0920cc1e39f5bedceb6666b7d3350de31d2dfd7e1de32b0da5df4d589f4a111c

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-03-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe
Size

344KB
MD5

c9b52e528fd861128138e0586f9c001d
SHA1

89ccf5d4d10daa19fd90fdb9993c08223f739843
SHA256

0920cc1e39f5bedceb6666b7d3350de31d2dfd7e1de32b0da5df4d589f4a111c
SHA512

2e39abc354c763c7f6119dc8229d4a1dac16df85de9c6d58c9c9e46e54468654e0ca3dc7314fefbf79159d93fa29056388f67fcde01a6223deed89c06a91979a
SSDEEP

3072:mEGh0oYlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGalqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012256-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00070000000122cd-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012256-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000013a45-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012256-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000013a45-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000013a45-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}	2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{578CC763-8D66-4593-B559-7B9403CCDCD0}\stubpath = "C:\\Windows\\{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe"	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4003619-1198-4037-8F53-3F1033146F5D}\stubpath = "C:\\Windows\\{C4003619-1198-4037-8F53-3F1033146F5D}.exe"	{E0BE1DCF-C64B-4154-8E47-9BB8A0C60BE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{704F20BB-09AE-4587-8521-E96ECA26C073}\stubpath = "C:\\Windows\\{704F20BB-09AE-4587-8521-E96ECA26C073}.exe"	{678CF679-148F-4af0-8323-B9B5FF429E1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63BC043E-F35F-4a30-B646-194B4C1DFCC1}\stubpath = "C:\\Windows\\{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe"	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B40045E-72E9-45f8-93BE-1581472296BD}	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B40045E-72E9-45f8-93BE-1581472296BD}\stubpath = "C:\\Windows\\{7B40045E-72E9-45f8-93BE-1581472296BD}.exe"	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39F1BF29-009E-4afe-9D7A-5E652431DB64}	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0BE1DCF-C64B-4154-8E47-9BB8A0C60BE6}\stubpath = "C:\\Windows\\{E0BE1DCF-C64B-4154-8E47-9BB8A0C60BE6}.exe"	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{678CF679-148F-4af0-8323-B9B5FF429E1A}\stubpath = "C:\\Windows\\{678CF679-148F-4af0-8323-B9B5FF429E1A}.exe"	{C4003619-1198-4037-8F53-3F1033146F5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63BC043E-F35F-4a30-B646-194B4C1DFCC1}	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}\stubpath = "C:\\Windows\\{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe"	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4003619-1198-4037-8F53-3F1033146F5D}	{E0BE1DCF-C64B-4154-8E47-9BB8A0C60BE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{704F20BB-09AE-4587-8521-E96ECA26C073}	{678CF679-148F-4af0-8323-B9B5FF429E1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}\stubpath = "C:\\Windows\\{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe"	2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{578CC763-8D66-4593-B559-7B9403CCDCD0}	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0042FD64-0C28-4c5c-959D-1BFF3B08684E}	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0042FD64-0C28-4c5c-959D-1BFF3B08684E}\stubpath = "C:\\Windows\\{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe"	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39F1BF29-009E-4afe-9D7A-5E652431DB64}\stubpath = "C:\\Windows\\{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe"	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0BE1DCF-C64B-4154-8E47-9BB8A0C60BE6}	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{678CF679-148F-4af0-8323-B9B5FF429E1A}	{C4003619-1198-4037-8F53-3F1033146F5D}.exe

Deletes itself 1 IoCs

pid	Process
2260	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1724	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe
1276	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe
2560	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe
2500	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe
2484	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe
2700	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe
1860	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe
2720	{E0BE1DCF-C64B-4154-8E47-9BB8A0C60BE6}.exe
2892	{C4003619-1198-4037-8F53-3F1033146F5D}.exe
2200	{678CF679-148F-4af0-8323-B9B5FF429E1A}.exe
588	{704F20BB-09AE-4587-8521-E96ECA26C073}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe
File created	C:\Windows\{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe
File created	C:\Windows\{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe
File created	C:\Windows\{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe
File created	C:\Windows\{E0BE1DCF-C64B-4154-8E47-9BB8A0C60BE6}.exe	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe
File created	C:\Windows\{C4003619-1198-4037-8F53-3F1033146F5D}.exe	{E0BE1DCF-C64B-4154-8E47-9BB8A0C60BE6}.exe
File created	C:\Windows\{678CF679-148F-4af0-8323-B9B5FF429E1A}.exe	{C4003619-1198-4037-8F53-3F1033146F5D}.exe
File created	C:\Windows\{704F20BB-09AE-4587-8521-E96ECA26C073}.exe	{678CF679-148F-4af0-8323-B9B5FF429E1A}.exe
File created	C:\Windows\{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe	2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe
File created	C:\Windows\{7B40045E-72E9-45f8-93BE-1581472296BD}.exe	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe
File created	C:\Windows\{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2176	2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1724	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe
Token: SeIncBasePriorityPrivilege	1276	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe
Token: SeIncBasePriorityPrivilege	2560	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe
Token: SeIncBasePriorityPrivilege	2500	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe
Token: SeIncBasePriorityPrivilege	2484	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe
Token: SeIncBasePriorityPrivilege	2700	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe
Token: SeIncBasePriorityPrivilege	1860	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe
Token: SeIncBasePriorityPrivilege	2720	{E0BE1DCF-C64B-4154-8E47-9BB8A0C60BE6}.exe
Token: SeIncBasePriorityPrivilege	2892	{C4003619-1198-4037-8F53-3F1033146F5D}.exe
Token: SeIncBasePriorityPrivilege	2200	{678CF679-148F-4af0-8323-B9B5FF429E1A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1724	2176	2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe	28
PID 2176 wrote to memory of 1724	2176	2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe	28
PID 2176 wrote to memory of 1724	2176	2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe	28
PID 2176 wrote to memory of 1724	2176	2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe	28
PID 2176 wrote to memory of 2260	2176	2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe	29
PID 2176 wrote to memory of 2260	2176	2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe	29
PID 2176 wrote to memory of 2260	2176	2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe	29
PID 2176 wrote to memory of 2260	2176	2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe	29
PID 1724 wrote to memory of 1276	1724	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe	30
PID 1724 wrote to memory of 1276	1724	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe	30
PID 1724 wrote to memory of 1276	1724	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe	30
PID 1724 wrote to memory of 1276	1724	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe	30
PID 1724 wrote to memory of 2928	1724	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe	31
PID 1724 wrote to memory of 2928	1724	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe	31
PID 1724 wrote to memory of 2928	1724	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe	31
PID 1724 wrote to memory of 2928	1724	{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe	31
PID 1276 wrote to memory of 2560	1276	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe	32
PID 1276 wrote to memory of 2560	1276	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe	32
PID 1276 wrote to memory of 2560	1276	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe	32
PID 1276 wrote to memory of 2560	1276	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe	32
PID 1276 wrote to memory of 2648	1276	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe	33
PID 1276 wrote to memory of 2648	1276	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe	33
PID 1276 wrote to memory of 2648	1276	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe	33
PID 1276 wrote to memory of 2648	1276	{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe	33
PID 2560 wrote to memory of 2500	2560	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe	36
PID 2560 wrote to memory of 2500	2560	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe	36
PID 2560 wrote to memory of 2500	2560	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe	36
PID 2560 wrote to memory of 2500	2560	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe	36
PID 2560 wrote to memory of 2476	2560	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe	37
PID 2560 wrote to memory of 2476	2560	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe	37
PID 2560 wrote to memory of 2476	2560	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe	37
PID 2560 wrote to memory of 2476	2560	{7B40045E-72E9-45f8-93BE-1581472296BD}.exe	37
PID 2500 wrote to memory of 2484	2500	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe	38
PID 2500 wrote to memory of 2484	2500	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe	38
PID 2500 wrote to memory of 2484	2500	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe	38
PID 2500 wrote to memory of 2484	2500	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe	38
PID 2500 wrote to memory of 2884	2500	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe	39
PID 2500 wrote to memory of 2884	2500	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe	39
PID 2500 wrote to memory of 2884	2500	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe	39
PID 2500 wrote to memory of 2884	2500	{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe	39
PID 2484 wrote to memory of 2700	2484	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe	40
PID 2484 wrote to memory of 2700	2484	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe	40
PID 2484 wrote to memory of 2700	2484	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe	40
PID 2484 wrote to memory of 2700	2484	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe	40
PID 2484 wrote to memory of 1676	2484	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe	41
PID 2484 wrote to memory of 1676	2484	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe	41
PID 2484 wrote to memory of 1676	2484	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe	41
PID 2484 wrote to memory of 1676	2484	{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe	41
PID 2700 wrote to memory of 1860	2700	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe	42
PID 2700 wrote to memory of 1860	2700	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe	42
PID 2700 wrote to memory of 1860	2700	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe	42
PID 2700 wrote to memory of 1860	2700	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe	42
PID 2700 wrote to memory of 2600	2700	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe	43
PID 2700 wrote to memory of 2600	2700	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe	43
PID 2700 wrote to memory of 2600	2700	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe	43
PID 2700 wrote to memory of 2600	2700	{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe	43
PID 1860 wrote to memory of 2720	1860	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe	44
PID 1860 wrote to memory of 2720	1860	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe	44
PID 1860 wrote to memory of 2720	1860	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe	44
PID 1860 wrote to memory of 2720	1860	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe	44
PID 1860 wrote to memory of 1620	1860	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe	45
PID 1860 wrote to memory of 1620	1860	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe	45
PID 1860 wrote to memory of 1620	1860	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe	45
PID 1860 wrote to memory of 1620	1860	{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_c9b52e528fd861128138e0586f9c001d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe
  C:\Windows\{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe
    C:\Windows\{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\{7B40045E-72E9-45f8-93BE-1581472296BD}.exe
      C:\Windows\{7B40045E-72E9-45f8-93BE-1581472296BD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe
        
        C:\Windows\{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe
        
        C:\Windows\{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe
        
        C:\Windows\{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe
        
        C:\Windows\{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\{E0BE1DCF-C64B-4154-8E47-9BB8A0C60BE6}.exe
        
        C:\Windows\{E0BE1DCF-C64B-4154-8E47-9BB8A0C60BE6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\{C4003619-1198-4037-8F53-3F1033146F5D}.exe
        
        C:\Windows\{C4003619-1198-4037-8F53-3F1033146F5D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\{678CF679-148F-4af0-8323-B9B5FF429E1A}.exe
        
        C:\Windows\{678CF679-148F-4af0-8323-B9B5FF429E1A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\{704F20BB-09AE-4587-8521-E96ECA26C073}.exe
        
        C:\Windows\{704F20BB-09AE-4587-8521-E96ECA26C073}.exe
        12⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{678CF~1.EXE > nul
        12⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4003~1.EXE > nul
        11⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0BE1~1.EXE > nul
        10⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39F1B~1.EXE > nul
        9⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{971CC~1.EXE > nul
        8⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0042F~1.EXE > nul
        7⤵
        
        PID:1676
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{578CC~1.EXE > nul
        6⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B400~1.EXE > nul
        5⤵
        
        PID:2476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{63BC0~1.EXE > nul
      4⤵
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7B46~1.EXE > nul
    3⤵
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0042FD64-0C28-4c5c-959D-1BFF3B08684E}.exe

Filesize
344KB

MD5
0dd1b6cfa19323fc05b0c81bfe3181e3

SHA1
bca41825fb2213f78f3acad685598016ae60150f

SHA256
4914a99b8ab340d03750a8bb0726386e1e3f430118158afbd3744bba9770b682

SHA512
61e506301005bb039c840b5579f4910fc19475c50da27df58e40de1eceb4cee53c1ff931527b79578173d578b774970253f14e5c3cfa524ad6aeba6f91116502

Download Submit
C:\Windows\{39F1BF29-009E-4afe-9D7A-5E652431DB64}.exe

Filesize
344KB

MD5
1d277766ed89b78f1869a5684f51af72

SHA1
3353259ecf0c104c3a0b4ebf323f563c2d7b2d96

SHA256
886a88fd53676b3e3e3e3124614001d42a7241d129f3869edfd465be5c879210

SHA512
cd0e3bb3d081cb538e4070249e000c22cfec491cc4b9ab542b97bb13ad7e2ab37b4ca8971dbbaee5b9f2656b7b1ce4af4ed78cb5fd48dcd980427aae93167954

Download Submit
C:\Windows\{578CC763-8D66-4593-B559-7B9403CCDCD0}.exe

Filesize
344KB

MD5
290684777380fe211fbb4704c2f1a916

SHA1
03ca3db76aaf8626c88ea7541d52da79f31a0b7b

SHA256
39d91476bfa04a19be38060b73b3b6568aab270fbe1fa8e5c38e79ce7c4530bf

SHA512
7ddf0f2e82e47d0f8c21905a6d4018543026b31884e5ce3950352245b8682ba83edbdbba30c9299cf63ab5f7c301dca49f7696849f6b333e4cee8d5d19eab4fc

Download Submit
C:\Windows\{63BC043E-F35F-4a30-B646-194B4C1DFCC1}.exe

Filesize
344KB

MD5
b116ee568810d8fd5736316149bc307c

SHA1
dfa567a5c925702a45001b67a837dd0cd6a53804

SHA256
6dbe57ea6fd6c1421c75159bddcf90087547d673940da17021ab077a2554ce5f

SHA512
383686ea237b4ff1b75f4d729600174204c1aafdfd2c3dd1fc3fc6a75f6c25f2091a42363a276e42b70b1ee794d379d0cb38b68bc8230722d734cfc2c3f0da89

Download Submit
C:\Windows\{678CF679-148F-4af0-8323-B9B5FF429E1A}.exe

Filesize
344KB

MD5
7fc23ce78dca01c667d5c38d642a1c9e

SHA1
2ab4ab00738a75973293fc3e478a1d715cb5e778

SHA256
9c9542a69731e5df8df1e3d71127b012da43b44d6b24a540b31c1e8c5e541395

SHA512
378f7550105b7bcde416dccebd2be9b572170223f8d67e1f1648e923eb2ea3a0bfab00c2843cb68be4f4d1b7ae79ab8cc26ad9ad94dd20ca59e804d7a1eae957

Download Submit
C:\Windows\{704F20BB-09AE-4587-8521-E96ECA26C073}.exe

Filesize
344KB

MD5
33631609bbe7dfc3495370a296b02f3b

SHA1
f592c362c7e632edebb3b1567685128c8902579a

SHA256
aedb9fd8a1f29b3b93db38b742626014a30e3373317806723c41f87969cb1952

SHA512
ba9d2db9495a0d4a13b179e07008e72935fe8eda73b15e0db99c5e0d5296c72e1297ecc651467284e1e9a2dd9873e79ab419879b2b8dbce5598dc1b5f0db33ef

Download Submit
C:\Windows\{7B40045E-72E9-45f8-93BE-1581472296BD}.exe

Filesize
344KB

MD5
1d54290c314b2f61d0510fbcfa4b48e4

SHA1
4b270e7932faa3b0e63a305d7812d3704842e39c

SHA256
1a58605c08d889808354eb09458072e99a80d4a605b52434514ca778832f09c8

SHA512
cd946ace24db881d1c578efca10fbfcf63027175a0c6ab28f8d621b02b35474b22c8c69a00fc2f372cef3e9797958f2441ae23933ff4db2b278b4f8c622a66e3

Download Submit
C:\Windows\{971CCE69-62EB-45ea-A30B-6E21C2F64FA1}.exe

Filesize
344KB

MD5
abc01fd7253aa02a00bb0465325107d3

SHA1
2999932e6132a19985e0070ac9ed0f8ad75906c9

SHA256
b26c1d822b05d5fa58c74abc3b9ca0d15b5f8c232ce8f01f99740702ec2ffc21

SHA512
a0d683d3e3744694e1e8bfe95b43b9eb1ad69868a34fa1763f6c44ae1fca1c7250d0c4a6b73d0d1189e3e0eb86502ae59723682cc6d38f122a84c2680e23074c

Download Submit
C:\Windows\{C4003619-1198-4037-8F53-3F1033146F5D}.exe

Filesize
344KB

MD5
d29eb947ad8366ef2067ecf44555387c

SHA1
30aace8fafa74b58f41c4a0667e5333f15867785

SHA256
791bcc4a61f5b7623a8aafe20cd2c6e265a1fd1857f7f394dcdd041be2cf3171

SHA512
e1030f14450f1ca7043f884074ac910ac36d553eab34b75d73a1e6f186874ddc20715d23acac5eb7df1d97ba40b666a5340c4f749f39761d2c4f5d1d25d2fffe

Download Submit
C:\Windows\{C7B468F1-C008-4b21-84A2-04C9F00BBD2D}.exe

Filesize
344KB

MD5
951fed68b92a41cb36bf548eef13f75e

SHA1
17231627e08ab5d1e315538048bdfc61d98fdefd

SHA256
bb65375706dac21142e4a4a20f250acf1571c9bd3f77ab589c9cd20d5eaeb6b1

SHA512
da261754d061c2f4a59e7e0fa037d45e24159dd58631faef434b2107cb1f33b204f34a5a72a6493fbe29acba309126984b3dfd4dd4fdce8a94e0507c2a455bb4

Download Submit
C:\Windows\{E0BE1DCF-C64B-4154-8E47-9BB8A0C60BE6}.exe

Filesize
344KB

MD5
9aa60e86b9027186d0bc6645ab65e899

SHA1
e2bf4848796c5645db5ee256b82812f5dce7f07c

SHA256
10231a8c1e4a54d2100d4b5acb276da2eb743ce7cb31b3ac22bba7111e35cf1f

SHA512
6bdbdcbeedf7fd250b049073021f5f224819720622e9a817cab5af7b92bc97f1811159dbad1ea2afe2efbadfcbd99efad61be1c6ddc8515c950049c90aae8978

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads