233228c058e7d781ac3dbd1454c15866c8b119e0c2192f3669fe508894e4ae29

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-04-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe
Size

408KB
MD5

fe36d8ce492c3f40e76142f204eeb01a
SHA1

f097c782dbde1070e893fcdbd1cc82daf56b05d9
SHA256

233228c058e7d781ac3dbd1454c15866c8b119e0c2192f3669fe508894e4ae29
SHA512

e960100f5c2ffed2e8a47777882ebd841d31c4b8db69936d6d1301d24c144f33e399ac23a07c9e142fc0c48f1e42ae964ef1c244f906015ff8180d1bbcb5b571
SSDEEP

3072:CEGh0oil3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGAldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000122ac-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001413f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122ac-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000300000000b1f2-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000400000000b1f2-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000500000000b1f2-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000600000000b1f2-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}\stubpath = "C:\\Windows\\{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe"	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}\stubpath = "C:\\Windows\\{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe"	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F380B1E-D57E-4cbf-8D31-3B454C95194A}\stubpath = "C:\\Windows\\{6F380B1E-D57E-4cbf-8D31-3B454C95194A}.exe"	{0A32BB5B-B3FF-4353-8F1B-28B69B9922EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F380B1E-D57E-4cbf-8D31-3B454C95194A}	{0A32BB5B-B3FF-4353-8F1B-28B69B9922EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD6E532-DE7D-4206-B775-09C0A57974AA}\stubpath = "C:\\Windows\\{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe"	2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0E45406-9292-4701-A916-052D7D4BF54B}\stubpath = "C:\\Windows\\{C0E45406-9292-4701-A916-052D7D4BF54B}.exe"	{578E0ECC-BED9-4901-BEB6-982285429498}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19415BF1-09AD-4c78-99D5-940D5777EA3F}\stubpath = "C:\\Windows\\{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe"	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}\stubpath = "C:\\Windows\\{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe"	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{578E0ECC-BED9-4901-BEB6-982285429498}\stubpath = "C:\\Windows\\{578E0ECC-BED9-4901-BEB6-982285429498}.exe"	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0E45406-9292-4701-A916-052D7D4BF54B}	{578E0ECC-BED9-4901-BEB6-982285429498}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AD6E532-DE7D-4206-B775-09C0A57974AA}	2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}\stubpath = "C:\\Windows\\{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe"	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19415BF1-09AD-4c78-99D5-940D5777EA3F}	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A32BB5B-B3FF-4353-8F1B-28B69B9922EA}	{C0E45406-9292-4701-A916-052D7D4BF54B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A32BB5B-B3FF-4353-8F1B-28B69B9922EA}\stubpath = "C:\\Windows\\{0A32BB5B-B3FF-4353-8F1B-28B69B9922EA}.exe"	{C0E45406-9292-4701-A916-052D7D4BF54B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D6E1CAA-CC00-47a0-A51A-15007A931BEF}\stubpath = "C:\\Windows\\{2D6E1CAA-CC00-47a0-A51A-15007A931BEF}.exe"	{6F380B1E-D57E-4cbf-8D31-3B454C95194A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{578E0ECC-BED9-4901-BEB6-982285429498}	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D6E1CAA-CC00-47a0-A51A-15007A931BEF}	{6F380B1E-D57E-4cbf-8D31-3B454C95194A}.exe

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1316	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe
2700	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe
2596	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe
2004	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe
2804	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe
1368	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe
744	{578E0ECC-BED9-4901-BEB6-982285429498}.exe
284	{C0E45406-9292-4701-A916-052D7D4BF54B}.exe
1764	{0A32BB5B-B3FF-4353-8F1B-28B69B9922EA}.exe
1108	{6F380B1E-D57E-4cbf-8D31-3B454C95194A}.exe
1952	{2D6E1CAA-CC00-47a0-A51A-15007A931BEF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe
File created	C:\Windows\{578E0ECC-BED9-4901-BEB6-982285429498}.exe	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe
File created	C:\Windows\{C0E45406-9292-4701-A916-052D7D4BF54B}.exe	{578E0ECC-BED9-4901-BEB6-982285429498}.exe
File created	C:\Windows\{0A32BB5B-B3FF-4353-8F1B-28B69B9922EA}.exe	{C0E45406-9292-4701-A916-052D7D4BF54B}.exe
File created	C:\Windows\{2D6E1CAA-CC00-47a0-A51A-15007A931BEF}.exe	{6F380B1E-D57E-4cbf-8D31-3B454C95194A}.exe
File created	C:\Windows\{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe	2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe
File created	C:\Windows\{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe
File created	C:\Windows\{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe
File created	C:\Windows\{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe
File created	C:\Windows\{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe
File created	C:\Windows\{6F380B1E-D57E-4cbf-8D31-3B454C95194A}.exe	{0A32BB5B-B3FF-4353-8F1B-28B69B9922EA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2516	2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1316	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe
Token: SeIncBasePriorityPrivilege	2700	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe
Token: SeIncBasePriorityPrivilege	2596	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe
Token: SeIncBasePriorityPrivilege	2004	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe
Token: SeIncBasePriorityPrivilege	2804	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe
Token: SeIncBasePriorityPrivilege	1368	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe
Token: SeIncBasePriorityPrivilege	744	{578E0ECC-BED9-4901-BEB6-982285429498}.exe
Token: SeIncBasePriorityPrivilege	284	{C0E45406-9292-4701-A916-052D7D4BF54B}.exe
Token: SeIncBasePriorityPrivilege	1764	{0A32BB5B-B3FF-4353-8F1B-28B69B9922EA}.exe
Token: SeIncBasePriorityPrivilege	1108	{6F380B1E-D57E-4cbf-8D31-3B454C95194A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1316	2516	2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe	28
PID 2516 wrote to memory of 1316	2516	2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe	28
PID 2516 wrote to memory of 1316	2516	2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe	28
PID 2516 wrote to memory of 1316	2516	2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe	28
PID 2516 wrote to memory of 2572	2516	2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe	29
PID 2516 wrote to memory of 2572	2516	2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe	29
PID 2516 wrote to memory of 2572	2516	2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe	29
PID 2516 wrote to memory of 2572	2516	2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe	29
PID 1316 wrote to memory of 2700	1316	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe	30
PID 1316 wrote to memory of 2700	1316	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe	30
PID 1316 wrote to memory of 2700	1316	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe	30
PID 1316 wrote to memory of 2700	1316	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe	30
PID 1316 wrote to memory of 3028	1316	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe	31
PID 1316 wrote to memory of 3028	1316	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe	31
PID 1316 wrote to memory of 3028	1316	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe	31
PID 1316 wrote to memory of 3028	1316	{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe	31
PID 2700 wrote to memory of 2596	2700	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe	32
PID 2700 wrote to memory of 2596	2700	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe	32
PID 2700 wrote to memory of 2596	2700	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe	32
PID 2700 wrote to memory of 2596	2700	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe	32
PID 2700 wrote to memory of 2480	2700	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe	33
PID 2700 wrote to memory of 2480	2700	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe	33
PID 2700 wrote to memory of 2480	2700	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe	33
PID 2700 wrote to memory of 2480	2700	{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe	33
PID 2596 wrote to memory of 2004	2596	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe	36
PID 2596 wrote to memory of 2004	2596	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe	36
PID 2596 wrote to memory of 2004	2596	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe	36
PID 2596 wrote to memory of 2004	2596	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe	36
PID 2596 wrote to memory of 2772	2596	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe	37
PID 2596 wrote to memory of 2772	2596	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe	37
PID 2596 wrote to memory of 2772	2596	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe	37
PID 2596 wrote to memory of 2772	2596	{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe	37
PID 2004 wrote to memory of 2804	2004	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe	38
PID 2004 wrote to memory of 2804	2004	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe	38
PID 2004 wrote to memory of 2804	2004	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe	38
PID 2004 wrote to memory of 2804	2004	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe	38
PID 2004 wrote to memory of 1216	2004	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe	39
PID 2004 wrote to memory of 1216	2004	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe	39
PID 2004 wrote to memory of 1216	2004	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe	39
PID 2004 wrote to memory of 1216	2004	{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe	39
PID 2804 wrote to memory of 1368	2804	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe	40
PID 2804 wrote to memory of 1368	2804	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe	40
PID 2804 wrote to memory of 1368	2804	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe	40
PID 2804 wrote to memory of 1368	2804	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe	40
PID 2804 wrote to memory of 1028	2804	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe	41
PID 2804 wrote to memory of 1028	2804	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe	41
PID 2804 wrote to memory of 1028	2804	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe	41
PID 2804 wrote to memory of 1028	2804	{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe	41
PID 1368 wrote to memory of 744	1368	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe	42
PID 1368 wrote to memory of 744	1368	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe	42
PID 1368 wrote to memory of 744	1368	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe	42
PID 1368 wrote to memory of 744	1368	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe	42
PID 1368 wrote to memory of 268	1368	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe	43
PID 1368 wrote to memory of 268	1368	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe	43
PID 1368 wrote to memory of 268	1368	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe	43
PID 1368 wrote to memory of 268	1368	{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe	43
PID 744 wrote to memory of 284	744	{578E0ECC-BED9-4901-BEB6-982285429498}.exe	44
PID 744 wrote to memory of 284	744	{578E0ECC-BED9-4901-BEB6-982285429498}.exe	44
PID 744 wrote to memory of 284	744	{578E0ECC-BED9-4901-BEB6-982285429498}.exe	44
PID 744 wrote to memory of 284	744	{578E0ECC-BED9-4901-BEB6-982285429498}.exe	44
PID 744 wrote to memory of 1624	744	{578E0ECC-BED9-4901-BEB6-982285429498}.exe	45
PID 744 wrote to memory of 1624	744	{578E0ECC-BED9-4901-BEB6-982285429498}.exe	45
PID 744 wrote to memory of 1624	744	{578E0ECC-BED9-4901-BEB6-982285429498}.exe	45
PID 744 wrote to memory of 1624	744	{578E0ECC-BED9-4901-BEB6-982285429498}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_fe36d8ce492c3f40e76142f204eeb01a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe
  C:\Windows\{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe
    C:\Windows\{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe
      C:\Windows\{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe
        
        C:\Windows\{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe
        
        C:\Windows\{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe
        
        C:\Windows\{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\{578E0ECC-BED9-4901-BEB6-982285429498}.exe
        
        C:\Windows\{578E0ECC-BED9-4901-BEB6-982285429498}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\{C0E45406-9292-4701-A916-052D7D4BF54B}.exe
        
        C:\Windows\{C0E45406-9292-4701-A916-052D7D4BF54B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
        
        C:\Windows\{0A32BB5B-B3FF-4353-8F1B-28B69B9922EA}.exe
        
        C:\Windows\{0A32BB5B-B3FF-4353-8F1B-28B69B9922EA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\{6F380B1E-D57E-4cbf-8D31-3B454C95194A}.exe
        
        C:\Windows\{6F380B1E-D57E-4cbf-8D31-3B454C95194A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\{2D6E1CAA-CC00-47a0-A51A-15007A931BEF}.exe
        
        C:\Windows\{2D6E1CAA-CC00-47a0-A51A-15007A931BEF}.exe
        12⤵
        Executes dropped EXE
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F380~1.EXE > nul
        12⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A32B~1.EXE > nul
        11⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0E45~1.EXE > nul
        10⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{578E0~1.EXE > nul
        9⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B456~1.EXE > nul
        8⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5BA8E~1.EXE > nul
        7⤵
        
        PID:1028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19415~1.EXE > nul
        6⤵
        
        PID:1216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A376C~1.EXE > nul
        5⤵
        
        PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8E0C8~1.EXE > nul
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4AD6E~1.EXE > nul
    3⤵
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A32BB5B-B3FF-4353-8F1B-28B69B9922EA}.exe

Filesize
408KB

MD5
b499faecdb08b0c90423929b266a129b

SHA1
43225c99495276223457db06c46b1fcd2d2f7d43

SHA256
3496f5c7e63492ad48366d7c9f876916614d7a094b456ad4ceed1c19d3cb295b

SHA512
989adb77fabfde2c7334774a09f83f53fed1e36385f628ff8ec40e4ffe9bddc37b3a907c4870a363227fb5b4672191524eac9a1e4600206dee24180f638dc41b

Download Submit
C:\Windows\{19415BF1-09AD-4c78-99D5-940D5777EA3F}.exe

Filesize
408KB

MD5
7db6692ba73658fab91e7b4bb9471998

SHA1
9ab05a79366836c4d3859968c94bc09e0dbb6546

SHA256
ae9287ce7a0b476940cf75332e20e241dc6a9e93e85e58be017c7ef75f708233

SHA512
61eb9dc679ed5ca83a0f3f5b0b8422c2390239902a4d768f1032eb8644a37addeb06272ea8b4a478757b07d2f04032e9e0ca71b485ed32fb917e46aadc35d9a6

Download Submit
C:\Windows\{2D6E1CAA-CC00-47a0-A51A-15007A931BEF}.exe

Filesize
408KB

MD5
1720e35fca684d4dabd5bf771db020b9

SHA1
160341f14a5dcc736feacd53e2948c9e041181f6

SHA256
b9e1dc34dacfa1bec98a42028ee0d7bbd76dfbd9396040b7f3a73bedd85f9688

SHA512
4cad62bffe8178d9eed0cdfb81cd5550a88fe5704dfc809dfe35cd297e3e1e5593c37e36aa7b37bafe399aecf4254277e732134ea1b31543df4b1e8f846f7f44

Download Submit
C:\Windows\{4AD6E532-DE7D-4206-B775-09C0A57974AA}.exe

Filesize
408KB

MD5
ff2ce757e08902a26a514c6d037c8e4a

SHA1
f65f1b167e30dd038b73585b867edbb4c2ce4c5b

SHA256
b3002aa7a0bea75ab3f7b713fe3553275e8cc58cf512cbaa169964acdc1b3931

SHA512
29bbc4ff4500b6524d8a07c1ee3f507b3e43a5b5faef401ee0b93815d6906adf4060fb063601a83d051fcfed4e8d82aec8303d7a86c2a19530290adc99915548

Download Submit
C:\Windows\{578E0ECC-BED9-4901-BEB6-982285429498}.exe

Filesize
408KB

MD5
8842b77f7260cd3a4a52ce13d10118ef

SHA1
0ed421ccfaefed9dc83de9e908a465f432ce3c27

SHA256
2a966cb8cddbaadb04dfed1ba5b00f9c68d87800c434ae9fa8ad3e10b0a3c14e

SHA512
6ed20012afc9fd233aa454bf76120b3f6ec8f9d03dbd8772ec9cd170880896ab57f9b5ccabb94255c0c98251e16ffad6329786ca3b4816bd6e023596892d0226

Download Submit
C:\Windows\{5BA8E6C1-8C8C-4951-BD9B-AE6F86DDFD93}.exe

Filesize
408KB

MD5
ab62ea360a59bf37d68591008b854f30

SHA1
11b7d7cf24b52a9b90465f2004d62d5daf5e07c5

SHA256
807d114d08af7558a3dc396bd08d52fb2bd11a90eaaea05d1fd61930de06f783

SHA512
65556826c9346b239684eca2dc0898aeafcf7fa006d079d1e3dd1e3dfef8949965adf1c1b6fa50f42b61c57ba094ce33f41f53d4300da9bec1f16beed8064532

Download Submit
C:\Windows\{6B456C7A-89FA-4b2c-A6CB-F9E88057A02F}.exe

Filesize
408KB

MD5
47bff54aa9d0411a4640ec7db131f158

SHA1
1f24f17295be968e3c16d5a3ab0087f84eeafaf9

SHA256
b7a1ad1efcbcd1d91f4803d6124c9992557dfba5b6cb266b274924c392a4232e

SHA512
c65d7d2aebc0913b88af8210187ee4187d1f2cd117dde29e3cf635e0ae3f7ce3cce5f04d6df0bb94c35dabcefa91f455bb4ca5347b33981dd33b368a36d4780f

Download Submit
C:\Windows\{6F380B1E-D57E-4cbf-8D31-3B454C95194A}.exe

Filesize
408KB

MD5
45169b7e3ce04603433b808b657f8560

SHA1
84c799c2db2cde79f9948bd29cc663e4f2f83f93

SHA256
f7772e6047f1b3040356f071f3c258d60d89bc666dd65a687afad029ee9a1bdd

SHA512
d650cb695570977d4f76db83835aaab19faa6ddfe37fe90ac8467981b62dc5eaee33680ddafd93da54e6d1dfe410e5ae89428705595f0c5739a8ff771f973524

Download Submit
C:\Windows\{8E0C839C-E50E-4ce4-ADF2-62D20610DA3B}.exe

Filesize
408KB

MD5
6e770d35aa6f73ad4d1dfadc115fbc2f

SHA1
b35ccba5811b3e0eeaff15f241a7d08de815e21f

SHA256
46d39422b58f8185c33922201e269338614d9176bb98b0cdb62540bc81cefe2d

SHA512
8db6fcdb40d210d83ff8bce89b536f4719b32fcc5c228063ff2c6ca29b4fc29bb4806f655ca632f1641905d63442079c6e82c99fc976b92f98d1188501d6a980

Download Submit
C:\Windows\{A376C5FC-D153-4649-83FA-CDD77CC7A5CA}.exe

Filesize
408KB

MD5
274683a1a3c98f8e3261e72639b52912

SHA1
000bc98d7aacefcf9f9e92267ca8972848352a97

SHA256
1e80a77181828c5b0b56d5b400c3e4574783486c7d849d2b2145619dd7fb1be2

SHA512
a795189fd8f353c2ced533c90e678aedca66749063ece15057f5b7807c7f5b962d3af0320d8b401244a5e839a9999bf78f6bc54623127ca865c89d462d0e845e

Download Submit
C:\Windows\{C0E45406-9292-4701-A916-052D7D4BF54B}.exe

Filesize
408KB

MD5
7a1f2c062f7ee2c22e58673795623e47

SHA1
7bc2c257ad7361e3c966e11fc58476b7caa6cf2c

SHA256
00f01bd4bda7a28455b79e5a453285c7e43dd609673abfdc411481f8273b86da

SHA512
2c935b3c7c2984077f10d75234f38d019446752d66e892ecbe738f1304520c509d188987cadc41c7e784a7dc3e45cf2209593eb7815bf7e670ee94a7ce106840

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads