96f7e901ba2792abb0c3fbe32cc482d1ffc180de8b9ddc4eeebe0c9338005e4a

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe
Size

408KB
MD5

e16cf07f15f6b57decdecc58a931a981
SHA1

484c24779c9aec3c93c8981ad4a97b346fa15aa1
SHA256

96f7e901ba2792abb0c3fbe32cc482d1ffc180de8b9ddc4eeebe0c9338005e4a
SHA512

89e6fd7fc0f5e51528b0c4f82ecad145d93f7e1c92e2b741f6c446c55b4191c4df86fa9a54734b68c266cb1bbd46dc0dbf3c0e17f7f79c4805277348601a0c48
SSDEEP

3072:CEGh0oWl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEG0ldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000126b7-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001b000000015c9d-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e0000000126b7-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f0000000126b7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001b000000015cce-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00100000000126b7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000015da9-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00110000000126b7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000015e9c-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000015f03-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6994969-4E83-4571-8D6A-5759558F08EB}	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0AF23EB-0EF3-46c7-AA6B-1D28547EC53B}	{9F1D58E2-4983-44b3-8662-AEEEB6F9FED4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}\stubpath = "C:\\Windows\\{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe"	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6994969-4E83-4571-8D6A-5759558F08EB}\stubpath = "C:\\Windows\\{A6994969-4E83-4571-8D6A-5759558F08EB}.exe"	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CE017BA-CA2B-4979-BCB5-4BB737C8681D}	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0AF23EB-0EF3-46c7-AA6B-1D28547EC53B}\stubpath = "C:\\Windows\\{E0AF23EB-0EF3-46c7-AA6B-1D28547EC53B}.exe"	{9F1D58E2-4983-44b3-8662-AEEEB6F9FED4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B0FD517-4F1C-4084-84CB-3091777A4F4C}	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}\stubpath = "C:\\Windows\\{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe"	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F1D58E2-4983-44b3-8662-AEEEB6F9FED4}	{7CE017BA-CA2B-4979-BCB5-4BB737C8681D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC4870E3-9C9B-441e-A6C7-8E604D840CA8}	{E0AF23EB-0EF3-46c7-AA6B-1D28547EC53B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}\stubpath = "C:\\Windows\\{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe"	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}\stubpath = "C:\\Windows\\{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe"	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}\stubpath = "C:\\Windows\\{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe"	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CE017BA-CA2B-4979-BCB5-4BB737C8681D}\stubpath = "C:\\Windows\\{7CE017BA-CA2B-4979-BCB5-4BB737C8681D}.exe"	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F1D58E2-4983-44b3-8662-AEEEB6F9FED4}\stubpath = "C:\\Windows\\{9F1D58E2-4983-44b3-8662-AEEEB6F9FED4}.exe"	{7CE017BA-CA2B-4979-BCB5-4BB737C8681D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC4870E3-9C9B-441e-A6C7-8E604D840CA8}\stubpath = "C:\\Windows\\{BC4870E3-9C9B-441e-A6C7-8E604D840CA8}.exe"	{E0AF23EB-0EF3-46c7-AA6B-1D28547EC53B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B0FD517-4F1C-4084-84CB-3091777A4F4C}\stubpath = "C:\\Windows\\{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe"	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe

Deletes itself 1 IoCs

pid	Process
3044	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1744	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe
2624	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe
2732	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe
1208	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe
2648	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe
2324	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe
1880	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe
760	{7CE017BA-CA2B-4979-BCB5-4BB737C8681D}.exe
1376	{9F1D58E2-4983-44b3-8662-AEEEB6F9FED4}.exe
2116	{E0AF23EB-0EF3-46c7-AA6B-1D28547EC53B}.exe
2148	{BC4870E3-9C9B-441e-A6C7-8E604D840CA8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe
File created	C:\Windows\{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe
File created	C:\Windows\{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe
File created	C:\Windows\{E0AF23EB-0EF3-46c7-AA6B-1D28547EC53B}.exe	{9F1D58E2-4983-44b3-8662-AEEEB6F9FED4}.exe
File created	C:\Windows\{BC4870E3-9C9B-441e-A6C7-8E604D840CA8}.exe	{E0AF23EB-0EF3-46c7-AA6B-1D28547EC53B}.exe
File created	C:\Windows\{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe
File created	C:\Windows\{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe
File created	C:\Windows\{A6994969-4E83-4571-8D6A-5759558F08EB}.exe	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe
File created	C:\Windows\{7CE017BA-CA2B-4979-BCB5-4BB737C8681D}.exe	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe
File created	C:\Windows\{9F1D58E2-4983-44b3-8662-AEEEB6F9FED4}.exe	{7CE017BA-CA2B-4979-BCB5-4BB737C8681D}.exe
File created	C:\Windows\{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2108	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1744	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe
Token: SeIncBasePriorityPrivilege	2624	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe
Token: SeIncBasePriorityPrivilege	2732	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe
Token: SeIncBasePriorityPrivilege	1208	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe
Token: SeIncBasePriorityPrivilege	2648	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe
Token: SeIncBasePriorityPrivilege	2324	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe
Token: SeIncBasePriorityPrivilege	1880	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe
Token: SeIncBasePriorityPrivilege	760	{7CE017BA-CA2B-4979-BCB5-4BB737C8681D}.exe
Token: SeIncBasePriorityPrivilege	1376	{9F1D58E2-4983-44b3-8662-AEEEB6F9FED4}.exe
Token: SeIncBasePriorityPrivilege	2116	{E0AF23EB-0EF3-46c7-AA6B-1D28547EC53B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1744	2108	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	28
PID 2108 wrote to memory of 1744	2108	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	28
PID 2108 wrote to memory of 1744	2108	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	28
PID 2108 wrote to memory of 1744	2108	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	28
PID 2108 wrote to memory of 3044	2108	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	29
PID 2108 wrote to memory of 3044	2108	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	29
PID 2108 wrote to memory of 3044	2108	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	29
PID 2108 wrote to memory of 3044	2108	2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe	29
PID 1744 wrote to memory of 2624	1744	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe	30
PID 1744 wrote to memory of 2624	1744	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe	30
PID 1744 wrote to memory of 2624	1744	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe	30
PID 1744 wrote to memory of 2624	1744	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe	30
PID 1744 wrote to memory of 2712	1744	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe	31
PID 1744 wrote to memory of 2712	1744	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe	31
PID 1744 wrote to memory of 2712	1744	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe	31
PID 1744 wrote to memory of 2712	1744	{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe	31
PID 2624 wrote to memory of 2732	2624	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe	32
PID 2624 wrote to memory of 2732	2624	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe	32
PID 2624 wrote to memory of 2732	2624	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe	32
PID 2624 wrote to memory of 2732	2624	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe	32
PID 2624 wrote to memory of 2456	2624	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe	33
PID 2624 wrote to memory of 2456	2624	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe	33
PID 2624 wrote to memory of 2456	2624	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe	33
PID 2624 wrote to memory of 2456	2624	{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe	33
PID 2732 wrote to memory of 1208	2732	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe	36
PID 2732 wrote to memory of 1208	2732	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe	36
PID 2732 wrote to memory of 1208	2732	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe	36
PID 2732 wrote to memory of 1208	2732	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe	36
PID 2732 wrote to memory of 2140	2732	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe	37
PID 2732 wrote to memory of 2140	2732	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe	37
PID 2732 wrote to memory of 2140	2732	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe	37
PID 2732 wrote to memory of 2140	2732	{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe	37
PID 1208 wrote to memory of 2648	1208	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe	38
PID 1208 wrote to memory of 2648	1208	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe	38
PID 1208 wrote to memory of 2648	1208	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe	38
PID 1208 wrote to memory of 2648	1208	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe	38
PID 1208 wrote to memory of 2672	1208	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe	39
PID 1208 wrote to memory of 2672	1208	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe	39
PID 1208 wrote to memory of 2672	1208	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe	39
PID 1208 wrote to memory of 2672	1208	{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe	39
PID 2648 wrote to memory of 2324	2648	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe	40
PID 2648 wrote to memory of 2324	2648	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe	40
PID 2648 wrote to memory of 2324	2648	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe	40
PID 2648 wrote to memory of 2324	2648	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe	40
PID 2648 wrote to memory of 1204	2648	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe	41
PID 2648 wrote to memory of 1204	2648	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe	41
PID 2648 wrote to memory of 1204	2648	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe	41
PID 2648 wrote to memory of 1204	2648	{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe	41
PID 2324 wrote to memory of 1880	2324	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe	42
PID 2324 wrote to memory of 1880	2324	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe	42
PID 2324 wrote to memory of 1880	2324	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe	42
PID 2324 wrote to memory of 1880	2324	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe	42
PID 2324 wrote to memory of 676	2324	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe	43
PID 2324 wrote to memory of 676	2324	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe	43
PID 2324 wrote to memory of 676	2324	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe	43
PID 2324 wrote to memory of 676	2324	{A6994969-4E83-4571-8D6A-5759558F08EB}.exe	43
PID 1880 wrote to memory of 760	1880	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe	44
PID 1880 wrote to memory of 760	1880	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe	44
PID 1880 wrote to memory of 760	1880	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe	44
PID 1880 wrote to memory of 760	1880	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe	44
PID 1880 wrote to memory of 1528	1880	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe	45
PID 1880 wrote to memory of 1528	1880	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe	45
PID 1880 wrote to memory of 1528	1880	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe	45
PID 1880 wrote to memory of 1528	1880	{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-15_e16cf07f15f6b57decdecc58a931a981_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe
  C:\Windows\{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe
    C:\Windows\{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe
      C:\Windows\{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe
        
        C:\Windows\{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Windows\{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe
        
        C:\Windows\{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\{A6994969-4E83-4571-8D6A-5759558F08EB}.exe
        
        C:\Windows\{A6994969-4E83-4571-8D6A-5759558F08EB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe
        
        C:\Windows\{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\{7CE017BA-CA2B-4979-BCB5-4BB737C8681D}.exe
        
        C:\Windows\{7CE017BA-CA2B-4979-BCB5-4BB737C8681D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\{9F1D58E2-4983-44b3-8662-AEEEB6F9FED4}.exe
        
        C:\Windows\{9F1D58E2-4983-44b3-8662-AEEEB6F9FED4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\{E0AF23EB-0EF3-46c7-AA6B-1D28547EC53B}.exe
        
        C:\Windows\{E0AF23EB-0EF3-46c7-AA6B-1D28547EC53B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\{BC4870E3-9C9B-441e-A6C7-8E604D840CA8}.exe
        
        C:\Windows\{BC4870E3-9C9B-441e-A6C7-8E604D840CA8}.exe
        12⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0AF2~1.EXE > nul
        12⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F1D5~1.EXE > nul
        11⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CE01~1.EXE > nul
        10⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BEA3~1.EXE > nul
        9⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6994~1.EXE > nul
        8⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4CAFB~1.EXE > nul
        7⤵
        
        PID:1204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0299D~1.EXE > nul
        6⤵
        
        PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52A94~1.EXE > nul
        5⤵
        
        PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C65A0~1.EXE > nul
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5B0FD~1.EXE > nul
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0299D0BA-58B7-4cff-AFB4-C23FE9B6C30F}.exe

Filesize
408KB

MD5
799a617a60b615334e029caa7ef98f50

SHA1
cb86f09f6c56834edb715c17862f2b629db0447d

SHA256
4776ad1db45ad1f43b877a850f490c8659edb0ce456e7956b2d18eeae7a1dbb9

SHA512
56fcd38c6de50c400a98bce1a2982237f08995f392dfcf136c533a04605eafcfcb08967d7bbe7e829c9f278616aaf215f08f4e47cf6adf8691b63fbede015110

Download Submit
C:\Windows\{1BEA3EC4-D5F6-40a7-B519-2FEB303E3B74}.exe

Filesize
408KB

MD5
198fe258737aebbfdce4bf70ac9ae4b3

SHA1
0491a951373d75c846f161e5b877591229cd75cd

SHA256
c08fb8eb783daa340ebc9de2e80f85bb9c0cd610f871b44e3ded8cdc21dbaab6

SHA512
e78ac307f2ed26088253164c910208ea30d2f472deb60f87e2a8175ead2a7cc77a841e2de724fc228676dc8356285bbb12d8a8a93c7d5fd960d57356721f8612

Download Submit
C:\Windows\{4CAFB3B2-CD96-4dbc-8E06-B095017FA4C5}.exe

Filesize
408KB

MD5
fe94af4b87298b6d9dc191e317de3021

SHA1
0a80fe2fe6c0eb0219f1b2b2a27327616235c89e

SHA256
5b6338a69baf8aca25f77555aa1f888769f6f9933df1c62b13c2065764cd50eb

SHA512
b24d93c602404711587be3a3020650e81e6738520ad5d4e678736daba16fd16f0ba7d7ea32ecec6950327ae192cd91a3573eff514da72352acb16f66909e2401

Download Submit
C:\Windows\{52A943B7-34CC-431f-AFF4-1CE39A3A97D6}.exe

Filesize
408KB

MD5
4917cce70ca32aed5ccff06cb34297b8

SHA1
0e47811fd04edf11c1c8642acc9ee4f77d6bafeb

SHA256
84c0c42401c5996ddffac27791fe86cfd1482606d742ab0a57fa8e0edf472612

SHA512
025e7209c0fb2b097dcfdffe0c2e8bcb5db16fd223622c77ce06212ae4bd722ffcafb9756f518a7770eeac3396b8934292da08f0e5d3feae87d174f827018e13

Download Submit
C:\Windows\{5B0FD517-4F1C-4084-84CB-3091777A4F4C}.exe

Filesize
408KB

MD5
dc7cb20e9c31f9ce506f0e0a767f53c3

SHA1
78100cbf7064644da1e49254095f7a5dc6af5886

SHA256
4df280bae32dc99cc526785714d7da31a17502b1498da854b6b007be1d89e72d

SHA512
708b63e1519c1eb955ba693335f18beb19943e1ee7803d2b1e2ef4f687fb6d16b71465442ed9cd8a3369a7d9850c13b4bc0f2a00885240de1d8cec6b58f5a7fc

Download Submit
C:\Windows\{7CE017BA-CA2B-4979-BCB5-4BB737C8681D}.exe

Filesize
408KB

MD5
d93e1acefe6b756534b07cb3e852aff3

SHA1
1a54e13254f03eb4f3da55e9d315fab491890ce2

SHA256
3375b9ab0e8d6b15f767a6a05547dac530ce1a08b40382e0a2b98ce8c997438c

SHA512
efa6b59650da0f1af211faedc698113c631e99955cd3b727a151ccf15ebcf7944f43fe421e8180705e6f8c29ca6c880eeb7a69006b7c810fbef1ebe9b931bd44

Download Submit
C:\Windows\{9F1D58E2-4983-44b3-8662-AEEEB6F9FED4}.exe

Filesize
408KB

MD5
2eb5d9dde8442ae0ab1122e70592ceb6

SHA1
84f950bafe6f3aae980cd0ed2693dbbf2f29e76e

SHA256
72a9d2bc81f70c49a80533e0333191158f077882632ebfb79d5e8aaeb891427b

SHA512
e3e42849fca4fa093c1c0bc04c7026bb6c753b796c447272f9dd3388b8b2b968705435b8efbabaaf37230552a4b89ec03b83250fe8df64e57c7a44476e9cf019

Download Submit
C:\Windows\{A6994969-4E83-4571-8D6A-5759558F08EB}.exe

Filesize
408KB

MD5
4bd02559e8ac4e71701b54966318b836

SHA1
817f874006227c0d226aac7c15aa0c2b78f82c40

SHA256
2683cd799a255759d75602e74c918b2b191f53175e2b2d933736a8b1cad33baa

SHA512
db31fa6ef30f649ed9a840a5e06997ae004bd2b78a3aa665f76f66806d6dbe28151a318026d6c670b449dceea752360cb72725e8a0b885c724f6258957187c03

Download Submit
C:\Windows\{BC4870E3-9C9B-441e-A6C7-8E604D840CA8}.exe

Filesize
408KB

MD5
358348f9210ceb4714e81b1391c7fb9f

SHA1
b0a0d21cde7bc826d9691a9cc03931ee67f2a8a4

SHA256
df2db92883e107a53ed6dcafebeb8016721b24505b678b105352cebcb395daf5

SHA512
0971237196af12be23634b610e075a487f5da331f33c6e240c2590ac0ca53f0b8482d4a33aebc303f9f8b6ed44d8a1d0e805b0e054d410d172c54b529a0dc347

Download Submit
C:\Windows\{C65A08FC-98ED-424b-BDB2-BDB0E66EE9DA}.exe

Filesize
408KB

MD5
92d050c0da6b0f87a942748714cf1a63

SHA1
3e5c6625466129fd187d592b7d620ab7d16c2e84

SHA256
83ad868db3e3cc782a91770f60ef383db51db1687b3811c88a4b2029072dcb45

SHA512
19942b7c85920897d70627bb343d96fd931ca222b66ee9a3472c4f2793db85e6bce95a1ea3ebad0a5c0c330f27b0976a04a2c399b3c246b5145d0ed880fbc104

Download Submit
C:\Windows\{E0AF23EB-0EF3-46c7-AA6B-1D28547EC53B}.exe

Filesize
408KB

MD5
9930915d4b2711b4b219ad18e339a107

SHA1
9f95fc407f7c3ef95e92432d982b417706a180a7

SHA256
f00d491160168a77707ef3b15be5ae8e9759b59e982b8252d8f1ba36b4887750

SHA512
d0888dd9e1d8c495af632de1321d1bd8a7f647ba3e43213f2dd2c0dc3cacc8ed3521e13e99727f2962ddc17a913e6a4c8d672c55fe73bbe969fe3d4aba322ced

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads