7b259bd84a2b33e8d7399687cb7564509683ec7a7f7d62d99f35fc5106f96796

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe
Size

192KB
MD5

0b0b55d7678192cd32672e12249b1a33
SHA1

7a1e78ce8a75487e70c647393dc4a580b557c6ed
SHA256

7b259bd84a2b33e8d7399687cb7564509683ec7a7f7d62d99f35fc5106f96796
SHA512

923cb7ca20d039485df64650fa7fda9de1d3e6d6411020ebd9220b72f3bf0854fd02ffe226dc63975852a5df01e0430f6231adb5365a6565217382ba33c5a7ca
SSDEEP

1536:1EGh0ovl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ovl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012330-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013417-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012330-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000013a53-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012330-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012330-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012330-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9286A7C3-BFB6-42e3-9C72-328A5BB4FEB7}\stubpath = "C:\\Windows\\{9286A7C3-BFB6-42e3-9C72-328A5BB4FEB7}.exe"	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9286A7C3-BFB6-42e3-9C72-328A5BB4FEB7}	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5EA6DD5-4AFF-4c64-AB0B-686D512396C8}\stubpath = "C:\\Windows\\{E5EA6DD5-4AFF-4c64-AB0B-686D512396C8}.exe"	{9286A7C3-BFB6-42e3-9C72-328A5BB4FEB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A9ACEC6-127E-4cbe-AF41-873EE08E6E97}	{E5EA6DD5-4AFF-4c64-AB0B-686D512396C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}\stubpath = "C:\\Windows\\{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe"	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}\stubpath = "C:\\Windows\\{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe"	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}\stubpath = "C:\\Windows\\{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe"	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EF22BC9-7D6A-46e4-A87E-1A32C12BBFAC}\stubpath = "C:\\Windows\\{1EF22BC9-7D6A-46e4-A87E-1A32C12BBFAC}.exe"	{4A9ACEC6-127E-4cbe-AF41-873EE08E6E97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{455CF241-ED88-4729-B225-4C9DD90CBD89}	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}\stubpath = "C:\\Windows\\{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe"	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}\stubpath = "C:\\Windows\\{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe"	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}\stubpath = "C:\\Windows\\{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe"	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5EA6DD5-4AFF-4c64-AB0B-686D512396C8}	{9286A7C3-BFB6-42e3-9C72-328A5BB4FEB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A9ACEC6-127E-4cbe-AF41-873EE08E6E97}\stubpath = "C:\\Windows\\{4A9ACEC6-127E-4cbe-AF41-873EE08E6E97}.exe"	{E5EA6DD5-4AFF-4c64-AB0B-686D512396C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EF22BC9-7D6A-46e4-A87E-1A32C12BBFAC}	{4A9ACEC6-127E-4cbe-AF41-873EE08E6E97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{455CF241-ED88-4729-B225-4C9DD90CBD89}\stubpath = "C:\\Windows\\{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe"	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2984	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe
2940	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe
2468	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe
1748	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe
2692	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe
1852	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe
2356	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe
332	{9286A7C3-BFB6-42e3-9C72-328A5BB4FEB7}.exe
1464	{E5EA6DD5-4AFF-4c64-AB0B-686D512396C8}.exe
540	{4A9ACEC6-127E-4cbe-AF41-873EE08E6E97}.exe
1400	{1EF22BC9-7D6A-46e4-A87E-1A32C12BBFAC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe
File created	C:\Windows\{9286A7C3-BFB6-42e3-9C72-328A5BB4FEB7}.exe	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe
File created	C:\Windows\{E5EA6DD5-4AFF-4c64-AB0B-686D512396C8}.exe	{9286A7C3-BFB6-42e3-9C72-328A5BB4FEB7}.exe
File created	C:\Windows\{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe
File created	C:\Windows\{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe
File created	C:\Windows\{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe
File created	C:\Windows\{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe
File created	C:\Windows\{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe
File created	C:\Windows\{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe
File created	C:\Windows\{4A9ACEC6-127E-4cbe-AF41-873EE08E6E97}.exe	{E5EA6DD5-4AFF-4c64-AB0B-686D512396C8}.exe
File created	C:\Windows\{1EF22BC9-7D6A-46e4-A87E-1A32C12BBFAC}.exe	{4A9ACEC6-127E-4cbe-AF41-873EE08E6E97}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3056	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2984	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe
Token: SeIncBasePriorityPrivilege	2940	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe
Token: SeIncBasePriorityPrivilege	2468	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe
Token: SeIncBasePriorityPrivilege	1748	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe
Token: SeIncBasePriorityPrivilege	2692	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe
Token: SeIncBasePriorityPrivilege	1852	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe
Token: SeIncBasePriorityPrivilege	2356	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe
Token: SeIncBasePriorityPrivilege	332	{9286A7C3-BFB6-42e3-9C72-328A5BB4FEB7}.exe
Token: SeIncBasePriorityPrivilege	1464	{E5EA6DD5-4AFF-4c64-AB0B-686D512396C8}.exe
Token: SeIncBasePriorityPrivilege	540	{4A9ACEC6-127E-4cbe-AF41-873EE08E6E97}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2984	3056	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	28
PID 3056 wrote to memory of 2984	3056	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	28
PID 3056 wrote to memory of 2984	3056	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	28
PID 3056 wrote to memory of 2984	3056	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	28
PID 3056 wrote to memory of 2564	3056	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	29
PID 3056 wrote to memory of 2564	3056	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	29
PID 3056 wrote to memory of 2564	3056	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	29
PID 3056 wrote to memory of 2564	3056	2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe	29
PID 2984 wrote to memory of 2940	2984	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe	30
PID 2984 wrote to memory of 2940	2984	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe	30
PID 2984 wrote to memory of 2940	2984	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe	30
PID 2984 wrote to memory of 2940	2984	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe	30
PID 2984 wrote to memory of 2728	2984	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe	31
PID 2984 wrote to memory of 2728	2984	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe	31
PID 2984 wrote to memory of 2728	2984	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe	31
PID 2984 wrote to memory of 2728	2984	{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe	31
PID 2940 wrote to memory of 2468	2940	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe	32
PID 2940 wrote to memory of 2468	2940	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe	32
PID 2940 wrote to memory of 2468	2940	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe	32
PID 2940 wrote to memory of 2468	2940	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe	32
PID 2940 wrote to memory of 2712	2940	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe	33
PID 2940 wrote to memory of 2712	2940	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe	33
PID 2940 wrote to memory of 2712	2940	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe	33
PID 2940 wrote to memory of 2712	2940	{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe	33
PID 2468 wrote to memory of 1748	2468	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe	36
PID 2468 wrote to memory of 1748	2468	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe	36
PID 2468 wrote to memory of 1748	2468	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe	36
PID 2468 wrote to memory of 1748	2468	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe	36
PID 2468 wrote to memory of 1200	2468	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe	37
PID 2468 wrote to memory of 1200	2468	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe	37
PID 2468 wrote to memory of 1200	2468	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe	37
PID 2468 wrote to memory of 1200	2468	{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe	37
PID 1748 wrote to memory of 2692	1748	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe	38
PID 1748 wrote to memory of 2692	1748	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe	38
PID 1748 wrote to memory of 2692	1748	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe	38
PID 1748 wrote to memory of 2692	1748	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe	38
PID 1748 wrote to memory of 1564	1748	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe	39
PID 1748 wrote to memory of 1564	1748	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe	39
PID 1748 wrote to memory of 1564	1748	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe	39
PID 1748 wrote to memory of 1564	1748	{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe	39
PID 2692 wrote to memory of 1852	2692	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe	40
PID 2692 wrote to memory of 1852	2692	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe	40
PID 2692 wrote to memory of 1852	2692	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe	40
PID 2692 wrote to memory of 1852	2692	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe	40
PID 2692 wrote to memory of 1936	2692	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe	41
PID 2692 wrote to memory of 1936	2692	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe	41
PID 2692 wrote to memory of 1936	2692	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe	41
PID 2692 wrote to memory of 1936	2692	{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe	41
PID 1852 wrote to memory of 2356	1852	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe	42
PID 1852 wrote to memory of 2356	1852	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe	42
PID 1852 wrote to memory of 2356	1852	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe	42
PID 1852 wrote to memory of 2356	1852	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe	42
PID 1852 wrote to memory of 1012	1852	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe	43
PID 1852 wrote to memory of 1012	1852	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe	43
PID 1852 wrote to memory of 1012	1852	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe	43
PID 1852 wrote to memory of 1012	1852	{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe	43
PID 2356 wrote to memory of 332	2356	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe	44
PID 2356 wrote to memory of 332	2356	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe	44
PID 2356 wrote to memory of 332	2356	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe	44
PID 2356 wrote to memory of 332	2356	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe	44
PID 2356 wrote to memory of 1680	2356	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe	45
PID 2356 wrote to memory of 1680	2356	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe	45
PID 2356 wrote to memory of 1680	2356	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe	45
PID 2356 wrote to memory of 1680	2356	{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-06_0b0b55d7678192cd32672e12249b1a33_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe
  C:\Windows\{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe
    C:\Windows\{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe
      C:\Windows\{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe
        
        C:\Windows\{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe
        
        C:\Windows\{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe
        
        C:\Windows\{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe
        
        C:\Windows\{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\{9286A7C3-BFB6-42e3-9C72-328A5BB4FEB7}.exe
        
        C:\Windows\{9286A7C3-BFB6-42e3-9C72-328A5BB4FEB7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\{E5EA6DD5-4AFF-4c64-AB0B-686D512396C8}.exe
        
        C:\Windows\{E5EA6DD5-4AFF-4c64-AB0B-686D512396C8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\{4A9ACEC6-127E-4cbe-AF41-873EE08E6E97}.exe
        
        C:\Windows\{4A9ACEC6-127E-4cbe-AF41-873EE08E6E97}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{1EF22BC9-7D6A-46e4-A87E-1A32C12BBFAC}.exe
        
        C:\Windows\{1EF22BC9-7D6A-46e4-A87E-1A32C12BBFAC}.exe
        12⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A9AC~1.EXE > nul
        12⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5EA6~1.EXE > nul
        11⤵
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9286A~1.EXE > nul
        10⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88E96~1.EXE > nul
        9⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B118~1.EXE > nul
        8⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E98B~1.EXE > nul
        7⤵
        
        PID:1936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C996B~1.EXE > nul
        6⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3460~1.EXE > nul
        5⤵
        
        PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{539BF~1.EXE > nul
      4⤵
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{455CF~1.EXE > nul
    3⤵
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1EF22BC9-7D6A-46e4-A87E-1A32C12BBFAC}.exe

Filesize
192KB

MD5
a4f91439d3707f5addde3ad079d7900c

SHA1
7d45f7b26719542b773e892ff6ee73eb141dcb6d

SHA256
3e37a78b1e3d373b900a9ec8987a3c922131719e6cb28bc925e5294f15c6da31

SHA512
153a173c2ed489f53532535cf6cc7c2fdf35604631f3549cff03214c71de674287adb0deee4dcbd44111fa0f458623a1def0d554212321c9da3420ca3d06139f

Download Submit
C:\Windows\{455CF241-ED88-4729-B225-4C9DD90CBD89}.exe

Filesize
192KB

MD5
b50166745a4b830328f1b54ddc7916bd

SHA1
a73d4b992d12778990def05001b9e22efca54ae3

SHA256
d57454c94a7136b95b8ba0449e4bdf07529a9f9d07305aeddd38aa40c9081a01

SHA512
aea62abef3521ab2756321c77fa2f61391db42f45763fa21f57ff18eb1a459e68805cfd9717485b73d2e46dda9d0fb5099a9db893c930773731965011d0d717d

Download Submit
C:\Windows\{4A9ACEC6-127E-4cbe-AF41-873EE08E6E97}.exe

Filesize
192KB

MD5
3a9639ef573bc9507f0d5cfe56f0d7db

SHA1
db95fef9bc763600030fa9c9744d76c6061e136f

SHA256
4c7219df3a38c4c5c1fb7f29946149f55622dca11ed0adb49b86d5b2513ec641

SHA512
16fb013e5338f665f089ccd7ea9f886a772683068860f7f2a2a3304ae7c2f6cc033667dd86cf582fa5a632473f23cb36f5c519770c92c0678ad9b62461987c51

Download Submit
C:\Windows\{539BF7AA-7AA6-4017-8EC6-FEE4BB77C646}.exe

Filesize
192KB

MD5
41f12a49e20b179ad3d19bf0c064985c

SHA1
155684731b21c22a1b0fdb992e3af2e2bec259c6

SHA256
9b73f5576d6e19c11f8ab974a88946eb176abb5548d457cdd642dbc9fa6148bf

SHA512
75f1e607381c1a7dc77e30ed1003ae8c7a8ff6c6e16a210369d9c912c59e5de1f0cabea94f05ef950932d65a815cd24f6d1941d19205d0fe1ade0fb6fd8d50b3

Download Submit
C:\Windows\{5B1181D5-7DF4-4a8e-AF3B-147B56AF367F}.exe

Filesize
192KB

MD5
685bc1526513c611dfe8c65974ebe219

SHA1
91935498b7e1dd9ec29eb4d2219f18e364e99c2a

SHA256
14e87e3852c9ee6a82b407c09bbf5dd9f1b0093bf09fdca44cfd426bd2047796

SHA512
2b7fef17e8bdaf338531721d7bfcecb05d3e0994cb3796c2cefabc44694be9b770da65b82a8bd3b4929dccedabe4811509b307c33bc76b678ebeb0719d0dab9e

Download Submit
C:\Windows\{5E98B07A-33E7-4f93-837D-1341AFF0FB6E}.exe

Filesize
192KB

MD5
422f724288ef83908cd982fb0d50581c

SHA1
524fd8a8c273bbe697b75a25c7b9b24ad3ff1aeb

SHA256
fdbf911eaea025901bec22b28ee478b7e361dc8e9879da3d8cd7cf02cbe429bc

SHA512
cb6ff63afb4a9a8374b390c23ffa8145bae07755aa5c71e21a87be7908123b963a5f980234023129aa407d6529bc8914e779f2fdf9a1b76d8dd1e921e472c35b

Download Submit
C:\Windows\{88E96983-0A4C-4ac4-BBC0-CD0FE9B80D63}.exe

Filesize
192KB

MD5
dd769a786357fc75a462891ba5de9238

SHA1
ec8d6ea128a2d3e0312e652fb16d5a3fc17030ab

SHA256
66663df476386bdeab437278bc4c133662f841ab92a5331446e8bd7a2daf0f2d

SHA512
d9349fe2195db3c24e0ca6ea4c60b15c6cc8a56015efc1e7c02a14cf40ec6c3e4f18d12742e1f6db1dc3f8eb17b1399d456a596f7e03f24ec475a9065cc7c834

Download Submit
C:\Windows\{9286A7C3-BFB6-42e3-9C72-328A5BB4FEB7}.exe

Filesize
192KB

MD5
8e665338e0fd7fd51ca3825a6a2b7f78

SHA1
9bb2f38a14207de0e75fceba6f927ec953d83dab

SHA256
a71ad85d52c9d99cfa48ea9892acfeb6def7b24dbc579adf126a41b8bec1f9cb

SHA512
4b5f3cb441eddca05b94207b88cb8583043a46e31efd68a50f135d2cae5ac702415e336642fa06cc41345ba1b2f003f7414b6cd405de233a2ecf45ca5fa49136

Download Submit
C:\Windows\{C996BAAF-1C6E-4717-8E80-5BD7FA275C0C}.exe

Filesize
192KB

MD5
ce9a456b7d884488ded521ad26d3ee1e

SHA1
65e4f1a8dab24f8c06b0f4e3cc51a0055e7bb7ab

SHA256
05b6ae23c02f4413a785206a1b6c0ba8c503e02b905e6201e16f2110e0001289

SHA512
17ee748a488aefd9021b8adcfdbfcd179b6f38fcab546619476ef14445466bec7a0ad8608b128f27b0592d2a4e7c1885abf78c377e2a0118a1b8d07921d54117

Download Submit
C:\Windows\{D3460B0D-B59D-4dc4-BF8C-3D04DB693A91}.exe

Filesize
192KB

MD5
58a94f27d12e436b4fd8cf562d2cc59f

SHA1
0aee32f8d312ca298c113e5c559bfbbc4553a4ff

SHA256
97627331f04e8bbf0cc726aaadcc57f5aa4312d5b3e4b696d68fcd91994444f5

SHA512
11ff809d4b1f4612f7fae39cfff8a68386bc3b658df989173443d15cf3d89dbf41e8cda1c87ffd639d8ed3bd064a8cbd7c605d43e7e89f03247346cdadf4997b

Download Submit
C:\Windows\{E5EA6DD5-4AFF-4c64-AB0B-686D512396C8}.exe

Filesize
192KB

MD5
0bc7fc889959b9c3386d4205dd4038b0

SHA1
e27c435c87ef4eca16e41e5091387e28d5510978

SHA256
daa8e55615e51088b67e37e348085ede4574c1ed8b9ff001bb886cd9c2624d8a

SHA512
4fe0e0f517a9ca6cf47b5b87357a9afeedd066e1e1775b04fa0677592fdbc3699f09f07f6fc591f993abb0258ab0551160ac1237bc172fc253fa7570c2c47be2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads