9e0852aaa583991114b244b5a255ccc0a2f55dae086fa48baff887f32f99ea35

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe
Size

344KB
MD5

ecc271e769b6e917219bc673229c0bbc
SHA1

2520d525d3f75e0f76e56bc8a7f106858b9b2a39
SHA256

9e0852aaa583991114b244b5a255ccc0a2f55dae086fa48baff887f32f99ea35
SHA512

55b289620de5b5f2b7152c1b44569c166bdb65a5acc5156c5d739b1acb960794edb7804b833a8fd1f668149790740f59d9ef36ac8f776170f6d6f0b0541579a8
SSDEEP

3072:mEGh0oxlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEG/lqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000014dae-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016cb2-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000016ce4-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000016ce4-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AC07853-97ED-41c8-9B13-5FE550ADDC38}	2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}\stubpath = "C:\\Windows\\{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe"	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE1A534B-3B3A-48e9-8FDE-C988A5B811B2}	{2AF5E167-B788-4de9-8FDC-C160901AE6ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85BEF514-CE1F-4dca-AC7E-B78873775A75}\stubpath = "C:\\Windows\\{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe"	{9041350C-EE50-414e-9CE8-416D212EE781}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BCE2782-09A3-49ce-8BC9-35052E207AFD}\stubpath = "C:\\Windows\\{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe"	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA224D07-2394-488f-BA62-689A0DEAB74F}	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA224D07-2394-488f-BA62-689A0DEAB74F}\stubpath = "C:\\Windows\\{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe"	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEACC5F6-AD1B-4235-9EAC-033945676A11}\stubpath = "C:\\Windows\\{CEACC5F6-AD1B-4235-9EAC-033945676A11}.exe"	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85BEF514-CE1F-4dca-AC7E-B78873775A75}	{9041350C-EE50-414e-9CE8-416D212EE781}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}\stubpath = "C:\\Windows\\{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe"	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BCE2782-09A3-49ce-8BC9-35052E207AFD}	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEACC5F6-AD1B-4235-9EAC-033945676A11}	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE1A534B-3B3A-48e9-8FDE-C988A5B811B2}\stubpath = "C:\\Windows\\{AE1A534B-3B3A-48e9-8FDE-C988A5B811B2}.exe"	{2AF5E167-B788-4de9-8FDC-C160901AE6ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8758ED88-3635-4735-8595-9EEB1B18FABD}	{AE1A534B-3B3A-48e9-8FDE-C988A5B811B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AC07853-97ED-41c8-9B13-5FE550ADDC38}\stubpath = "C:\\Windows\\{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe"	2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9041350C-EE50-414e-9CE8-416D212EE781}	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9041350C-EE50-414e-9CE8-416D212EE781}\stubpath = "C:\\Windows\\{9041350C-EE50-414e-9CE8-416D212EE781}.exe"	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AF5E167-B788-4de9-8FDC-C160901AE6ED}	{CEACC5F6-AD1B-4235-9EAC-033945676A11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AF5E167-B788-4de9-8FDC-C160901AE6ED}\stubpath = "C:\\Windows\\{2AF5E167-B788-4de9-8FDC-C160901AE6ED}.exe"	{CEACC5F6-AD1B-4235-9EAC-033945676A11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8758ED88-3635-4735-8595-9EEB1B18FABD}\stubpath = "C:\\Windows\\{8758ED88-3635-4735-8595-9EEB1B18FABD}.exe"	{AE1A534B-3B3A-48e9-8FDE-C988A5B811B2}.exe

Deletes itself 1 IoCs

pid	Process
2952	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2536	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe
2500	{9041350C-EE50-414e-9CE8-416D212EE781}.exe
2596	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe
2368	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe
864	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe
1604	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe
1184	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe
2264	{CEACC5F6-AD1B-4235-9EAC-033945676A11}.exe
3052	{2AF5E167-B788-4de9-8FDC-C160901AE6ED}.exe
2068	{AE1A534B-3B3A-48e9-8FDE-C988A5B811B2}.exe
812	{8758ED88-3635-4735-8595-9EEB1B18FABD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe
File created	C:\Windows\{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe
File created	C:\Windows\{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe
File created	C:\Windows\{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe	2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe
File created	C:\Windows\{9041350C-EE50-414e-9CE8-416D212EE781}.exe	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe
File created	C:\Windows\{CEACC5F6-AD1B-4235-9EAC-033945676A11}.exe	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe
File created	C:\Windows\{2AF5E167-B788-4de9-8FDC-C160901AE6ED}.exe	{CEACC5F6-AD1B-4235-9EAC-033945676A11}.exe
File created	C:\Windows\{AE1A534B-3B3A-48e9-8FDE-C988A5B811B2}.exe	{2AF5E167-B788-4de9-8FDC-C160901AE6ED}.exe
File created	C:\Windows\{8758ED88-3635-4735-8595-9EEB1B18FABD}.exe	{AE1A534B-3B3A-48e9-8FDE-C988A5B811B2}.exe
File created	C:\Windows\{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe	{9041350C-EE50-414e-9CE8-416D212EE781}.exe
File created	C:\Windows\{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1540	2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2536	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe
Token: SeIncBasePriorityPrivilege	2500	{9041350C-EE50-414e-9CE8-416D212EE781}.exe
Token: SeIncBasePriorityPrivilege	2596	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe
Token: SeIncBasePriorityPrivilege	2368	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe
Token: SeIncBasePriorityPrivilege	864	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe
Token: SeIncBasePriorityPrivilege	1604	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe
Token: SeIncBasePriorityPrivilege	1184	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe
Token: SeIncBasePriorityPrivilege	2264	{CEACC5F6-AD1B-4235-9EAC-033945676A11}.exe
Token: SeIncBasePriorityPrivilege	3052	{2AF5E167-B788-4de9-8FDC-C160901AE6ED}.exe
Token: SeIncBasePriorityPrivilege	2068	{AE1A534B-3B3A-48e9-8FDE-C988A5B811B2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2536	1540	2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe	28
PID 1540 wrote to memory of 2536	1540	2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe	28
PID 1540 wrote to memory of 2536	1540	2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe	28
PID 1540 wrote to memory of 2536	1540	2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe	28
PID 1540 wrote to memory of 2952	1540	2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe	29
PID 1540 wrote to memory of 2952	1540	2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe	29
PID 1540 wrote to memory of 2952	1540	2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe	29
PID 1540 wrote to memory of 2952	1540	2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe	29
PID 2536 wrote to memory of 2500	2536	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe	30
PID 2536 wrote to memory of 2500	2536	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe	30
PID 2536 wrote to memory of 2500	2536	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe	30
PID 2536 wrote to memory of 2500	2536	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe	30
PID 2536 wrote to memory of 2600	2536	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe	31
PID 2536 wrote to memory of 2600	2536	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe	31
PID 2536 wrote to memory of 2600	2536	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe	31
PID 2536 wrote to memory of 2600	2536	{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe	31
PID 2500 wrote to memory of 2596	2500	{9041350C-EE50-414e-9CE8-416D212EE781}.exe	32
PID 2500 wrote to memory of 2596	2500	{9041350C-EE50-414e-9CE8-416D212EE781}.exe	32
PID 2500 wrote to memory of 2596	2500	{9041350C-EE50-414e-9CE8-416D212EE781}.exe	32
PID 2500 wrote to memory of 2596	2500	{9041350C-EE50-414e-9CE8-416D212EE781}.exe	32
PID 2500 wrote to memory of 2380	2500	{9041350C-EE50-414e-9CE8-416D212EE781}.exe	33
PID 2500 wrote to memory of 2380	2500	{9041350C-EE50-414e-9CE8-416D212EE781}.exe	33
PID 2500 wrote to memory of 2380	2500	{9041350C-EE50-414e-9CE8-416D212EE781}.exe	33
PID 2500 wrote to memory of 2380	2500	{9041350C-EE50-414e-9CE8-416D212EE781}.exe	33
PID 2596 wrote to memory of 2368	2596	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe	36
PID 2596 wrote to memory of 2368	2596	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe	36
PID 2596 wrote to memory of 2368	2596	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe	36
PID 2596 wrote to memory of 2368	2596	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe	36
PID 2596 wrote to memory of 548	2596	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe	37
PID 2596 wrote to memory of 548	2596	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe	37
PID 2596 wrote to memory of 548	2596	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe	37
PID 2596 wrote to memory of 548	2596	{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe	37
PID 2368 wrote to memory of 864	2368	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe	38
PID 2368 wrote to memory of 864	2368	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe	38
PID 2368 wrote to memory of 864	2368	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe	38
PID 2368 wrote to memory of 864	2368	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe	38
PID 2368 wrote to memory of 2636	2368	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe	39
PID 2368 wrote to memory of 2636	2368	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe	39
PID 2368 wrote to memory of 2636	2368	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe	39
PID 2368 wrote to memory of 2636	2368	{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe	39
PID 864 wrote to memory of 1604	864	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe	40
PID 864 wrote to memory of 1604	864	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe	40
PID 864 wrote to memory of 1604	864	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe	40
PID 864 wrote to memory of 1604	864	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe	40
PID 864 wrote to memory of 1488	864	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe	41
PID 864 wrote to memory of 1488	864	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe	41
PID 864 wrote to memory of 1488	864	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe	41
PID 864 wrote to memory of 1488	864	{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe	41
PID 1604 wrote to memory of 1184	1604	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe	42
PID 1604 wrote to memory of 1184	1604	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe	42
PID 1604 wrote to memory of 1184	1604	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe	42
PID 1604 wrote to memory of 1184	1604	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe	42
PID 1604 wrote to memory of 1720	1604	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe	43
PID 1604 wrote to memory of 1720	1604	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe	43
PID 1604 wrote to memory of 1720	1604	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe	43
PID 1604 wrote to memory of 1720	1604	{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe	43
PID 1184 wrote to memory of 2264	1184	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe	44
PID 1184 wrote to memory of 2264	1184	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe	44
PID 1184 wrote to memory of 2264	1184	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe	44
PID 1184 wrote to memory of 2264	1184	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe	44
PID 1184 wrote to memory of 1180	1184	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe	45
PID 1184 wrote to memory of 1180	1184	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe	45
PID 1184 wrote to memory of 1180	1184	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe	45
PID 1184 wrote to memory of 1180	1184	{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-22_ecc271e769b6e917219bc673229c0bbc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe
  C:\Windows\{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\{9041350C-EE50-414e-9CE8-416D212EE781}.exe
    C:\Windows\{9041350C-EE50-414e-9CE8-416D212EE781}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe
      C:\Windows\{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe
        
        C:\Windows\{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe
        
        C:\Windows\{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe
        
        C:\Windows\{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe
        
        C:\Windows\{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\{CEACC5F6-AD1B-4235-9EAC-033945676A11}.exe
        
        C:\Windows\{CEACC5F6-AD1B-4235-9EAC-033945676A11}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{2AF5E167-B788-4de9-8FDC-C160901AE6ED}.exe
        
        C:\Windows\{2AF5E167-B788-4de9-8FDC-C160901AE6ED}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\{AE1A534B-3B3A-48e9-8FDE-C988A5B811B2}.exe
        
        C:\Windows\{AE1A534B-3B3A-48e9-8FDE-C988A5B811B2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{8758ED88-3635-4735-8595-9EEB1B18FABD}.exe
        
        C:\Windows\{8758ED88-3635-4735-8595-9EEB1B18FABD}.exe
        12⤵
        Executes dropped EXE
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE1A5~1.EXE > nul
        12⤵
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AF5E~1.EXE > nul
        11⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEACC~1.EXE > nul
        10⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA224~1.EXE > nul
        9⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BCE2~1.EXE > nul
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D946F~1.EXE > nul
        7⤵
        
        PID:1488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2F00~1.EXE > nul
        6⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85BEF~1.EXE > nul
        5⤵
        
        PID:548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{90413~1.EXE > nul
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8AC07~1.EXE > nul
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2AF5E167-B788-4de9-8FDC-C160901AE6ED}.exe

Filesize
344KB

MD5
2172c01a7e31f3471771784161921b02

SHA1
9e4e5b863c511fc8084dd41695c43083980581e1

SHA256
e5dd702e732fe257e692eed5abc2cef8bded1e581b5bb5bf471d9f0893f4aa4b

SHA512
3c15447281c28e75a5236935ab1028e4accd423c7b2f5c520da34fa6edd3fd6576d951c2aa9aac112524d77e869fd6a35c4215f6b45b10733bace56958558f34

Download Submit
C:\Windows\{5BCE2782-09A3-49ce-8BC9-35052E207AFD}.exe

Filesize
344KB

MD5
04834ed3bbbfb1facbeb628da4eac1c5

SHA1
db7b3e539c214a90189147dd23468bfbd0c87af8

SHA256
030fb6810a97a3c4723fc5b9ca5211a263a5473762458c6ffd1b8c48f83a8633

SHA512
21a607c57781dad17a33ef62f71474d7800b2f6c00928d9731fd8dc826e4c973c1102a3956495060f4bb34bcbdd9793d0b7ae8352bd37c76e87bbb48875e2808

Download Submit
C:\Windows\{85BEF514-CE1F-4dca-AC7E-B78873775A75}.exe

Filesize
344KB

MD5
1ef6bfdb575b0a382b91ed381c5f9efe

SHA1
3f796b3816b75bf2b83e75d0271b5d1be4628324

SHA256
4300391ff98cd3aa63ce638d4d8283edaa6680de460c92b932cd17d1d64bd73a

SHA512
9f41cdfc7646515e06371047af8daa972c37e4354a00a44cbcb562fe06a88b01aa5168f2176d8eecdea229f7ac37a285d038a969d42d3230a457b724459c7309

Download Submit
C:\Windows\{8758ED88-3635-4735-8595-9EEB1B18FABD}.exe

Filesize
344KB

MD5
03788f79f3ecbab8688a59774abc3d52

SHA1
915a0af7bd7e458bc67f6510f37d42e6d619a351

SHA256
4f2e6bb849fba94a024a05b74bebe18ddf44215889de9f09307d3c896f9d5c74

SHA512
c96bfe032639ce8618860a8028be6ce5fb5e9aab758699051210306325ebe56c545305529b34c6959e8bb72b43dcefc899c363543ce3733bd61604c2411c09d0

Download Submit
C:\Windows\{8AC07853-97ED-41c8-9B13-5FE550ADDC38}.exe

Filesize
344KB

MD5
03162fba1750e0aa68f9309099d0fbeb

SHA1
8c847992801541361bbd340da90d1a430515a178

SHA256
b52da43fa0d5dd7a7a330968a60a9d48c46fa206fad7e93610e2dcf5c7842821

SHA512
26ae5a1e684f2054a51bb0c369604293d6c72df25bfbed4b1117021ad92d6293762936cf88d7565a95b7f8afa545ba15ec1afb56b41bc3119c162e719efe72ae

Download Submit
C:\Windows\{9041350C-EE50-414e-9CE8-416D212EE781}.exe

Filesize
344KB

MD5
f29a560f83cfcce3f18273d2b441688e

SHA1
7bda50682f8fc16feda7bbfed457ec792267250e

SHA256
f5fde9a395b827455de520096fc3e60b21582cea17d9c4e98a183a4173724531

SHA512
d784b4b7991ed165e50d25937f4215b577e2cf9c58ed6035bc28e32b723bb7cf4df23a548914d4fe43fec6ea610ae9d8f7351a3a15a7a7f37473b06defb31894

Download Submit
C:\Windows\{AE1A534B-3B3A-48e9-8FDE-C988A5B811B2}.exe

Filesize
344KB

MD5
27d5fb0ccada93299a8142bf7d7cc174

SHA1
97e440efb12c10f16133fc3a1ba4e1f613200cdd

SHA256
0ddf16938bfad1a7406fffa28b56c68b5066540e045fc016ca72c7e7b9d8bf54

SHA512
36878455782498f70aa8f3dfac7c849bfdcfa703112c8dbd140f697f8e67ecf2468cad5e23e34b1a52f68057220c127f868bee7409f52d3a2a084f4ac88f1826

Download Submit
C:\Windows\{CEACC5F6-AD1B-4235-9EAC-033945676A11}.exe

Filesize
344KB

MD5
011223e534906f06cbd8a99c9d7cb067

SHA1
d3e26f10bc8235832eaac07b5b35bd2242df1427

SHA256
fdfd9bfebb8c26088aa6f30e8277e76002d4c59174cba112b5bd9d40c0367098

SHA512
b86edd50f55e56aba51b43dc44b7b050284f63120be0ee23bfcb690f608d4217c20c13e3f4b466e1d3abc2201388e62c217deed3fb0277cc0339985ff8c8b969

Download Submit
C:\Windows\{D946FFE9-0507-4ccb-BF65-FDAB352EEAEC}.exe

Filesize
344KB

MD5
3449d59b998c112e05a5da727c2940ef

SHA1
14cd072fee78b910b901ba21dac23843bd171cc3

SHA256
025df8fed2c14c931672ebb0831eea74cc058b03abf533a3e74e4a2e39db32f7

SHA512
b0b8a5a8c3e7311da25036e5bfdb3e1cd7a73adce98ea204e1c07a664ee35e7e6cfbf85e392f9d7cdd386230ff7c08acb3745db5ac3d939ff9b8cc5c97dda28a

Download Submit
C:\Windows\{E2F00070-AAA3-4ad2-80C3-21BF77C419B8}.exe

Filesize
344KB

MD5
7e36d94d921781a1688190880f17abb7

SHA1
e53efdae5c81c5c7ed8d4588f3049a761c9e48c1

SHA256
cc1b68f7ae3938cf4234dbc303b0c251b22c3eb73713e83fcd3db87c1f373ca9

SHA512
86a7571e8755f690c42453e2afbaf6ecc914c554cd51c806acbd3862ce19a112842292a2e82d229259e4bb9c2ce35c27ccedfc7db217d75342032bcd1c4726e4

Download Submit
C:\Windows\{FA224D07-2394-488f-BA62-689A0DEAB74F}.exe

Filesize
344KB

MD5
2b36a7de39d1dc4b7cb62742485c174b

SHA1
3e592f84c717cd36402d8ca8e476222fbbc27a83

SHA256
00108c16ae9a7dc7221b5daa3d787721eec241ca5e6832cb082f6f7b27186b34

SHA512
3d965b7908f3ed0818fa836e7fbe7d86ecb443a8e12adaf322cce5e8e175a24c37642914e68bcaeb0c1acbf797fcd53ee19137ce16bb4f73fc641268cbf71dd8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads