6d733f2fe1c7c2435516753e64a83ca9373e7adb185aec53ecd17b70d438917f

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 17:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe
Size

197KB
MD5

2fc5f476cbb0979b13c5533c861531a9
SHA1

dbd6817da7342b87fa4fb0781a52fa38a3db882c
SHA256

6d733f2fe1c7c2435516753e64a83ca9373e7adb185aec53ecd17b70d438917f
SHA512

b49633dfaabaa597a769dffffe367a739cd3646e0eecac1404165b260be04c23956d835e97b361cfe70fa91f2a22684e1a63962f4f08ae071c54d4ccd5f0cd32
SSDEEP

3072:jEGh0oml+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEG4lEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001224d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001431b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001224d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001224d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74883814-ACC6-47db-802E-C70EA9B39ED7}\stubpath = "C:\\Windows\\{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe"	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC871AC5-6139-4187-A0EA-A045D7F36B32}	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}\stubpath = "C:\\Windows\\{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe"	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08477938-8A0A-409e-AB9B-FE5BEAC59314}\stubpath = "C:\\Windows\\{08477938-8A0A-409e-AB9B-FE5BEAC59314}.exe"	{E56BE1E7-95F4-48ce-9BA5-2830B6071D42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E4800A7-66AB-4986-A1F8-9511F869ACB4}\stubpath = "C:\\Windows\\{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe"	2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}\stubpath = "C:\\Windows\\{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe"	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}\stubpath = "C:\\Windows\\{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe"	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EC9928B-E2E0-4387-97F5-406DAF02E7A0}	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EC9928B-E2E0-4387-97F5-406DAF02E7A0}\stubpath = "C:\\Windows\\{3EC9928B-E2E0-4387-97F5-406DAF02E7A0}.exe"	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D87C8B6B-2174-4e76-898E-9A6C0724B627}\stubpath = "C:\\Windows\\{D87C8B6B-2174-4e76-898E-9A6C0724B627}.exe"	{3EC9928B-E2E0-4387-97F5-406DAF02E7A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC871AC5-6139-4187-A0EA-A045D7F36B32}\stubpath = "C:\\Windows\\{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe"	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}\stubpath = "C:\\Windows\\{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe"	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56BE1E7-95F4-48ce-9BA5-2830B6071D42}	{D87C8B6B-2174-4e76-898E-9A6C0724B627}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E56BE1E7-95F4-48ce-9BA5-2830B6071D42}\stubpath = "C:\\Windows\\{E56BE1E7-95F4-48ce-9BA5-2830B6071D42}.exe"	{D87C8B6B-2174-4e76-898E-9A6C0724B627}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E4800A7-66AB-4986-A1F8-9511F869ACB4}	2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74883814-ACC6-47db-802E-C70EA9B39ED7}	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D87C8B6B-2174-4e76-898E-9A6C0724B627}	{3EC9928B-E2E0-4387-97F5-406DAF02E7A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08477938-8A0A-409e-AB9B-FE5BEAC59314}	{E56BE1E7-95F4-48ce-9BA5-2830B6071D42}.exe

Deletes itself 1 IoCs

pid	Process
2556	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2508	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe
2532	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe
2572	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe
1188	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe
2188	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe
2216	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe
1272	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe
2176	{3EC9928B-E2E0-4387-97F5-406DAF02E7A0}.exe
3048	{D87C8B6B-2174-4e76-898E-9A6C0724B627}.exe
2752	{E56BE1E7-95F4-48ce-9BA5-2830B6071D42}.exe
908	{08477938-8A0A-409e-AB9B-FE5BEAC59314}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe
File created	C:\Windows\{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe
File created	C:\Windows\{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe
File created	C:\Windows\{3EC9928B-E2E0-4387-97F5-406DAF02E7A0}.exe	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe
File created	C:\Windows\{D87C8B6B-2174-4e76-898E-9A6C0724B627}.exe	{3EC9928B-E2E0-4387-97F5-406DAF02E7A0}.exe
File created	C:\Windows\{E56BE1E7-95F4-48ce-9BA5-2830B6071D42}.exe	{D87C8B6B-2174-4e76-898E-9A6C0724B627}.exe
File created	C:\Windows\{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe
File created	C:\Windows\{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe
File created	C:\Windows\{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe
File created	C:\Windows\{08477938-8A0A-409e-AB9B-FE5BEAC59314}.exe	{E56BE1E7-95F4-48ce-9BA5-2830B6071D42}.exe
File created	C:\Windows\{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe	2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2792	2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2508	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe
Token: SeIncBasePriorityPrivilege	2532	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe
Token: SeIncBasePriorityPrivilege	2572	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe
Token: SeIncBasePriorityPrivilege	1188	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe
Token: SeIncBasePriorityPrivilege	2188	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe
Token: SeIncBasePriorityPrivilege	2216	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe
Token: SeIncBasePriorityPrivilege	1272	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe
Token: SeIncBasePriorityPrivilege	2176	{3EC9928B-E2E0-4387-97F5-406DAF02E7A0}.exe
Token: SeIncBasePriorityPrivilege	3048	{D87C8B6B-2174-4e76-898E-9A6C0724B627}.exe
Token: SeIncBasePriorityPrivilege	2752	{E56BE1E7-95F4-48ce-9BA5-2830B6071D42}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2508	2792	2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe	28
PID 2792 wrote to memory of 2508	2792	2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe	28
PID 2792 wrote to memory of 2508	2792	2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe	28
PID 2792 wrote to memory of 2508	2792	2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe	28
PID 2792 wrote to memory of 2556	2792	2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe	29
PID 2792 wrote to memory of 2556	2792	2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe	29
PID 2792 wrote to memory of 2556	2792	2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe	29
PID 2792 wrote to memory of 2556	2792	2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe	29
PID 2508 wrote to memory of 2532	2508	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe	30
PID 2508 wrote to memory of 2532	2508	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe	30
PID 2508 wrote to memory of 2532	2508	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe	30
PID 2508 wrote to memory of 2532	2508	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe	30
PID 2508 wrote to memory of 2516	2508	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe	31
PID 2508 wrote to memory of 2516	2508	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe	31
PID 2508 wrote to memory of 2516	2508	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe	31
PID 2508 wrote to memory of 2516	2508	{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe	31
PID 2532 wrote to memory of 2572	2532	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe	32
PID 2532 wrote to memory of 2572	2532	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe	32
PID 2532 wrote to memory of 2572	2532	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe	32
PID 2532 wrote to memory of 2572	2532	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe	32
PID 2532 wrote to memory of 2168	2532	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe	33
PID 2532 wrote to memory of 2168	2532	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe	33
PID 2532 wrote to memory of 2168	2532	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe	33
PID 2532 wrote to memory of 2168	2532	{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe	33
PID 2572 wrote to memory of 1188	2572	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe	36
PID 2572 wrote to memory of 1188	2572	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe	36
PID 2572 wrote to memory of 1188	2572	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe	36
PID 2572 wrote to memory of 1188	2572	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe	36
PID 2572 wrote to memory of 2660	2572	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe	37
PID 2572 wrote to memory of 2660	2572	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe	37
PID 2572 wrote to memory of 2660	2572	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe	37
PID 2572 wrote to memory of 2660	2572	{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe	37
PID 1188 wrote to memory of 2188	1188	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe	38
PID 1188 wrote to memory of 2188	1188	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe	38
PID 1188 wrote to memory of 2188	1188	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe	38
PID 1188 wrote to memory of 2188	1188	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe	38
PID 1188 wrote to memory of 2744	1188	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe	39
PID 1188 wrote to memory of 2744	1188	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe	39
PID 1188 wrote to memory of 2744	1188	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe	39
PID 1188 wrote to memory of 2744	1188	{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe	39
PID 2188 wrote to memory of 2216	2188	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe	40
PID 2188 wrote to memory of 2216	2188	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe	40
PID 2188 wrote to memory of 2216	2188	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe	40
PID 2188 wrote to memory of 2216	2188	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe	40
PID 2188 wrote to memory of 276	2188	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe	41
PID 2188 wrote to memory of 276	2188	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe	41
PID 2188 wrote to memory of 276	2188	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe	41
PID 2188 wrote to memory of 276	2188	{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe	41
PID 2216 wrote to memory of 1272	2216	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe	42
PID 2216 wrote to memory of 1272	2216	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe	42
PID 2216 wrote to memory of 1272	2216	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe	42
PID 2216 wrote to memory of 1272	2216	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe	42
PID 2216 wrote to memory of 1288	2216	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe	43
PID 2216 wrote to memory of 1288	2216	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe	43
PID 2216 wrote to memory of 1288	2216	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe	43
PID 2216 wrote to memory of 1288	2216	{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe	43
PID 1272 wrote to memory of 2176	1272	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe	44
PID 1272 wrote to memory of 2176	1272	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe	44
PID 1272 wrote to memory of 2176	1272	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe	44
PID 1272 wrote to memory of 2176	1272	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe	44
PID 1272 wrote to memory of 2008	1272	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe	45
PID 1272 wrote to memory of 2008	1272	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe	45
PID 1272 wrote to memory of 2008	1272	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe	45
PID 1272 wrote to memory of 2008	1272	{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-25_2fc5f476cbb0979b13c5533c861531a9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe
  C:\Windows\{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe
    C:\Windows\{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe
      C:\Windows\{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe
        
        C:\Windows\{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1188
      - C:\Windows\{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe
        
        C:\Windows\{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe
        
        C:\Windows\{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe
        
        C:\Windows\{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\{3EC9928B-E2E0-4387-97F5-406DAF02E7A0}.exe
        
        C:\Windows\{3EC9928B-E2E0-4387-97F5-406DAF02E7A0}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EC99~1.EXE > nul
        10⤵
        
        PID:2248
        
        C:\Windows\{D87C8B6B-2174-4e76-898E-9A6C0724B627}.exe
        
        C:\Windows\{D87C8B6B-2174-4e76-898E-9A6C0724B627}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D87C8~1.EXE > nul
        11⤵
        
        PID:1932
        
        C:\Windows\{E56BE1E7-95F4-48ce-9BA5-2830B6071D42}.exe
        
        C:\Windows\{E56BE1E7-95F4-48ce-9BA5-2830B6071D42}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E56BE~1.EXE > nul
        12⤵
        
        PID:1800
        
        C:\Windows\{08477938-8A0A-409e-AB9B-FE5BEAC59314}.exe
        
        C:\Windows\{08477938-8A0A-409e-AB9B-FE5BEAC59314}.exe
        12⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{242B3~1.EXE > nul
        9⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8143~1.EXE > nul
        8⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E513~1.EXE > nul
        7⤵
        
        PID:276
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC871~1.EXE > nul
        6⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEE6B~1.EXE > nul
        5⤵
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{74883~1.EXE > nul
      4⤵
      PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2E480~1.EXE > nul
    3⤵
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08477938-8A0A-409e-AB9B-FE5BEAC59314}.exe

Filesize
197KB

MD5
4be772ef88d6094f3b0c1916d9272c2b

SHA1
78766190b9fd78de56acc71c0c8458e53de06394

SHA256
c38b3e8aa5a628e02364f29e1cbe54a4f5207bb89fa27cffbdde7c6a20a31ff5

SHA512
ba926495719c8f4ed446da708dd2173727dd8c70721e8073a1655ae4ad2113240dc3975e715df77db458cf1d6359673385ecc0ce07a61f28d0ace364baf42992

Download Submit
C:\Windows\{242B3F43-7F3B-48b3-BE34-AFE72A752BC6}.exe

Filesize
197KB

MD5
3a0086cb5c4fcabe6bc202355bd736af

SHA1
a82ac3543c9c300b19e0a39de486fdbd7e098237

SHA256
2b5eaed5a668099f121be289fe6e3ee99eb1bd3a3d85ee482f4a85966b168674

SHA512
262bc2477d60b3f5afa8d46a711e7dbc1d978ccc60909d1f271bc7536a5523a76ad6608a74412e7d3c2eee3617329d230a65dc01570f41499dd0d79867287747

Download Submit
C:\Windows\{2E4800A7-66AB-4986-A1F8-9511F869ACB4}.exe

Filesize
197KB

MD5
93a9f93d99b12e5004f1c8d44a1ae124

SHA1
3525faf8fee74b23883583552ca35c66810d91ed

SHA256
547d9f63813cdb4bde51f29285d67a376ec477bdfc9436586c7284cfd71f0c5c

SHA512
9d7acf4684392b7eac18824cdeaa89329695bfcdc93671b531f9987ce07f8284bef80012d0fbb931257c10fd64962df5049a51038ac87f3a71f31d959e6d80bc

Download Submit
C:\Windows\{3EC9928B-E2E0-4387-97F5-406DAF02E7A0}.exe

Filesize
197KB

MD5
21d53ad6deb97804692e644503da87a0

SHA1
3a5ab836f7aefd84dd971df715d3e6515da4499c

SHA256
b286b998b1660740cbb18a2346b394d4fdffa5e97918687212b3f0f434bc4965

SHA512
70e0db3e3b40a0c7995f4dda55fa501af8a40725e2321b97c04efc11ac0eba7bed54ea63fff97d5e73c0e4a6865786ad1e2816aba64f63b25b57dd4abe864515

Download Submit
C:\Windows\{74883814-ACC6-47db-802E-C70EA9B39ED7}.exe

Filesize
197KB

MD5
c4016cf92217782db821223ff63e1876

SHA1
5dbbab332278bbb41eeaf385ceaa5dbb0a5c7f3d

SHA256
c10a5c7bedd1e1f9d74d41964f157be35650edb5ef4ee3a777c202cfee11c14b

SHA512
9274506310b6c4b470a7d7a2507f1f707b9bc27df6e808d81a5b8b383de6829078d3d30005ee0da6908b2ad54c99aa38dd774a792dc4ba17d1e6c926bddf8b07

Download Submit
C:\Windows\{9E513AB2-578C-4c2b-9BD5-1DF57951FDDF}.exe

Filesize
197KB

MD5
1cd84f0b8356773816efe38f2f5e710f

SHA1
4bcc719d3e352cafbdf47eb0f7374b476a7c6398

SHA256
e4348b43ccd1cde8a77ac2d3018e1af00b5d84bbcda63a0675545feea6fde05e

SHA512
3cf957f342bb4358d81a2d14308ca244e2f915cdd71bb96ec2b7f28668215e9c1d53344415320017c82ab4e31085131fa508ac5228cfc8a0ed9c98b503f79ef0

Download Submit
C:\Windows\{AC871AC5-6139-4187-A0EA-A045D7F36B32}.exe

Filesize
197KB

MD5
3a9d64472ae2a330ce4190c46672b17c

SHA1
622daf44662f030e23e61555236a1a4ca22d5344

SHA256
469f1a341d309ad93734d582764779124127445e4976b0518297774807f00193

SHA512
55b2b51f7bc3e126479503b8a167e664fecf22faf0aab59f5fe85f4ebe90c54e7a8e341074ae3f2725954f749a6624973680e6b1ce0f99c4e04bc8f4258b07fe

Download Submit
C:\Windows\{D87C8B6B-2174-4e76-898E-9A6C0724B627}.exe

Filesize
197KB

MD5
166c108a6243b569bcbf59b4ff651f84

SHA1
d87339914878a9ffc2cca90538856c3e8dc46599

SHA256
817ff5a04dc612700691dfd6f96277e72eb6962efb4ca61a2e992e4f544aa608

SHA512
3899823bd171a6afe8fdda3d438fb16a0f1273d35467e8ecb6adbd01dfa26602ce114e889563b84b9159fb9ff883c6834397b71c61b891d4c5451e8ff3b77935

Download Submit
C:\Windows\{E56BE1E7-95F4-48ce-9BA5-2830B6071D42}.exe

Filesize
197KB

MD5
f3c2b46e811f576c5f3a280b360e405f

SHA1
a0078447c27ee1eaf8480de0d77534da9e9c5deb

SHA256
47878e45c5b2daa49ec5431dd72e90e67e3d39db37ee4ae40fc5acb25a44c09c

SHA512
83caa89c93367c91ec723c36f0592609068807af3faca3d3964b4f64f42963f86f132300b16150defea0323d838f505ce31d6bcf778c53c6901ff1d1634858c1

Download Submit
C:\Windows\{E8143F8A-AADE-4306-9C8C-AC8BB9FF871C}.exe

Filesize
197KB

MD5
04c1daaf118c5d2c0b44bb69b3a24e6e

SHA1
9d3cdc000844e8a6bbf8a406915ce4854083926d

SHA256
67894ab70d09240d2311224e2f402095543dbd1d410e35ba115c18d2ed1ebf07

SHA512
4797a2ae29f90e1b292ad71529b7b83de05536fdd2ba9f604fa11d2b62ead939546b3f5e9eb295810d4d7978daaaf997a3cb4bb295eb990707bb9ebbf4371230

Download Submit
C:\Windows\{EEE6BD56-A590-4a80-8B46-BAFCA77C9C36}.exe

Filesize
197KB

MD5
8674cc40b877be5e2d9c460485468094

SHA1
c00dda561a0e264f76529eb8ba8f0c3e3f72b469

SHA256
87ad6de547500ccddda950fe422934e43653b3f239519ac6c0f84193d43d6a41

SHA512
cca8edfd24412506fac9d4935a672e00d4e911e427e931073768bfacd00de9dd07585b7b784992973faeb4debccd0382aa8a79705c3e3b59d0cb7fc1a107f252

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads