72ae3839516c476e41712f06a554a9f52d5399529aaaf4ae3f2ef60a0d1e5f04

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe
Size

197KB
MD5

a9ef100867ef5bde12ac04ad058932c9
SHA1

1a9360fb189e483c0077ae8c8da11c62e1c292a0
SHA256

72ae3839516c476e41712f06a554a9f52d5399529aaaf4ae3f2ef60a0d1e5f04
SHA512

cc7be695d0902a386f560268f9e64b936d9c65d70fe374f02615cb6c11134a2bc540dfabddc103879e8990c493b95c7ecd2bcf9a0a26e9f4e639ecdb9d18f525
SSDEEP

3072:jEGh0ofl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGVlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012674-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000014207-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224d-55.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001224d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E43DB19-189A-4fef-85AE-8FCF4C41758C}	2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CEEA932-7641-481a-88DA-EEA497C85218}	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CEEA932-7641-481a-88DA-EEA497C85218}\stubpath = "C:\\Windows\\{4CEEA932-7641-481a-88DA-EEA497C85218}.exe"	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0939CABF-5F3A-40f9-8008-B4820AFEA7BC}	{95F6B294-DB09-4f21-9229-242F37E2189B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA89D2DA-2158-4fd3-BA86-49C896048EC3}	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA89D2DA-2158-4fd3-BA86-49C896048EC3}\stubpath = "C:\\Windows\\{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe"	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}\stubpath = "C:\\Windows\\{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe"	{66889307-172C-45ce-8066-F1B309ECB60E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F0F218C-4058-4471-B79A-F7BA8832235E}	{57516514-EFF9-4929-BFC1-489A7D675214}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95F6B294-DB09-4f21-9229-242F37E2189B}\stubpath = "C:\\Windows\\{95F6B294-DB09-4f21-9229-242F37E2189B}.exe"	{6F0F218C-4058-4471-B79A-F7BA8832235E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CCD5F48-5532-423a-912A-FD6FFBE758ED}	{0939CABF-5F3A-40f9-8008-B4820AFEA7BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CCD5F48-5532-423a-912A-FD6FFBE758ED}\stubpath = "C:\\Windows\\{1CCD5F48-5532-423a-912A-FD6FFBE758ED}.exe"	{0939CABF-5F3A-40f9-8008-B4820AFEA7BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}\stubpath = "C:\\Windows\\{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe"	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66889307-172C-45ce-8066-F1B309ECB60E}\stubpath = "C:\\Windows\\{66889307-172C-45ce-8066-F1B309ECB60E}.exe"	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}	{66889307-172C-45ce-8066-F1B309ECB60E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57516514-EFF9-4929-BFC1-489A7D675214}\stubpath = "C:\\Windows\\{57516514-EFF9-4929-BFC1-489A7D675214}.exe"	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F0F218C-4058-4471-B79A-F7BA8832235E}\stubpath = "C:\\Windows\\{6F0F218C-4058-4471-B79A-F7BA8832235E}.exe"	{57516514-EFF9-4929-BFC1-489A7D675214}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95F6B294-DB09-4f21-9229-242F37E2189B}	{6F0F218C-4058-4471-B79A-F7BA8832235E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E43DB19-189A-4fef-85AE-8FCF4C41758C}\stubpath = "C:\\Windows\\{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe"	2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66889307-172C-45ce-8066-F1B309ECB60E}	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57516514-EFF9-4929-BFC1-489A7D675214}	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0939CABF-5F3A-40f9-8008-B4820AFEA7BC}\stubpath = "C:\\Windows\\{0939CABF-5F3A-40f9-8008-B4820AFEA7BC}.exe"	{95F6B294-DB09-4f21-9229-242F37E2189B}.exe

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2872	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe
2648	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe
2408	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe
2304	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe
2724	{66889307-172C-45ce-8066-F1B309ECB60E}.exe
840	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe
1256	{57516514-EFF9-4929-BFC1-489A7D675214}.exe
1656	{6F0F218C-4058-4471-B79A-F7BA8832235E}.exe
2260	{95F6B294-DB09-4f21-9229-242F37E2189B}.exe
380	{0939CABF-5F3A-40f9-8008-B4820AFEA7BC}.exe
948	{1CCD5F48-5532-423a-912A-FD6FFBE758ED}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{57516514-EFF9-4929-BFC1-489A7D675214}.exe	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe
File created	C:\Windows\{1CCD5F48-5532-423a-912A-FD6FFBE758ED}.exe	{0939CABF-5F3A-40f9-8008-B4820AFEA7BC}.exe
File created	C:\Windows\{4CEEA932-7641-481a-88DA-EEA497C85218}.exe	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe
File created	C:\Windows\{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe
File created	C:\Windows\{66889307-172C-45ce-8066-F1B309ECB60E}.exe	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe
File created	C:\Windows\{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe	{66889307-172C-45ce-8066-F1B309ECB60E}.exe
File created	C:\Windows\{6F0F218C-4058-4471-B79A-F7BA8832235E}.exe	{57516514-EFF9-4929-BFC1-489A7D675214}.exe
File created	C:\Windows\{95F6B294-DB09-4f21-9229-242F37E2189B}.exe	{6F0F218C-4058-4471-B79A-F7BA8832235E}.exe
File created	C:\Windows\{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe	2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe
File created	C:\Windows\{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe
File created	C:\Windows\{0939CABF-5F3A-40f9-8008-B4820AFEA7BC}.exe	{95F6B294-DB09-4f21-9229-242F37E2189B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2992	2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2872	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe
Token: SeIncBasePriorityPrivilege	2648	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe
Token: SeIncBasePriorityPrivilege	2408	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe
Token: SeIncBasePriorityPrivilege	2304	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe
Token: SeIncBasePriorityPrivilege	2724	{66889307-172C-45ce-8066-F1B309ECB60E}.exe
Token: SeIncBasePriorityPrivilege	840	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe
Token: SeIncBasePriorityPrivilege	1256	{57516514-EFF9-4929-BFC1-489A7D675214}.exe
Token: SeIncBasePriorityPrivilege	1656	{6F0F218C-4058-4471-B79A-F7BA8832235E}.exe
Token: SeIncBasePriorityPrivilege	2260	{95F6B294-DB09-4f21-9229-242F37E2189B}.exe
Token: SeIncBasePriorityPrivilege	380	{0939CABF-5F3A-40f9-8008-B4820AFEA7BC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2872	2992	2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe	28
PID 2992 wrote to memory of 2872	2992	2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe	28
PID 2992 wrote to memory of 2872	2992	2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe	28
PID 2992 wrote to memory of 2872	2992	2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe	28
PID 2992 wrote to memory of 2520	2992	2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe	29
PID 2992 wrote to memory of 2520	2992	2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe	29
PID 2992 wrote to memory of 2520	2992	2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe	29
PID 2992 wrote to memory of 2520	2992	2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe	29
PID 2872 wrote to memory of 2648	2872	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe	30
PID 2872 wrote to memory of 2648	2872	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe	30
PID 2872 wrote to memory of 2648	2872	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe	30
PID 2872 wrote to memory of 2648	2872	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe	30
PID 2872 wrote to memory of 2392	2872	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe	31
PID 2872 wrote to memory of 2392	2872	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe	31
PID 2872 wrote to memory of 2392	2872	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe	31
PID 2872 wrote to memory of 2392	2872	{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe	31
PID 2648 wrote to memory of 2408	2648	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe	32
PID 2648 wrote to memory of 2408	2648	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe	32
PID 2648 wrote to memory of 2408	2648	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe	32
PID 2648 wrote to memory of 2408	2648	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe	32
PID 2648 wrote to memory of 2432	2648	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe	33
PID 2648 wrote to memory of 2432	2648	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe	33
PID 2648 wrote to memory of 2432	2648	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe	33
PID 2648 wrote to memory of 2432	2648	{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe	33
PID 2408 wrote to memory of 2304	2408	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe	36
PID 2408 wrote to memory of 2304	2408	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe	36
PID 2408 wrote to memory of 2304	2408	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe	36
PID 2408 wrote to memory of 2304	2408	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe	36
PID 2408 wrote to memory of 1776	2408	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe	37
PID 2408 wrote to memory of 1776	2408	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe	37
PID 2408 wrote to memory of 1776	2408	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe	37
PID 2408 wrote to memory of 1776	2408	{4CEEA932-7641-481a-88DA-EEA497C85218}.exe	37
PID 2304 wrote to memory of 2724	2304	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe	38
PID 2304 wrote to memory of 2724	2304	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe	38
PID 2304 wrote to memory of 2724	2304	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe	38
PID 2304 wrote to memory of 2724	2304	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe	38
PID 2304 wrote to memory of 2760	2304	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe	39
PID 2304 wrote to memory of 2760	2304	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe	39
PID 2304 wrote to memory of 2760	2304	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe	39
PID 2304 wrote to memory of 2760	2304	{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe	39
PID 2724 wrote to memory of 840	2724	{66889307-172C-45ce-8066-F1B309ECB60E}.exe	40
PID 2724 wrote to memory of 840	2724	{66889307-172C-45ce-8066-F1B309ECB60E}.exe	40
PID 2724 wrote to memory of 840	2724	{66889307-172C-45ce-8066-F1B309ECB60E}.exe	40
PID 2724 wrote to memory of 840	2724	{66889307-172C-45ce-8066-F1B309ECB60E}.exe	40
PID 2724 wrote to memory of 2216	2724	{66889307-172C-45ce-8066-F1B309ECB60E}.exe	41
PID 2724 wrote to memory of 2216	2724	{66889307-172C-45ce-8066-F1B309ECB60E}.exe	41
PID 2724 wrote to memory of 2216	2724	{66889307-172C-45ce-8066-F1B309ECB60E}.exe	41
PID 2724 wrote to memory of 2216	2724	{66889307-172C-45ce-8066-F1B309ECB60E}.exe	41
PID 840 wrote to memory of 1256	840	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe	42
PID 840 wrote to memory of 1256	840	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe	42
PID 840 wrote to memory of 1256	840	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe	42
PID 840 wrote to memory of 1256	840	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe	42
PID 840 wrote to memory of 1408	840	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe	43
PID 840 wrote to memory of 1408	840	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe	43
PID 840 wrote to memory of 1408	840	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe	43
PID 840 wrote to memory of 1408	840	{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe	43
PID 1256 wrote to memory of 1656	1256	{57516514-EFF9-4929-BFC1-489A7D675214}.exe	44
PID 1256 wrote to memory of 1656	1256	{57516514-EFF9-4929-BFC1-489A7D675214}.exe	44
PID 1256 wrote to memory of 1656	1256	{57516514-EFF9-4929-BFC1-489A7D675214}.exe	44
PID 1256 wrote to memory of 1656	1256	{57516514-EFF9-4929-BFC1-489A7D675214}.exe	44
PID 1256 wrote to memory of 1760	1256	{57516514-EFF9-4929-BFC1-489A7D675214}.exe	45
PID 1256 wrote to memory of 1760	1256	{57516514-EFF9-4929-BFC1-489A7D675214}.exe	45
PID 1256 wrote to memory of 1760	1256	{57516514-EFF9-4929-BFC1-489A7D675214}.exe	45
PID 1256 wrote to memory of 1760	1256	{57516514-EFF9-4929-BFC1-489A7D675214}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_a9ef100867ef5bde12ac04ad058932c9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe
  C:\Windows\{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe
    C:\Windows\{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\{4CEEA932-7641-481a-88DA-EEA497C85218}.exe
      C:\Windows\{4CEEA932-7641-481a-88DA-EEA497C85218}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe
        
        C:\Windows\{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\{66889307-172C-45ce-8066-F1B309ECB60E}.exe
        
        C:\Windows\{66889307-172C-45ce-8066-F1B309ECB60E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe
        
        C:\Windows\{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\{57516514-EFF9-4929-BFC1-489A7D675214}.exe
        
        C:\Windows\{57516514-EFF9-4929-BFC1-489A7D675214}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\{6F0F218C-4058-4471-B79A-F7BA8832235E}.exe
        
        C:\Windows\{6F0F218C-4058-4471-B79A-F7BA8832235E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\{95F6B294-DB09-4f21-9229-242F37E2189B}.exe
        
        C:\Windows\{95F6B294-DB09-4f21-9229-242F37E2189B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\{0939CABF-5F3A-40f9-8008-B4820AFEA7BC}.exe
        
        C:\Windows\{0939CABF-5F3A-40f9-8008-B4820AFEA7BC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\{1CCD5F48-5532-423a-912A-FD6FFBE758ED}.exe
        
        C:\Windows\{1CCD5F48-5532-423a-912A-FD6FFBE758ED}.exe
        12⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0939C~1.EXE > nul
        12⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95F6B~1.EXE > nul
        11⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F0F2~1.EXE > nul
        10⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57516~1.EXE > nul
        9⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB0A9~1.EXE > nul
        8⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66889~1.EXE > nul
        7⤵
        
        PID:2216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA89D~1.EXE > nul
        6⤵
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CEEA~1.EXE > nul
        5⤵
        
        PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8A58C~1.EXE > nul
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0E43D~1.EXE > nul
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0939CABF-5F3A-40f9-8008-B4820AFEA7BC}.exe

Filesize
197KB

MD5
98b68855499de6260bffb87dbd6c0246

SHA1
edafff1eb34b3c3dd4b318897c2bb931fe47c5d0

SHA256
16616d0262fa5c6968ba7e2e7513e94ac182fccc1af6fd50d43233c37991df6f

SHA512
12008231f5cab93962555d3ebe310271d03b0327a23a3606f60ac889e5f9872bb55804d97a99dd5d8d90a02fff1446bddb6d919065f77bfe745927f97a4451e8

Download Submit
C:\Windows\{0E43DB19-189A-4fef-85AE-8FCF4C41758C}.exe

Filesize
197KB

MD5
fe61d214fc8d463113e1486c99bed4d5

SHA1
82ca4c2256d4391ea388b137ca860ecbf31cc76e

SHA256
fff4e3242fc2b215ae8da53e6ae3c740628ebde1f068834eb4c90622e3cde4ef

SHA512
07f77f2d8262129c5a6ea41f724433f9db6f7fc213404e8015f703e29c76e7ab3bc83b4d684bdd5097b5e41ed91aa3c667d6aeaedc6cb8cdd00b6e9450df00f1

Download Submit
C:\Windows\{1CCD5F48-5532-423a-912A-FD6FFBE758ED}.exe

Filesize
197KB

MD5
0cc53d9b25dff2c261896a09329b5286

SHA1
304a47b1c5c7e5a9916a74cb92765949c666f7e5

SHA256
482a3ff01feeda9c9cd0a215040768f5868b37d6c7c14a4843e5681f3d044f24

SHA512
f460db45a66aa0fbcc9dfc1cd1a695939c7068295894b64fcc8f8f15315f011ab4528ea30b012cfebb075ed8e7d830a6901eccadb378af851693b74b4bb0ac0f

Download Submit
C:\Windows\{4CEEA932-7641-481a-88DA-EEA497C85218}.exe

Filesize
197KB

MD5
6a441d628d9922e5002b6d63a034e3b6

SHA1
558e4dd5ab68eecf4459435d37bbcc1ebb3616d7

SHA256
1daac80b63bcffc20d129a2dcc8cf98e1f5ad19c5747a37f83f229a9f169fec3

SHA512
e2b36f60910eb47ef2d55193470ba0664bf9dc1cda00a1bc0c9b2c52cc70c1d097a3354d251e9fed922fafd28a8bbe99631adc38717d70585840aa0957007303

Download Submit
C:\Windows\{57516514-EFF9-4929-BFC1-489A7D675214}.exe

Filesize
197KB

MD5
0391caa4076eba8de38b1ceef083701d

SHA1
fb59ad70b750545a964bc0a0541dece65f31cbc6

SHA256
bc33bb0113c0dba82b43273c4bebb1c62bbf537169ea1721a73947ecf9fca56a

SHA512
23d8a4af250b3536445952dcfc550b9f767eb98eee85c8d6cffcfe0f80399b3e8852007c0427e692ac45ceadfbe0c666863675eb31a4da4214a6f59014a07ccd

Download Submit
C:\Windows\{66889307-172C-45ce-8066-F1B309ECB60E}.exe

Filesize
197KB

MD5
a52c30691adfcaadce57b0b99299e548

SHA1
4b69dc100a1d2dc3d4f8c2a6bc0c3598b109b06c

SHA256
0fca7d025e8591e6531d6acbd7534fa639bd07cba5ba5ab516e9ec54dcea6fb5

SHA512
9fe39e35c0e7be4b9a7e8cee2ff4cd384a3c8bf24c3ce9f0143b74cfd218fe774a9210564256edd83c60680d5d60bb5291cc1bc488ac9737de80929557cb7bc2

Download Submit
C:\Windows\{6F0F218C-4058-4471-B79A-F7BA8832235E}.exe

Filesize
197KB

MD5
f35635a30ab324a701cb90109543235e

SHA1
cf0ef2e3718b467c8280504185c4bad5b3808be0

SHA256
faea59b77840203564d34313a512b366c5d4981c3156590026afe2168473d9ab

SHA512
1be5aceff82d85606af1167a22cb07ca7ce9dd29d16c0c6babded151ea0677f96eaf2742357ad460cb1cc5a63e7c9d6ea2fba1126e2e6913e05ff7544bf8a996

Download Submit
C:\Windows\{6F0F218C-4058-4471-B79A-F7BA8832235E}.exe

Filesize
187KB

MD5
bc9452d72115138894a0b06d24a29141

SHA1
72eb27d6da57cb2453201c7802770ed993e38c8e

SHA256
b33588d313e6a678045d3f83135b3d2ca8414b629939216d1637d30a344b2720

SHA512
fd4abc30af5e6acc3b0a2f294b4c46916684403cff6f7e6762355d2f7f15d6501f5c046b37398f9de6ff22e5f7338546136c8a58181f050c60a00dbb8498e30f

Download Submit
C:\Windows\{8A58C973-9C12-4b70-B0D0-53EA1FAE4C86}.exe

Filesize
197KB

MD5
a661257ca4b6d9eb744264fb66955d0f

SHA1
2b6ff80e4cc3118ae7801855ffb1701126b3d813

SHA256
ffe49a3b0eaa7a5d454e31513479b28fdfd051009bedc7e15783509f234066b1

SHA512
d41f74b306ef1115ed744351893fa99300f7ef71f7a94f4cd33d05bbd0786c5037a25a537f2600065f043d0de858062d098079a6c8e1613a0ec2866708e0ba77

Download Submit
C:\Windows\{95F6B294-DB09-4f21-9229-242F37E2189B}.exe

Filesize
197KB

MD5
c9ab19b5c681ed21e93ef388ab01605b

SHA1
4ca77dc76faebde09c90472f692dbbb227e8c269

SHA256
72e803ac904b90faff7120de96da00cf70cc5774aabdaf44162e7cfcef1f7a79

SHA512
833a8a72786720ef9ca55b01779b15a4b70c28a4e9cbc488a74f5929136e87480d6aeaff318707b207f30f9406c804cf138ecdfd37a37002e936c9d3805f401b

Download Submit
C:\Windows\{EB0A931C-AF3F-4aaa-A4F1-7A6CF3366D71}.exe

Filesize
197KB

MD5
a62214d0317f829170c50f6216590917

SHA1
d017b361a59dc4ec471d458a99903385a6c961ab

SHA256
f76e2f42120a53640351ee1d7e2cd0986763a8b526d6d01b56fa199afb91e0ae

SHA512
2301f26f41dd4df6885528cfa1d451f2e204681eef369aec5ebaefc6fba9d9803929fb565295e944b14155557425a0ba048d99cd8f345bccfe176247604414f2

Download Submit
C:\Windows\{FA89D2DA-2158-4fd3-BA86-49C896048EC3}.exe

Filesize
197KB

MD5
5107b16851a1baaa867e32ef3631202b

SHA1
569bd0d1c5acea405be9dcde4ab5a0535a2151ea

SHA256
bac1119a6a8774e8a5acfd501b306536321b2e1bd81af6755897f99c221b81c7

SHA512
afbbdabd3fd063dce1d5c4af377f38b64e259901cf565a0220b3be5f518c17970ee36e1be85c9266b2f53473e58f39fc1fb05259cc52824d0104b26b1bfdaef3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads