d7b17ac30b6a7df504bf23fbb82d3d536cd48fb079605bfd9ae5ae85fc637fd9

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe
Size

216KB
MD5

ef20021104bce40f4af90b7ad71c7acc
SHA1

ce57187802b1014b27d0bf7897813df9878ccc40
SHA256

d7b17ac30b6a7df504bf23fbb82d3d536cd48fb079605bfd9ae5ae85fc637fd9
SHA512

6bb6da31b42c3e6e72c9267fbdcd2eff9f55aa0c581d3cc6e996b90830ff979edc900e2c5568dca00604730d60aca9b19397be59d10eca1801287b90314b00e0
SSDEEP

3072:jEGh0o4l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGylEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012331-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001450b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012331-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000014983-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012331-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012331-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012331-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BD73085-975E-40bd-B525-1E9872AE04CD}	2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}\stubpath = "C:\\Windows\\{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe"	{66436934-2717-4ecc-908F-4DD98E833830}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA0C1B83-E405-47e9-A4CA-FDC12A7569F1}\stubpath = "C:\\Windows\\{CA0C1B83-E405-47e9-A4CA-FDC12A7569F1}.exe"	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAAD33F7-FCA0-47d1-826A-A4638BC1F715}\stubpath = "C:\\Windows\\{DAAD33F7-FCA0-47d1-826A-A4638BC1F715}.exe"	{C36C9603-D7CB-4c1e-915A-3AD7AE22535D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5871FDBE-E70B-4233-94E0-B79BA4593426}\stubpath = "C:\\Windows\\{5871FDBE-E70B-4233-94E0-B79BA4593426}.exe"	{DAAD33F7-FCA0-47d1-826A-A4638BC1F715}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5871FDBE-E70B-4233-94E0-B79BA4593426}	{DAAD33F7-FCA0-47d1-826A-A4638BC1F715}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BD73085-975E-40bd-B525-1E9872AE04CD}\stubpath = "C:\\Windows\\{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe"	2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66436934-2717-4ecc-908F-4DD98E833830}\stubpath = "C:\\Windows\\{66436934-2717-4ecc-908F-4DD98E833830}.exe"	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}	{66436934-2717-4ecc-908F-4DD98E833830}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}\stubpath = "C:\\Windows\\{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe"	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}\stubpath = "C:\\Windows\\{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe"	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA0C1B83-E405-47e9-A4CA-FDC12A7569F1}	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}\stubpath = "C:\\Windows\\{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe"	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66436934-2717-4ecc-908F-4DD98E833830}	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C36C9603-D7CB-4c1e-915A-3AD7AE22535D}\stubpath = "C:\\Windows\\{C36C9603-D7CB-4c1e-915A-3AD7AE22535D}.exe"	{CA0C1B83-E405-47e9-A4CA-FDC12A7569F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAAD33F7-FCA0-47d1-826A-A4638BC1F715}	{C36C9603-D7CB-4c1e-915A-3AD7AE22535D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A14F3BCF-AB4F-4993-9D75-4067D21C959F}	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A14F3BCF-AB4F-4993-9D75-4067D21C959F}\stubpath = "C:\\Windows\\{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe"	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C36C9603-D7CB-4c1e-915A-3AD7AE22535D}	{CA0C1B83-E405-47e9-A4CA-FDC12A7569F1}.exe

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2156	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe
2644	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe
2564	{66436934-2717-4ecc-908F-4DD98E833830}.exe
2492	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe
2752	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe
1788	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe
1452	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe
1928	{CA0C1B83-E405-47e9-A4CA-FDC12A7569F1}.exe
2248	{C36C9603-D7CB-4c1e-915A-3AD7AE22535D}.exe
2856	{DAAD33F7-FCA0-47d1-826A-A4638BC1F715}.exe
1112	{5871FDBE-E70B-4233-94E0-B79BA4593426}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CA0C1B83-E405-47e9-A4CA-FDC12A7569F1}.exe	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe
File created	C:\Windows\{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe	2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe
File created	C:\Windows\{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe
File created	C:\Windows\{66436934-2717-4ecc-908F-4DD98E833830}.exe	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe
File created	C:\Windows\{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe	{66436934-2717-4ecc-908F-4DD98E833830}.exe
File created	C:\Windows\{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe
File created	C:\Windows\{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe
File created	C:\Windows\{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe
File created	C:\Windows\{C36C9603-D7CB-4c1e-915A-3AD7AE22535D}.exe	{CA0C1B83-E405-47e9-A4CA-FDC12A7569F1}.exe
File created	C:\Windows\{DAAD33F7-FCA0-47d1-826A-A4638BC1F715}.exe	{C36C9603-D7CB-4c1e-915A-3AD7AE22535D}.exe
File created	C:\Windows\{5871FDBE-E70B-4233-94E0-B79BA4593426}.exe	{DAAD33F7-FCA0-47d1-826A-A4638BC1F715}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2936	2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2156	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe
Token: SeIncBasePriorityPrivilege	2644	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe
Token: SeIncBasePriorityPrivilege	2564	{66436934-2717-4ecc-908F-4DD98E833830}.exe
Token: SeIncBasePriorityPrivilege	2492	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe
Token: SeIncBasePriorityPrivilege	2752	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe
Token: SeIncBasePriorityPrivilege	1788	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe
Token: SeIncBasePriorityPrivilege	1452	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe
Token: SeIncBasePriorityPrivilege	1928	{CA0C1B83-E405-47e9-A4CA-FDC12A7569F1}.exe
Token: SeIncBasePriorityPrivilege	2248	{C36C9603-D7CB-4c1e-915A-3AD7AE22535D}.exe
Token: SeIncBasePriorityPrivilege	2856	{DAAD33F7-FCA0-47d1-826A-A4638BC1F715}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2156	2936	2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe	28
PID 2936 wrote to memory of 2156	2936	2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe	28
PID 2936 wrote to memory of 2156	2936	2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe	28
PID 2936 wrote to memory of 2156	2936	2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe	28
PID 2936 wrote to memory of 2816	2936	2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe	29
PID 2936 wrote to memory of 2816	2936	2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe	29
PID 2936 wrote to memory of 2816	2936	2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe	29
PID 2936 wrote to memory of 2816	2936	2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe	29
PID 2156 wrote to memory of 2644	2156	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe	30
PID 2156 wrote to memory of 2644	2156	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe	30
PID 2156 wrote to memory of 2644	2156	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe	30
PID 2156 wrote to memory of 2644	2156	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe	30
PID 2156 wrote to memory of 2840	2156	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe	31
PID 2156 wrote to memory of 2840	2156	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe	31
PID 2156 wrote to memory of 2840	2156	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe	31
PID 2156 wrote to memory of 2840	2156	{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe	31
PID 2644 wrote to memory of 2564	2644	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe	32
PID 2644 wrote to memory of 2564	2644	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe	32
PID 2644 wrote to memory of 2564	2644	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe	32
PID 2644 wrote to memory of 2564	2644	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe	32
PID 2644 wrote to memory of 2716	2644	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe	33
PID 2644 wrote to memory of 2716	2644	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe	33
PID 2644 wrote to memory of 2716	2644	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe	33
PID 2644 wrote to memory of 2716	2644	{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe	33
PID 2564 wrote to memory of 2492	2564	{66436934-2717-4ecc-908F-4DD98E833830}.exe	36
PID 2564 wrote to memory of 2492	2564	{66436934-2717-4ecc-908F-4DD98E833830}.exe	36
PID 2564 wrote to memory of 2492	2564	{66436934-2717-4ecc-908F-4DD98E833830}.exe	36
PID 2564 wrote to memory of 2492	2564	{66436934-2717-4ecc-908F-4DD98E833830}.exe	36
PID 2564 wrote to memory of 2920	2564	{66436934-2717-4ecc-908F-4DD98E833830}.exe	37
PID 2564 wrote to memory of 2920	2564	{66436934-2717-4ecc-908F-4DD98E833830}.exe	37
PID 2564 wrote to memory of 2920	2564	{66436934-2717-4ecc-908F-4DD98E833830}.exe	37
PID 2564 wrote to memory of 2920	2564	{66436934-2717-4ecc-908F-4DD98E833830}.exe	37
PID 2492 wrote to memory of 2752	2492	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe	38
PID 2492 wrote to memory of 2752	2492	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe	38
PID 2492 wrote to memory of 2752	2492	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe	38
PID 2492 wrote to memory of 2752	2492	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe	38
PID 2492 wrote to memory of 2684	2492	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe	39
PID 2492 wrote to memory of 2684	2492	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe	39
PID 2492 wrote to memory of 2684	2492	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe	39
PID 2492 wrote to memory of 2684	2492	{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe	39
PID 2752 wrote to memory of 1788	2752	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe	40
PID 2752 wrote to memory of 1788	2752	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe	40
PID 2752 wrote to memory of 1788	2752	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe	40
PID 2752 wrote to memory of 1788	2752	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe	40
PID 2752 wrote to memory of 1960	2752	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe	41
PID 2752 wrote to memory of 1960	2752	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe	41
PID 2752 wrote to memory of 1960	2752	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe	41
PID 2752 wrote to memory of 1960	2752	{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe	41
PID 1788 wrote to memory of 1452	1788	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe	42
PID 1788 wrote to memory of 1452	1788	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe	42
PID 1788 wrote to memory of 1452	1788	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe	42
PID 1788 wrote to memory of 1452	1788	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe	42
PID 1788 wrote to memory of 276	1788	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe	43
PID 1788 wrote to memory of 276	1788	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe	43
PID 1788 wrote to memory of 276	1788	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe	43
PID 1788 wrote to memory of 276	1788	{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe	43
PID 1452 wrote to memory of 1928	1452	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe	44
PID 1452 wrote to memory of 1928	1452	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe	44
PID 1452 wrote to memory of 1928	1452	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe	44
PID 1452 wrote to memory of 1928	1452	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe	44
PID 1452 wrote to memory of 2220	1452	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe	45
PID 1452 wrote to memory of 2220	1452	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe	45
PID 1452 wrote to memory of 2220	1452	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe	45
PID 1452 wrote to memory of 2220	1452	{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_ef20021104bce40f4af90b7ad71c7acc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe
  C:\Windows\{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe
    C:\Windows\{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\{66436934-2717-4ecc-908F-4DD98E833830}.exe
      C:\Windows\{66436934-2717-4ecc-908F-4DD98E833830}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe
        
        C:\Windows\{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Windows\{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe
        
        C:\Windows\{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe
        
        C:\Windows\{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe
        
        C:\Windows\{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\{CA0C1B83-E405-47e9-A4CA-FDC12A7569F1}.exe
        
        C:\Windows\{CA0C1B83-E405-47e9-A4CA-FDC12A7569F1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\{C36C9603-D7CB-4c1e-915A-3AD7AE22535D}.exe
        
        C:\Windows\{C36C9603-D7CB-4c1e-915A-3AD7AE22535D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\{DAAD33F7-FCA0-47d1-826A-A4638BC1F715}.exe
        
        C:\Windows\{DAAD33F7-FCA0-47d1-826A-A4638BC1F715}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\{5871FDBE-E70B-4233-94E0-B79BA4593426}.exe
        
        C:\Windows\{5871FDBE-E70B-4233-94E0-B79BA4593426}.exe
        12⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAAD3~1.EXE > nul
        12⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C36C9~1.EXE > nul
        11⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA0C1~1.EXE > nul
        10⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B85A~1.EXE > nul
        9⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A14F3~1.EXE > nul
        8⤵
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D21CB~1.EXE > nul
        7⤵
        
        PID:1960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67116~1.EXE > nul
        6⤵
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66436~1.EXE > nul
        5⤵
        
        PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D26AB~1.EXE > nul
      4⤵
      PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2BD73~1.EXE > nul
    3⤵
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2BD73085-975E-40bd-B525-1E9872AE04CD}.exe

Filesize
216KB

MD5
873eb9654968cb8ab34bb88bc52e2f64

SHA1
8fcf13d303f661f0075309a19269780e5ccc70a4

SHA256
67d87e11516ce20d895e70b5def1bf72c13f237ee191e60d4bf113ac6a26792a

SHA512
284abca6e8ff750f4c10b57630b3183faf42bc1ebc9e1bd441714f0fec7a80169c33a7152af69e930f263c4e8bf5137cd80c55252a33768c8e798c753b722750

Download Submit
C:\Windows\{5871FDBE-E70B-4233-94E0-B79BA4593426}.exe

Filesize
216KB

MD5
297c1460ade4d4c897835d6527b1b2cf

SHA1
1e2fa98c2d2b4a92fd1fc3c5e3d78fdc12b84649

SHA256
14b8af9d7a7acc5fe9d1f6d3086dd1d51fa1c50e1c800fcebdedd90dd77fd42d

SHA512
af5be9e885a590a076691a9eb65f7c75bcd4256e123c33a90a06a6770282f8e62ddc34116872768471580305bf5b38f89086d3136d5d75b716fc7caa66d26820

Download Submit
C:\Windows\{66436934-2717-4ecc-908F-4DD98E833830}.exe

Filesize
216KB

MD5
269229c5b7f6bfd41b57050a7c071fe3

SHA1
a040d801cf765ed5e936461111b65e7c6d8deb0c

SHA256
3a7d6de0248c093a1a59b6e5526bfbf1e0e697b2e5fcfce5a2d1df102e45a8a0

SHA512
77f4c4a30096f0b90773e8689cd75448ae2120aadcd6161803b9e2ea89dc33113caf1a64a25f2cc10a54c53e8b2b299968ac46c57a92f95965226901ca6ed1a1

Download Submit
C:\Windows\{67116EF3-4CE6-446e-93F7-6E711E6B4CCB}.exe

Filesize
216KB

MD5
3232fc5f9995c6e68cb60e4579e160fb

SHA1
7ba6ac3d520b6d765e7850bb73cc77440a28543a

SHA256
dd1890bafcd4f70a18121aa8a5a984fc483a52ee19997ff4d875e1bf2f7f05ea

SHA512
c2ab368c85f23d49fcef4f5c17b814093deb7ba840b9778b42da42d055c0eeb74fa9f6ff45aa1f1900bfc45f7464e4ef1173b8ef29956baf92aab3be6bbb0050

Download Submit
C:\Windows\{6B85A894-07E1-4c16-BB04-0C9C68A0CD79}.exe

Filesize
216KB

MD5
9fcd4ed7bfe72dcf1e88c91b48d12c40

SHA1
9188920c6baebc559f6f8ac34cc4069fbe69eb02

SHA256
5965762908cba6bf281ccfd938ed13d0422d472dc2ef36b307c03f308a596397

SHA512
b10f2d0572a578a1d137654e0164448219c43f1a9002036d4e8007b656dd4e9dfaf98b1435b9606ee9840e67b2a4cf536b38cf1295d52cbaf69d377af3593845

Download Submit
C:\Windows\{A14F3BCF-AB4F-4993-9D75-4067D21C959F}.exe

Filesize
216KB

MD5
497e052eab19cf4a6ac9dd24db5e1626

SHA1
da140c4d88d1a7e831bfa57f3374a0905e85ecb9

SHA256
21fd9fc36107422a8b1cd801331c8f3a31a3c320c56df72a1cb383d44c90a291

SHA512
a30704ea7fec453d348eca80de7738eefcb9982b6374f8ebe0d998c26f830028501dd8bb7396abb55b283ef7cf3c678f245b98c098334cd7dec0df175735c4e0

Download Submit
C:\Windows\{C36C9603-D7CB-4c1e-915A-3AD7AE22535D}.exe

Filesize
216KB

MD5
bfd44206ee31ef825a7e664265d23e7b

SHA1
7a3b2f2185e3becf518424692eb8b665f22b3b5d

SHA256
c2122497c0935c81957827067b3cba926bd594efe8076e95b00457c68cecbf4b

SHA512
b27b19a9f610f45cfa9ac00aa7b9ed3134e36c5ad5447500811649fc7ae6e4efeab851f7070ee9cfb821e4bdb04a932689844f7fb172ec21dc1845ce71ce1ef0

Download Submit
C:\Windows\{CA0C1B83-E405-47e9-A4CA-FDC12A7569F1}.exe

Filesize
216KB

MD5
f164134d125a6feedd4b506a338a71dc

SHA1
5f3d0a9261fc5a1fc9ef2b6db4a84c1c632581d3

SHA256
28b6fc781c9cacd0091fc75a894afaac2452695786d4a93debb8d70ed6a55a81

SHA512
289d1eb00aa4aa64f0ff0b0a697f3843418c88ebfe8297566df1d2d84f01e9b92cd2b4b4e951c8298dfb920c6cacf8450f918ddfd64e711631a5cf5e2f4fb13b

Download Submit
C:\Windows\{D21CB5B2-4BA6-4d7d-A5A0-F9CB77AA51C6}.exe

Filesize
216KB

MD5
03028b038d0d0b7512afb69caa93ded7

SHA1
3c7e5e8cd72b004d2327f4ce017877198469f112

SHA256
9119479929daa5e9297a6f4100f1692bddf6784502b559239f03ddd9f0758544

SHA512
58b79fc62401ab0761b40c63669f0cb523f47a2c726b772974a8d481f559a89f84c8ac79ce62a59923edf2e2a8034db44ab8f6aebb2601cd5882717f9e4e459f

Download Submit
C:\Windows\{D26AB1BE-5EF9-4a5e-B545-EA8D20731EA9}.exe

Filesize
216KB

MD5
8529c5712d37b7f8ac8149c8d3ff1544

SHA1
b595be63252457137700946ea09834942bd64412

SHA256
758dfc4c17638aa98ba13c9df177206db2fc4254d11c2c38e256e485dedcb28d

SHA512
95a29411a0caf0f36d2ebbdb3dc9a179f969fcf7ce23a9f310f00c4869cbea95249323f0b8d20b2443743b52aabf28c654f9c74c242b0a8e9e111d05f03a2483

Download Submit
C:\Windows\{DAAD33F7-FCA0-47d1-826A-A4638BC1F715}.exe

Filesize
216KB

MD5
bbbb030e9bafc1cc5329bc16bbc1a9d6

SHA1
35cd1298b7f2f040769aa37b4e1b616291561566

SHA256
bd23faf30cd129627a9708cddfe297b7910c7027c5c0ae72d2bd4589a4ea1603

SHA512
0d79b5f047d9ca9f07b0cc1181dd6dc24585aa3af7f31db8380fbb9e4f3eb880101701b02d7a51f6db8749dfa4646a410efdf093dc4da54048f988d7e8132b33

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads