7b5b5e513b26bc46b5f049d6275b5d653ceae00f0a50430e668086679e7f5fdc

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe
Size

204KB
MD5

6d1025809d2523a84a6390708cffda71
SHA1

406ee79175ba236dbe1f4fa10005e7bc9d8c44ef
SHA256

7b5b5e513b26bc46b5f049d6275b5d653ceae00f0a50430e668086679e7f5fdc
SHA512

8507267f3dfb3fa786bd5c11ab1a3ae5d8560996271ba043e4c9eea498e49e3f6cf3252280de96e4eff38c2c75593d28ac44b48ce47d4f07459f9c1a2caf679f
SSDEEP

1536:1EGh0o3l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o3l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012328-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013413-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012328-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000013a3a-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012328-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012328-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012328-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{834FE62A-5FB5-416e-B1AF-B4255731ED7D}\stubpath = "C:\\Windows\\{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe"	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04CA0655-F067-4e70-9D0E-3868C48446F9}	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B8CAEC2-9360-417a-8918-8E69AE1C2AD7}	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B8CAEC2-9360-417a-8918-8E69AE1C2AD7}\stubpath = "C:\\Windows\\{0B8CAEC2-9360-417a-8918-8E69AE1C2AD7}.exe"	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{834FE62A-5FB5-416e-B1AF-B4255731ED7D}	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}\stubpath = "C:\\Windows\\{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe"	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}\stubpath = "C:\\Windows\\{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe"	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04CA0655-F067-4e70-9D0E-3868C48446F9}\stubpath = "C:\\Windows\\{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe"	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}\stubpath = "C:\\Windows\\{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe"	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC6F03C6-BF81-40ae-A1B0-4545E1827C04}	{0B8CAEC2-9360-417a-8918-8E69AE1C2AD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD587E87-A35C-47ff-A550-A1437F3E81FC}	{CC6F03C6-BF81-40ae-A1B0-4545E1827C04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD587E87-A35C-47ff-A550-A1437F3E81FC}\stubpath = "C:\\Windows\\{AD587E87-A35C-47ff-A550-A1437F3E81FC}.exe"	{CC6F03C6-BF81-40ae-A1B0-4545E1827C04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{214F2915-6AD1-463c-A63E-CD20DB1F609D}	{AD587E87-A35C-47ff-A550-A1437F3E81FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{214F2915-6AD1-463c-A63E-CD20DB1F609D}\stubpath = "C:\\Windows\\{214F2915-6AD1-463c-A63E-CD20DB1F609D}.exe"	{AD587E87-A35C-47ff-A550-A1437F3E81FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}\stubpath = "C:\\Windows\\{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe"	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}\stubpath = "C:\\Windows\\{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe"	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC6F03C6-BF81-40ae-A1B0-4545E1827C04}\stubpath = "C:\\Windows\\{CC6F03C6-BF81-40ae-A1B0-4545E1827C04}.exe"	{0B8CAEC2-9360-417a-8918-8E69AE1C2AD7}.exe

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2952	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe
2660	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe
2708	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe
3012	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe
2776	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe
2204	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe
1768	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe
1460	{0B8CAEC2-9360-417a-8918-8E69AE1C2AD7}.exe
1272	{CC6F03C6-BF81-40ae-A1B0-4545E1827C04}.exe
1156	{AD587E87-A35C-47ff-A550-A1437F3E81FC}.exe
688	{214F2915-6AD1-463c-A63E-CD20DB1F609D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe
File created	C:\Windows\{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe
File created	C:\Windows\{0B8CAEC2-9360-417a-8918-8E69AE1C2AD7}.exe	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe
File created	C:\Windows\{CC6F03C6-BF81-40ae-A1B0-4545E1827C04}.exe	{0B8CAEC2-9360-417a-8918-8E69AE1C2AD7}.exe
File created	C:\Windows\{AD587E87-A35C-47ff-A550-A1437F3E81FC}.exe	{CC6F03C6-BF81-40ae-A1B0-4545E1827C04}.exe
File created	C:\Windows\{214F2915-6AD1-463c-A63E-CD20DB1F609D}.exe	{AD587E87-A35C-47ff-A550-A1437F3E81FC}.exe
File created	C:\Windows\{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe
File created	C:\Windows\{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe
File created	C:\Windows\{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe
File created	C:\Windows\{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe
File created	C:\Windows\{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2384	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2952	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe
Token: SeIncBasePriorityPrivilege	2660	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe
Token: SeIncBasePriorityPrivilege	2708	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe
Token: SeIncBasePriorityPrivilege	3012	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe
Token: SeIncBasePriorityPrivilege	2776	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe
Token: SeIncBasePriorityPrivilege	2204	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe
Token: SeIncBasePriorityPrivilege	1768	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe
Token: SeIncBasePriorityPrivilege	1460	{0B8CAEC2-9360-417a-8918-8E69AE1C2AD7}.exe
Token: SeIncBasePriorityPrivilege	1272	{CC6F03C6-BF81-40ae-A1B0-4545E1827C04}.exe
Token: SeIncBasePriorityPrivilege	1156	{AD587E87-A35C-47ff-A550-A1437F3E81FC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2952	2384	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	28
PID 2384 wrote to memory of 2952	2384	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	28
PID 2384 wrote to memory of 2952	2384	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	28
PID 2384 wrote to memory of 2952	2384	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	28
PID 2384 wrote to memory of 2628	2384	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	29
PID 2384 wrote to memory of 2628	2384	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	29
PID 2384 wrote to memory of 2628	2384	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	29
PID 2384 wrote to memory of 2628	2384	2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe	29
PID 2952 wrote to memory of 2660	2952	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe	30
PID 2952 wrote to memory of 2660	2952	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe	30
PID 2952 wrote to memory of 2660	2952	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe	30
PID 2952 wrote to memory of 2660	2952	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe	30
PID 2952 wrote to memory of 2600	2952	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe	31
PID 2952 wrote to memory of 2600	2952	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe	31
PID 2952 wrote to memory of 2600	2952	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe	31
PID 2952 wrote to memory of 2600	2952	{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe	31
PID 2660 wrote to memory of 2708	2660	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe	32
PID 2660 wrote to memory of 2708	2660	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe	32
PID 2660 wrote to memory of 2708	2660	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe	32
PID 2660 wrote to memory of 2708	2660	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe	32
PID 2660 wrote to memory of 2472	2660	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe	33
PID 2660 wrote to memory of 2472	2660	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe	33
PID 2660 wrote to memory of 2472	2660	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe	33
PID 2660 wrote to memory of 2472	2660	{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe	33
PID 2708 wrote to memory of 3012	2708	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe	36
PID 2708 wrote to memory of 3012	2708	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe	36
PID 2708 wrote to memory of 3012	2708	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe	36
PID 2708 wrote to memory of 3012	2708	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe	36
PID 2708 wrote to memory of 2108	2708	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe	37
PID 2708 wrote to memory of 2108	2708	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe	37
PID 2708 wrote to memory of 2108	2708	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe	37
PID 2708 wrote to memory of 2108	2708	{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe	37
PID 3012 wrote to memory of 2776	3012	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe	38
PID 3012 wrote to memory of 2776	3012	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe	38
PID 3012 wrote to memory of 2776	3012	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe	38
PID 3012 wrote to memory of 2776	3012	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe	38
PID 3012 wrote to memory of 2764	3012	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe	39
PID 3012 wrote to memory of 2764	3012	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe	39
PID 3012 wrote to memory of 2764	3012	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe	39
PID 3012 wrote to memory of 2764	3012	{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe	39
PID 2776 wrote to memory of 2204	2776	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe	41
PID 2776 wrote to memory of 2204	2776	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe	41
PID 2776 wrote to memory of 2204	2776	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe	41
PID 2776 wrote to memory of 2204	2776	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe	41
PID 2776 wrote to memory of 1300	2776	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe	40
PID 2776 wrote to memory of 1300	2776	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe	40
PID 2776 wrote to memory of 1300	2776	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe	40
PID 2776 wrote to memory of 1300	2776	{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe	40
PID 2204 wrote to memory of 1768	2204	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe	42
PID 2204 wrote to memory of 1768	2204	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe	42
PID 2204 wrote to memory of 1768	2204	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe	42
PID 2204 wrote to memory of 1768	2204	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe	42
PID 2204 wrote to memory of 1924	2204	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe	43
PID 2204 wrote to memory of 1924	2204	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe	43
PID 2204 wrote to memory of 1924	2204	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe	43
PID 2204 wrote to memory of 1924	2204	{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe	43
PID 1768 wrote to memory of 1460	1768	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe	44
PID 1768 wrote to memory of 1460	1768	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe	44
PID 1768 wrote to memory of 1460	1768	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe	44
PID 1768 wrote to memory of 1460	1768	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe	44
PID 1768 wrote to memory of 2208	1768	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe	45
PID 1768 wrote to memory of 2208	1768	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe	45
PID 1768 wrote to memory of 2208	1768	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe	45
PID 1768 wrote to memory of 2208	1768	{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_6d1025809d2523a84a6390708cffda71_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe
  C:\Windows\{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe
    C:\Windows\{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe
      C:\Windows\{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe
        
        C:\Windows\{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe
        
        C:\Windows\{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FBFD~1.EXE > nul
        7⤵
        
        PID:1300
        
        C:\Windows\{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe
        
        C:\Windows\{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe
        
        C:\Windows\{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{0B8CAEC2-9360-417a-8918-8E69AE1C2AD7}.exe
        
        C:\Windows\{0B8CAEC2-9360-417a-8918-8E69AE1C2AD7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\{CC6F03C6-BF81-40ae-A1B0-4545E1827C04}.exe
        
        C:\Windows\{CC6F03C6-BF81-40ae-A1B0-4545E1827C04}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC6F0~1.EXE > nul
        11⤵
        
        PID:2876
        
        C:\Windows\{AD587E87-A35C-47ff-A550-A1437F3E81FC}.exe
        
        C:\Windows\{AD587E87-A35C-47ff-A550-A1437F3E81FC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD587~1.EXE > nul
        12⤵
        
        PID:636
        
        C:\Windows\{214F2915-6AD1-463c-A63E-CD20DB1F609D}.exe
        
        C:\Windows\{214F2915-6AD1-463c-A63E-CD20DB1F609D}.exe
        12⤵
        Executes dropped EXE
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B8CA~1.EXE > nul
        10⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04CA0~1.EXE > nul
        9⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A98B3~1.EXE > nul
        8⤵
        
        PID:1924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73C20~1.EXE > nul
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{834FE~1.EXE > nul
        5⤵
        
        PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{65C3E~1.EXE > nul
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{161BB~1.EXE > nul
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04CA0655-F067-4e70-9D0E-3868C48446F9}.exe

Filesize
204KB

MD5
118fcc5f7a041a587a6990386622346b

SHA1
7d5b4e4908f35e40bb6c45618c2c1e674b314168

SHA256
44c96af303931c5de5a582ca2b77040f3f609f31136a1c915e1dfd071627f584

SHA512
4f3914230a2f593b2835040391b00c0f52a1d7adeaa4f600abf778bd1c3bed0fcecffa16284f87a827f9aae7de65cde8b59ab23016717647fb675ea44218acab

Download Submit
C:\Windows\{0B8CAEC2-9360-417a-8918-8E69AE1C2AD7}.exe

Filesize
204KB

MD5
65c36863101ae16fd826333bd0ddd52b

SHA1
a224ad1f2fce3ecb8d9ddac4fae72088589f8358

SHA256
4ae43f7eaa5daf98dabf2e431fb54f5d819b118c5a5eaf80a53170924215efb1

SHA512
59b8c5f5d19ef95851f3cae92057494c6f9c4afdc942edd1c18b06c7ba253b6d7c0f914f1d471040113e961f47e8b1d90030234192838ef32376c952de7b31d4

Download Submit
C:\Windows\{161BBBB9-9BEA-42f2-ABB3-9AE4CF8B2206}.exe

Filesize
204KB

MD5
676f3ac94126428e435908cc3f3919d2

SHA1
9d4b53e0c9253a338a46dd1d44ee336a17926c63

SHA256
b1c348ff226a5873fc747980b1642d74458eab9213938c83038592e05f94c7fa

SHA512
0d6c77c53ae7187b619dab8987cecf054ebfb6feb3966b7e4e2ebef0836b50d12633e0b44ef3370e9edc90ed60b58f6ddb569fa8dbcca82bf6699ccd50aa0530

Download Submit
C:\Windows\{214F2915-6AD1-463c-A63E-CD20DB1F609D}.exe

Filesize
204KB

MD5
c7e8c3a5fad71ea1d3525a23760c0532

SHA1
5033362f6d029254c86455f0cc2f39767b44502b

SHA256
8341d619c326d59a5e0194ae5291b4ff3d88b5d720094c4122da28b590760f84

SHA512
ff5b425d5de5e1dd0f56e93668c1e4f19c7922d91739f17b884eb9c421188506b2e3d147c171f2f65c893f8de79ba7dab008ed347f6feb9b45d708c64b7db970

Download Submit
C:\Windows\{5FBFD6CA-3EB2-4d0c-BA32-FA9E61F844AB}.exe

Filesize
204KB

MD5
8d501fcf876f85618445e445596af907

SHA1
bde02bb53c3e4e28d9fb17abfe60cf89bc7482fa

SHA256
feecb624638c00c6e2845e5ec58216d1c9dd6485daddf43096f73fd52de55e54

SHA512
e1c1488b7eb430463936e1e56800f148632f7b8d9f6e396f28be082152a1b7071ee6ce21b64d56b9d6a1d683e891d58ee70828a0182626697d55dc3bb137edd2

Download Submit
C:\Windows\{65C3E4AD-5546-4a5f-BCB9-AA3665A852BE}.exe

Filesize
204KB

MD5
cde853c8e94fad6f9f8515b34753febb

SHA1
07ff881d18d18d7669d82e4ab6b908b59f5e3408

SHA256
5e32297534a980998527be2e8e3410ee6c86c3b7f52f56a1691cf7c56bce0bc7

SHA512
8a0ea37194fb7d06b8e073d795bf05bff42c6f0fe5143f7ed5774f79e4290ce9f2166616dcb53c307b52147e66041f5a6e42cb46457e7659db491e58a9a95a9f

Download Submit
C:\Windows\{73C20C90-ECF5-4d45-A3D3-09AC99AB0C21}.exe

Filesize
204KB

MD5
e02348ed57b2c9325249efb580324a34

SHA1
335b73aea1c441b4a52908bdd8437b1029398501

SHA256
d3fa9f5878de65cb0a6b691dda49173fe374fc6627d220746ed35c87b5bad574

SHA512
7d70389634775734cd3c095c03ee184cb46d32deac65aa28481c9a9bc1f8bd928f8374967322c6d500561031685cc0380d58fc340423c7278bc0c19ecf719ad7

Download Submit
C:\Windows\{834FE62A-5FB5-416e-B1AF-B4255731ED7D}.exe

Filesize
204KB

MD5
1dde66b7998aab2c13479c282d3a2fb9

SHA1
83b3ce7e3f8d5b4e115934bb0b586faee3e69440

SHA256
400defad1537038a2e52251f87f38b6984c621c8d90e88d3ec9df140611fc62d

SHA512
ee4268d915d5b21793b73fbfc394affb3308d30ca5923220aaff6c292728d7ddc689a29c3a51230d0f5f2a8f03919c33c54dddd117b5b2c2b6514f50011896ca

Download Submit
C:\Windows\{A98B3927-BE40-45f8-B4DA-DE2ABF4BAE3E}.exe

Filesize
204KB

MD5
b8bee222f7d9fa5eb964e628843867ef

SHA1
c7073ca15d80a05450d2965f40f7402cbed8ca78

SHA256
75173574e9f0c862281405e5e87b288883a1a891ec868ca8368db7d28cfec76a

SHA512
8b2832009983d9ac32302c94992dcad021b31a54195c50528ace9d67660dcbd2a9e55ed6b6b0b2a5ed2f6a9ef1c24b1b4e293fe667722010bcebd30ab75be7bb

Download Submit
C:\Windows\{AD587E87-A35C-47ff-A550-A1437F3E81FC}.exe

Filesize
204KB

MD5
7c99c8bc52375ef2a9551045a5d62af8

SHA1
015ad1acbd381ba0876faf1a852dacd6e00da0eb

SHA256
347e1d5ddd7a9563b1da1088c35447d3e6cccedfa3fdc73575c6c82e02ed8513

SHA512
6a9a1ec35a209b627a95a78eba9c720262eb7262dfb0f20271c4e70abab828f3f3d79a54aa79833c6de8c9be18b3342384e0853b42266d4e7fa45e1bf75b6cc8

Download Submit
C:\Windows\{CC6F03C6-BF81-40ae-A1B0-4545E1827C04}.exe

Filesize
204KB

MD5
f566f5fd9cf9a18f988e5a7d1c1a963f

SHA1
5300f674c96bd69b4daa1f214c3a4b234a02bc85

SHA256
21ed0c574dff827f470c1ee67b71ff7b6bd294640c69ac63becd84cc962dcafc

SHA512
cb9a9c7575e5f7ce542d8a37a21467c0a91490a7dc07700d3119775b512ca0c025bf2109d24eb121b605ee1895c0dadb8a2a76a422a8f486ace72f48575e5979

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads