b8f4d638900c7c075386abb10d9aec57890f060bef96c12ee055d7567dbca21a

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 16:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe
Size

216KB
MD5

94e70d382dfb94df3327c99697342e21
SHA1

c32de2f0fe852425dd3c0bd8e5f456b1cfc3259d
SHA256

b8f4d638900c7c075386abb10d9aec57890f060bef96c12ee055d7567dbca21a
SHA512

30e996c5722fcfeab4c8d0404ba907fa51326578aa3df862052f9fb5d2bc2358db2b4953af55538c802abd9d32d185aa02d67afded9ebe83833c63101b59c1c4
SSDEEP

3072:jEGh0o+l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG8lEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015df1-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015f7a-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015df1-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00090000000167d5-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015df1-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015df1-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015df1-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{528E1C1C-29FC-4c3a-B356-133806E1F829}\stubpath = "C:\\Windows\\{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe"	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}\stubpath = "C:\\Windows\\{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe"	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}\stubpath = "C:\\Windows\\{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe"	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B2E27F7-2D2B-42ab-8637-C544D3724072}	{3CA62297-E3E0-4037-9C5F-69E941A8FB31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}\stubpath = "C:\\Windows\\{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe"	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{528E1C1C-29FC-4c3a-B356-133806E1F829}	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB6E0AA3-561C-4d7d-911B-099CA9518CC6}	{4B2E27F7-2D2B-42ab-8637-C544D3724072}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}\stubpath = "C:\\Windows\\{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe"	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CA62297-E3E0-4037-9C5F-69E941A8FB31}\stubpath = "C:\\Windows\\{3CA62297-E3E0-4037-9C5F-69E941A8FB31}.exe"	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA69D703-746D-4d7c-B455-0B00B1560654}\stubpath = "C:\\Windows\\{FA69D703-746D-4d7c-B455-0B00B1560654}.exe"	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CD57E88-4CC6-4f44-87C2-BC6D4E28A57F}\stubpath = "C:\\Windows\\{3CD57E88-4CC6-4f44-87C2-BC6D4E28A57F}.exe"	{EB6E0AA3-561C-4d7d-911B-099CA9518CC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F685C220-B687-42ba-9479-91DFF9C501C1}	2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA69D703-746D-4d7c-B455-0B00B1560654}	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB6E0AA3-561C-4d7d-911B-099CA9518CC6}\stubpath = "C:\\Windows\\{EB6E0AA3-561C-4d7d-911B-099CA9518CC6}.exe"	{4B2E27F7-2D2B-42ab-8637-C544D3724072}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CD57E88-4CC6-4f44-87C2-BC6D4E28A57F}	{EB6E0AA3-561C-4d7d-911B-099CA9518CC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F685C220-B687-42ba-9479-91DFF9C501C1}\stubpath = "C:\\Windows\\{F685C220-B687-42ba-9479-91DFF9C501C1}.exe"	2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CA62297-E3E0-4037-9C5F-69E941A8FB31}	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B2E27F7-2D2B-42ab-8637-C544D3724072}\stubpath = "C:\\Windows\\{4B2E27F7-2D2B-42ab-8637-C544D3724072}.exe"	{3CA62297-E3E0-4037-9C5F-69E941A8FB31}.exe

Executes dropped EXE 11 IoCs

pid	Process
3056	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe
1324	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe
2712	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe
2440	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe
2156	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe
2704	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe
1956	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe
2772	{3CA62297-E3E0-4037-9C5F-69E941A8FB31}.exe
2844	{4B2E27F7-2D2B-42ab-8637-C544D3724072}.exe
1648	{EB6E0AA3-561C-4d7d-911B-099CA9518CC6}.exe
748	{3CD57E88-4CC6-4f44-87C2-BC6D4E28A57F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3CD57E88-4CC6-4f44-87C2-BC6D4E28A57F}.exe	{EB6E0AA3-561C-4d7d-911B-099CA9518CC6}.exe
File created	C:\Windows\{F685C220-B687-42ba-9479-91DFF9C501C1}.exe	2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe
File created	C:\Windows\{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe
File created	C:\Windows\{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe
File created	C:\Windows\{4B2E27F7-2D2B-42ab-8637-C544D3724072}.exe	{3CA62297-E3E0-4037-9C5F-69E941A8FB31}.exe
File created	C:\Windows\{3CA62297-E3E0-4037-9C5F-69E941A8FB31}.exe	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe
File created	C:\Windows\{EB6E0AA3-561C-4d7d-911B-099CA9518CC6}.exe	{4B2E27F7-2D2B-42ab-8637-C544D3724072}.exe
File created	C:\Windows\{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe
File created	C:\Windows\{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe
File created	C:\Windows\{FA69D703-746D-4d7c-B455-0B00B1560654}.exe	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe
File created	C:\Windows\{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3060	2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3056	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe
Token: SeIncBasePriorityPrivilege	1324	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe
Token: SeIncBasePriorityPrivilege	2712	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe
Token: SeIncBasePriorityPrivilege	2440	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe
Token: SeIncBasePriorityPrivilege	2156	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe
Token: SeIncBasePriorityPrivilege	2704	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe
Token: SeIncBasePriorityPrivilege	1956	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe
Token: SeIncBasePriorityPrivilege	2772	{3CA62297-E3E0-4037-9C5F-69E941A8FB31}.exe
Token: SeIncBasePriorityPrivilege	2844	{4B2E27F7-2D2B-42ab-8637-C544D3724072}.exe
Token: SeIncBasePriorityPrivilege	1648	{EB6E0AA3-561C-4d7d-911B-099CA9518CC6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 3056	3060	2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe	28
PID 3060 wrote to memory of 3056	3060	2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe	28
PID 3060 wrote to memory of 3056	3060	2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe	28
PID 3060 wrote to memory of 3056	3060	2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe	28
PID 3060 wrote to memory of 2748	3060	2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe	29
PID 3060 wrote to memory of 2748	3060	2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe	29
PID 3060 wrote to memory of 2748	3060	2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe	29
PID 3060 wrote to memory of 2748	3060	2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe	29
PID 3056 wrote to memory of 1324	3056	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe	30
PID 3056 wrote to memory of 1324	3056	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe	30
PID 3056 wrote to memory of 1324	3056	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe	30
PID 3056 wrote to memory of 1324	3056	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe	30
PID 3056 wrote to memory of 2996	3056	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe	31
PID 3056 wrote to memory of 2996	3056	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe	31
PID 3056 wrote to memory of 2996	3056	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe	31
PID 3056 wrote to memory of 2996	3056	{F685C220-B687-42ba-9479-91DFF9C501C1}.exe	31
PID 1324 wrote to memory of 2712	1324	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe	32
PID 1324 wrote to memory of 2712	1324	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe	32
PID 1324 wrote to memory of 2712	1324	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe	32
PID 1324 wrote to memory of 2712	1324	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe	32
PID 1324 wrote to memory of 2864	1324	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe	33
PID 1324 wrote to memory of 2864	1324	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe	33
PID 1324 wrote to memory of 2864	1324	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe	33
PID 1324 wrote to memory of 2864	1324	{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe	33
PID 2712 wrote to memory of 2440	2712	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe	36
PID 2712 wrote to memory of 2440	2712	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe	36
PID 2712 wrote to memory of 2440	2712	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe	36
PID 2712 wrote to memory of 2440	2712	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe	36
PID 2712 wrote to memory of 2472	2712	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe	37
PID 2712 wrote to memory of 2472	2712	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe	37
PID 2712 wrote to memory of 2472	2712	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe	37
PID 2712 wrote to memory of 2472	2712	{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe	37
PID 2440 wrote to memory of 2156	2440	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe	38
PID 2440 wrote to memory of 2156	2440	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe	38
PID 2440 wrote to memory of 2156	2440	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe	38
PID 2440 wrote to memory of 2156	2440	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe	38
PID 2440 wrote to memory of 2964	2440	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe	39
PID 2440 wrote to memory of 2964	2440	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe	39
PID 2440 wrote to memory of 2964	2440	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe	39
PID 2440 wrote to memory of 2964	2440	{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe	39
PID 2156 wrote to memory of 2704	2156	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe	40
PID 2156 wrote to memory of 2704	2156	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe	40
PID 2156 wrote to memory of 2704	2156	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe	40
PID 2156 wrote to memory of 2704	2156	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe	40
PID 2156 wrote to memory of 2332	2156	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe	41
PID 2156 wrote to memory of 2332	2156	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe	41
PID 2156 wrote to memory of 2332	2156	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe	41
PID 2156 wrote to memory of 2332	2156	{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe	41
PID 2704 wrote to memory of 1956	2704	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe	42
PID 2704 wrote to memory of 1956	2704	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe	42
PID 2704 wrote to memory of 1956	2704	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe	42
PID 2704 wrote to memory of 1956	2704	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe	42
PID 2704 wrote to memory of 2024	2704	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe	43
PID 2704 wrote to memory of 2024	2704	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe	43
PID 2704 wrote to memory of 2024	2704	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe	43
PID 2704 wrote to memory of 2024	2704	{FA69D703-746D-4d7c-B455-0B00B1560654}.exe	43
PID 1956 wrote to memory of 2772	1956	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe	44
PID 1956 wrote to memory of 2772	1956	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe	44
PID 1956 wrote to memory of 2772	1956	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe	44
PID 1956 wrote to memory of 2772	1956	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe	44
PID 1956 wrote to memory of 2016	1956	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe	45
PID 1956 wrote to memory of 2016	1956	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe	45
PID 1956 wrote to memory of 2016	1956	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe	45
PID 1956 wrote to memory of 2016	1956	{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_94e70d382dfb94df3327c99697342e21_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\{F685C220-B687-42ba-9479-91DFF9C501C1}.exe
  C:\Windows\{F685C220-B687-42ba-9479-91DFF9C501C1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe
    C:\Windows\{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe
      C:\Windows\{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe
        
        C:\Windows\{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - C:\Windows\{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe
        
        C:\Windows\{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{FA69D703-746D-4d7c-B455-0B00B1560654}.exe
        
        C:\Windows\{FA69D703-746D-4d7c-B455-0B00B1560654}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe
        
        C:\Windows\{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{3CA62297-E3E0-4037-9C5F-69E941A8FB31}.exe
        
        C:\Windows\{3CA62297-E3E0-4037-9C5F-69E941A8FB31}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\{4B2E27F7-2D2B-42ab-8637-C544D3724072}.exe
        
        C:\Windows\{4B2E27F7-2D2B-42ab-8637-C544D3724072}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\{EB6E0AA3-561C-4d7d-911B-099CA9518CC6}.exe
        
        C:\Windows\{EB6E0AA3-561C-4d7d-911B-099CA9518CC6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\{3CD57E88-4CC6-4f44-87C2-BC6D4E28A57F}.exe
        
        C:\Windows\{3CD57E88-4CC6-4f44-87C2-BC6D4E28A57F}.exe
        12⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB6E0~1.EXE > nul
        12⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B2E2~1.EXE > nul
        11⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CA62~1.EXE > nul
        10⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FC8F~1.EXE > nul
        9⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA69D~1.EXE > nul
        8⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9755A~1.EXE > nul
        7⤵
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF2EF~1.EXE > nul
        6⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{528E1~1.EXE > nul
        5⤵
        
        PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D43F5~1.EXE > nul
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F685C~1.EXE > nul
    3⤵
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3CA62297-E3E0-4037-9C5F-69E941A8FB31}.exe

Filesize
216KB

MD5
a6530462e163c375c13c4e68db7fa4bc

SHA1
1389530495147d3fbc651cf110b454dd8b790948

SHA256
4ec2ca0649c72755e2283e3b5b5546bf82d40bcb9028c0b0541b9aa21fc523f9

SHA512
3e0044438832c37e56fbce8c84b2fd057574791e01a78f88ed8a0dc47ee3a694ac55c29222dc8e025eafee69193ef29bf59fd84973e4614c8948ab6c22795fe6

Download Submit
C:\Windows\{3CD57E88-4CC6-4f44-87C2-BC6D4E28A57F}.exe

Filesize
216KB

MD5
61fb94772144af3b02148cc3eb9d822f

SHA1
5dcc79c0bc373d5cd169868abbe4800fc2cac369

SHA256
ef984174e376798aac19ce1f27d3a8f711403cc546c5d739e508011dfbde502f

SHA512
11277a330c997edc64560ed7de6f33591b5eb19d89519263e94f2e0b320710a6ee74917800ec875b5a97bc48c1f7ea53e07769a1a80f9a73ec7d6b4dd038ef3d

Download Submit
C:\Windows\{4B2E27F7-2D2B-42ab-8637-C544D3724072}.exe

Filesize
216KB

MD5
6f41a791a828d292f11837977ce70ed1

SHA1
7ad45801522aca7005567fd73424203ea8737660

SHA256
146704a0db44eb7809011322413e5237d07cfb0e64486c3b8092433c5bf00e70

SHA512
0b3981f0674aeb084b804cbca38b697614379390aa1debc13cb0c8fcaccb3911749fd13f2de30e9848bbad57f44c74503dee75b73f2adc4d2a455b703f1b1333

Download Submit
C:\Windows\{528E1C1C-29FC-4c3a-B356-133806E1F829}.exe

Filesize
216KB

MD5
5d0a74ae63710f395df8d52dd0092706

SHA1
78961b3ca4c4549fcd9a8defe79f376c60b2a611

SHA256
7ec60fef77736e307c2d11f30fb26e0e4fe218862fef8994f478d89529b187ac

SHA512
05c0c634df27cebc69829f97868b0d549b86e4fb8445e95edc7fc9d3cae559961a78c0591580071bc1ab45709c7904abbb14c4c5ccbbbdb45698225518a6c214

Download Submit
C:\Windows\{7FC8FD08-17FC-4e3a-A890-8C50D12C19B3}.exe

Filesize
216KB

MD5
546b8e8ebc8a7d91c33383a4042b7446

SHA1
65ea2f931197228825bd2d2d59d3ad43f4519594

SHA256
8aa0fe56033fa33d426938360ac16b2c0095cf0644dc58b0110d340425a95bcd

SHA512
eb6b880da31179178744ba064c0742bd94cda354e7fbe59855b7f4586280ee10eefa8daa39077db54cf5011b81c017660e711d3492655f44013b24adc937c531

Download Submit
C:\Windows\{9755A3DA-D0E1-4644-B0F9-4EBDAAC18917}.exe

Filesize
216KB

MD5
68a5dfc2f10f1d682450ad4034b5c5ed

SHA1
075abc953ceffba21a9d57930354ad34e7105246

SHA256
527efb0aaaf9d9e3f43cfac8bf9018b24f447297f05b023d709d7b99574a657d

SHA512
dad98f7ec40e961b48eaa0856d02453d72e798ec199893caff916aa565f37be262214a991ebf8ad8266b9549a453fb873dc6b53b4d75f9fc5af4cb31e69596a8

Download Submit
C:\Windows\{BF2EFD60-231E-4c6b-9BF3-F9529DF04D0C}.exe

Filesize
216KB

MD5
f0752747d3c3f74d9f812e07a3abe877

SHA1
3c684cbc47a68d2608a0ba7770f9b3c33051555c

SHA256
d96756e8b414cffe06f07b7be15206cbdec22684e501876e888a41380c3c6815

SHA512
f78c2effcabc3522ee1d1ff33dd9d9961c408d7709e4449b3313f0acc6fcbc75f4d66d28edebe7b0c2fd7e2a9ab4c885de1b507ed6e2e5fa3326f5cf7410b6d9

Download Submit
C:\Windows\{D43F5FE8-0D02-47e7-A68C-A95180E81FA0}.exe

Filesize
216KB

MD5
fae918bc32b5ab4ca509991c15629253

SHA1
4d3e0c306f11bba19fe49ee7c4c581f9635ca766

SHA256
1e065bbee052d63b41055cbd33f270c7b4c16c1c913e1cb091219bd6a041dd9e

SHA512
9f66a4240da256fe6a608ae0790f52a7487d54bafab0571141da747f2e541db5bfbce56a605f3cbb0796cff853b69e5961900bce04fec406ec1fdaa9844e186c

Download Submit
C:\Windows\{EB6E0AA3-561C-4d7d-911B-099CA9518CC6}.exe

Filesize
216KB

MD5
6296525d588a98c34552bafd32e07442

SHA1
194ad1e791cfd26d703fda7c49febaee49094c17

SHA256
850b3cb93fca4d3f2723f594dda97164636a64d7c9215619e8da9e1bd8269d03

SHA512
a7ac17825d60482542b2875082a713329e8938338567995002b4dd402a01394ce7def350f70f8e30e5011dfa161a8700ee565b8f437b481e7aa9dfd0d883ae02

Download Submit
C:\Windows\{F685C220-B687-42ba-9479-91DFF9C501C1}.exe

Filesize
216KB

MD5
dafd011bc1581ae34d572c0f30a12b29

SHA1
5093383842a105a7aa80db8d5a301eeee32a12a2

SHA256
ea520070fed9d3b26f785e8311437f3a5a9e1e4f1b7a2df18de34840154ac056

SHA512
c6cf07b8b9547ea4a5463187b146b70ac36106bdc4020c32a30821434c60b4e594121a01c66064143e79c4c4b9dc52b2ff3b775b5f1cf6851620510768fc8ecb

Download Submit
C:\Windows\{FA69D703-746D-4d7c-B455-0B00B1560654}.exe

Filesize
216KB

MD5
1426883e9594f794abe1967001f5abf0

SHA1
bf390457d7e3144d150428e5a9c5a58d7b9fdb93

SHA256
50b13cbf1f26c49edce6407447fffa5f714c334d1226d3d02d97f866cf10d1f9

SHA512
064d0eaea077db04c7ef94951254aa23aa92f1ffccb951f5ee84d9a51c87772ef510debe05ffd2149b0ebf93d648ddabc97159af19adb5d717b6576a1ac41e61

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads