3bf79ec06fcf9f697541032bdd5dc7d1828ee15b8a0a6d70bf2b502b1e15b2c6

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 01:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe
Size

344KB
MD5

835f9ba9f9bd88a6ccda4d6036214afc
SHA1

7796dc26a9b50bf56684a450cf80d1e65d95f526
SHA256

3bf79ec06fcf9f697541032bdd5dc7d1828ee15b8a0a6d70bf2b502b1e15b2c6
SHA512

c8c43e8197092d28178e791fc407b28ace06f227c9b3a1e94c20cf2e5ca6b863d7dc5471981ab94ffd456cca1c45e2a0ff3fcf44f70eefa0907cc77ebdcee038
SSDEEP

3072:mEGh0oKlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGwlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000144e8-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224c-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000014712-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224c-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224c-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18C972D7-9874-498c-8363-1B5E0DC2F30C}\stubpath = "C:\\Windows\\{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe"	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5D0763A-7E28-4d75-A3A0-A36B11AE92E2}	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}\stubpath = "C:\\Windows\\{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe"	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}\stubpath = "C:\\Windows\\{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe"	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5D0763A-7E28-4d75-A3A0-A36B11AE92E2}\stubpath = "C:\\Windows\\{C5D0763A-7E28-4d75-A3A0-A36B11AE92E2}.exe"	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B170BD3E-5094-45ad-9EB3-D4B4A7B7D9F9}\stubpath = "C:\\Windows\\{B170BD3E-5094-45ad-9EB3-D4B4A7B7D9F9}.exe"	{C5D0763A-7E28-4d75-A3A0-A36B11AE92E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4010FA4-0B06-41ec-9E06-C6DC91E21082}	{B170BD3E-5094-45ad-9EB3-D4B4A7B7D9F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4086AAF0-A5CF-49c1-81A3-D8DFE5C663CC}\stubpath = "C:\\Windows\\{4086AAF0-A5CF-49c1-81A3-D8DFE5C663CC}.exe"	{A4010FA4-0B06-41ec-9E06-C6DC91E21082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18C972D7-9874-498c-8363-1B5E0DC2F30C}	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A478AC4D-E0B9-425f-9E81-F56253465CA9}\stubpath = "C:\\Windows\\{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe"	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A478AC4D-E0B9-425f-9E81-F56253465CA9}	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B170BD3E-5094-45ad-9EB3-D4B4A7B7D9F9}	{C5D0763A-7E28-4d75-A3A0-A36B11AE92E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4086AAF0-A5CF-49c1-81A3-D8DFE5C663CC}	{A4010FA4-0B06-41ec-9E06-C6DC91E21082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}\stubpath = "C:\\Windows\\{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe"	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F73AFE21-6124-45a5-AD63-CB2D21A784D4}\stubpath = "C:\\Windows\\{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe"	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4010FA4-0B06-41ec-9E06-C6DC91E21082}\stubpath = "C:\\Windows\\{A4010FA4-0B06-41ec-9E06-C6DC91E21082}.exe"	{B170BD3E-5094-45ad-9EB3-D4B4A7B7D9F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F73AFE21-6124-45a5-AD63-CB2D21A784D4}	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}\stubpath = "C:\\Windows\\{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe"	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2096	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe
2136	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe
2284	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe
1552	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe
1480	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe
2368	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe
1212	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe
2028	{C5D0763A-7E28-4d75-A3A0-A36B11AE92E2}.exe
2364	{B170BD3E-5094-45ad-9EB3-D4B4A7B7D9F9}.exe
700	{A4010FA4-0B06-41ec-9E06-C6DC91E21082}.exe
880	{4086AAF0-A5CF-49c1-81A3-D8DFE5C663CC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe
File created	C:\Windows\{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe
File created	C:\Windows\{B170BD3E-5094-45ad-9EB3-D4B4A7B7D9F9}.exe	{C5D0763A-7E28-4d75-A3A0-A36B11AE92E2}.exe
File created	C:\Windows\{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe
File created	C:\Windows\{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe
File created	C:\Windows\{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe
File created	C:\Windows\{A4010FA4-0B06-41ec-9E06-C6DC91E21082}.exe	{B170BD3E-5094-45ad-9EB3-D4B4A7B7D9F9}.exe
File created	C:\Windows\{4086AAF0-A5CF-49c1-81A3-D8DFE5C663CC}.exe	{A4010FA4-0B06-41ec-9E06-C6DC91E21082}.exe
File created	C:\Windows\{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe
File created	C:\Windows\{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe
File created	C:\Windows\{C5D0763A-7E28-4d75-A3A0-A36B11AE92E2}.exe	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1736	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2096	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe
Token: SeIncBasePriorityPrivilege	2136	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe
Token: SeIncBasePriorityPrivilege	2284	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe
Token: SeIncBasePriorityPrivilege	1552	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe
Token: SeIncBasePriorityPrivilege	1480	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe
Token: SeIncBasePriorityPrivilege	2368	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe
Token: SeIncBasePriorityPrivilege	1212	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe
Token: SeIncBasePriorityPrivilege	2028	{C5D0763A-7E28-4d75-A3A0-A36B11AE92E2}.exe
Token: SeIncBasePriorityPrivilege	2364	{B170BD3E-5094-45ad-9EB3-D4B4A7B7D9F9}.exe
Token: SeIncBasePriorityPrivilege	700	{A4010FA4-0B06-41ec-9E06-C6DC91E21082}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2096	1736	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	28
PID 1736 wrote to memory of 2096	1736	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	28
PID 1736 wrote to memory of 2096	1736	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	28
PID 1736 wrote to memory of 2096	1736	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	28
PID 1736 wrote to memory of 2576	1736	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	29
PID 1736 wrote to memory of 2576	1736	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	29
PID 1736 wrote to memory of 2576	1736	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	29
PID 1736 wrote to memory of 2576	1736	2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe	29
PID 2096 wrote to memory of 2136	2096	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe	30
PID 2096 wrote to memory of 2136	2096	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe	30
PID 2096 wrote to memory of 2136	2096	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe	30
PID 2096 wrote to memory of 2136	2096	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe	30
PID 2096 wrote to memory of 2580	2096	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe	31
PID 2096 wrote to memory of 2580	2096	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe	31
PID 2096 wrote to memory of 2580	2096	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe	31
PID 2096 wrote to memory of 2580	2096	{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe	31
PID 2136 wrote to memory of 2284	2136	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe	32
PID 2136 wrote to memory of 2284	2136	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe	32
PID 2136 wrote to memory of 2284	2136	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe	32
PID 2136 wrote to memory of 2284	2136	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe	32
PID 2136 wrote to memory of 2420	2136	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe	33
PID 2136 wrote to memory of 2420	2136	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe	33
PID 2136 wrote to memory of 2420	2136	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe	33
PID 2136 wrote to memory of 2420	2136	{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe	33
PID 2284 wrote to memory of 1552	2284	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe	36
PID 2284 wrote to memory of 1552	2284	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe	36
PID 2284 wrote to memory of 1552	2284	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe	36
PID 2284 wrote to memory of 1552	2284	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe	36
PID 2284 wrote to memory of 2304	2284	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe	37
PID 2284 wrote to memory of 2304	2284	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe	37
PID 2284 wrote to memory of 2304	2284	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe	37
PID 2284 wrote to memory of 2304	2284	{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe	37
PID 1552 wrote to memory of 1480	1552	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe	38
PID 1552 wrote to memory of 1480	1552	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe	38
PID 1552 wrote to memory of 1480	1552	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe	38
PID 1552 wrote to memory of 1480	1552	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe	38
PID 1552 wrote to memory of 1360	1552	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe	39
PID 1552 wrote to memory of 1360	1552	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe	39
PID 1552 wrote to memory of 1360	1552	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe	39
PID 1552 wrote to memory of 1360	1552	{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe	39
PID 1480 wrote to memory of 2368	1480	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe	40
PID 1480 wrote to memory of 2368	1480	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe	40
PID 1480 wrote to memory of 2368	1480	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe	40
PID 1480 wrote to memory of 2368	1480	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe	40
PID 1480 wrote to memory of 2192	1480	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe	41
PID 1480 wrote to memory of 2192	1480	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe	41
PID 1480 wrote to memory of 2192	1480	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe	41
PID 1480 wrote to memory of 2192	1480	{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe	41
PID 2368 wrote to memory of 1212	2368	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe	42
PID 2368 wrote to memory of 1212	2368	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe	42
PID 2368 wrote to memory of 1212	2368	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe	42
PID 2368 wrote to memory of 1212	2368	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe	42
PID 2368 wrote to memory of 1576	2368	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe	43
PID 2368 wrote to memory of 1576	2368	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe	43
PID 2368 wrote to memory of 1576	2368	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe	43
PID 2368 wrote to memory of 1576	2368	{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe	43
PID 1212 wrote to memory of 2028	1212	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe	44
PID 1212 wrote to memory of 2028	1212	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe	44
PID 1212 wrote to memory of 2028	1212	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe	44
PID 1212 wrote to memory of 2028	1212	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe	44
PID 1212 wrote to memory of 3036	1212	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe	45
PID 1212 wrote to memory of 3036	1212	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe	45
PID 1212 wrote to memory of 3036	1212	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe	45
PID 1212 wrote to memory of 3036	1212	{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-11_835f9ba9f9bd88a6ccda4d6036214afc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe
  C:\Windows\{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe
    C:\Windows\{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe
      C:\Windows\{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe
        
        C:\Windows\{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Windows\{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe
        
        C:\Windows\{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe
        
        C:\Windows\{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe
        
        C:\Windows\{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\{C5D0763A-7E28-4d75-A3A0-A36B11AE92E2}.exe
        
        C:\Windows\{C5D0763A-7E28-4d75-A3A0-A36B11AE92E2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\{B170BD3E-5094-45ad-9EB3-D4B4A7B7D9F9}.exe
        
        C:\Windows\{B170BD3E-5094-45ad-9EB3-D4B4A7B7D9F9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\{A4010FA4-0B06-41ec-9E06-C6DC91E21082}.exe
        
        C:\Windows\{A4010FA4-0B06-41ec-9E06-C6DC91E21082}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Windows\{4086AAF0-A5CF-49c1-81A3-D8DFE5C663CC}.exe
        
        C:\Windows\{4086AAF0-A5CF-49c1-81A3-D8DFE5C663CC}.exe
        12⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4010~1.EXE > nul
        12⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B170B~1.EXE > nul
        11⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5D07~1.EXE > nul
        10⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A478A~1.EXE > nul
        9⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18C97~1.EXE > nul
        8⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBC55~1.EXE > nul
        7⤵
        
        PID:2192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F73AF~1.EXE > nul
        6⤵
        
        PID:1360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAE2D~1.EXE > nul
        5⤵
        
        PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E2D34~1.EXE > nul
      4⤵
      PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5D49E~1.EXE > nul
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18C972D7-9874-498c-8363-1B5E0DC2F30C}.exe

Filesize
344KB

MD5
7560661afbf5a0646774a33923b27ecf

SHA1
e3bfbc0dc4530d8d024bd68382082daeb42020ce

SHA256
4a641327647aaafa4487beda355498aba10ebe5f907b1c67c3f6b4cd5a2e92f3

SHA512
579f919cabc8b886db6d731cd93642ffcedfe8bbd6d54aaf61939f83da1e2f8a18a3095072c5b19340549eef747cb8ddd72521a00f4ef1891b11da7049517a3f

Download Submit
C:\Windows\{4086AAF0-A5CF-49c1-81A3-D8DFE5C663CC}.exe

Filesize
344KB

MD5
4d1af3900802935c859b32490fa0bb95

SHA1
22e46d70e8a76f9015ed937fb6d34c494dd197e7

SHA256
f4347487e8ce9d4abfcda211933d06391035e5562a331fe3d25c7a4f3e3e862d

SHA512
f8b7e5e2c38d3dec73496ac7ee88dd24a20cc66bcbade84494ca821dbb872980b51b2783abef9de893d4bae38f7b75548b5f088da6c732a479a39a627eaeeac2

Download Submit
C:\Windows\{5D49EEC9-1425-440d-A46B-5EAFAC1F20B3}.exe

Filesize
344KB

MD5
0d32522cc4bfb8919723283c39bc9177

SHA1
a994b6df9d49070aa302c976caf9dd034599f01c

SHA256
833773b3091bca84648260cdfa12042f95e4fd4cfa4e54372c81a1a8d806cbdb

SHA512
68d83649af72fd3290be23718cacfaa82b8f8a85122549e25f0dcb685ef6a9a1d2bbea06aec626a49920b2f1a5c7bc1b855f991483b966887507b17a0e5aa551

Download Submit
C:\Windows\{A4010FA4-0B06-41ec-9E06-C6DC91E21082}.exe

Filesize
344KB

MD5
13b8d73576445b938fbd7546109a2120

SHA1
c710c4006e9cdbac197fb463605d2ba4be10829a

SHA256
0d09903d7d65cd5faa572942fbfe011168e231f42f50d1eb4a679437aabe095a

SHA512
f5ba07281e0df5d941f4974797e8d7a66c328e1d3d577364b62d8a2278a4b37cd884a3a44e4582d0d868471a2c40524e5b2e63898c4da268b789d7dfdef648ad

Download Submit
C:\Windows\{A478AC4D-E0B9-425f-9E81-F56253465CA9}.exe

Filesize
344KB

MD5
7a76d57fdd86ace9078e28f95787e545

SHA1
dc628e6bc07219910a6c9fa2496b767d9b0de3db

SHA256
16febfa08ccde33590c513abad9cfb45943ee27ee166b5a4d1a7b82d91d9f2b2

SHA512
392f44e78da9cea262eae64358099f7f8c4a3937bfb06fc32c121f1f39efff1b2517c97f960ff0b967b474826aab79c3d4e587fefb3b72c47ec63d3249c0cec6

Download Submit
C:\Windows\{B170BD3E-5094-45ad-9EB3-D4B4A7B7D9F9}.exe

Filesize
344KB

MD5
1f8df00c97eaad0ea5299099acf6b4f3

SHA1
f31c543d5a1d46a6f971174ccc6969f47eaf4753

SHA256
a9d1a382d6a96274d2c6718b08262ec8b64a8a1d80214452608c4d7838f7eac2

SHA512
135aa2d1060391089c77ce89f68a89b8802588163bf273da98bb478bec4499a1ed7ed55cb95d3f03c21503290351f955860c744b308958cacc1ff6e30a7b179c

Download Submit
C:\Windows\{C5D0763A-7E28-4d75-A3A0-A36B11AE92E2}.exe

Filesize
344KB

MD5
23bda7bd961043d52437e89e54c34c90

SHA1
fa5d2ac88a1e3f79e6341559537c9049f96be585

SHA256
06a383b3a95585b60898f60d910a47e30a896ccea80f4c2da466b74bf64bc4c3

SHA512
75cfd0fb8a740170905aef069b1ee378238fc41be24265ac0ea8b04c3838a54a9a494ba63424a76622f040e644deba8f572104b4c7842715a8beca59f9a1060f

Download Submit
C:\Windows\{CAE2D219-CA25-4d5b-A42A-6FC415EA7DBD}.exe

Filesize
344KB

MD5
a5f87013fc3021e94094b969c6182bb0

SHA1
1c9881989ff7bf9e5e33a4031992316b52ab1fc7

SHA256
7fa45e08517ad7e79d2164eb23e392a3ee7825c95b75fdeb51316f41bfaba25e

SHA512
e955a7ca2a5e30e4287406114e5b902aa256a1dff2e715d797f27929c067c8eae3c49d2d1f9c09f52eb330802114a736b5069b8114d5994e6da4a41bcf8fdcab

Download Submit
C:\Windows\{DBC55086-8052-48ed-ABC7-184ADA7D5CDE}.exe

Filesize
344KB

MD5
369b2bd7ea1575296d2ca4e9d8700e34

SHA1
869108ca070b67a57ee8f11a4265534a4a4dda63

SHA256
a5b774107643426e070ad52021accb2381705b32750dafba8c6f72504e5895c4

SHA512
aa5405da029d8d39b49463fe5297a77440dd7b3dad879aae0754061e4d1b02f5580bef5ae6c03ea97b077d303c8bb6d7eab5e2a088414bed3ed7fedd1c72ae38

Download Submit
C:\Windows\{E2D34EBC-E7BD-4fda-B148-89BD2875FA0C}.exe

Filesize
344KB

MD5
a275e04088f780be371f7ffe67ac1ae3

SHA1
fa3650c04028f7868b0961b1f6f1504368506520

SHA256
42218b4767f108144794955b3b6b41e93af241872f3b05eaf703863e3458bb7a

SHA512
815452271382b5ead200f33763ebad0940cf72eb00fdff66e68670330ca223bd772a6a05b274711c33e4b12e2e48ac3af28047a28e200d4f6093230a64a0abc5

Download Submit
C:\Windows\{F73AFE21-6124-45a5-AD63-CB2D21A784D4}.exe

Filesize
344KB

MD5
652cc67172f9c7acc36044cf12ed94c7

SHA1
9bda69a2d197e618371d79323d7d3020fec79ad3

SHA256
b632b92de4495c2db6d168f9d71df692cfdf5dbbc86d6b725b7645927093e549

SHA512
691bb92895352f4a0e6f1d97d62334586c6c69f91576c64dc2a65a855b1ed1888f0b02d89353a40d0cdfc563ce4fed4693d4f67f5897c05fc8c020329421456b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads