95c9856db7345eb39056df0a9e68ddf577f6f2fdf87d5dac8dd87cb2176e18c3

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 11:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe
Size

204KB
MD5

6bcceb78bd5826c94710b44be8adcaec
SHA1

e49c1bc2b159568b7a21474b52b60767b8031f38
SHA256

95c9856db7345eb39056df0a9e68ddf577f6f2fdf87d5dac8dd87cb2176e18c3
SHA512

83ad5c12c7b83c19b2ddc4c8cea61fbf8029c5fa02b9656dd759b86b6ae4b889f4c6214acab91fa4240c169ebdc0fb53df9280b21bf6ebeb76a81ef955b5d2be
SSDEEP

1536:1EGh0ool15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ool1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012324-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000013413-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15423CCE-C2D2-4546-B601-618409989F49}\stubpath = "C:\\Windows\\{15423CCE-C2D2-4546-B601-618409989F49}.exe"	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}\stubpath = "C:\\Windows\\{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe"	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{899D95BF-68B4-4d22-916A-549B7FDA9093}	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BB29306-8A8B-42a3-9E1B-9EC521445D8F}	{9E2DDCC3-F65F-4f9b-8C95-4DE6C3DB4FE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}	2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}\stubpath = "C:\\Windows\\{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe"	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15423CCE-C2D2-4546-B601-618409989F49}	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{483BA8A4-1EE6-44af-84EB-1035E9876C98}\stubpath = "C:\\Windows\\{483BA8A4-1EE6-44af-84EB-1035E9876C98}.exe"	{1BB29306-8A8B-42a3-9E1B-9EC521445D8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5150633-FD38-4852-B43B-6FAFE35C2CE5}\stubpath = "C:\\Windows\\{D5150633-FD38-4852-B43B-6FAFE35C2CE5}.exe"	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB70C419-F283-4723-A1C3-EA8405D8558B}	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}	{15423CCE-C2D2-4546-B601-618409989F49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{899D95BF-68B4-4d22-916A-549B7FDA9093}\stubpath = "C:\\Windows\\{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe"	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E2DDCC3-F65F-4f9b-8C95-4DE6C3DB4FE1}	{D5150633-FD38-4852-B43B-6FAFE35C2CE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{483BA8A4-1EE6-44af-84EB-1035E9876C98}	{1BB29306-8A8B-42a3-9E1B-9EC521445D8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5150633-FD38-4852-B43B-6FAFE35C2CE5}	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E2DDCC3-F65F-4f9b-8C95-4DE6C3DB4FE1}\stubpath = "C:\\Windows\\{9E2DDCC3-F65F-4f9b-8C95-4DE6C3DB4FE1}.exe"	{D5150633-FD38-4852-B43B-6FAFE35C2CE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BB29306-8A8B-42a3-9E1B-9EC521445D8F}\stubpath = "C:\\Windows\\{1BB29306-8A8B-42a3-9E1B-9EC521445D8F}.exe"	{9E2DDCC3-F65F-4f9b-8C95-4DE6C3DB4FE1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}\stubpath = "C:\\Windows\\{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe"	2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB70C419-F283-4723-A1C3-EA8405D8558B}\stubpath = "C:\\Windows\\{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe"	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}\stubpath = "C:\\Windows\\{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe"	{15423CCE-C2D2-4546-B601-618409989F49}.exe

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2532	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe
2652	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe
2632	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe
1148	{15423CCE-C2D2-4546-B601-618409989F49}.exe
2708	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe
1604	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe
284	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe
1260	{D5150633-FD38-4852-B43B-6FAFE35C2CE5}.exe
2712	{9E2DDCC3-F65F-4f9b-8C95-4DE6C3DB4FE1}.exe
608	{1BB29306-8A8B-42a3-9E1B-9EC521445D8F}.exe
2704	{483BA8A4-1EE6-44af-84EB-1035E9876C98}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe
File created	C:\Windows\{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe
File created	C:\Windows\{15423CCE-C2D2-4546-B601-618409989F49}.exe	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe
File created	C:\Windows\{D5150633-FD38-4852-B43B-6FAFE35C2CE5}.exe	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe
File created	C:\Windows\{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe	2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe
File created	C:\Windows\{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe
File created	C:\Windows\{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe
File created	C:\Windows\{9E2DDCC3-F65F-4f9b-8C95-4DE6C3DB4FE1}.exe	{D5150633-FD38-4852-B43B-6FAFE35C2CE5}.exe
File created	C:\Windows\{1BB29306-8A8B-42a3-9E1B-9EC521445D8F}.exe	{9E2DDCC3-F65F-4f9b-8C95-4DE6C3DB4FE1}.exe
File created	C:\Windows\{483BA8A4-1EE6-44af-84EB-1035E9876C98}.exe	{1BB29306-8A8B-42a3-9E1B-9EC521445D8F}.exe
File created	C:\Windows\{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe	{15423CCE-C2D2-4546-B601-618409989F49}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2880	2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2532	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe
Token: SeIncBasePriorityPrivilege	2652	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe
Token: SeIncBasePriorityPrivilege	2632	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe
Token: SeIncBasePriorityPrivilege	1148	{15423CCE-C2D2-4546-B601-618409989F49}.exe
Token: SeIncBasePriorityPrivilege	2708	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe
Token: SeIncBasePriorityPrivilege	1604	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe
Token: SeIncBasePriorityPrivilege	284	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe
Token: SeIncBasePriorityPrivilege	1260	{D5150633-FD38-4852-B43B-6FAFE35C2CE5}.exe
Token: SeIncBasePriorityPrivilege	2712	{9E2DDCC3-F65F-4f9b-8C95-4DE6C3DB4FE1}.exe
Token: SeIncBasePriorityPrivilege	608	{1BB29306-8A8B-42a3-9E1B-9EC521445D8F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2532	2880	2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe	28
PID 2880 wrote to memory of 2532	2880	2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe	28
PID 2880 wrote to memory of 2532	2880	2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe	28
PID 2880 wrote to memory of 2532	2880	2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe	28
PID 2880 wrote to memory of 2624	2880	2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe	29
PID 2880 wrote to memory of 2624	2880	2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe	29
PID 2880 wrote to memory of 2624	2880	2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe	29
PID 2880 wrote to memory of 2624	2880	2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe	29
PID 2532 wrote to memory of 2652	2532	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe	30
PID 2532 wrote to memory of 2652	2532	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe	30
PID 2532 wrote to memory of 2652	2532	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe	30
PID 2532 wrote to memory of 2652	2532	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe	30
PID 2532 wrote to memory of 2700	2532	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe	31
PID 2532 wrote to memory of 2700	2532	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe	31
PID 2532 wrote to memory of 2700	2532	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe	31
PID 2532 wrote to memory of 2700	2532	{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe	31
PID 2652 wrote to memory of 2632	2652	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe	32
PID 2652 wrote to memory of 2632	2652	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe	32
PID 2652 wrote to memory of 2632	2652	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe	32
PID 2652 wrote to memory of 2632	2652	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe	32
PID 2652 wrote to memory of 2408	2652	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe	33
PID 2652 wrote to memory of 2408	2652	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe	33
PID 2652 wrote to memory of 2408	2652	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe	33
PID 2652 wrote to memory of 2408	2652	{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe	33
PID 2632 wrote to memory of 1148	2632	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe	36
PID 2632 wrote to memory of 1148	2632	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe	36
PID 2632 wrote to memory of 1148	2632	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe	36
PID 2632 wrote to memory of 1148	2632	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe	36
PID 2632 wrote to memory of 2388	2632	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe	37
PID 2632 wrote to memory of 2388	2632	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe	37
PID 2632 wrote to memory of 2388	2632	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe	37
PID 2632 wrote to memory of 2388	2632	{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe	37
PID 1148 wrote to memory of 2708	1148	{15423CCE-C2D2-4546-B601-618409989F49}.exe	38
PID 1148 wrote to memory of 2708	1148	{15423CCE-C2D2-4546-B601-618409989F49}.exe	38
PID 1148 wrote to memory of 2708	1148	{15423CCE-C2D2-4546-B601-618409989F49}.exe	38
PID 1148 wrote to memory of 2708	1148	{15423CCE-C2D2-4546-B601-618409989F49}.exe	38
PID 1148 wrote to memory of 2320	1148	{15423CCE-C2D2-4546-B601-618409989F49}.exe	39
PID 1148 wrote to memory of 2320	1148	{15423CCE-C2D2-4546-B601-618409989F49}.exe	39
PID 1148 wrote to memory of 2320	1148	{15423CCE-C2D2-4546-B601-618409989F49}.exe	39
PID 1148 wrote to memory of 2320	1148	{15423CCE-C2D2-4546-B601-618409989F49}.exe	39
PID 2708 wrote to memory of 1604	2708	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe	40
PID 2708 wrote to memory of 1604	2708	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe	40
PID 2708 wrote to memory of 1604	2708	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe	40
PID 2708 wrote to memory of 1604	2708	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe	40
PID 2708 wrote to memory of 1800	2708	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe	41
PID 2708 wrote to memory of 1800	2708	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe	41
PID 2708 wrote to memory of 1800	2708	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe	41
PID 2708 wrote to memory of 1800	2708	{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe	41
PID 1604 wrote to memory of 284	1604	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe	42
PID 1604 wrote to memory of 284	1604	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe	42
PID 1604 wrote to memory of 284	1604	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe	42
PID 1604 wrote to memory of 284	1604	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe	42
PID 1604 wrote to memory of 1492	1604	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe	43
PID 1604 wrote to memory of 1492	1604	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe	43
PID 1604 wrote to memory of 1492	1604	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe	43
PID 1604 wrote to memory of 1492	1604	{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe	43
PID 284 wrote to memory of 1260	284	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe	44
PID 284 wrote to memory of 1260	284	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe	44
PID 284 wrote to memory of 1260	284	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe	44
PID 284 wrote to memory of 1260	284	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe	44
PID 284 wrote to memory of 2212	284	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe	45
PID 284 wrote to memory of 2212	284	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe	45
PID 284 wrote to memory of 2212	284	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe	45
PID 284 wrote to memory of 2212	284	{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-25_6bcceb78bd5826c94710b44be8adcaec_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe
  C:\Windows\{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe
    C:\Windows\{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe
      C:\Windows\{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{15423CCE-C2D2-4546-B601-618409989F49}.exe
        
        C:\Windows\{15423CCE-C2D2-4546-B601-618409989F49}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe
        
        C:\Windows\{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe
        
        C:\Windows\{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe
        
        C:\Windows\{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\{D5150633-FD38-4852-B43B-6FAFE35C2CE5}.exe
        
        C:\Windows\{D5150633-FD38-4852-B43B-6FAFE35C2CE5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\{9E2DDCC3-F65F-4f9b-8C95-4DE6C3DB4FE1}.exe
        
        C:\Windows\{9E2DDCC3-F65F-4f9b-8C95-4DE6C3DB4FE1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\{1BB29306-8A8B-42a3-9E1B-9EC521445D8F}.exe
        
        C:\Windows\{1BB29306-8A8B-42a3-9E1B-9EC521445D8F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\{483BA8A4-1EE6-44af-84EB-1035E9876C98}.exe
        
        C:\Windows\{483BA8A4-1EE6-44af-84EB-1035E9876C98}.exe
        12⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BB29~1.EXE > nul
        12⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E2DD~1.EXE > nul
        11⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5150~1.EXE > nul
        10⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{899D9~1.EXE > nul
        9⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{160A2~1.EXE > nul
        8⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39BF7~1.EXE > nul
        7⤵
        
        PID:1800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15423~1.EXE > nul
        6⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB70C~1.EXE > nul
        5⤵
        
        PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B6A1C~1.EXE > nul
      4⤵
      PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BC576~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15423CCE-C2D2-4546-B601-618409989F49}.exe

Filesize
204KB

MD5
95b9b64fb31b017ec0e83d48b5cc4be8

SHA1
aff0d2d94c14e6bcff8fcff0e45762e3acf616f5

SHA256
b668749f0ef3b9c33d821bd34f52b59e714367af35d647983295a1316f874de6

SHA512
595729298858eb8264f0435954fd135db6fabecf52a685d63bc4585d6493570010354c9d34f12133fd8f7b29b3c2e10a851c76de2a2c98e968c4a675f8896557

Download Submit
C:\Windows\{160A2D50-F3F8-44f0-AFAF-AE19597C6CB3}.exe

Filesize
204KB

MD5
7e61ac5377f2df56de65c25ef59f3383

SHA1
b65508e8c4c5255d8319322ab3d2ef47cd0f00c5

SHA256
902b588ded9887f0ea1c11b4782c1ceff7396017f688e1e9eff228ea63ceb3a5

SHA512
ab2201908fb248f0369f3b511c07482b0d1c859277f001c0f5bc3a969d2ccc691adacea635685623156193efdf33f3ac361ba302cbea046fb40eae0a5bcf810b

Download Submit
C:\Windows\{1BB29306-8A8B-42a3-9E1B-9EC521445D8F}.exe

Filesize
204KB

MD5
5b8a466c0fa0cfc4c4357133762744bd

SHA1
3fc30b152e3b452f259368d0ec7f6fe4a661a75e

SHA256
d120a7371e67d30106162321f62954a4ac7b90e1e16fe1d60d4053b5bafc4ace

SHA512
c86cfd7f96c28e577bdb1a91d6545dc5197a4e517724902f78b883ed857ffdcd8b87b1a474a52a20e5ee916131a727428bd40bd9e6794fe91a57014bc32bfd30

Download Submit
C:\Windows\{39BF7C59-8D4B-42a8-90F1-E97DA1B2DD9B}.exe

Filesize
204KB

MD5
d9ee97fab97aeabde2164651387eed26

SHA1
89f105145709a2e54a772dbd52c2cf163c328543

SHA256
bff554c7979bec481e839cc433d5528adb213e1e6bbb55dbe9564169486a44c0

SHA512
5c851ef737e74be6d7de1e474dd40d34166890ec066fca729fa68a5f4dd2c6113199d93cd995f79dbc7789017dfea2d5a4ea48b503c567c71a35fa842b5d7c20

Download Submit
C:\Windows\{483BA8A4-1EE6-44af-84EB-1035E9876C98}.exe

Filesize
204KB

MD5
de869e4a6c183b76eabd770d8621bc58

SHA1
29749cb228ce6a86bcb518da973d0b4df83078a0

SHA256
258f492ddfafccb9ae67e12c811f54ae05325cb0c7863e4c87160fd83356ddb0

SHA512
41ca0be564a6cf466cede377ee843125798711a0c54f8b1403faba2d4bfb446d56a0a33276b104e7c4de01438f26530103cd207b75c13fad57f8b8cc88594cf6

Download Submit
C:\Windows\{899D95BF-68B4-4d22-916A-549B7FDA9093}.exe

Filesize
204KB

MD5
e92563d6a5b6db0956651eadb2749a68

SHA1
905ce99b1a63b642fb6c99a1f0535c7fd8baa36c

SHA256
981cec66eb56a3df8d6525e6bd855aec5c68f677597f4aced5e94156c5c63a54

SHA512
d9a00d495d0d25393b1f588dab7c7c9dc3f05a9963405ca48ed87ece918deb1aed6fd8a73581839e1d1b05b644e920c3663cdf4b768c3d4d789a83c68403f2a7

Download Submit
C:\Windows\{9E2DDCC3-F65F-4f9b-8C95-4DE6C3DB4FE1}.exe

Filesize
204KB

MD5
12d4cfbeb17b35036e354b301a48f345

SHA1
f53407b57730718de96bd43285e3dd6204117aa2

SHA256
a61499b8782f00f30d0a988cd497d3d8d78d78dafd7d67c70ad67cfbc6bbd14e

SHA512
ffbac26855096449eefba0cf0452677932b2355b695bbb261d0f3316ba25153a7a1670253dfff0962e09fd26d524383137cb191091b7ff9e8b701aed6d977da1

Download Submit
C:\Windows\{B6A1CA81-9411-41e8-8C94-0FCF9A3625FE}.exe

Filesize
204KB

MD5
639cb6105e3f801de4d072235c50b259

SHA1
0ee8b7332a2c3712e592d5d709b3a38532f12a98

SHA256
0170ddc85a2f7cc297b58e725a7316654bb52a1d8ad203ae01d86914a6bb9fd2

SHA512
f8df37bff53aea5a1fd1da2164077e232dad2aaa7442ae47b5929d10656eeb5247700ed2735ff8eb060d028e670f3763d0da409db170f1384d553cec4629188e

Download Submit
C:\Windows\{BC576AC7-46F4-4b71-A075-7DC5E61DB6E2}.exe

Filesize
204KB

MD5
a67e8fb87425853b2cbe42a44fdac29a

SHA1
de06948f4b51aae9692e28fa2740d7cfd762e64c

SHA256
7f3d7dbf87a2d1388a00720a667ace1a66fcb6beb5f64acc458c496d55bd5014

SHA512
e2563a20ad5ece2ded8326e2e444da43f18cc856b09db98e495ff3467510e52c5f80362e569f247e3fb23675f88c8fd0c11cefe10d7a584ab81074d4ad59b1fe

Download Submit
C:\Windows\{CB70C419-F283-4723-A1C3-EA8405D8558B}.exe

Filesize
204KB

MD5
996f4c37eafd27262e6a56b2e9b32f7d

SHA1
c45f7bc9277ef0bc6ffa49a1dd5f4dc1dbb08697

SHA256
632984e68027644db58e9f07101ab4e269be13e35ed2ca6f56ae215665330ccf

SHA512
f5d67e25f51116d55fcec0c133ab28e518f40a7235cd6242074634b6b31bb2b0a5a52ce9c4387fe2ff4371a5698e4e27455387d71b3e8b38424e70288d05088d

Download Submit
C:\Windows\{D5150633-FD38-4852-B43B-6FAFE35C2CE5}.exe

Filesize
204KB

MD5
11525beda876c24a863702ae2c8b40b0

SHA1
7a39da5e5e3c50847c8c548a465b92e1cdfcdef3

SHA256
1d368c93f3808c586e8ffaaaa79a4532c460ef3a8b041d2e3525a5ff25108a49

SHA512
158748d2da2500a37b41b70bfb68f735dc3a203107b35e7935626de11f55779d19667b1744ad18350dda661c5af74ba4ffc49c0b01a77507ebf04efd44f9b02f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads