626379c00f64a824f5b680eb0a1359efc2659dabce4c63edd0c2928b2854c63d

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe
Size

408KB
MD5

c640cad00d33bdb80c5825847634a27b
SHA1

adce47bf433e76ec23d9471e87ed369a80eb51f2
SHA256

626379c00f64a824f5b680eb0a1359efc2659dabce4c63edd0c2928b2854c63d
SHA512

a2975b539fd3237a476b86cc8e08a441a7fef349a0c1dc5445d4b5ee78ce33e5eecdde1ff6f510e5ac6843dbadb8a6358a00d4c603dbffd8f7f01ed70750a487
SSDEEP

3072:CEGh0oLl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGJldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012331-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001342e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012331-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a000000013a88-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012331-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012331-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012331-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7659C868-7566-4e52-B2DD-BA47DC83FD85}\stubpath = "C:\\Windows\\{7659C868-7566-4e52-B2DD-BA47DC83FD85}.exe"	{996690DB-AF16-40f3-9479-928B780C88A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB8EC781-AD68-4594-9DCF-7D83FB494718}\stubpath = "C:\\Windows\\{FB8EC781-AD68-4594-9DCF-7D83FB494718}.exe"	{3B3BF1BD-05A7-4f30-915C-C2E70024307B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}	2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0286241F-38C0-470a-8C1B-F493FC2EF0B5}	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7659C868-7566-4e52-B2DD-BA47DC83FD85}	{996690DB-AF16-40f3-9479-928B780C88A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{996690DB-AF16-40f3-9479-928B780C88A7}	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B3BF1BD-05A7-4f30-915C-C2E70024307B}\stubpath = "C:\\Windows\\{3B3BF1BD-05A7-4f30-915C-C2E70024307B}.exe"	{9F77D63A-4738-4999-BCC4-3AD65FC1DB3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}\stubpath = "C:\\Windows\\{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe"	2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0286241F-38C0-470a-8C1B-F493FC2EF0B5}\stubpath = "C:\\Windows\\{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe"	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F77D63A-4738-4999-BCC4-3AD65FC1DB3D}	{7659C868-7566-4e52-B2DD-BA47DC83FD85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F77D63A-4738-4999-BCC4-3AD65FC1DB3D}\stubpath = "C:\\Windows\\{9F77D63A-4738-4999-BCC4-3AD65FC1DB3D}.exe"	{7659C868-7566-4e52-B2DD-BA47DC83FD85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B3BF1BD-05A7-4f30-915C-C2E70024307B}	{9F77D63A-4738-4999-BCC4-3AD65FC1DB3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB8EC781-AD68-4594-9DCF-7D83FB494718}	{3B3BF1BD-05A7-4f30-915C-C2E70024307B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44E1F93A-A3D8-4849-8182-BABDD967070F}\stubpath = "C:\\Windows\\{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe"	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}\stubpath = "C:\\Windows\\{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe"	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}\stubpath = "C:\\Windows\\{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe"	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{996690DB-AF16-40f3-9479-928B780C88A7}\stubpath = "C:\\Windows\\{996690DB-AF16-40f3-9479-928B780C88A7}.exe"	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44E1F93A-A3D8-4849-8182-BABDD967070F}	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}\stubpath = "C:\\Windows\\{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe"	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2944	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe
2388	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe
2916	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe
856	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe
2716	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe
2264	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe
2736	{996690DB-AF16-40f3-9479-928B780C88A7}.exe
1272	{7659C868-7566-4e52-B2DD-BA47DC83FD85}.exe
2196	{9F77D63A-4738-4999-BCC4-3AD65FC1DB3D}.exe
768	{3B3BF1BD-05A7-4f30-915C-C2E70024307B}.exe
824	{FB8EC781-AD68-4594-9DCF-7D83FB494718}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{996690DB-AF16-40f3-9479-928B780C88A7}.exe	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe
File created	C:\Windows\{3B3BF1BD-05A7-4f30-915C-C2E70024307B}.exe	{9F77D63A-4738-4999-BCC4-3AD65FC1DB3D}.exe
File created	C:\Windows\{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe	2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe
File created	C:\Windows\{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe
File created	C:\Windows\{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe
File created	C:\Windows\{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe
File created	C:\Windows\{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe
File created	C:\Windows\{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe
File created	C:\Windows\{7659C868-7566-4e52-B2DD-BA47DC83FD85}.exe	{996690DB-AF16-40f3-9479-928B780C88A7}.exe
File created	C:\Windows\{9F77D63A-4738-4999-BCC4-3AD65FC1DB3D}.exe	{7659C868-7566-4e52-B2DD-BA47DC83FD85}.exe
File created	C:\Windows\{FB8EC781-AD68-4594-9DCF-7D83FB494718}.exe	{3B3BF1BD-05A7-4f30-915C-C2E70024307B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1620	2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2944	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe
Token: SeIncBasePriorityPrivilege	2388	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe
Token: SeIncBasePriorityPrivilege	2916	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe
Token: SeIncBasePriorityPrivilege	856	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe
Token: SeIncBasePriorityPrivilege	2716	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe
Token: SeIncBasePriorityPrivilege	2264	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe
Token: SeIncBasePriorityPrivilege	2736	{996690DB-AF16-40f3-9479-928B780C88A7}.exe
Token: SeIncBasePriorityPrivilege	1272	{7659C868-7566-4e52-B2DD-BA47DC83FD85}.exe
Token: SeIncBasePriorityPrivilege	2196	{9F77D63A-4738-4999-BCC4-3AD65FC1DB3D}.exe
Token: SeIncBasePriorityPrivilege	768	{3B3BF1BD-05A7-4f30-915C-C2E70024307B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2944	1620	2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe	28
PID 1620 wrote to memory of 2944	1620	2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe	28
PID 1620 wrote to memory of 2944	1620	2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe	28
PID 1620 wrote to memory of 2944	1620	2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe	28
PID 1620 wrote to memory of 2520	1620	2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe	29
PID 1620 wrote to memory of 2520	1620	2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe	29
PID 1620 wrote to memory of 2520	1620	2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe	29
PID 1620 wrote to memory of 2520	1620	2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe	29
PID 2944 wrote to memory of 2388	2944	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe	30
PID 2944 wrote to memory of 2388	2944	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe	30
PID 2944 wrote to memory of 2388	2944	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe	30
PID 2944 wrote to memory of 2388	2944	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe	30
PID 2944 wrote to memory of 2700	2944	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe	31
PID 2944 wrote to memory of 2700	2944	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe	31
PID 2944 wrote to memory of 2700	2944	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe	31
PID 2944 wrote to memory of 2700	2944	{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe	31
PID 2388 wrote to memory of 2916	2388	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe	32
PID 2388 wrote to memory of 2916	2388	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe	32
PID 2388 wrote to memory of 2916	2388	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe	32
PID 2388 wrote to memory of 2916	2388	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe	32
PID 2388 wrote to memory of 2492	2388	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe	33
PID 2388 wrote to memory of 2492	2388	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe	33
PID 2388 wrote to memory of 2492	2388	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe	33
PID 2388 wrote to memory of 2492	2388	{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe	33
PID 2916 wrote to memory of 856	2916	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe	36
PID 2916 wrote to memory of 856	2916	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe	36
PID 2916 wrote to memory of 856	2916	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe	36
PID 2916 wrote to memory of 856	2916	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe	36
PID 2916 wrote to memory of 1364	2916	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe	37
PID 2916 wrote to memory of 1364	2916	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe	37
PID 2916 wrote to memory of 1364	2916	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe	37
PID 2916 wrote to memory of 1364	2916	{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe	37
PID 856 wrote to memory of 2716	856	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe	38
PID 856 wrote to memory of 2716	856	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe	38
PID 856 wrote to memory of 2716	856	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe	38
PID 856 wrote to memory of 2716	856	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe	38
PID 856 wrote to memory of 1612	856	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe	39
PID 856 wrote to memory of 1612	856	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe	39
PID 856 wrote to memory of 1612	856	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe	39
PID 856 wrote to memory of 1612	856	{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe	39
PID 2716 wrote to memory of 2264	2716	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe	40
PID 2716 wrote to memory of 2264	2716	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe	40
PID 2716 wrote to memory of 2264	2716	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe	40
PID 2716 wrote to memory of 2264	2716	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe	40
PID 2716 wrote to memory of 2144	2716	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe	41
PID 2716 wrote to memory of 2144	2716	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe	41
PID 2716 wrote to memory of 2144	2716	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe	41
PID 2716 wrote to memory of 2144	2716	{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe	41
PID 2264 wrote to memory of 2736	2264	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe	42
PID 2264 wrote to memory of 2736	2264	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe	42
PID 2264 wrote to memory of 2736	2264	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe	42
PID 2264 wrote to memory of 2736	2264	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe	42
PID 2264 wrote to memory of 1348	2264	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe	43
PID 2264 wrote to memory of 1348	2264	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe	43
PID 2264 wrote to memory of 1348	2264	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe	43
PID 2264 wrote to memory of 1348	2264	{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe	43
PID 2736 wrote to memory of 1272	2736	{996690DB-AF16-40f3-9479-928B780C88A7}.exe	44
PID 2736 wrote to memory of 1272	2736	{996690DB-AF16-40f3-9479-928B780C88A7}.exe	44
PID 2736 wrote to memory of 1272	2736	{996690DB-AF16-40f3-9479-928B780C88A7}.exe	44
PID 2736 wrote to memory of 1272	2736	{996690DB-AF16-40f3-9479-928B780C88A7}.exe	44
PID 2736 wrote to memory of 1688	2736	{996690DB-AF16-40f3-9479-928B780C88A7}.exe	45
PID 2736 wrote to memory of 1688	2736	{996690DB-AF16-40f3-9479-928B780C88A7}.exe	45
PID 2736 wrote to memory of 1688	2736	{996690DB-AF16-40f3-9479-928B780C88A7}.exe	45
PID 2736 wrote to memory of 1688	2736	{996690DB-AF16-40f3-9479-928B780C88A7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_c640cad00d33bdb80c5825847634a27b_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe
  C:\Windows\{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe
    C:\Windows\{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe
      C:\Windows\{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe
        
        C:\Windows\{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Windows\{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe
        
        C:\Windows\{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe
        
        C:\Windows\{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\{996690DB-AF16-40f3-9479-928B780C88A7}.exe
        
        C:\Windows\{996690DB-AF16-40f3-9479-928B780C88A7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{7659C868-7566-4e52-B2DD-BA47DC83FD85}.exe
        
        C:\Windows\{7659C868-7566-4e52-B2DD-BA47DC83FD85}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\{9F77D63A-4738-4999-BCC4-3AD65FC1DB3D}.exe
        
        C:\Windows\{9F77D63A-4738-4999-BCC4-3AD65FC1DB3D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\{3B3BF1BD-05A7-4f30-915C-C2E70024307B}.exe
        
        C:\Windows\{3B3BF1BD-05A7-4f30-915C-C2E70024307B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\{FB8EC781-AD68-4594-9DCF-7D83FB494718}.exe
        
        C:\Windows\{FB8EC781-AD68-4594-9DCF-7D83FB494718}.exe
        12⤵
        Executes dropped EXE
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B3BF~1.EXE > nul
        12⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F77D~1.EXE > nul
        11⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7659C~1.EXE > nul
        10⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99669~1.EXE > nul
        9⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACD1C~1.EXE > nul
        8⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F8E9~1.EXE > nul
        7⤵
        
        PID:2144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FBBB~1.EXE > nul
        6⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44E1F~1.EXE > nul
        5⤵
        
        PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{02862~1.EXE > nul
      4⤵
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DAA52~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0286241F-38C0-470a-8C1B-F493FC2EF0B5}.exe

Filesize
408KB

MD5
316284699b62e228eb27b414e83f05d6

SHA1
bbb39a4f82e3c07d321f599adbcd762a33f84d76

SHA256
6ae8b13623f92e926bfa0152e6bf9d3e3a05bfd693f1b6adc8fac720d5618593

SHA512
6db20d46d99e81e10727c53d9063e99ad7e63fd67d79bdd958dd8ed9862d2ef4aea3a55e47d940ffad5b9d7516ad5606bf59a3c6e9e9308a10f4d03cf6ac80eb

Download Submit
C:\Windows\{3B3BF1BD-05A7-4f30-915C-C2E70024307B}.exe

Filesize
408KB

MD5
cd6f9d2302845106a7c2970e78f3f6bc

SHA1
6fe186d38af828879c9d9644d188daa3a7fcdc29

SHA256
f80190a4bca7b08014b223eaf3fd1688023445b189c5fc23bb54b9fb388a7555

SHA512
c787e73f04fc3869c2feb289a228c71d9ef772e7efddd822991ce720f44eae511808b5dcdec280827538006995334e989b285b756bfc2aeb4e551d95e9aedafa

Download Submit
C:\Windows\{3F8E9EC4-647F-45c7-A38E-6D2F1FD8C72A}.exe

Filesize
408KB

MD5
02865c64772d8c8c9e92404df2e67860

SHA1
d2e83c489818802480e69684b45f3b3e110e9eab

SHA256
be3ffb96abdbe2218fddaf98468269215d91054766261648a5d5d78845f614f2

SHA512
4b163785a4eeb6d190ccbd90fa80bb57e49a2a5e48ed86eb5222672c95895be06b7fa38591a11c3a5b16368ce60004426b16b1e736f49b36bf561a7ce7b955c6

Download Submit
C:\Windows\{44E1F93A-A3D8-4849-8182-BABDD967070F}.exe

Filesize
408KB

MD5
03491df8ff5d8ff24115344bf41f2453

SHA1
161de5cced235e1172a765cb936f850edaf77176

SHA256
80169e2da2e97928b47bf5f093fbd8b8552c4e1a6970fec11796896b5a10ebcf

SHA512
6744e53d9e8ffbfd9d00ea1d382cb6170eada4854023060c61a1637f1592a3e39b43bca89c71f11e2d4fb4e67960eb1b32e34264bb368d734b858b64508f5753

Download Submit
C:\Windows\{7659C868-7566-4e52-B2DD-BA47DC83FD85}.exe

Filesize
408KB

MD5
88b2edd975fce325986c3e914eeee75b

SHA1
812083928efc7090da1f9844bcb7b3c4e947c2d3

SHA256
1e647002a3b1814ceb5b2e929a86f9f62bb90e3ed404afa795488a7cd52d8b00

SHA512
c92541fd17710677f13cc30d100b2a582b0eed455bb8f9f7267ca3edd6787b553e150cbb3549c988dd99501733597f5f204d66a8b13fd6648422b36a7266dc9b

Download Submit
C:\Windows\{7FBBB1A5-960D-4f7f-B83E-27E0E110605D}.exe

Filesize
408KB

MD5
1f9d136c4fc1b817dd4bcefbe125d38e

SHA1
c7b763e9849c1cca7372955faa595ada4b4d70ad

SHA256
5b363553b8dff54e8ebecc3bb4cc59f9ca4d07cc0c0ce712bf53fd448593b2d0

SHA512
bad994a2d3535c416bcf6f10da7d3e9c00e7c4d88529a9726a3e46d70f58676b3f8db172ceb0519f9bea6f0a85bc5e36f87eeedfbb722e6f088ad2ab823ca807

Download Submit
C:\Windows\{996690DB-AF16-40f3-9479-928B780C88A7}.exe

Filesize
408KB

MD5
52297e368e749ce581ac2a84ede154db

SHA1
9391b917ec8a550d04d48ae50708e2a4752826cf

SHA256
487842a366a3584b8da169cf4e0b22c6aa75570c876a876fa8a33808587fd757

SHA512
99a0325a453cd135ecbfacfe6541f2b4754cf5d2172ab63f010afc7e76b4e583c86e70a4d58eb1c213912d1c90cd1479d2dbbbc7d88188100e1ff8241884e215

Download Submit
C:\Windows\{9F77D63A-4738-4999-BCC4-3AD65FC1DB3D}.exe

Filesize
408KB

MD5
e484cb9716d6c1518c3761e6b333c714

SHA1
460643a5b83a7faba62cced5f12c4b0d847d3e33

SHA256
6791e3bbde84e96471d2ebbd0237a88426ca3e3a2662cd8ede80ecef00f6e055

SHA512
f9e159e3073f84dd91b91373e8eed679e53712f52a9f5b15f7917c397095bb19c480b9a45d5db80acf6cf2fd124db9e948551be31a261204c8556db4b5037fc8

Download Submit
C:\Windows\{ACD1C633-91BB-4bdc-AE85-D48A9F9D19E3}.exe

Filesize
408KB

MD5
b83344a77fbe7bbae91a7aa0984a5e25

SHA1
5925344bde1f167c7c48cef22c5ce4f4f14a449b

SHA256
02deeaeed5640266e5f48be499bb836391e5ecd764e059e906037738a9858bca

SHA512
34523978d8b97fe05d4cc8f049098d759de14d41b11f190fd5c9410d8b789e9b43fdcd374d6d62a38823fa81065938fe5170072186acc4872656f2bc2f1bb08f

Download Submit
C:\Windows\{DAA52F14-C2E6-4a1d-885E-C1A5E17C0E04}.exe

Filesize
408KB

MD5
dccdc277694254306eacc438e451b459

SHA1
a2b1262b72b49f934addc6464af3e0054c2e2fae

SHA256
e9a6fe413bdd43e0e17458387ad325b465d0ae8c72e5329fdf2ed5db913c866b

SHA512
b040b8c52b01c2d5a852c1b194670f8c1726b971aec6075206d4c10913608fcf5ed56cb6f0495a1652b5d380ed5699af8a7603f9f8099841d7ac5c35d328c3bd

Download Submit
C:\Windows\{FB8EC781-AD68-4594-9DCF-7D83FB494718}.exe

Filesize
408KB

MD5
cae8eb24c98f127d81d807136f2c68d9

SHA1
d93e8140228bbc1fca797d6ac8c649d4af2c2d71

SHA256
54a0edde5bcf407d2c7c16eb0b1cb1539739f7f62d24bbc1a935e23d1f43238e

SHA512
ef56daee29aed44f3518cdea601e30894093b68d44e34d453089bfe15c6c585da9f94c4bd4b521c8b8634caaa67e9aeb4a7d94564a31d789e249d5910dc5a1fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads