c44b3fad0da219f46dd924393df8c1495957e0777d525f1a625b2a25dc295a47

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 14:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe
Size

192KB
MD5

0d9394ad5a802647767b7c37a5e4d70f
SHA1

2c6768acd0e75ab679da885f50eeaa0b5d83e0d4
SHA256

c44b3fad0da219f46dd924393df8c1495957e0777d525f1a625b2a25dc295a47
SHA512

587db6453da23c85db83f2c4cba05e10e356c63275b5a046e97156339b573a4cf7ae5a83f764ec45c47ce879cdcecaa83c798f6f0d535b20631be3acba385a21
SSDEEP

1536:1EGh0oAl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oAl1OPOe2MUVg3Ve+rXfMUa

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015c4c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015cb0-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D3DDB46-32FB-4a0c-8D32-72BBA41A10B8}\stubpath = "C:\\Windows\\{0D3DDB46-32FB-4a0c-8D32-72BBA41A10B8}.exe"	{36647F16-4019-48df-91DE-BCB6CA37B203}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94107769-2D85-4bca-B4EF-F9B1FCF2B156}\stubpath = "C:\\Windows\\{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe"	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECDAE34F-4576-4191-9D54-3A0E559901E7}	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F18DF3B3-F08E-4676-A29D-C2B38128106D}	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD61D845-DDDD-4911-BD85-680577AC4D62}	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36647F16-4019-48df-91DE-BCB6CA37B203}\stubpath = "C:\\Windows\\{36647F16-4019-48df-91DE-BCB6CA37B203}.exe"	{393719F7-AE5F-45b1-BF58-AE1B2570F90C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21064752-D710-45be-BE09-CA02B8F13000}	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21064752-D710-45be-BE09-CA02B8F13000}\stubpath = "C:\\Windows\\{21064752-D710-45be-BE09-CA02B8F13000}.exe"	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{393719F7-AE5F-45b1-BF58-AE1B2570F90C}\stubpath = "C:\\Windows\\{393719F7-AE5F-45b1-BF58-AE1B2570F90C}.exe"	{21064752-D710-45be-BE09-CA02B8F13000}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{36647F16-4019-48df-91DE-BCB6CA37B203}	{393719F7-AE5F-45b1-BF58-AE1B2570F90C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D3DDB46-32FB-4a0c-8D32-72BBA41A10B8}	{36647F16-4019-48df-91DE-BCB6CA37B203}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}\stubpath = "C:\\Windows\\{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe"	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}\stubpath = "C:\\Windows\\{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe"	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77261987-5005-4c71-8A5E-08E4BD1CD411}	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77261987-5005-4c71-8A5E-08E4BD1CD411}\stubpath = "C:\\Windows\\{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe"	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{393719F7-AE5F-45b1-BF58-AE1B2570F90C}	{21064752-D710-45be-BE09-CA02B8F13000}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94107769-2D85-4bca-B4EF-F9B1FCF2B156}	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECDAE34F-4576-4191-9D54-3A0E559901E7}\stubpath = "C:\\Windows\\{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe"	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F18DF3B3-F08E-4676-A29D-C2B38128106D}\stubpath = "C:\\Windows\\{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe"	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD61D845-DDDD-4911-BD85-680577AC4D62}\stubpath = "C:\\Windows\\{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe"	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe

Deletes itself 1 IoCs

pid	Process
2956	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1564	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe
2772	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe
2916	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe
1584	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe
2728	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe
1644	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe
2388	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe
2876	{21064752-D710-45be-BE09-CA02B8F13000}.exe
2216	{393719F7-AE5F-45b1-BF58-AE1B2570F90C}.exe
1928	{36647F16-4019-48df-91DE-BCB6CA37B203}.exe
1700	{0D3DDB46-32FB-4a0c-8D32-72BBA41A10B8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{21064752-D710-45be-BE09-CA02B8F13000}.exe	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe
File created	C:\Windows\{393719F7-AE5F-45b1-BF58-AE1B2570F90C}.exe	{21064752-D710-45be-BE09-CA02B8F13000}.exe
File created	C:\Windows\{0D3DDB46-32FB-4a0c-8D32-72BBA41A10B8}.exe	{36647F16-4019-48df-91DE-BCB6CA37B203}.exe
File created	C:\Windows\{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe
File created	C:\Windows\{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe
File created	C:\Windows\{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe
File created	C:\Windows\{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe
File created	C:\Windows\{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe
File created	C:\Windows\{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe
File created	C:\Windows\{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe
File created	C:\Windows\{36647F16-4019-48df-91DE-BCB6CA37B203}.exe	{393719F7-AE5F-45b1-BF58-AE1B2570F90C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2904	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1564	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe
Token: SeIncBasePriorityPrivilege	2772	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe
Token: SeIncBasePriorityPrivilege	2916	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe
Token: SeIncBasePriorityPrivilege	1584	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe
Token: SeIncBasePriorityPrivilege	2728	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe
Token: SeIncBasePriorityPrivilege	1644	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe
Token: SeIncBasePriorityPrivilege	2388	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe
Token: SeIncBasePriorityPrivilege	2876	{21064752-D710-45be-BE09-CA02B8F13000}.exe
Token: SeIncBasePriorityPrivilege	2216	{393719F7-AE5F-45b1-BF58-AE1B2570F90C}.exe
Token: SeIncBasePriorityPrivilege	1928	{36647F16-4019-48df-91DE-BCB6CA37B203}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1564	2904	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	28
PID 2904 wrote to memory of 1564	2904	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	28
PID 2904 wrote to memory of 1564	2904	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	28
PID 2904 wrote to memory of 1564	2904	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	28
PID 2904 wrote to memory of 2956	2904	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	29
PID 2904 wrote to memory of 2956	2904	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	29
PID 2904 wrote to memory of 2956	2904	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	29
PID 2904 wrote to memory of 2956	2904	2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe	29
PID 1564 wrote to memory of 2772	1564	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe	30
PID 1564 wrote to memory of 2772	1564	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe	30
PID 1564 wrote to memory of 2772	1564	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe	30
PID 1564 wrote to memory of 2772	1564	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe	30
PID 1564 wrote to memory of 2600	1564	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe	31
PID 1564 wrote to memory of 2600	1564	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe	31
PID 1564 wrote to memory of 2600	1564	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe	31
PID 1564 wrote to memory of 2600	1564	{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe	31
PID 2772 wrote to memory of 2916	2772	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe	32
PID 2772 wrote to memory of 2916	2772	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe	32
PID 2772 wrote to memory of 2916	2772	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe	32
PID 2772 wrote to memory of 2916	2772	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe	32
PID 2772 wrote to memory of 2500	2772	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe	33
PID 2772 wrote to memory of 2500	2772	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe	33
PID 2772 wrote to memory of 2500	2772	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe	33
PID 2772 wrote to memory of 2500	2772	{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe	33
PID 2916 wrote to memory of 1584	2916	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe	36
PID 2916 wrote to memory of 1584	2916	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe	36
PID 2916 wrote to memory of 1584	2916	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe	36
PID 2916 wrote to memory of 1584	2916	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe	36
PID 2916 wrote to memory of 2628	2916	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe	37
PID 2916 wrote to memory of 2628	2916	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe	37
PID 2916 wrote to memory of 2628	2916	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe	37
PID 2916 wrote to memory of 2628	2916	{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe	37
PID 1584 wrote to memory of 2728	1584	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe	38
PID 1584 wrote to memory of 2728	1584	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe	38
PID 1584 wrote to memory of 2728	1584	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe	38
PID 1584 wrote to memory of 2728	1584	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe	38
PID 1584 wrote to memory of 2740	1584	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe	39
PID 1584 wrote to memory of 2740	1584	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe	39
PID 1584 wrote to memory of 2740	1584	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe	39
PID 1584 wrote to memory of 2740	1584	{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe	39
PID 2728 wrote to memory of 1644	2728	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe	40
PID 2728 wrote to memory of 1644	2728	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe	40
PID 2728 wrote to memory of 1644	2728	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe	40
PID 2728 wrote to memory of 1644	2728	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe	40
PID 2728 wrote to memory of 1576	2728	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe	41
PID 2728 wrote to memory of 1576	2728	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe	41
PID 2728 wrote to memory of 1576	2728	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe	41
PID 2728 wrote to memory of 1576	2728	{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe	41
PID 1644 wrote to memory of 2388	1644	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe	42
PID 1644 wrote to memory of 2388	1644	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe	42
PID 1644 wrote to memory of 2388	1644	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe	42
PID 1644 wrote to memory of 2388	1644	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe	42
PID 1644 wrote to memory of 2504	1644	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe	43
PID 1644 wrote to memory of 2504	1644	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe	43
PID 1644 wrote to memory of 2504	1644	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe	43
PID 1644 wrote to memory of 2504	1644	{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe	43
PID 2388 wrote to memory of 2876	2388	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe	44
PID 2388 wrote to memory of 2876	2388	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe	44
PID 2388 wrote to memory of 2876	2388	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe	44
PID 2388 wrote to memory of 2876	2388	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe	44
PID 2388 wrote to memory of 1356	2388	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe	45
PID 2388 wrote to memory of 1356	2388	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe	45
PID 2388 wrote to memory of 1356	2388	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe	45
PID 2388 wrote to memory of 1356	2388	{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_0d9394ad5a802647767b7c37a5e4d70f_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe
  C:\Windows\{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe
    C:\Windows\{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe
      C:\Windows\{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe
        
        C:\Windows\{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Windows\{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe
        
        C:\Windows\{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe
        
        C:\Windows\{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe
        
        C:\Windows\{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\{21064752-D710-45be-BE09-CA02B8F13000}.exe
        
        C:\Windows\{21064752-D710-45be-BE09-CA02B8F13000}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\{393719F7-AE5F-45b1-BF58-AE1B2570F90C}.exe
        
        C:\Windows\{393719F7-AE5F-45b1-BF58-AE1B2570F90C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{36647F16-4019-48df-91DE-BCB6CA37B203}.exe
        
        C:\Windows\{36647F16-4019-48df-91DE-BCB6CA37B203}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\{0D3DDB46-32FB-4a0c-8D32-72BBA41A10B8}.exe
        
        C:\Windows\{0D3DDB46-32FB-4a0c-8D32-72BBA41A10B8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36647~1.EXE > nul
        12⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39371~1.EXE > nul
        11⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21064~1.EXE > nul
        10⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77261~1.EXE > nul
        9⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD61D~1.EXE > nul
        8⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AB13~1.EXE > nul
        7⤵
        
        PID:1576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC0B1~1.EXE > nul
        6⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F18DF~1.EXE > nul
        5⤵
        
        PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ECDAE~1.EXE > nul
      4⤵
      PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{94107~1.EXE > nul
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D3DDB46-32FB-4a0c-8D32-72BBA41A10B8}.exe

Filesize
192KB

MD5
c1c07d3d4beddc69bea3211183b8839e

SHA1
5b083b85af83d0afe262309828f65e0e5173ccef

SHA256
e90ea882d0fb726cf149c2b2cf38acd7c16a49580ddb64c5c26aa9e5a3f86d15

SHA512
4c7070b462396f2964975fe7df4c56acd8104d8033a7058194336b043bb5c20908516641156f166b69b851fba57f46419f5edaa7f6bf08a151ecd416948b7898

Download Submit
C:\Windows\{21064752-D710-45be-BE09-CA02B8F13000}.exe

Filesize
192KB

MD5
6bfe19056c29ec1ba1989872c6020d9d

SHA1
ab68e1e5fa89efb6fd2143835e7cbc23736045fa

SHA256
9c0683fb16e41a794d40bd0fbabeb57db7c322182ac30796e49fcf93e98c8bab

SHA512
600d425e312b392b57b912395f6731e4c17bdc8f38abe0808555b1b583a6740a8780703900ebe1ef417b8cf984e197547f88edc9ba50df392d1e0550d52a74bb

Download Submit
C:\Windows\{36647F16-4019-48df-91DE-BCB6CA37B203}.exe

Filesize
192KB

MD5
91357c342eb7e0ba9675221c8b5e025c

SHA1
ca94c68b104da51854162e1940ffffbd53b36cff

SHA256
93a99e0e59f13bfe092a709d0d48dc8373625ce125d9a308668b1615b55c4769

SHA512
3775718b0bc91f3ca41161e7b30c2d079acb91eff95b07b2ec7d863361543c521743ff225076965b505d3bbf3112d45b6d845c0827b3e71ea165ca341a0ab9c8

Download Submit
C:\Windows\{393719F7-AE5F-45b1-BF58-AE1B2570F90C}.exe

Filesize
192KB

MD5
eb7c9617ebcf37c00ce54ed8acb0ddd7

SHA1
68d6d98b9a86d2863ee21405a139aa47bc393bf2

SHA256
702b0e443ce9cb05fdc5f8bac6149b6b168ebe3d55ab13d974d045a46437b172

SHA512
c0b7fd39221367285155dcf84457c7a304c557bcd7c08a110cc9822dee545bbc8484f7d2369543046d11717ea4d87e0f51386d9296ab4bb6ff5e1e85f49a2906

Download Submit
C:\Windows\{5AB139BD-2CF5-4fdb-97FC-A45331C362E2}.exe

Filesize
192KB

MD5
53d49211411a3926399e0bb15c6b829b

SHA1
f204095b3b2000e8f1240ed157be479d53c6117a

SHA256
efc6e3f5d084b2f9f39d8e103b09ac834cb9acc2778fda9faa7728d42393db10

SHA512
57d311db7e06142b629605ac74b29cc90cd1a42aaaab427c13b22487ca3334d335c938acf12862a93eb80b9bc32afdb0cf2a873a871a4172a79aac6b9687a858

Download Submit
C:\Windows\{77261987-5005-4c71-8A5E-08E4BD1CD411}.exe

Filesize
192KB

MD5
d0b77329be4511f61a91a278b0e3dc34

SHA1
c779dd242dcbcb200ecb65133c8002dd050abfe5

SHA256
6aa1f2163c7ccde58a3daf41dbcd5f9e3aceb51b447fd9dd5c5b39862dd80e02

SHA512
8f7e80e7c16b37e7bd2aaabc8a7938d765ed033873b9c797b147efcdedf17bd1c1a153d1ab41d4c372a24f6b6d3db84f6f244fff39c46f5bb21e54128f755127

Download Submit
C:\Windows\{94107769-2D85-4bca-B4EF-F9B1FCF2B156}.exe

Filesize
192KB

MD5
b7891f5e96b35d9a46fdaf282db4ce45

SHA1
d06ae6968953d5c31843ee786b8a280b7be2f763

SHA256
7b9aa60108cf0c1e01019ce5ed0d1f4e94a46c5716e7d70b7ad8d49cfdbd8bbf

SHA512
959afe09507b92028ae595f1ab667ed8f1073c68a7a6298296f6e549a76a1c7bb2be32b6adffe698259f13c79a5b73230e8f9c4c738acb5d1d812e349202e476

Download Submit
C:\Windows\{BC0B155E-EB55-4b9f-A297-81B6AE804A7D}.exe

Filesize
192KB

MD5
cf299f009910215b4dfaf8483ef375fe

SHA1
7cf098b330f434d0c1123e054763400172164c08

SHA256
495805b2ebacd7c9186763ded43ea478dd00cf484deafa9cc93c1ef05f46f0e3

SHA512
54e9aae9c952d191dcc61c207de8ce040588b2e92750260833893f0e1e1c6b65186600cd0233d8032b6d96b1540e3674c17ef10b693749e05d9867e22becabe7

Download Submit
C:\Windows\{ECDAE34F-4576-4191-9D54-3A0E559901E7}.exe

Filesize
192KB

MD5
e16c6524a975d1b9d16a38883ff4d0b8

SHA1
e26b92323d4fa4ae6faa12162ed6023e1b244b5f

SHA256
e98d2bb22ce2cb350b586c1dad7ae4bfad36d3e88d6b79b52f06fb9934a90306

SHA512
53da2ae6e686dba67476b0781a7bb069b82f1e3cefc77d9bfed1844a53ce9af7d6e49aa0dd553b46c6afed660eb4d9bb8647a741f0afd1d200ca9599b6e671d0

Download Submit
C:\Windows\{F18DF3B3-F08E-4676-A29D-C2B38128106D}.exe

Filesize
192KB

MD5
d0dc08b293a66b3d63e501a9179bbdc2

SHA1
0b541f76803eb5aa25492a602f16952f6b483d8b

SHA256
6ecfe68f3aa3dde5fbba9a1f8248c2bd448082582b0736884d77ef1299306b5e

SHA512
8cf6d52f836b4be540a6c025973bf7efc7c4665c3ea0e4621e7d468fbef44432f20f3731d029afdf550dd9f2f70a0c63277399275613b52b2c21bb507db74e84

Download Submit
C:\Windows\{FD61D845-DDDD-4911-BD85-680577AC4D62}.exe

Filesize
192KB

MD5
ee87b884c1dbe87e0b7c2cdacfadffad

SHA1
1efa2f1fcb9a8d0da69c491a3a671d694b777679

SHA256
46792c7e5547fec35757803ea30d165146fcad56f5c3584b7cd4d820f91ec25d

SHA512
f6d41001ec79e34bc9e0149000f95b6b5fc31aa2ff8a1683c89ac8e705198c011b64be8a711b69dd57fd1d656d48f4fcd586d9211f5ebe839647f76e6b0af2ae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads