4ca7dcc7ab3e340c3a3c06627fd5fa42121f8314a136b841d29f93e4675d13d1

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe
Size

216KB
MD5

7f466e6da60479abb7f8d9d522d4fb30
SHA1

833fae78477c6fb7daade00258819977f6fc8ccf
SHA256

4ca7dcc7ab3e340c3a3c06627fd5fa42121f8314a136b841d29f93e4675d13d1
SHA512

22a8d6d37a7c68ea719e7d018bbe33b1c4eab9ce43ee2669839a29a01e644db90a819afeb9d9ed2dbd9b5dcc593d0791ca9751a78a496f2c66ee40d524014870
SSDEEP

3072:jEGh0oQl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGmlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a3f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001225d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000014183-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001225d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001225d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001225d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000014183-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}\stubpath = "C:\\Windows\\{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe"	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}\stubpath = "C:\\Windows\\{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe"	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E95D5531-B6E2-436c-A443-72C83D61CA0F}	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACEBB7B3-9B02-4fb5-993F-8A392A51D8D6}	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9D1BC86-F824-4fd4-A33C-7C61195C2022}	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E317FD7C-DCC4-49e2-8190-F1A367E69D9F}	{4F721455-EA39-4ff3-A83A-61158751F371}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E317FD7C-DCC4-49e2-8190-F1A367E69D9F}\stubpath = "C:\\Windows\\{E317FD7C-DCC4-49e2-8190-F1A367E69D9F}.exe"	{4F721455-EA39-4ff3-A83A-61158751F371}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}\stubpath = "C:\\Windows\\{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe"	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F721455-EA39-4ff3-A83A-61158751F371}	{ACEBB7B3-9B02-4fb5-993F-8A392A51D8D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F721455-EA39-4ff3-A83A-61158751F371}\stubpath = "C:\\Windows\\{4F721455-EA39-4ff3-A83A-61158751F371}.exe"	{ACEBB7B3-9B02-4fb5-993F-8A392A51D8D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2C351BC-E20E-4f11-99F1-F2EE78785FBD}\stubpath = "C:\\Windows\\{C2C351BC-E20E-4f11-99F1-F2EE78785FBD}.exe"	{E317FD7C-DCC4-49e2-8190-F1A367E69D9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A93665B-4296-4fe4-AF18-8C53BA380A48}	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACEBB7B3-9B02-4fb5-993F-8A392A51D8D6}\stubpath = "C:\\Windows\\{ACEBB7B3-9B02-4fb5-993F-8A392A51D8D6}.exe"	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A93665B-4296-4fe4-AF18-8C53BA380A48}\stubpath = "C:\\Windows\\{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe"	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E95D5531-B6E2-436c-A443-72C83D61CA0F}\stubpath = "C:\\Windows\\{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe"	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C2C351BC-E20E-4f11-99F1-F2EE78785FBD}	{E317FD7C-DCC4-49e2-8190-F1A367E69D9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9D1BC86-F824-4fd4-A33C-7C61195C2022}\stubpath = "C:\\Windows\\{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe"	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}\stubpath = "C:\\Windows\\{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe"	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe

Deletes itself 1 IoCs

pid	Process
3020	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2396	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe
2716	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe
2608	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe
2976	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe
2656	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe
1816	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe
760	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe
1368	{ACEBB7B3-9B02-4fb5-993F-8A392A51D8D6}.exe
2064	{4F721455-EA39-4ff3-A83A-61158751F371}.exe
664	{E317FD7C-DCC4-49e2-8190-F1A367E69D9F}.exe
1104	{C2C351BC-E20E-4f11-99F1-F2EE78785FBD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe
File created	C:\Windows\{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe
File created	C:\Windows\{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe
File created	C:\Windows\{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe
File created	C:\Windows\{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe
File created	C:\Windows\{ACEBB7B3-9B02-4fb5-993F-8A392A51D8D6}.exe	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe
File created	C:\Windows\{E317FD7C-DCC4-49e2-8190-F1A367E69D9F}.exe	{4F721455-EA39-4ff3-A83A-61158751F371}.exe
File created	C:\Windows\{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe
File created	C:\Windows\{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe
File created	C:\Windows\{4F721455-EA39-4ff3-A83A-61158751F371}.exe	{ACEBB7B3-9B02-4fb5-993F-8A392A51D8D6}.exe
File created	C:\Windows\{C2C351BC-E20E-4f11-99F1-F2EE78785FBD}.exe	{E317FD7C-DCC4-49e2-8190-F1A367E69D9F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2396	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe
Token: SeIncBasePriorityPrivilege	2716	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe
Token: SeIncBasePriorityPrivilege	2608	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe
Token: SeIncBasePriorityPrivilege	2976	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe
Token: SeIncBasePriorityPrivilege	2656	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe
Token: SeIncBasePriorityPrivilege	1816	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe
Token: SeIncBasePriorityPrivilege	760	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe
Token: SeIncBasePriorityPrivilege	1368	{ACEBB7B3-9B02-4fb5-993F-8A392A51D8D6}.exe
Token: SeIncBasePriorityPrivilege	2064	{4F721455-EA39-4ff3-A83A-61158751F371}.exe
Token: SeIncBasePriorityPrivilege	664	{E317FD7C-DCC4-49e2-8190-F1A367E69D9F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2396	2368	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	28
PID 2368 wrote to memory of 2396	2368	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	28
PID 2368 wrote to memory of 2396	2368	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	28
PID 2368 wrote to memory of 2396	2368	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	28
PID 2368 wrote to memory of 3020	2368	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	29
PID 2368 wrote to memory of 3020	2368	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	29
PID 2368 wrote to memory of 3020	2368	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	29
PID 2368 wrote to memory of 3020	2368	2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe	29
PID 2396 wrote to memory of 2716	2396	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe	30
PID 2396 wrote to memory of 2716	2396	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe	30
PID 2396 wrote to memory of 2716	2396	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe	30
PID 2396 wrote to memory of 2716	2396	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe	30
PID 2396 wrote to memory of 2600	2396	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe	31
PID 2396 wrote to memory of 2600	2396	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe	31
PID 2396 wrote to memory of 2600	2396	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe	31
PID 2396 wrote to memory of 2600	2396	{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe	31
PID 2716 wrote to memory of 2608	2716	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe	32
PID 2716 wrote to memory of 2608	2716	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe	32
PID 2716 wrote to memory of 2608	2716	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe	32
PID 2716 wrote to memory of 2608	2716	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe	32
PID 2716 wrote to memory of 2808	2716	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe	33
PID 2716 wrote to memory of 2808	2716	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe	33
PID 2716 wrote to memory of 2808	2716	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe	33
PID 2716 wrote to memory of 2808	2716	{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe	33
PID 2608 wrote to memory of 2976	2608	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe	36
PID 2608 wrote to memory of 2976	2608	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe	36
PID 2608 wrote to memory of 2976	2608	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe	36
PID 2608 wrote to memory of 2976	2608	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe	36
PID 2608 wrote to memory of 2060	2608	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe	37
PID 2608 wrote to memory of 2060	2608	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe	37
PID 2608 wrote to memory of 2060	2608	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe	37
PID 2608 wrote to memory of 2060	2608	{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe	37
PID 2976 wrote to memory of 2656	2976	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe	38
PID 2976 wrote to memory of 2656	2976	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe	38
PID 2976 wrote to memory of 2656	2976	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe	38
PID 2976 wrote to memory of 2656	2976	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe	38
PID 2976 wrote to memory of 2752	2976	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe	39
PID 2976 wrote to memory of 2752	2976	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe	39
PID 2976 wrote to memory of 2752	2976	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe	39
PID 2976 wrote to memory of 2752	2976	{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe	39
PID 2656 wrote to memory of 1816	2656	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe	40
PID 2656 wrote to memory of 1816	2656	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe	40
PID 2656 wrote to memory of 1816	2656	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe	40
PID 2656 wrote to memory of 1816	2656	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe	40
PID 2656 wrote to memory of 1992	2656	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe	41
PID 2656 wrote to memory of 1992	2656	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe	41
PID 2656 wrote to memory of 1992	2656	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe	41
PID 2656 wrote to memory of 1992	2656	{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe	41
PID 1816 wrote to memory of 760	1816	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe	42
PID 1816 wrote to memory of 760	1816	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe	42
PID 1816 wrote to memory of 760	1816	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe	42
PID 1816 wrote to memory of 760	1816	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe	42
PID 1816 wrote to memory of 2004	1816	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe	43
PID 1816 wrote to memory of 2004	1816	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe	43
PID 1816 wrote to memory of 2004	1816	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe	43
PID 1816 wrote to memory of 2004	1816	{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe	43
PID 760 wrote to memory of 1368	760	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe	44
PID 760 wrote to memory of 1368	760	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe	44
PID 760 wrote to memory of 1368	760	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe	44
PID 760 wrote to memory of 1368	760	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe	44
PID 760 wrote to memory of 2228	760	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe	45
PID 760 wrote to memory of 2228	760	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe	45
PID 760 wrote to memory of 2228	760	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe	45
PID 760 wrote to memory of 2228	760	{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_7f466e6da60479abb7f8d9d522d4fb30_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe
  C:\Windows\{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe
    C:\Windows\{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe
      C:\Windows\{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe
        
        C:\Windows\{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe
        
        C:\Windows\{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe
        
        C:\Windows\{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe
        
        C:\Windows\{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\{ACEBB7B3-9B02-4fb5-993F-8A392A51D8D6}.exe
        
        C:\Windows\{ACEBB7B3-9B02-4fb5-993F-8A392A51D8D6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Windows\{4F721455-EA39-4ff3-A83A-61158751F371}.exe
        
        C:\Windows\{4F721455-EA39-4ff3-A83A-61158751F371}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{E317FD7C-DCC4-49e2-8190-F1A367E69D9F}.exe
        
        C:\Windows\{E317FD7C-DCC4-49e2-8190-F1A367E69D9F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\{C2C351BC-E20E-4f11-99F1-F2EE78785FBD}.exe
        
        C:\Windows\{C2C351BC-E20E-4f11-99F1-F2EE78785FBD}.exe
        12⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E317F~1.EXE > nul
        12⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F721~1.EXE > nul
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACEBB~1.EXE > nul
        10⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E95D5~1.EXE > nul
        9⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDE3F~1.EXE > nul
        8⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66CE1~1.EXE > nul
        7⤵
        
        PID:1992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A936~1.EXE > nul
        6⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D053~1.EXE > nul
        5⤵
        
        PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EBECF~1.EXE > nul
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D9D1B~1.EXE > nul
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D053C2A-1A80-45e1-90DF-7CF9B9DBDE60}.exe

Filesize
216KB

MD5
10a5284d81d365a65097fc20eda30a53

SHA1
2adefbc68eee58aa8e990196eefb28f277b13b99

SHA256
4d99a57c9a4d647a30bc9f83c906803eaffe9362c49ebe567988ce688731b34b

SHA512
3ccbf95d2d78df5d3376d0fe04ab032dbdba2b993290cbccab21f042f9ed106ba253353de9ff8f2cbccd65874e2d0514336544fe60f913f5aa53b7665eed4614

Download Submit
C:\Windows\{2A93665B-4296-4fe4-AF18-8C53BA380A48}.exe

Filesize
216KB

MD5
1a7e3b4b8f3441ed7f40c5543096e3fd

SHA1
2a4f8fc62f7c184796d357ee8bface8b2e6486de

SHA256
ddb78a33ffad7b8a57b8c2beab6837deb6741703a62ff3004d91c567d10859e5

SHA512
2a06b51096d16f43bdc893bae3bcdd219e43d1e14a5d1f64efe37d72539accbfbff609318dcfafdee592d6697fe6b033286df007cc29548aa9923e186e21d265

Download Submit
C:\Windows\{4F721455-EA39-4ff3-A83A-61158751F371}.exe

Filesize
216KB

MD5
7697ef09ce4ca317170e7f2d2cfcdd58

SHA1
85639c669b8f74d5178d64eaa97f048a2d9b7da0

SHA256
5dfcd53c0a1e852d902d583856f7966c8eee55f622e9992e8b9e23872b1fe70a

SHA512
ec2a658ae8cd101695d30aa1c7be6cab570c68ac1ec03db9f3b965dc2ea15735d7cd4ca9d1346b8397a2b3ae15ec62e17e783c529e8e318825a9ebb01071550e

Download Submit
C:\Windows\{66CE1695-64CA-454d-A8AE-E4882C1D5BA1}.exe

Filesize
216KB

MD5
ad5ba1c0849412c60e8f516d0625da0d

SHA1
06de6777f4d446983fbe481d94bf6a894479634e

SHA256
ed177906c260a960231a2c383425315d1d443e1df73936c5524268f2b84b259c

SHA512
bf47a77e9ccca70243c44dffabea541994c2ab0ccf4af4536a9096e5b6c9495701d8301a9c4881e678eea358f37523ec80feea27fd3327088b85c1884b4e45d5

Download Submit
C:\Windows\{ACEBB7B3-9B02-4fb5-993F-8A392A51D8D6}.exe

Filesize
216KB

MD5
c57071a06557e8a8e52b103c71aeb619

SHA1
65b9db09d70b623187cdb83d30dea18e4272c143

SHA256
58a7e48fc6d32a5b6c5289ab1a1cdce062c9a371dd85507f76a52abf76475af4

SHA512
6a3260fcd5bee5d2d0111f8a60bcf8314d49e92703f36d9d381b52cf842bbaa4eafdc2fc338b647eb0c710ff5c03bfc07a84061bb08c894fedf329c05cda4203

Download Submit
C:\Windows\{C2C351BC-E20E-4f11-99F1-F2EE78785FBD}.exe

Filesize
216KB

MD5
bae03a4cdcf7482c3ae295378d52c418

SHA1
169240e8aa26054fdfaa7eb2685d25f539c7ac15

SHA256
dbc509031eccff3f177e7c780d7666acf2284a25e76bc2a1f39f799da387fc2b

SHA512
53b03134cb56f50b64d72c681bc8804f11672552872281a529f96f37f4e90cb9064d8047ee288623a18d1ffc9c754dd562322d683c3720c6d9f3d8874086cf12

Download Submit
C:\Windows\{D9D1BC86-F824-4fd4-A33C-7C61195C2022}.exe

Filesize
216KB

MD5
9ec6ad14233cf2b82f46535bc8e27f06

SHA1
1c240b5f02ff5567c9af27f958b8b5ddc4a43099

SHA256
005b38b0f9adb0ae1cd5e8cec985c94630658eaa23faac745b059d620fd7553e

SHA512
01cd3930185a3ce7190f9f0b02189725f4912a5dcd3c2b2d4674f966264b048aeb72711a0a5c5018a6ae2a995ed5b4596161569899cec72a54698e4246672b4b

Download Submit
C:\Windows\{E317FD7C-DCC4-49e2-8190-F1A367E69D9F}.exe

Filesize
216KB

MD5
65528d80f594f057709dee1b1f87f89c

SHA1
9487822813fcf4f80a6ea292fca07da5aa44db98

SHA256
f840afbe69291033d2034bebad2c62c53e5e6a7d4452cf0fe4a0567d796c1c26

SHA512
633ce6e31d640014c6f37f709746e3b8cfd3b573e8a43b48dd9fe2ed0226910d6804f5a7c680181cc4b32dcd4dbb65fb970dddb6d4eb430f8ba0d228c9badbcf

Download Submit
C:\Windows\{E95D5531-B6E2-436c-A443-72C83D61CA0F}.exe

Filesize
216KB

MD5
08c6ddaaa8241b508e5eb6018e76b31c

SHA1
f0503ea7f99e150d7ccf8ee2bf8d741bc99c18a4

SHA256
8128e003ee2324773f366fd02372d680e40bad3decea9efb52ed938a19c10e3d

SHA512
fc29ed1d622c5e374ecc573d6ea1ab7ca9729e6dc9f31041cbdbdb862cbba40f2e5687099f592cd1cf3ca38977d27b83876bb0d343d46c15471a44f3bbb9bfd7

Download Submit
C:\Windows\{EBECF089-F7DB-4dce-A7B1-8CB04D1F8073}.exe

Filesize
216KB

MD5
b33419e608e76c101ec2985be0828e40

SHA1
4c735591947ff2c274d4eea707631ad1180a03ac

SHA256
cfe141e1ac49875d4cbc06d6de3a4108921c3835bdbe7777feebe9726e346d61

SHA512
41369cbfe5ddca7fa7a29f496f21161f4800e3658cc87eeff88a947775870354862cf50515eea58f04b7e02e88e14b2c78f89c4966a00dbdd72feaca156b4260

Download Submit
C:\Windows\{EDE3F62B-AC6F-4b63-8712-D86C67670F4F}.exe

Filesize
216KB

MD5
46afc062de281ea631d22573fe3f31f3

SHA1
b953507a638d3c6abb048cbe1889564b08d5c665

SHA256
81990fac8656253a3cb225e2c8284abce36117fcdf1a022dd8def77f49706ea0

SHA512
01ed46e82407cd8aac71ae7a116ceef1c816c9a3d0728569296a1ac9529b7fcd1582ae1a028e437138c716776c16b26a5417e5e8986d88d26ab6861dd4a62af0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads