5e08fdca503429ce6b3d9623187e9a5351817a139abac09ca05bbae33020dd1e

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe
Size

380KB
MD5

d94181afe75ed07ca5556964d38bd198
SHA1

076cb5c2c14957716b2ad964eec7f8f9e524b444
SHA256

5e08fdca503429ce6b3d9623187e9a5351817a139abac09ca05bbae33020dd1e
SHA512

6d9c5d3f8a3789769051becdb86497fd66176f21d03a3b22d40fa31d7ccd16df6ce4da33dbcf40c6818bb3cc03365a1695afbf90593831f285a95e4983c127b9
SSDEEP

3072:mEGh0oalPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG8l7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012251-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012331-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012251-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0032000000013a88-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012251-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012251-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012251-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33552CAE-0656-4c26-8E87-19ACAD62E905}\stubpath = "C:\\Windows\\{33552CAE-0656-4c26-8E87-19ACAD62E905}.exe"	{36B11B6F-74DF-41fe-A82E-978FF5790C79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49ADC4EB-F92B-4fa3-8352-D95184FD735D}\stubpath = "C:\\Windows\\{49ADC4EB-F92B-4fa3-8352-D95184FD735D}.exe"	{33552CAE-0656-4c26-8E87-19ACAD62E905}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{593BB004-B8EB-4f50-B939-2757A5B3FDFF}\stubpath = "C:\\Windows\\{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe"	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}\stubpath = "C:\\Windows\\{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe"	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3084AAAD-6ADC-4560-92F9-E605776AF8D0}	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3084AAAD-6ADC-4560-92F9-E605776AF8D0}\stubpath = "C:\\Windows\\{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe"	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F918288-B44D-434a-8A95-FDD04EC9669A}\stubpath = "C:\\Windows\\{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe"	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{759916E7-A6B4-446e-9828-5437F17CCE9A}\stubpath = "C:\\Windows\\{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe"	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33552CAE-0656-4c26-8E87-19ACAD62E905}	{36B11B6F-74DF-41fe-A82E-978FF5790C79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49ADC4EB-F92B-4fa3-8352-D95184FD735D}	{33552CAE-0656-4c26-8E87-19ACAD62E905}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}	2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}\stubpath = "C:\\Windows\\{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe"	2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{135096AB-BC52-4be9-A71E-D1BADDD7997B}	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{135096AB-BC52-4be9-A71E-D1BADDD7997B}\stubpath = "C:\\Windows\\{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe"	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{759916E7-A6B4-446e-9828-5437F17CCE9A}	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{588E12DA-BCD0-439c-A1B2-93803194EDCB}\stubpath = "C:\\Windows\\{588E12DA-BCD0-439c-A1B2-93803194EDCB}.exe"	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{593BB004-B8EB-4f50-B939-2757A5B3FDFF}	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F918288-B44D-434a-8A95-FDD04EC9669A}	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{588E12DA-BCD0-439c-A1B2-93803194EDCB}	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36B11B6F-74DF-41fe-A82E-978FF5790C79}	{588E12DA-BCD0-439c-A1B2-93803194EDCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36B11B6F-74DF-41fe-A82E-978FF5790C79}\stubpath = "C:\\Windows\\{36B11B6F-74DF-41fe-A82E-978FF5790C79}.exe"	{588E12DA-BCD0-439c-A1B2-93803194EDCB}.exe

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2368	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe
2028	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe
2556	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe
2116	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe
2784	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe
2300	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe
284	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe
1176	{588E12DA-BCD0-439c-A1B2-93803194EDCB}.exe
2236	{36B11B6F-74DF-41fe-A82E-978FF5790C79}.exe
2232	{33552CAE-0656-4c26-8E87-19ACAD62E905}.exe
1080	{49ADC4EB-F92B-4fa3-8352-D95184FD735D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{36B11B6F-74DF-41fe-A82E-978FF5790C79}.exe	{588E12DA-BCD0-439c-A1B2-93803194EDCB}.exe
File created	C:\Windows\{33552CAE-0656-4c26-8E87-19ACAD62E905}.exe	{36B11B6F-74DF-41fe-A82E-978FF5790C79}.exe
File created	C:\Windows\{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe	2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe
File created	C:\Windows\{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe
File created	C:\Windows\{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe
File created	C:\Windows\{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe
File created	C:\Windows\{49ADC4EB-F92B-4fa3-8352-D95184FD735D}.exe	{33552CAE-0656-4c26-8E87-19ACAD62E905}.exe
File created	C:\Windows\{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe
File created	C:\Windows\{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe
File created	C:\Windows\{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe
File created	C:\Windows\{588E12DA-BCD0-439c-A1B2-93803194EDCB}.exe	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2876	2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2368	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe
Token: SeIncBasePriorityPrivilege	2028	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe
Token: SeIncBasePriorityPrivilege	2556	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe
Token: SeIncBasePriorityPrivilege	2116	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe
Token: SeIncBasePriorityPrivilege	2784	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe
Token: SeIncBasePriorityPrivilege	2300	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe
Token: SeIncBasePriorityPrivilege	284	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe
Token: SeIncBasePriorityPrivilege	1176	{588E12DA-BCD0-439c-A1B2-93803194EDCB}.exe
Token: SeIncBasePriorityPrivilege	2236	{36B11B6F-74DF-41fe-A82E-978FF5790C79}.exe
Token: SeIncBasePriorityPrivilege	2232	{33552CAE-0656-4c26-8E87-19ACAD62E905}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2368	2876	2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe	28
PID 2876 wrote to memory of 2368	2876	2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe	28
PID 2876 wrote to memory of 2368	2876	2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe	28
PID 2876 wrote to memory of 2368	2876	2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe	28
PID 2876 wrote to memory of 2564	2876	2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe	29
PID 2876 wrote to memory of 2564	2876	2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe	29
PID 2876 wrote to memory of 2564	2876	2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe	29
PID 2876 wrote to memory of 2564	2876	2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe	29
PID 2368 wrote to memory of 2028	2368	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe	30
PID 2368 wrote to memory of 2028	2368	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe	30
PID 2368 wrote to memory of 2028	2368	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe	30
PID 2368 wrote to memory of 2028	2368	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe	30
PID 2368 wrote to memory of 2676	2368	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe	31
PID 2368 wrote to memory of 2676	2368	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe	31
PID 2368 wrote to memory of 2676	2368	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe	31
PID 2368 wrote to memory of 2676	2368	{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe	31
PID 2028 wrote to memory of 2556	2028	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe	32
PID 2028 wrote to memory of 2556	2028	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe	32
PID 2028 wrote to memory of 2556	2028	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe	32
PID 2028 wrote to memory of 2556	2028	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe	32
PID 2028 wrote to memory of 2656	2028	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe	33
PID 2028 wrote to memory of 2656	2028	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe	33
PID 2028 wrote to memory of 2656	2028	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe	33
PID 2028 wrote to memory of 2656	2028	{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe	33
PID 2556 wrote to memory of 2116	2556	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe	36
PID 2556 wrote to memory of 2116	2556	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe	36
PID 2556 wrote to memory of 2116	2556	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe	36
PID 2556 wrote to memory of 2116	2556	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe	36
PID 2556 wrote to memory of 2644	2556	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe	37
PID 2556 wrote to memory of 2644	2556	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe	37
PID 2556 wrote to memory of 2644	2556	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe	37
PID 2556 wrote to memory of 2644	2556	{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe	37
PID 2116 wrote to memory of 2784	2116	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe	38
PID 2116 wrote to memory of 2784	2116	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe	38
PID 2116 wrote to memory of 2784	2116	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe	38
PID 2116 wrote to memory of 2784	2116	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe	38
PID 2116 wrote to memory of 1772	2116	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe	39
PID 2116 wrote to memory of 1772	2116	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe	39
PID 2116 wrote to memory of 1772	2116	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe	39
PID 2116 wrote to memory of 1772	2116	{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe	39
PID 2784 wrote to memory of 2300	2784	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe	40
PID 2784 wrote to memory of 2300	2784	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe	40
PID 2784 wrote to memory of 2300	2784	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe	40
PID 2784 wrote to memory of 2300	2784	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe	40
PID 2784 wrote to memory of 1268	2784	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe	41
PID 2784 wrote to memory of 1268	2784	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe	41
PID 2784 wrote to memory of 1268	2784	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe	41
PID 2784 wrote to memory of 1268	2784	{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe	41
PID 2300 wrote to memory of 284	2300	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe	42
PID 2300 wrote to memory of 284	2300	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe	42
PID 2300 wrote to memory of 284	2300	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe	42
PID 2300 wrote to memory of 284	2300	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe	42
PID 2300 wrote to memory of 2460	2300	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe	43
PID 2300 wrote to memory of 2460	2300	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe	43
PID 2300 wrote to memory of 2460	2300	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe	43
PID 2300 wrote to memory of 2460	2300	{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe	43
PID 284 wrote to memory of 1176	284	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe	44
PID 284 wrote to memory of 1176	284	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe	44
PID 284 wrote to memory of 1176	284	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe	44
PID 284 wrote to memory of 1176	284	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe	44
PID 284 wrote to memory of 2024	284	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe	45
PID 284 wrote to memory of 2024	284	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe	45
PID 284 wrote to memory of 2024	284	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe	45
PID 284 wrote to memory of 2024	284	{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-05_d94181afe75ed07ca5556964d38bd198_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe
  C:\Windows\{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe
    C:\Windows\{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe
      C:\Windows\{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe
        
        C:\Windows\{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe
        
        C:\Windows\{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe
        
        C:\Windows\{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe
        
        C:\Windows\{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\{588E12DA-BCD0-439c-A1B2-93803194EDCB}.exe
        
        C:\Windows\{588E12DA-BCD0-439c-A1B2-93803194EDCB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\Windows\{36B11B6F-74DF-41fe-A82E-978FF5790C79}.exe
        
        C:\Windows\{36B11B6F-74DF-41fe-A82E-978FF5790C79}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\{33552CAE-0656-4c26-8E87-19ACAD62E905}.exe
        
        C:\Windows\{33552CAE-0656-4c26-8E87-19ACAD62E905}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{49ADC4EB-F92B-4fa3-8352-D95184FD735D}.exe
        
        C:\Windows\{49ADC4EB-F92B-4fa3-8352-D95184FD735D}.exe
        12⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33552~1.EXE > nul
        12⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36B11~1.EXE > nul
        11⤵
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{588E1~1.EXE > nul
        10⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75991~1.EXE > nul
        9⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F918~1.EXE > nul
        8⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3084A~1.EXE > nul
        7⤵
        
        PID:1268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6D3C~1.EXE > nul
        6⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13509~1.EXE > nul
        5⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{593BB~1.EXE > nul
      4⤵
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{33DB0~1.EXE > nul
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F918288-B44D-434a-8A95-FDD04EC9669A}.exe

Filesize
380KB

MD5
07cf6b114389ca3fde0d26615c90c8bd

SHA1
4da1f1452c693b674497d9870c322d999dc11081

SHA256
ec51f0f03a4fcf4f004ffa6b20d63837438086d83ca4348ea452fe184f1b5ba0

SHA512
a6c5108fff4c29802ea98e5faf860fe06e9095b18b77350510603ce521de1dfb6e7c2cff73652dbe748d40e09fa829721a0241bb30be282017810bee71a59a43

Download Submit
C:\Windows\{135096AB-BC52-4be9-A71E-D1BADDD7997B}.exe

Filesize
380KB

MD5
bdd37736b3ee612242ef4a11e59736a1

SHA1
34d51c9417db7ceb8eee2d18046904df45b9fe1c

SHA256
9312aa4ff9a06823621ecc113bd0046d913a33af7159091d4b1b61a5922da0bd

SHA512
987762d53c46986d444acb75b093bba9b2742ac6c5313eeda961b41a11811d3ce86fcadf62725b31b6189e1c198cd6ed6a8df26bdcf59ff434153b2ceb87a6a4

Download Submit
C:\Windows\{3084AAAD-6ADC-4560-92F9-E605776AF8D0}.exe

Filesize
380KB

MD5
ec66d52bf6048220f874fb1053b2c8b9

SHA1
f6b5170d5a9dac5b3f8721cab182409fc798b7c7

SHA256
cab5b555384c366dc3d65331f4312ab304c9841194fe7e5843befabb6b006e23

SHA512
0c4b6999b5b7d2569f038385fb1af4fb0b83fd23e7b10397203a3309f92019f14be9fc8958f323ff6b65505f4fea2a960762fc32b818db920104b0acd6c1bf3f

Download Submit
C:\Windows\{33552CAE-0656-4c26-8E87-19ACAD62E905}.exe

Filesize
380KB

MD5
734468fd74eeec116c52911d5f89ae8b

SHA1
54c8854bd6a70256d349842faea938549f7e2815

SHA256
1f545575fc545aac887e195a2df613a40090f2d12ec55f6f11a85dd2fac20ec0

SHA512
60aaf3627974e049c5ff106e3d6c9d2ae61779d9dd693ee01f7010b69562241f63e1bdbb8480b4fd452842e5a872ddc377949fbbddb8f8daeaefef8499e4be41

Download Submit
C:\Windows\{33DB05C0-A4D9-48e5-BB89-BAD264D33F2B}.exe

Filesize
380KB

MD5
2fc9a1807059bcbd05b3e0a87646ef65

SHA1
c94151126b2bab473e52410040b5513af8836ee9

SHA256
48b76bd0392ada55d09b30c2c5c735aebc363e716bf009773499fab680e729cd

SHA512
213a40dff0bcd038e32a608252bd389deb832c29eb8513d36493b4814704a3a0041d13574f7bb3bf63a94dfb35ee491548030ea41f5771dc4975b7cfedc9c7a9

Download Submit
C:\Windows\{36B11B6F-74DF-41fe-A82E-978FF5790C79}.exe

Filesize
380KB

MD5
b4d80204d5330ebfb9bc142386d1aa6e

SHA1
f717b9570fde027c1733ac909e6f23d73f3333f2

SHA256
e82f669e115a159dec2286dd4be877918dbf9735b549e79ea243004c5370f1d8

SHA512
e66f21bf6e34856b30e848fa359f202152f9cc04cd78670233ea0e20c201e97180b8c80b073aca832eb79886eda4c13c25f54c3a88ebb9c2a9700bbaf7ffba96

Download Submit
C:\Windows\{49ADC4EB-F92B-4fa3-8352-D95184FD735D}.exe

Filesize
380KB

MD5
04da251e5b4fe4c3fd3c1956f1f88c29

SHA1
268a359d4b3717c1f89fa4a2b6665eb85fa12239

SHA256
a666ac1cf291a0c93d8bfb1c2079db71a23e97931534341439b8b32eae63b48e

SHA512
4e9ee6ccf988f6595bc243de688dc65ced15c710d76d538b6be2a74f27485317dd562f6205af62f326229644f229ff1547b33340838e90edd0513b8ddfeae3de

Download Submit
C:\Windows\{588E12DA-BCD0-439c-A1B2-93803194EDCB}.exe

Filesize
380KB

MD5
edcfad13c5d0344689b2ebb838822c9d

SHA1
d84f91f56412d96d1101e005a494beb1bfa94e13

SHA256
67b0070cec4e3f157695c8ffdeb7bf7acc8a498210819f70642b80c06b3daefd

SHA512
79eefcdea49b08fa06d7740be527670cf2e22b90d2f9934574d3235cc9cf916957471e77c642c743592681541fc909a7011aa0d3fb534e66793f1ffa65c1e330

Download Submit
C:\Windows\{593BB004-B8EB-4f50-B939-2757A5B3FDFF}.exe

Filesize
380KB

MD5
221f16e9c40570076337bdb9ef4f3201

SHA1
6e0ed515a1d9c4d3a6521305c64c99929a072c0b

SHA256
38ae0c98298fca51fa2f75df541230ec82aef3562e169a3382bedb37fa272857

SHA512
aebf50b2c9f6a1029b9dedbde1d23f64eee5e1544ac8e92efcabcd2dc455fa5e1cbaa37fd7904b4071f462a93891ae517084e66531e72f95ab4c8f55ecfd5966

Download Submit
C:\Windows\{759916E7-A6B4-446e-9828-5437F17CCE9A}.exe

Filesize
380KB

MD5
4ccced07c4105594da7229b0ef5acb78

SHA1
12b60900ae7d1f6f3f656cfae52ccd7d4d3b30a6

SHA256
e63344daa64ec3a519cb16323bf5e2aef2852a0a5cfa35620dccfd833d54a6c3

SHA512
a3b2bee62983399334e99f8abc0e7f654b69a33a3ff7f40ec8a06efdebaecf8168c5332d646045c51727170d47fcf5270fa4a466437c1e111b72766b2fa6cf1a

Download Submit
C:\Windows\{B6D3C0E8-5427-4b6e-B42E-E7F59039109E}.exe

Filesize
380KB

MD5
f09e50d2a2ff7c56a0fe29b05a91d14b

SHA1
4db0046341ea5b2fe1c165b7da2782863266d6ab

SHA256
4f45311275a5cf9f226127c48b071a1671267efd55f9f6020655bc3baa5348ae

SHA512
1ceaf09f67f180686fe0a0ae9cb3ca815bffe865a44f3abcdcc42e2ddd771490f38d1351078efbdf02f5701abdfceba95e1bd22660ebaf16ae48e7a9b9bea2f9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads