec8ff8d0bf04ef0967af1ee913f3658402088cf307524ed00570aa5c

SHA512
f0170460351a701d6e03802c8f1a5717830f92ed8d412f9b2b6b91c3f300f37df90a0441ffba0685e7e1948c6c0d6caa02e7caa6511f0d0417bb5ad581797db3

Download Submit
C:\Windows\{8C400224-63CD-419d-B815-A5CA67C72FE2}.exe

Filesize
408KB

MD5
3ed76fa9fe916f5520d0bb560e310f4a

SHA1
91efcfd717f4c7931d07dced01e2bdc701513ec7

SHA256
223c9e188c6c16c190333decd52ff833f8352a66e5039d8874b1c69cbcb62100

SHA512
581310da449f4d6e83cd442b2c995134bc756449ed03e51df9f18dc97ce8ca760f981e26762a887ac297a28207351760c5531516a62ee71e2c958796009d607b

Download Submit
C:\Windows\{96931E17-EE17-4ec5-AB96-F95874048599}.exe

Filesize
408KB

MD5
f8abf41c2ac0f8a3be13eb073f798eb1

SHA1
a2f0eb8f9a74304b70f0ba2276d0cea407e02464

SHA256
633b7e7a82bf41a2cb4d08870ae9de7114a13b37bdc8770767a48ea0de274b17

SHA512
fe8ee537bd48df524c9e849f9f448dbaaca646e7f6ce5c70d826319bc310d9f59256e8af0da506d2aeaec30bb05f4f11229525d694e2848663441be5e11d7917

Download Submit
C:\Windows\{A29550AC-C173-4177-A902-ECDA877AD60D}.exe

Filesize
408KB

MD5
01c21ba807448148468c8c74be50b7ac

SHA1
3947fc68ca4af10a50325120a77879360deef27f

SHA256
ab9804a2352fb5292aacd99be41ba69d4d23f55264154d74d100daf9c8bbc994

SHA512
d374f49598692c4e5b358d7be15a419da67d5a226eaeee22f5d00db1f31f6967835038ee5aed7a63803fa659834257b425b75eabf154cd8e649281bc1b425735

Download Submit
C:\Windows\{A9827736-4855-46c8-AF69-CB5990A194C0}.exe

Filesize
408KB

MD5
e57891cd2655a297f063524b8582eabd

SHA1
53777830e51854dcab7634f9155c75dbb4fbdcbd

SHA256
423b1dbc7d09bc554d58f4fd8e6acf27fe9452e6e602054537fe930121cadfa0

SHA512
c0bcf7f110d7a43a3dcd0ee85039514ece95e2838deb94062d8d1c4cbd9a5dcf05339750e54a5d9b88b331504921db43e58f463f0e46ec1068a0a591e5eb2bca

Download Submit
C:\Windows\{BA2A31BB-25B8-43da-A668-3557F14390AC}.exe

Filesize
408KB

MD5
d7af1f009c5f5ebe75597edb39980fa9

SHA1
ad880b539cdb01901201b5992f1d532374c7936d

SHA256
1818e2d34538537d4f00ed5fecf2087d62e93e7e68b9bde1dce7b164bb2a0fb1

SHA512
66524572a4dc317f491101901ed53ac3033aa7983bbb8506e72e4a9b3db22f5d843ee24fa2701584a551b03305044fe332f5e49bb17b148d03baaab0306a94f7

Download Submit
C:\Windows\{CE5F595A-202E-4874-8070-2F040DE8B446}.exe

Filesize
408KB

MD5
e2bdf05285162ca76a3d0ce460a763ae

SHA1
2283a5556ad5ef984fdfda713265e10fd841b997

SHA256
56e95c2409937dc51a0ff9caf62ad91a5824acc83073a67950862ae211e743fc

SHA512
639f1902e0f60b284243411e4c4379683125167a29a79bc302b66bfaea7c20d0855a540306afe0e497c48b9d0dc9afc682211b5961a44ba45a95779c569e111b

Download Submit
C:\Windows\{DC29B6B1-6485-45a5-B395-DBAA39E9EE27}.exe

Filesize
408KB

MD5
c720fb9139fc1e132bc024e9e2fda819

SHA1
490afdd9c3744552d8d0d78145cefc31eae4731f

SHA256
dfa33dd8ce515ac07acb94ba8101a004179b5ad1386893609888db68d885e1ab

SHA512
f6a706aad2551857180a16af96f19c3177dccb58eb2e7f4d1d3fb7d317f863fe8744a0bd4fc6cc04da5c597272189ba619ea7990193d8f3153d6f772c69477b5

Download Submit
C:\Windows\{FAB3A5F9-D3E7-4219-B904-3127F4AE961E}.exe

Filesize
408KB

MD5
1c99b34ff5f1f3cc0b896ea1987b0ed7

SHA1
7efa9b121bb6665c7c4787af96181189a22630ae

SHA256
6e7e28148af2e3b20bc03a8cb6d41ae11592669567c0f0e56dc73f7aef644a19

SHA512
90adb380a15bd0b3343c70d9d155c223f6469baa93d8d4c066745de5cfb32702617a811c932f8d52a6bd039e74f6080b9ac1eff1c224062736fb4725c6f932f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads