22366bee4d34b69b2df75b1ef20dee8f9ffc8fe85fbc6d0797b45a5170c7012a

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 18:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe
Size

168KB
MD5

5296b3114746b6ac3a26ef3a4cab693a
SHA1

1d5fa424b036d266680733312e6c4ad0d8cdf72d
SHA256

22366bee4d34b69b2df75b1ef20dee8f9ffc8fe85fbc6d0797b45a5170c7012a
SHA512

e3f7d293e134fa34fa64735b84f77ebf8c8e8b4d2147551e8977e268d23bc947ce405e61be11213832947811d0524d6d446800aad30bc3b86b572d1f34e4b16d
SSDEEP

1536:1EGh0ozli5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozliOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012249-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001444f-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012249-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000014701-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012249-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012249-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012249-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E22EE3E-B7C0-4a83-83CC-571A73271A23}	2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}\stubpath = "C:\\Windows\\{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe"	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E363C75-04C3-4338-8F21-0441106C7DE3}\stubpath = "C:\\Windows\\{0E363C75-04C3-4338-8F21-0441106C7DE3}.exe"	{957BAF0F-24C4-4f30-A32A-D996CEA3036B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A51F2DEB-26F3-47dd-B666-6EF22EC5E28C}	{0E363C75-04C3-4338-8F21-0441106C7DE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}\stubpath = "C:\\Windows\\{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe"	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24511067-85A8-4678-9203-D78E52AFA534}	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{957BAF0F-24C4-4f30-A32A-D996CEA3036B}	{24511067-85A8-4678-9203-D78E52AFA534}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E363C75-04C3-4338-8F21-0441106C7DE3}	{957BAF0F-24C4-4f30-A32A-D996CEA3036B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E22EE3E-B7C0-4a83-83CC-571A73271A23}\stubpath = "C:\\Windows\\{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe"	2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}\stubpath = "C:\\Windows\\{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe"	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A51F2DEB-26F3-47dd-B666-6EF22EC5E28C}\stubpath = "C:\\Windows\\{A51F2DEB-26F3-47dd-B666-6EF22EC5E28C}.exe"	{0E363C75-04C3-4338-8F21-0441106C7DE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B63F0980-3B2F-4aea-A144-5BFA693D780B}	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24511067-85A8-4678-9203-D78E52AFA534}\stubpath = "C:\\Windows\\{24511067-85A8-4678-9203-D78E52AFA534}.exe"	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{957BAF0F-24C4-4f30-A32A-D996CEA3036B}\stubpath = "C:\\Windows\\{957BAF0F-24C4-4f30-A32A-D996CEA3036B}.exe"	{24511067-85A8-4678-9203-D78E52AFA534}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}\stubpath = "C:\\Windows\\{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe"	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{862587DF-290D-4503-B2B1-D8B1513C97E1}	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{862587DF-290D-4503-B2B1-D8B1513C97E1}\stubpath = "C:\\Windows\\{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe"	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B63F0980-3B2F-4aea-A144-5BFA693D780B}\stubpath = "C:\\Windows\\{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe"	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe

Executes dropped EXE 11 IoCs

pid	Process
2992	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe
2704	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe
2548	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe
1736	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe
2792	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe
1696	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe
1880	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe
1588	{24511067-85A8-4678-9203-D78E52AFA534}.exe
2508	{957BAF0F-24C4-4f30-A32A-D996CEA3036B}.exe
2852	{0E363C75-04C3-4338-8F21-0441106C7DE3}.exe
1396	{A51F2DEB-26F3-47dd-B666-6EF22EC5E28C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe	2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe
File created	C:\Windows\{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe
File created	C:\Windows\{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe
File created	C:\Windows\{0E363C75-04C3-4338-8F21-0441106C7DE3}.exe	{957BAF0F-24C4-4f30-A32A-D996CEA3036B}.exe
File created	C:\Windows\{A51F2DEB-26F3-47dd-B666-6EF22EC5E28C}.exe	{0E363C75-04C3-4338-8F21-0441106C7DE3}.exe
File created	C:\Windows\{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe
File created	C:\Windows\{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe
File created	C:\Windows\{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe
File created	C:\Windows\{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe
File created	C:\Windows\{24511067-85A8-4678-9203-D78E52AFA534}.exe	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe
File created	C:\Windows\{957BAF0F-24C4-4f30-A32A-D996CEA3036B}.exe	{24511067-85A8-4678-9203-D78E52AFA534}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2952	2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2992	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe
Token: SeIncBasePriorityPrivilege	2704	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe
Token: SeIncBasePriorityPrivilege	2548	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe
Token: SeIncBasePriorityPrivilege	1736	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe
Token: SeIncBasePriorityPrivilege	2792	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe
Token: SeIncBasePriorityPrivilege	1696	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe
Token: SeIncBasePriorityPrivilege	1880	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe
Token: SeIncBasePriorityPrivilege	1588	{24511067-85A8-4678-9203-D78E52AFA534}.exe
Token: SeIncBasePriorityPrivilege	2508	{957BAF0F-24C4-4f30-A32A-D996CEA3036B}.exe
Token: SeIncBasePriorityPrivilege	2852	{0E363C75-04C3-4338-8F21-0441106C7DE3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2992	2952	2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe	28
PID 2952 wrote to memory of 2992	2952	2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe	28
PID 2952 wrote to memory of 2992	2952	2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe	28
PID 2952 wrote to memory of 2992	2952	2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe	28
PID 2952 wrote to memory of 2540	2952	2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe	29
PID 2952 wrote to memory of 2540	2952	2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe	29
PID 2952 wrote to memory of 2540	2952	2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe	29
PID 2952 wrote to memory of 2540	2952	2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe	29
PID 2992 wrote to memory of 2704	2992	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe	30
PID 2992 wrote to memory of 2704	2992	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe	30
PID 2992 wrote to memory of 2704	2992	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe	30
PID 2992 wrote to memory of 2704	2992	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe	30
PID 2992 wrote to memory of 2720	2992	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe	31
PID 2992 wrote to memory of 2720	2992	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe	31
PID 2992 wrote to memory of 2720	2992	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe	31
PID 2992 wrote to memory of 2720	2992	{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe	31
PID 2704 wrote to memory of 2548	2704	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe	32
PID 2704 wrote to memory of 2548	2704	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe	32
PID 2704 wrote to memory of 2548	2704	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe	32
PID 2704 wrote to memory of 2548	2704	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe	32
PID 2704 wrote to memory of 2468	2704	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe	33
PID 2704 wrote to memory of 2468	2704	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe	33
PID 2704 wrote to memory of 2468	2704	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe	33
PID 2704 wrote to memory of 2468	2704	{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe	33
PID 2548 wrote to memory of 1736	2548	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe	36
PID 2548 wrote to memory of 1736	2548	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe	36
PID 2548 wrote to memory of 1736	2548	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe	36
PID 2548 wrote to memory of 1736	2548	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe	36
PID 2548 wrote to memory of 2692	2548	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe	37
PID 2548 wrote to memory of 2692	2548	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe	37
PID 2548 wrote to memory of 2692	2548	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe	37
PID 2548 wrote to memory of 2692	2548	{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe	37
PID 1736 wrote to memory of 2792	1736	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe	38
PID 1736 wrote to memory of 2792	1736	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe	38
PID 1736 wrote to memory of 2792	1736	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe	38
PID 1736 wrote to memory of 2792	1736	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe	38
PID 1736 wrote to memory of 332	1736	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe	39
PID 1736 wrote to memory of 332	1736	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe	39
PID 1736 wrote to memory of 332	1736	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe	39
PID 1736 wrote to memory of 332	1736	{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe	39
PID 2792 wrote to memory of 1696	2792	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe	40
PID 2792 wrote to memory of 1696	2792	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe	40
PID 2792 wrote to memory of 1696	2792	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe	40
PID 2792 wrote to memory of 1696	2792	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe	40
PID 2792 wrote to memory of 1956	2792	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe	41
PID 2792 wrote to memory of 1956	2792	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe	41
PID 2792 wrote to memory of 1956	2792	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe	41
PID 2792 wrote to memory of 1956	2792	{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe	41
PID 1696 wrote to memory of 1880	1696	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe	42
PID 1696 wrote to memory of 1880	1696	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe	42
PID 1696 wrote to memory of 1880	1696	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe	42
PID 1696 wrote to memory of 1880	1696	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe	42
PID 1696 wrote to memory of 2932	1696	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe	43
PID 1696 wrote to memory of 2932	1696	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe	43
PID 1696 wrote to memory of 2932	1696	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe	43
PID 1696 wrote to memory of 2932	1696	{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe	43
PID 1880 wrote to memory of 1588	1880	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe	44
PID 1880 wrote to memory of 1588	1880	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe	44
PID 1880 wrote to memory of 1588	1880	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe	44
PID 1880 wrote to memory of 1588	1880	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe	44
PID 1880 wrote to memory of 1512	1880	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe	45
PID 1880 wrote to memory of 1512	1880	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe	45
PID 1880 wrote to memory of 1512	1880	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe	45
PID 1880 wrote to memory of 1512	1880	{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-09_5296b3114746b6ac3a26ef3a4cab693a_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe
  C:\Windows\{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe
    C:\Windows\{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe
      C:\Windows\{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe
        
        C:\Windows\{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Windows\{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe
        
        C:\Windows\{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe
        
        C:\Windows\{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe
        
        C:\Windows\{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{24511067-85A8-4678-9203-D78E52AFA534}.exe
        
        C:\Windows\{24511067-85A8-4678-9203-D78E52AFA534}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\{957BAF0F-24C4-4f30-A32A-D996CEA3036B}.exe
        
        C:\Windows\{957BAF0F-24C4-4f30-A32A-D996CEA3036B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{0E363C75-04C3-4338-8F21-0441106C7DE3}.exe
        
        C:\Windows\{0E363C75-04C3-4338-8F21-0441106C7DE3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{A51F2DEB-26F3-47dd-B666-6EF22EC5E28C}.exe
        
        C:\Windows\{A51F2DEB-26F3-47dd-B666-6EF22EC5E28C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E363~1.EXE > nul
        12⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{957BA~1.EXE > nul
        11⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24511~1.EXE > nul
        10⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40B4A~1.EXE > nul
        9⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B63F0~1.EXE > nul
        8⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E877C~1.EXE > nul
        7⤵
        
        PID:1956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86258~1.EXE > nul
        6⤵
        
        PID:332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBFC4~1.EXE > nul
        5⤵
        
        PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{37AA3~1.EXE > nul
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8E22E~1.EXE > nul
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E363C75-04C3-4338-8F21-0441106C7DE3}.exe

Filesize
168KB

MD5
139f37e1c904cb209117caca8a917e91

SHA1
76abd7d84ba5472a07189d2977eae98202b557cd

SHA256
de5fe8ca6a5a63478dcdb94efcc7e0623e65dddf2d9f0488e6e67c780bc3b266

SHA512
67a0f829100e3b60a09d4ec0f97b655e6005c314b8d4c0c6136f49da5a66cf45fed3c430c4fea9f1ca99f536fd6804a09ff730819c2cb075212b1319f63c0ab0

Download Submit
C:\Windows\{24511067-85A8-4678-9203-D78E52AFA534}.exe

Filesize
168KB

MD5
fe5b415b9a6d35cc10863b5dbf43af09

SHA1
1eb4e2c2517f1933eaac77cb806d6f351c6a0151

SHA256
f25d204b74d57103836f4d39013dac7ff56d0fa7c768d048e142a3a5a40869dc

SHA512
5fddef58f779d2dc652744287337246bf18e8f2bd352037c3c04247c4263c4a84da0767db70b265cea7ecfb0cd9eedcd310e02410a906739b0a6386ae7b53913

Download Submit
C:\Windows\{37AA389D-2D66-4ed7-9B92-46B6B97B5BD3}.exe

Filesize
168KB

MD5
af35c8f78367fd8ad36f114bfc25409b

SHA1
3db1f0aac9a1d624f0c6afb953156b53459ccb4d

SHA256
72d29e25e4d71475c77b5751927914bc07029925e01f66350770f9adb0b7a1d2

SHA512
aebd54d31e1807719d2cff93bfa22f4aca9068e837aaf1215808b37e9c076b6061b842dfcab66a28b881b87cbb3b3f4db229be17bda74712506409faf14a8397

Download Submit
C:\Windows\{40B4A223-FB97-4547-8B17-CFD2C0A7D9F3}.exe

Filesize
168KB

MD5
4ebecd1b8d4cb12a7dee0bb5cb036e9c

SHA1
768c717d2b6212f7a8a6f8d33b2930f573d84960

SHA256
8a3a77239d4eec547ff3851d48c5c89db5cdf908e54fe8d491c304b3cfa5b17e

SHA512
11d1f90795194173d00025c371c5a62dcb6c3c3fd929533de91a7b3f0e140b309ef7eed4fa749b59a0064fb5a24bc542d32e7f0df1fd03122c095f2e64489558

Download Submit
C:\Windows\{862587DF-290D-4503-B2B1-D8B1513C97E1}.exe

Filesize
168KB

MD5
8e644654c751dc15016606a93bc1e821

SHA1
60b79a0a7323f8fec073d6dddd75b3eadcde25fa

SHA256
52d65e8c0ae7d74a730bf9d379f09fde6be59c7474f02799f402fea2a35fe568

SHA512
19b6ca88b1bc3606e8dbfff726c25f33671746bb6a084897f4d3b99a8c83fa72560f0a0b750c4ba504cb52a52b85679bcade105bba5bcc727a5646aa58e47cc1

Download Submit
C:\Windows\{8E22EE3E-B7C0-4a83-83CC-571A73271A23}.exe

Filesize
168KB

MD5
558c1c00aa8c2ca1081fca5ea5ad8ea1

SHA1
7a15f2b39b27dd8bc230c8d8f10082c0fe8508f8

SHA256
c1a522182ad456dd9761d73cd22e5f4ef3c4e98c0390d6b21cffa0242982d62e

SHA512
5d4b99f898f42b76e668ccf7120cba539e2d1e8fe0416aefddd2a7ef752cd1d2bdb5471a7839afb6d4205673cd2fa369f424965ff9e9355e2bedea67ddbf5fcb

Download Submit
C:\Windows\{957BAF0F-24C4-4f30-A32A-D996CEA3036B}.exe

Filesize
168KB

MD5
ca6712f837ae76e756d59abd6ed0113d

SHA1
a214bd144f4711b53a8da46a56e6fdf166e5272e

SHA256
411b7f9e04c2088bd5f04e1ab785754bd2800fed2b52d38101f430cf5ccd270f

SHA512
5e54c5638330bc72026de535c290e0f504102f01aa5d6adfd20dfa9366521e99012fd3114253d47d7f490e0c156cd1a90619e3d8a8a2f71fcea5cebbcd273e6a

Download Submit
C:\Windows\{A51F2DEB-26F3-47dd-B666-6EF22EC5E28C}.exe

Filesize
168KB

MD5
94161c883cb4d1509572c54fd3bf90b0

SHA1
a9a442df8f9d5fd18255cbfd348622617ecc09ff

SHA256
149508b13b6bb0623aad0414b37c357b0171c8fd5163c39d76f8381f5d99ae2b

SHA512
bb1d36adbfb4b74ad77d0133c7a003d59d4070119a628af2dac66883213f19ac83c818948d9724dd383f039313143ad3b2ec743b58657a5b7cc562b1048aa14a

Download Submit
C:\Windows\{B63F0980-3B2F-4aea-A144-5BFA693D780B}.exe

Filesize
168KB

MD5
c97651a9dbe2748648fe04ee8260a5e3

SHA1
c2871feb52dca3f418b57b964c54c436916d9411

SHA256
8159d11cf3189c482842fb703bdf15f6df9180e599abe473d61d8df6358117d6

SHA512
d0b5e8b9381eba3886600f21fa03fc09f69e11e9f2c5f8fe66419dc321658a6b9a05064fc0b7a907e01bffc984274ccdb0533c094510e746d171a76f4f27e500

Download Submit
C:\Windows\{DBFC41EE-F754-40f1-BEBE-3E99BEC0BCC4}.exe

Filesize
168KB

MD5
9c5af5495d9e711da0f2ba13d3c1eba2

SHA1
c876d89667034178a6b65c65d737f2aba00b3e70

SHA256
1cb3ea83cc707426b810c3b657b69ed22a64dcc1542ec638b8675ffe48c4f049

SHA512
9b424fd5aee59888266d6a209a6167ab9d78625ea30de03445db18cbdcb113fda29be8a9645c549b657bcee9fce2b90952d5d5139ed8e5e3fef6db2b21df5e5f

Download Submit
C:\Windows\{E877C1EA-7AA0-42dd-A33D-1CA226E6AEE2}.exe

Filesize
168KB

MD5
42e827612c4e038611852f13f5dc1331

SHA1
c5f824bdc663934da84c6744c35c9d2b4d81afaa

SHA256
64ccf2665e9f5b1e77eccdb07c9997b0028ed9717e8418866fe2517e7d12c792

SHA512
c34c870c3f2234c3002aaf2c5ba556513bd9c9b11c48d9a97810b10b15ff42301da6bc8081985f080c3ba008b45cb3857da3d267e15a2886e84b2f12390b9698

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads