df8f7b4ced293aad99d973cb301ef049ff2d0be240f604bbefac7905f482ee0c

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe
Size

197KB
MD5

0d152b9ab06fb51c55516120b60e8aa3
SHA1

dffba86aad6b6f3915f989aa97085e3a462087b4
SHA256

df8f7b4ced293aad99d973cb301ef049ff2d0be240f604bbefac7905f482ee0c
SHA512

f6facb8c6a55ede6a1f98d30b0d207e748da81ed0351354ef1405134c2ddefafc81f92b5fabcff9c9ef301b6738229b8b82be8c45fb6f6897cfdb8b0310bd167
SSDEEP

3072:jEGh0oTl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGxlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012352-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000155f6-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012352-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015c6f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012352-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012352-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012352-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B94509A-BFB2-4f0b-B535-A4BC4A557076}	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A791427-43ED-4526-A450-625A3DEAF5E1}	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1249605C-6735-4a3f-8381-ADC4923B9DC5}\stubpath = "C:\\Windows\\{1249605C-6735-4a3f-8381-ADC4923B9DC5}.exe"	{31A6FED4-49E2-41db-A4F4-BA7B5784DDAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A791427-43ED-4526-A450-625A3DEAF5E1}\stubpath = "C:\\Windows\\{2A791427-43ED-4526-A450-625A3DEAF5E1}.exe"	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31A6FED4-49E2-41db-A4F4-BA7B5784DDAE}	{5F3F8A80-8E2F-4a0a-BECD-3760296796F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31A6FED4-49E2-41db-A4F4-BA7B5784DDAE}\stubpath = "C:\\Windows\\{31A6FED4-49E2-41db-A4F4-BA7B5784DDAE}.exe"	{5F3F8A80-8E2F-4a0a-BECD-3760296796F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58D19D33-DB32-4680-B8EF-C25926772F7D}	2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58D19D33-DB32-4680-B8EF-C25926772F7D}\stubpath = "C:\\Windows\\{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe"	2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}\stubpath = "C:\\Windows\\{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe"	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B94509A-BFB2-4f0b-B535-A4BC4A557076}\stubpath = "C:\\Windows\\{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe"	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF3612F7-7B1C-448a-82DC-7B884B5316A4}	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{566B89DD-6626-4265-9B72-1CE780EA066A}\stubpath = "C:\\Windows\\{566B89DD-6626-4265-9B72-1CE780EA066A}.exe"	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94C869D6-A880-46a2-885F-7C3373E4C492}	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06E8726C-3864-4320-B0BC-D8E7027E74AB}\stubpath = "C:\\Windows\\{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe"	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF3612F7-7B1C-448a-82DC-7B884B5316A4}\stubpath = "C:\\Windows\\{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe"	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1249605C-6735-4a3f-8381-ADC4923B9DC5}	{31A6FED4-49E2-41db-A4F4-BA7B5784DDAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{566B89DD-6626-4265-9B72-1CE780EA066A}	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94C869D6-A880-46a2-885F-7C3373E4C492}\stubpath = "C:\\Windows\\{94C869D6-A880-46a2-885F-7C3373E4C492}.exe"	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06E8726C-3864-4320-B0BC-D8E7027E74AB}	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F3F8A80-8E2F-4a0a-BECD-3760296796F4}	{2A791427-43ED-4526-A450-625A3DEAF5E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F3F8A80-8E2F-4a0a-BECD-3760296796F4}\stubpath = "C:\\Windows\\{5F3F8A80-8E2F-4a0a-BECD-3760296796F4}.exe"	{2A791427-43ED-4526-A450-625A3DEAF5E1}.exe

Deletes itself 1 IoCs

pid	Process
1288	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1976	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe
2656	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe
2736	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe
3004	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe
2964	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe
2712	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe
2680	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe
2872	{2A791427-43ED-4526-A450-625A3DEAF5E1}.exe
1532	{5F3F8A80-8E2F-4a0a-BECD-3760296796F4}.exe
2068	{31A6FED4-49E2-41db-A4F4-BA7B5784DDAE}.exe
808	{1249605C-6735-4a3f-8381-ADC4923B9DC5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{94C869D6-A880-46a2-885F-7C3373E4C492}.exe	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe
File created	C:\Windows\{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe
File created	C:\Windows\{2A791427-43ED-4526-A450-625A3DEAF5E1}.exe	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe
File created	C:\Windows\{566B89DD-6626-4265-9B72-1CE780EA066A}.exe	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe
File created	C:\Windows\{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe
File created	C:\Windows\{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe
File created	C:\Windows\{5F3F8A80-8E2F-4a0a-BECD-3760296796F4}.exe	{2A791427-43ED-4526-A450-625A3DEAF5E1}.exe
File created	C:\Windows\{31A6FED4-49E2-41db-A4F4-BA7B5784DDAE}.exe	{5F3F8A80-8E2F-4a0a-BECD-3760296796F4}.exe
File created	C:\Windows\{1249605C-6735-4a3f-8381-ADC4923B9DC5}.exe	{31A6FED4-49E2-41db-A4F4-BA7B5784DDAE}.exe
File created	C:\Windows\{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe	2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe
File created	C:\Windows\{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2944	2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1976	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe
Token: SeIncBasePriorityPrivilege	2656	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe
Token: SeIncBasePriorityPrivilege	2736	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe
Token: SeIncBasePriorityPrivilege	3004	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe
Token: SeIncBasePriorityPrivilege	2964	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe
Token: SeIncBasePriorityPrivilege	2712	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe
Token: SeIncBasePriorityPrivilege	2680	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe
Token: SeIncBasePriorityPrivilege	2872	{2A791427-43ED-4526-A450-625A3DEAF5E1}.exe
Token: SeIncBasePriorityPrivilege	1532	{5F3F8A80-8E2F-4a0a-BECD-3760296796F4}.exe
Token: SeIncBasePriorityPrivilege	2068	{31A6FED4-49E2-41db-A4F4-BA7B5784DDAE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1976	2944	2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe	28
PID 2944 wrote to memory of 1976	2944	2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe	28
PID 2944 wrote to memory of 1976	2944	2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe	28
PID 2944 wrote to memory of 1976	2944	2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe	28
PID 2944 wrote to memory of 1288	2944	2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe	29
PID 2944 wrote to memory of 1288	2944	2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe	29
PID 2944 wrote to memory of 1288	2944	2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe	29
PID 2944 wrote to memory of 1288	2944	2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe	29
PID 1976 wrote to memory of 2656	1976	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe	30
PID 1976 wrote to memory of 2656	1976	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe	30
PID 1976 wrote to memory of 2656	1976	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe	30
PID 1976 wrote to memory of 2656	1976	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe	30
PID 1976 wrote to memory of 2568	1976	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe	31
PID 1976 wrote to memory of 2568	1976	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe	31
PID 1976 wrote to memory of 2568	1976	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe	31
PID 1976 wrote to memory of 2568	1976	{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe	31
PID 2656 wrote to memory of 2736	2656	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe	32
PID 2656 wrote to memory of 2736	2656	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe	32
PID 2656 wrote to memory of 2736	2656	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe	32
PID 2656 wrote to memory of 2736	2656	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe	32
PID 2656 wrote to memory of 2668	2656	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe	33
PID 2656 wrote to memory of 2668	2656	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe	33
PID 2656 wrote to memory of 2668	2656	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe	33
PID 2656 wrote to memory of 2668	2656	{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe	33
PID 2736 wrote to memory of 3004	2736	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe	36
PID 2736 wrote to memory of 3004	2736	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe	36
PID 2736 wrote to memory of 3004	2736	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe	36
PID 2736 wrote to memory of 3004	2736	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe	36
PID 2736 wrote to memory of 1312	2736	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe	37
PID 2736 wrote to memory of 1312	2736	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe	37
PID 2736 wrote to memory of 1312	2736	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe	37
PID 2736 wrote to memory of 1312	2736	{566B89DD-6626-4265-9B72-1CE780EA066A}.exe	37
PID 3004 wrote to memory of 2964	3004	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe	38
PID 3004 wrote to memory of 2964	3004	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe	38
PID 3004 wrote to memory of 2964	3004	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe	38
PID 3004 wrote to memory of 2964	3004	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe	38
PID 3004 wrote to memory of 2476	3004	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe	39
PID 3004 wrote to memory of 2476	3004	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe	39
PID 3004 wrote to memory of 2476	3004	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe	39
PID 3004 wrote to memory of 2476	3004	{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe	39
PID 2964 wrote to memory of 2712	2964	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe	40
PID 2964 wrote to memory of 2712	2964	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe	40
PID 2964 wrote to memory of 2712	2964	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe	40
PID 2964 wrote to memory of 2712	2964	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe	40
PID 2964 wrote to memory of 2496	2964	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe	41
PID 2964 wrote to memory of 2496	2964	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe	41
PID 2964 wrote to memory of 2496	2964	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe	41
PID 2964 wrote to memory of 2496	2964	{94C869D6-A880-46a2-885F-7C3373E4C492}.exe	41
PID 2712 wrote to memory of 2680	2712	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe	42
PID 2712 wrote to memory of 2680	2712	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe	42
PID 2712 wrote to memory of 2680	2712	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe	42
PID 2712 wrote to memory of 2680	2712	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe	42
PID 2712 wrote to memory of 2776	2712	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe	43
PID 2712 wrote to memory of 2776	2712	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe	43
PID 2712 wrote to memory of 2776	2712	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe	43
PID 2712 wrote to memory of 2776	2712	{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe	43
PID 2680 wrote to memory of 2872	2680	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe	44
PID 2680 wrote to memory of 2872	2680	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe	44
PID 2680 wrote to memory of 2872	2680	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe	44
PID 2680 wrote to memory of 2872	2680	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe	44
PID 2680 wrote to memory of 848	2680	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe	45
PID 2680 wrote to memory of 848	2680	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe	45
PID 2680 wrote to memory of 848	2680	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe	45
PID 2680 wrote to memory of 848	2680	{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_0d152b9ab06fb51c55516120b60e8aa3_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe
  C:\Windows\{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe
    C:\Windows\{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\{566B89DD-6626-4265-9B72-1CE780EA066A}.exe
      C:\Windows\{566B89DD-6626-4265-9B72-1CE780EA066A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe
        
        C:\Windows\{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\{94C869D6-A880-46a2-885F-7C3373E4C492}.exe
        
        C:\Windows\{94C869D6-A880-46a2-885F-7C3373E4C492}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe
        
        C:\Windows\{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe
        
        C:\Windows\{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\{2A791427-43ED-4526-A450-625A3DEAF5E1}.exe
        
        C:\Windows\{2A791427-43ED-4526-A450-625A3DEAF5E1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\{5F3F8A80-8E2F-4a0a-BECD-3760296796F4}.exe
        
        C:\Windows\{5F3F8A80-8E2F-4a0a-BECD-3760296796F4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\{31A6FED4-49E2-41db-A4F4-BA7B5784DDAE}.exe
        
        C:\Windows\{31A6FED4-49E2-41db-A4F4-BA7B5784DDAE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{1249605C-6735-4a3f-8381-ADC4923B9DC5}.exe
        
        C:\Windows\{1249605C-6735-4a3f-8381-ADC4923B9DC5}.exe
        12⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31A6F~1.EXE > nul
        12⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F3F8~1.EXE > nul
        11⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A791~1.EXE > nul
        10⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF361~1.EXE > nul
        9⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06E87~1.EXE > nul
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94C86~1.EXE > nul
        7⤵
        
        PID:2496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B945~1.EXE > nul
        6⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{566B8~1.EXE > nul
        5⤵
        
        PID:1312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1EEB0~1.EXE > nul
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{58D19~1.EXE > nul
    3⤵
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06E8726C-3864-4320-B0BC-D8E7027E74AB}.exe

Filesize
197KB

MD5
493da17646ea6c791082a7297c00acff

SHA1
491850600cd061238e6d45f748306c0af9cd9913

SHA256
2cb664ce07e8ebdb19d51b9834a32cfa87dbcd261a69ccc0df248b3dcf83dfe5

SHA512
b6212783192e0ac72c629803cd4ebd22b167ce6ff91cd7a87e3675bbde61f796d5d606be790e8f09dcfc9783fa0733846e59076bc4b1e01e02fe0e14974f70e4

Download Submit
C:\Windows\{1249605C-6735-4a3f-8381-ADC4923B9DC5}.exe

Filesize
197KB

MD5
3af924b7546afd4c817eb3bc6f364842

SHA1
518e51bea52e4cebaa8bf721fbbfba8168f32a3a

SHA256
bee0986a82c286d9df7fdea4be712e51f16875b16ee84b6d9cbe687452c70f21

SHA512
e30f1a315447f09241c5251b2a14c70265e1e73bfd2f0b9333e1dbef6611047bac4adfd6baaa4f45a9fa5e9a6670ca3b87783f89277ed6902c3eca1cc4d4bd16

Download Submit
C:\Windows\{1EEB0993-BA2E-4888-8EDC-D382E90A3BD0}.exe

Filesize
197KB

MD5
7679f55b0efed79adf1cf3361c95abe2

SHA1
bf61d44f77b6fb6b7e7cdf79581d35e0d7100503

SHA256
b52d9e5fa86dd670a0c9c02172f91051c4ead24a30ac7a10d4d77ebabcd4d5da

SHA512
a6148770112b202da99c0cc7bd98223beefa99731ce0104e335ac0883cfc0557f98a31dd3d4372e72581d760659e350cfe327344f0848d2d364c882306f7bb0c

Download Submit
C:\Windows\{2A791427-43ED-4526-A450-625A3DEAF5E1}.exe

Filesize
197KB

MD5
461814bbc84b0a0e46cf7dff5cb1b0ed

SHA1
175edfa067d10d112ceb4cf2b3e2e5b549c54505

SHA256
0935e535027391725d0d26b9dfbdab7bc4b41db23747c86961fb5f085d045c03

SHA512
da4535ab09e1e14bfb2cb70a75bc8ad3a8ec09391478d2d66d3b6729cc059376de4bcb3d588501200f8858c997d3f203e663ba8582d52d6cd04f3da5165f9f8c

Download Submit
C:\Windows\{31A6FED4-49E2-41db-A4F4-BA7B5784DDAE}.exe

Filesize
197KB

MD5
b116df4bab6b914797f72ece1a4e25f2

SHA1
f34f3671c6aad9a639010d8cac62265f1d7605b8

SHA256
e8e9ef09b26b447f70b932eba7978a537b99d01841614eb2f3a7d6383b32de95

SHA512
1f09e32810a05bd706b098cf29e18bc4229108ac2c174e446965a8defd5d546483d6331e38babf522206ab1be2189c8fd470da38a0b2730a8fda90b49ffe71a5

Download Submit
C:\Windows\{566B89DD-6626-4265-9B72-1CE780EA066A}.exe

Filesize
197KB

MD5
ed75da7e1aa85f254774f179a677a719

SHA1
be9642237ca97193ba26034e144ac534cf739b29

SHA256
f901f17258d1e3c000dbf91a49d05c7a453c25d6a149d7f0210dd3fc958ab256

SHA512
531d13a76886334c4730f10b5255252e7e347acd12ceea9a44e2ff362f750bdce1908e157f5155cbd6a115971393ce40e5cc33176bf8e4979e40d6ae7545b398

Download Submit
C:\Windows\{58D19D33-DB32-4680-B8EF-C25926772F7D}.exe

Filesize
197KB

MD5
c70e97193efa43b440008c5ab3748ae8

SHA1
f481e44655ac8e9dc247b70db4bd912640ff94da

SHA256
702623b287b2fd6ef431d98d870a1ac68eabeba9eb673e02f6e0738a3983180e

SHA512
c9db03802aead544d3f8d065149c3cff92dd69389cd9357406d6234ed56210f324d6c8ed7aed00598af6c0d8c489e4819b755379c1bb9d6dec706b2030579f2c

Download Submit
C:\Windows\{5F3F8A80-8E2F-4a0a-BECD-3760296796F4}.exe

Filesize
197KB

MD5
c378a3528ba69e3b59e48309aec09b76

SHA1
ae24a4a0e4e3873bdecb509961b41854831743e4

SHA256
3111ec56bb55d48d5c479d3659c01bc2c41f5f12ed8230f0efabfbd6946cf70e

SHA512
2b365f2433108168418e3f80723fe6c7d2a5f63798a3f1c16304866ce0190f1ac6af480739d7233b99f0fcdd9fc2c33b8549bb4acc381936413351c97778af8a

Download Submit
C:\Windows\{8B94509A-BFB2-4f0b-B535-A4BC4A557076}.exe

Filesize
197KB

MD5
b44033c460919c92a59ac7f6f0bd3861

SHA1
ad7f8834b04adaa44e109f477f1b2de488571fca

SHA256
789493436d40582311df58ca94ec23c184c995ca0efe8f1a6af796ec1bb15e9a

SHA512
749894ec55ce2cba7db11c3320601a8048d2ec8e58189ca2fa6c25a4739d67ae096dd80c954194df26dd3c78553ffde3d9dbc227ea40464a09ec4e7cf6952b21

Download Submit
C:\Windows\{94C869D6-A880-46a2-885F-7C3373E4C492}.exe

Filesize
197KB

MD5
1f6452dc9191fcbf806d600500ac8fa3

SHA1
b03079f9bed5bbe4e87e3cd633cba3c9c44af2a7

SHA256
93a3e1e1cbdb17be1522b3b704a25994e5b27c5b5a0ac9be76c1723b83daf8ea

SHA512
2624622fcd61ebbc6b3367d58ce50b38cbf0481a1ae1842f3523da87c1854bf05e7c2b3e0cf1d18744ffc36b7ef883e868b512d39164d8fef2283c4cb44480ea

Download Submit
C:\Windows\{BF3612F7-7B1C-448a-82DC-7B884B5316A4}.exe

Filesize
197KB

MD5
ae19a7ef3c9929bcec848a1837dd7ad7

SHA1
4520fb342807b597a621618bb3a160c8aa3e3e69

SHA256
2c3a1cf6839c1a32f3d84947b21341d6206d535552db975a2b68c7b0d4848fc6

SHA512
42b359749120b266728a5ed167e0faf3336651a89a5bc6da50a8cd9bf3af5bec0ff1c1f3fae2d7bfe654f418027ecd37a504a2365f5d5457e17497bf6175344f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads