454d240c0f243f2a493f53fd6401718ee4415ed1ea785620164789d2e41ed2ac

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe
Size

216KB
MD5

54d6c3a6b291cef3b0a1e6ced431a459
SHA1

5e986b94d227059a6d6c998e5f862d7c10bd9814
SHA256

454d240c0f243f2a493f53fd6401718ee4415ed1ea785620164789d2e41ed2ac
SHA512

e4a4dd478c26c766152b8a0295584a0cd4e2c5ea7232603034f30003bfad6ee49e646c8900bc0161bc1f82dddaf7143979f344ceb92835629cdc7e28d8deec21
SSDEEP

3072:jEGh0opl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGrlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224f-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001340c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001224f-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000013a3d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001224f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001224f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001224f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D336CFD5-D27C-4fb3-B471-AD3143A948F9}	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C992B18-0907-42dc-82DE-39BC94658A5A}	{A7CE656B-9118-40c0-A382-6DA31AE1047F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6DE0348-8977-4fd7-9FD1-8704C75C878B}	2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35CFF938-9EA8-4bbc-B28D-C21F947184C4}	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35CFF938-9EA8-4bbc-B28D-C21F947184C4}\stubpath = "C:\\Windows\\{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe"	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FE361C1-E68D-45e2-B458-88E57CD289B0}\stubpath = "C:\\Windows\\{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe"	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BB034FA-8716-46a8-9637-EB801B3652CF}\stubpath = "C:\\Windows\\{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe"	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D336CFD5-D27C-4fb3-B471-AD3143A948F9}\stubpath = "C:\\Windows\\{D336CFD5-D27C-4fb3-B471-AD3143A948F9}.exe"	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC260155-77E4-4448-B188-42AA5F8D941F}	{D336CFD5-D27C-4fb3-B471-AD3143A948F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7CE656B-9118-40c0-A382-6DA31AE1047F}	{BC260155-77E4-4448-B188-42AA5F8D941F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF62213-4E73-4da7-8095-936BDB2B8847}	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1570B42-DE0D-4bf4-904F-457D83032C01}\stubpath = "C:\\Windows\\{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe"	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FE361C1-E68D-45e2-B458-88E57CD289B0}	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7CE656B-9118-40c0-A382-6DA31AE1047F}\stubpath = "C:\\Windows\\{A7CE656B-9118-40c0-A382-6DA31AE1047F}.exe"	{BC260155-77E4-4448-B188-42AA5F8D941F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C992B18-0907-42dc-82DE-39BC94658A5A}\stubpath = "C:\\Windows\\{4C992B18-0907-42dc-82DE-39BC94658A5A}.exe"	{A7CE656B-9118-40c0-A382-6DA31AE1047F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1570B42-DE0D-4bf4-904F-457D83032C01}	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BB034FA-8716-46a8-9637-EB801B3652CF}	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC260155-77E4-4448-B188-42AA5F8D941F}\stubpath = "C:\\Windows\\{BC260155-77E4-4448-B188-42AA5F8D941F}.exe"	{D336CFD5-D27C-4fb3-B471-AD3143A948F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6DE0348-8977-4fd7-9FD1-8704C75C878B}\stubpath = "C:\\Windows\\{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe"	2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3BF62213-4E73-4da7-8095-936BDB2B8847}\stubpath = "C:\\Windows\\{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe"	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}\stubpath = "C:\\Windows\\{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe"	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2204	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe
2680	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe
2456	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe
2664	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe
2296	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe
1524	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe
1588	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe
1464	{D336CFD5-D27C-4fb3-B471-AD3143A948F9}.exe
2192	{BC260155-77E4-4448-B188-42AA5F8D941F}.exe
540	{A7CE656B-9118-40c0-A382-6DA31AE1047F}.exe
3008	{4C992B18-0907-42dc-82DE-39BC94658A5A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe
File created	C:\Windows\{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe
File created	C:\Windows\{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe
File created	C:\Windows\{4C992B18-0907-42dc-82DE-39BC94658A5A}.exe	{A7CE656B-9118-40c0-A382-6DA31AE1047F}.exe
File created	C:\Windows\{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe	2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe
File created	C:\Windows\{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe
File created	C:\Windows\{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe
File created	C:\Windows\{D336CFD5-D27C-4fb3-B471-AD3143A948F9}.exe	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe
File created	C:\Windows\{BC260155-77E4-4448-B188-42AA5F8D941F}.exe	{D336CFD5-D27C-4fb3-B471-AD3143A948F9}.exe
File created	C:\Windows\{A7CE656B-9118-40c0-A382-6DA31AE1047F}.exe	{BC260155-77E4-4448-B188-42AA5F8D941F}.exe
File created	C:\Windows\{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1296	2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2204	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe
Token: SeIncBasePriorityPrivilege	2680	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe
Token: SeIncBasePriorityPrivilege	2456	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe
Token: SeIncBasePriorityPrivilege	2664	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe
Token: SeIncBasePriorityPrivilege	2296	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe
Token: SeIncBasePriorityPrivilege	1524	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe
Token: SeIncBasePriorityPrivilege	1588	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe
Token: SeIncBasePriorityPrivilege	1464	{D336CFD5-D27C-4fb3-B471-AD3143A948F9}.exe
Token: SeIncBasePriorityPrivilege	2192	{BC260155-77E4-4448-B188-42AA5F8D941F}.exe
Token: SeIncBasePriorityPrivilege	540	{A7CE656B-9118-40c0-A382-6DA31AE1047F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 2204	1296	2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe	28
PID 1296 wrote to memory of 2204	1296	2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe	28
PID 1296 wrote to memory of 2204	1296	2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe	28
PID 1296 wrote to memory of 2204	1296	2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe	28
PID 1296 wrote to memory of 2612	1296	2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe	29
PID 1296 wrote to memory of 2612	1296	2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe	29
PID 1296 wrote to memory of 2612	1296	2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe	29
PID 1296 wrote to memory of 2612	1296	2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe	29
PID 2204 wrote to memory of 2680	2204	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe	30
PID 2204 wrote to memory of 2680	2204	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe	30
PID 2204 wrote to memory of 2680	2204	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe	30
PID 2204 wrote to memory of 2680	2204	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe	30
PID 2204 wrote to memory of 2688	2204	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe	31
PID 2204 wrote to memory of 2688	2204	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe	31
PID 2204 wrote to memory of 2688	2204	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe	31
PID 2204 wrote to memory of 2688	2204	{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe	31
PID 2680 wrote to memory of 2456	2680	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe	32
PID 2680 wrote to memory of 2456	2680	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe	32
PID 2680 wrote to memory of 2456	2680	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe	32
PID 2680 wrote to memory of 2456	2680	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe	32
PID 2680 wrote to memory of 2416	2680	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe	33
PID 2680 wrote to memory of 2416	2680	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe	33
PID 2680 wrote to memory of 2416	2680	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe	33
PID 2680 wrote to memory of 2416	2680	{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe	33
PID 2456 wrote to memory of 2664	2456	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe	36
PID 2456 wrote to memory of 2664	2456	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe	36
PID 2456 wrote to memory of 2664	2456	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe	36
PID 2456 wrote to memory of 2664	2456	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe	36
PID 2456 wrote to memory of 2732	2456	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe	37
PID 2456 wrote to memory of 2732	2456	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe	37
PID 2456 wrote to memory of 2732	2456	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe	37
PID 2456 wrote to memory of 2732	2456	{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe	37
PID 2664 wrote to memory of 2296	2664	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe	38
PID 2664 wrote to memory of 2296	2664	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe	38
PID 2664 wrote to memory of 2296	2664	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe	38
PID 2664 wrote to memory of 2296	2664	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe	38
PID 2664 wrote to memory of 2304	2664	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe	39
PID 2664 wrote to memory of 2304	2664	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe	39
PID 2664 wrote to memory of 2304	2664	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe	39
PID 2664 wrote to memory of 2304	2664	{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe	39
PID 2296 wrote to memory of 1524	2296	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe	40
PID 2296 wrote to memory of 1524	2296	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe	40
PID 2296 wrote to memory of 1524	2296	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe	40
PID 2296 wrote to memory of 1524	2296	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe	40
PID 2296 wrote to memory of 1884	2296	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe	41
PID 2296 wrote to memory of 1884	2296	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe	41
PID 2296 wrote to memory of 1884	2296	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe	41
PID 2296 wrote to memory of 1884	2296	{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe	41
PID 1524 wrote to memory of 1588	1524	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe	42
PID 1524 wrote to memory of 1588	1524	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe	42
PID 1524 wrote to memory of 1588	1524	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe	42
PID 1524 wrote to memory of 1588	1524	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe	42
PID 1524 wrote to memory of 2388	1524	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe	43
PID 1524 wrote to memory of 2388	1524	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe	43
PID 1524 wrote to memory of 2388	1524	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe	43
PID 1524 wrote to memory of 2388	1524	{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe	43
PID 1588 wrote to memory of 1464	1588	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe	44
PID 1588 wrote to memory of 1464	1588	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe	44
PID 1588 wrote to memory of 1464	1588	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe	44
PID 1588 wrote to memory of 1464	1588	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe	44
PID 1588 wrote to memory of 1336	1588	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe	45
PID 1588 wrote to memory of 1336	1588	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe	45
PID 1588 wrote to memory of 1336	1588	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe	45
PID 1588 wrote to memory of 1336	1588	{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_54d6c3a6b291cef3b0a1e6ced431a459_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe
  C:\Windows\{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe
    C:\Windows\{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe
      C:\Windows\{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe
        
        C:\Windows\{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe
        
        C:\Windows\{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe
        
        C:\Windows\{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe
        
        C:\Windows\{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{D336CFD5-D27C-4fb3-B471-AD3143A948F9}.exe
        
        C:\Windows\{D336CFD5-D27C-4fb3-B471-AD3143A948F9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\{BC260155-77E4-4448-B188-42AA5F8D941F}.exe
        
        C:\Windows\{BC260155-77E4-4448-B188-42AA5F8D941F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\{A7CE656B-9118-40c0-A382-6DA31AE1047F}.exe
        
        C:\Windows\{A7CE656B-9118-40c0-A382-6DA31AE1047F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{4C992B18-0907-42dc-82DE-39BC94658A5A}.exe
        
        C:\Windows\{4C992B18-0907-42dc-82DE-39BC94658A5A}.exe
        12⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7CE6~1.EXE > nul
        12⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC260~1.EXE > nul
        11⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D336C~1.EXE > nul
        10⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BB03~1.EXE > nul
        9⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FE36~1.EXE > nul
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1570~1.EXE > nul
        7⤵
        
        PID:1884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D745~1.EXE > nul
        6⤵
        
        PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BF62~1.EXE > nul
        5⤵
        
        PID:2732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{35CFF~1.EXE > nul
      4⤵
      PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E6DE0~1.EXE > nul
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BB034FA-8716-46a8-9637-EB801B3652CF}.exe

Filesize
216KB

MD5
87aff484492dd96bf01832c41e808636

SHA1
ebe8f60771448a32aac62ca6e73591366e40545e

SHA256
c9444194391c34ca5a3c46e07c6321672ae7bada223687ce178d3cb737a7342e

SHA512
e39378273136997af23de82c936ae224cc93501d72717a5d7974a2ea3e387d85f78e0e63e42f12b9b34c93bc3a50532c2d73f51dce264064beb335fc1c43e65a

Download Submit
C:\Windows\{35CFF938-9EA8-4bbc-B28D-C21F947184C4}.exe

Filesize
216KB

MD5
2bc900924a2af678cb9c6c4f35375fe5

SHA1
c067f210faef9edc0057cdd7656e139a7f5e4242

SHA256
115f283e861aecf69d3091ee29e9b5bafb821f5ccc24b7fca9b6cdec049df718

SHA512
2eb3814c84a91ed7c16d5b73f4373c78f778caaf96a1c22b6b65dde661056d93d58febd7424ee500753e23ef3224bf5c6e8ed82919d7c942955edf8b3e153d9c

Download Submit
C:\Windows\{3BF62213-4E73-4da7-8095-936BDB2B8847}.exe

Filesize
216KB

MD5
60aa1e25b946abe96fe6b5d726c1da6d

SHA1
8b50f55517b601c3bedadf12d6fc6ed683b8c571

SHA256
0e75ccfdbf00fc129e3ec3da52c466a248d03d53df1f2d3dcf1ef454054b0316

SHA512
462de252779524717605fd2b385c4cf74ca9b4af4e91386e5da7da238982e6593ce17a0e5af8cf9f72443726a412ded15c58c0bb9537b8304949ec536352e7b4

Download Submit
C:\Windows\{4C992B18-0907-42dc-82DE-39BC94658A5A}.exe

Filesize
216KB

MD5
3a89d928b6107a473ac70de8dcc12aee

SHA1
a03962dbb15924f787368bb2b07f4702db45f6d2

SHA256
089b3d37da72cf022e597223bf8663e1b28cdaa40796482c9336a323512f85dc

SHA512
5c1b41dfadd41f4c088b63d681480d2a1dbc1e9f1359cdb2f2114255ffd368872a2ef2589ccddd940043669f6a35e442263994f042ba30ee31d24d69d7f55921

Download Submit
C:\Windows\{4D7456E7-5F67-4dd2-A226-E7E40C0FB9DA}.exe

Filesize
216KB

MD5
9216fda84770c2971e748c8acf909202

SHA1
07b08e79d243b2c3ba6be289fc4ccd8bc50d80df

SHA256
095e43a9bd1bd2e8d84006815860e63b35b26ff052cf6f82e845c6a1a6be94bb

SHA512
cb8d264b2278b3f75153bfe6877ff0a361d60231d990f4139b5e275cf50dbd248cf0e9c7cce01f85e6c87d0d4712e9e4181c348520a2632ef63f76841a5d06a3

Download Submit
C:\Windows\{8FE361C1-E68D-45e2-B458-88E57CD289B0}.exe

Filesize
216KB

MD5
7f5e0d27951e231a27dcd37891d0f6a9

SHA1
0d7b051b023dc3a38a93e295df485413fe330d10

SHA256
f6f568a164171ed1cfe763743929d5ee3f054ccf40963d677aa8dc6f8e45daa9

SHA512
aa491acc77b3f7e557c6448b3ae1ecab89fd4e3e18ad4f69fd52987d6b83c8d2b30252c619d0fa82067c2e6963924083b83ee2148d16fb3d52999ce8ff03e35e

Download Submit
C:\Windows\{A7CE656B-9118-40c0-A382-6DA31AE1047F}.exe

Filesize
216KB

MD5
f49e4fa22171c2756d150b2747a31d18

SHA1
c3efd4614c1b85cd9f123698056665e890301d16

SHA256
810922ffd3359f747dcbadd67bad6aa9dd54fcad2efd7770eef8ed36938e2e94

SHA512
57dfb95603c869f421dbc3ec938367bcc5eed772b940d246064955671df7b986af699a451da59c85cf693184c471a690f78804537836ea729b49a0f461d5dc76

Download Submit
C:\Windows\{BC260155-77E4-4448-B188-42AA5F8D941F}.exe

Filesize
216KB

MD5
dab98ae6e3df702282f712d060911331

SHA1
ed6c1a24749d1afb9db3441c4931f8d7840d230f

SHA256
06415e17cbbbb411433275f3d341af7143c7ed205a193a76838810c3f430546a

SHA512
a0195f87fa30d64ce3880f5cfe7e4d8439be042a9143d6df8777e6b4c23eae478f34b5c913909a55c49183009ea2953c65559898039da027598dac83a2725c8c

Download Submit
C:\Windows\{D336CFD5-D27C-4fb3-B471-AD3143A948F9}.exe

Filesize
216KB

MD5
0f32693bd8554247a8b46772fcb9c3d3

SHA1
9d0ea25954b9142dd8f99bbba426cd8763ceafd4

SHA256
fc5e5421ccbc199266c8581a7a4c1834ac39c774d066a2e3f5c1b99369eb7df8

SHA512
cd59ced65d388cea2df891eedef02c4e8ab93fdb768ffcf5834b3a4aef9e3807b573bc9bbb92da43717cb2ee97e061fef30f030b4ef254e71215a9c1c3ac2a48

Download Submit
C:\Windows\{E1570B42-DE0D-4bf4-904F-457D83032C01}.exe

Filesize
216KB

MD5
2c66c2407c5a3b069d98f8f2c6a2b21e

SHA1
59775562aeb39b9f57460c7c7cb61c10238ad10e

SHA256
ab677a00efe7c7ca22580570c35bb8298b55a6f28645743a441801f1b2254190

SHA512
45974c2154203436a7f9954ca87e0ba2ce4cfcead17841447465305bb55e734e3b2ba9d8f251aaacb4d8a0cc941fb7807807308f5cc17993a09102704f51a324

Download Submit
C:\Windows\{E6DE0348-8977-4fd7-9FD1-8704C75C878B}.exe

Filesize
216KB

MD5
0f4978358c325deefd7e48b6e14f1fba

SHA1
1f25066b877bbc54a2ad6909aaa8766fb536ac8d

SHA256
007f69c3b168907688a8b90d0d035580ff06916ac41bffa1362906d93cb89229

SHA512
02eebb0ef6df4927c5808a398513a94fb5b95a178b31f5448b66cbfd3e3fd379228cacbcdfffe015712efb34bb18103f9ffd3cac6637658f8433f3c12d1486a5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads