25a6f49f0a49d7f7c087f141aaab6f340d98f0eee1775e2dcf826a178375ecd8

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 01:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe
Size

380KB
MD5

8bb3c6cd92f8d4ae4c0c426bb916601c
SHA1

5b4c09e255347d34792712e272857aa60ec97524
SHA256

25a6f49f0a49d7f7c087f141aaab6f340d98f0eee1775e2dcf826a178375ecd8
SHA512

488eceb91ecb363c9fcc09baedb37c0411e0d977817124202b47194cade6cf8d1f1825600fff2db56d13e9c771985e6124e74b7b25e11ab29d4baa3b016622d8
SSDEEP

3072:mEGh0oVlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGDl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012253-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014890-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012253-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0033000000015083-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012253-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012253-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012253-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE286B1B-FBAE-48fd-9717-9746F298C754}	{610CF535-4494-40b7-91DB-273E4CB7DF84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AA98822-222F-4215-A909-1B9A921B34D4}	{BE286B1B-FBAE-48fd-9717-9746F298C754}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0806A449-FE9B-4e78-89DA-DDB0B8AF529B}	{8AA98822-222F-4215-A909-1B9A921B34D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAAB959C-E4E7-4404-9112-4CEB16DA3988}\stubpath = "C:\\Windows\\{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe"	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}\stubpath = "C:\\Windows\\{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe"	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{610CF535-4494-40b7-91DB-273E4CB7DF84}	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B044ED2-F44F-40d1-8A53-7BA5900E4075}	2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}\stubpath = "C:\\Windows\\{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe"	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}\stubpath = "C:\\Windows\\{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe"	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA8BF366-FAF2-46a1-9101-BB5591420657}\stubpath = "C:\\Windows\\{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe"	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F11C40D8-70E3-45d0-B591-BB72325F0C1E}\stubpath = "C:\\Windows\\{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe"	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{610CF535-4494-40b7-91DB-273E4CB7DF84}\stubpath = "C:\\Windows\\{610CF535-4494-40b7-91DB-273E4CB7DF84}.exe"	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AA98822-222F-4215-A909-1B9A921B34D4}\stubpath = "C:\\Windows\\{8AA98822-222F-4215-A909-1B9A921B34D4}.exe"	{BE286B1B-FBAE-48fd-9717-9746F298C754}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE286B1B-FBAE-48fd-9717-9746F298C754}\stubpath = "C:\\Windows\\{BE286B1B-FBAE-48fd-9717-9746F298C754}.exe"	{610CF535-4494-40b7-91DB-273E4CB7DF84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0806A449-FE9B-4e78-89DA-DDB0B8AF529B}\stubpath = "C:\\Windows\\{0806A449-FE9B-4e78-89DA-DDB0B8AF529B}.exe"	{8AA98822-222F-4215-A909-1B9A921B34D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B044ED2-F44F-40d1-8A53-7BA5900E4075}\stubpath = "C:\\Windows\\{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe"	2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA8BF366-FAF2-46a1-9101-BB5591420657}	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F11C40D8-70E3-45d0-B591-BB72325F0C1E}	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAAB959C-E4E7-4404-9112-4CEB16DA3988}	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe

Deletes itself 1 IoCs

pid	Process
2560	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2464	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe
2380	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe
2508	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe
1948	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe
2472	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe
2332	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe
1696	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe
1476	{610CF535-4494-40b7-91DB-273E4CB7DF84}.exe
1964	{BE286B1B-FBAE-48fd-9717-9746F298C754}.exe
1276	{8AA98822-222F-4215-A909-1B9A921B34D4}.exe
1412	{0806A449-FE9B-4e78-89DA-DDB0B8AF529B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe
File created	C:\Windows\{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe
File created	C:\Windows\{BE286B1B-FBAE-48fd-9717-9746F298C754}.exe	{610CF535-4494-40b7-91DB-273E4CB7DF84}.exe
File created	C:\Windows\{8AA98822-222F-4215-A909-1B9A921B34D4}.exe	{BE286B1B-FBAE-48fd-9717-9746F298C754}.exe
File created	C:\Windows\{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe	2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe
File created	C:\Windows\{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe
File created	C:\Windows\{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe
File created	C:\Windows\{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe
File created	C:\Windows\{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe
File created	C:\Windows\{610CF535-4494-40b7-91DB-273E4CB7DF84}.exe	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe
File created	C:\Windows\{0806A449-FE9B-4e78-89DA-DDB0B8AF529B}.exe	{8AA98822-222F-4215-A909-1B9A921B34D4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2040	2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2464	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe
Token: SeIncBasePriorityPrivilege	2380	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe
Token: SeIncBasePriorityPrivilege	2508	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe
Token: SeIncBasePriorityPrivilege	1948	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe
Token: SeIncBasePriorityPrivilege	2472	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe
Token: SeIncBasePriorityPrivilege	2332	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe
Token: SeIncBasePriorityPrivilege	1696	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe
Token: SeIncBasePriorityPrivilege	1476	{610CF535-4494-40b7-91DB-273E4CB7DF84}.exe
Token: SeIncBasePriorityPrivilege	1964	{BE286B1B-FBAE-48fd-9717-9746F298C754}.exe
Token: SeIncBasePriorityPrivilege	1276	{8AA98822-222F-4215-A909-1B9A921B34D4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2464	2040	2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe	28
PID 2040 wrote to memory of 2464	2040	2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe	28
PID 2040 wrote to memory of 2464	2040	2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe	28
PID 2040 wrote to memory of 2464	2040	2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe	28
PID 2040 wrote to memory of 2560	2040	2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe	29
PID 2040 wrote to memory of 2560	2040	2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe	29
PID 2040 wrote to memory of 2560	2040	2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe	29
PID 2040 wrote to memory of 2560	2040	2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe	29
PID 2464 wrote to memory of 2380	2464	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe	30
PID 2464 wrote to memory of 2380	2464	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe	30
PID 2464 wrote to memory of 2380	2464	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe	30
PID 2464 wrote to memory of 2380	2464	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe	30
PID 2464 wrote to memory of 2488	2464	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe	31
PID 2464 wrote to memory of 2488	2464	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe	31
PID 2464 wrote to memory of 2488	2464	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe	31
PID 2464 wrote to memory of 2488	2464	{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe	31
PID 2380 wrote to memory of 2508	2380	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe	32
PID 2380 wrote to memory of 2508	2380	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe	32
PID 2380 wrote to memory of 2508	2380	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe	32
PID 2380 wrote to memory of 2508	2380	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe	32
PID 2380 wrote to memory of 2132	2380	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe	33
PID 2380 wrote to memory of 2132	2380	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe	33
PID 2380 wrote to memory of 2132	2380	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe	33
PID 2380 wrote to memory of 2132	2380	{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe	33
PID 2508 wrote to memory of 1948	2508	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe	36
PID 2508 wrote to memory of 1948	2508	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe	36
PID 2508 wrote to memory of 1948	2508	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe	36
PID 2508 wrote to memory of 1948	2508	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe	36
PID 2508 wrote to memory of 2588	2508	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe	37
PID 2508 wrote to memory of 2588	2508	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe	37
PID 2508 wrote to memory of 2588	2508	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe	37
PID 2508 wrote to memory of 2588	2508	{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe	37
PID 1948 wrote to memory of 2472	1948	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe	38
PID 1948 wrote to memory of 2472	1948	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe	38
PID 1948 wrote to memory of 2472	1948	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe	38
PID 1948 wrote to memory of 2472	1948	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe	38
PID 1948 wrote to memory of 288	1948	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe	39
PID 1948 wrote to memory of 288	1948	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe	39
PID 1948 wrote to memory of 288	1948	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe	39
PID 1948 wrote to memory of 288	1948	{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe	39
PID 2472 wrote to memory of 2332	2472	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe	40
PID 2472 wrote to memory of 2332	2472	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe	40
PID 2472 wrote to memory of 2332	2472	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe	40
PID 2472 wrote to memory of 2332	2472	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe	40
PID 2472 wrote to memory of 1920	2472	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe	41
PID 2472 wrote to memory of 1920	2472	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe	41
PID 2472 wrote to memory of 1920	2472	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe	41
PID 2472 wrote to memory of 1920	2472	{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe	41
PID 2332 wrote to memory of 1696	2332	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe	42
PID 2332 wrote to memory of 1696	2332	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe	42
PID 2332 wrote to memory of 1696	2332	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe	42
PID 2332 wrote to memory of 1696	2332	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe	42
PID 2332 wrote to memory of 2768	2332	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe	43
PID 2332 wrote to memory of 2768	2332	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe	43
PID 2332 wrote to memory of 2768	2332	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe	43
PID 2332 wrote to memory of 2768	2332	{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe	43
PID 1696 wrote to memory of 1476	1696	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe	44
PID 1696 wrote to memory of 1476	1696	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe	44
PID 1696 wrote to memory of 1476	1696	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe	44
PID 1696 wrote to memory of 1476	1696	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe	44
PID 1696 wrote to memory of 1460	1696	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe	45
PID 1696 wrote to memory of 1460	1696	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe	45
PID 1696 wrote to memory of 1460	1696	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe	45
PID 1696 wrote to memory of 1460	1696	{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_8bb3c6cd92f8d4ae4c0c426bb916601c_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe
  C:\Windows\{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe
    C:\Windows\{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe
      C:\Windows\{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Windows\{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe
        
        C:\Windows\{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe
        
        C:\Windows\{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe
        
        C:\Windows\{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe
        
        C:\Windows\{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{610CF535-4494-40b7-91DB-273E4CB7DF84}.exe
        
        C:\Windows\{610CF535-4494-40b7-91DB-273E4CB7DF84}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\{BE286B1B-FBAE-48fd-9717-9746F298C754}.exe
        
        C:\Windows\{BE286B1B-FBAE-48fd-9717-9746F298C754}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\{8AA98822-222F-4215-A909-1B9A921B34D4}.exe
        
        C:\Windows\{8AA98822-222F-4215-A909-1B9A921B34D4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\{0806A449-FE9B-4e78-89DA-DDB0B8AF529B}.exe
        
        C:\Windows\{0806A449-FE9B-4e78-89DA-DDB0B8AF529B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AA98~1.EXE > nul
        12⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE286~1.EXE > nul
        11⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{610CF~1.EXE > nul
        10⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFE1F~1.EXE > nul
        9⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAAB9~1.EXE > nul
        8⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F11C4~1.EXE > nul
        7⤵
        
        PID:1920
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA8BF~1.EXE > nul
        6⤵
        
        PID:288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF699~1.EXE > nul
        5⤵
        
        PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1605~1.EXE > nul
      4⤵
      PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9B044~1.EXE > nul
    3⤵
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0806A449-FE9B-4e78-89DA-DDB0B8AF529B}.exe

Filesize
380KB

MD5
fcec33961051d1a1724fcf9d3966d01f

SHA1
1bf4ac4841b7dcaaf31f0444afa18d4d247d0c99

SHA256
e0df499d9239e4acac7bdea40a471affb7446467425206ea77f453fa595b2a3a

SHA512
5383887aab1e746e7bde619f45711ad377a987116d77f0971fa7f09e5cf3ef073d727a1b98c6929746e51f1b83f5ea4be4f91326388fe4016d566ec86cd17441

Download Submit
C:\Windows\{610CF535-4494-40b7-91DB-273E4CB7DF84}.exe

Filesize
380KB

MD5
fa177b0298fe1054aa28f9905b47ccad

SHA1
88f2203db4515af4dfb28332d81c16cce27039cb

SHA256
10780aa2f4f742f9b4eb3a461376968877c0973648ad36ac37f70aa0c3e06096

SHA512
45189116e3d841b890a22235e88581e071bf7832bb6ed94c96ece7b05ca49a659d51dbc79b0b7d0bdeb2a912c045b0024acf026f8832dd331c511015a630989b

Download Submit
C:\Windows\{8AA98822-222F-4215-A909-1B9A921B34D4}.exe

Filesize
380KB

MD5
225905eb7e85c5b7043da39cf562e46b

SHA1
d6ad4ebc164434453cda0ca0b1d758cef3ea24d6

SHA256
91e8b53f8ed09e77a6657402a5432257644ba1a23afd9015b520d7a208223520

SHA512
e4a61a840a82e5c692d027144771618f93fb4cfe170be88f2ad0834026a6a5f65b62b6d9aad78495c2af678793e4a0bda2902166b9a38ed8edf78a1a6f18057c

Download Submit
C:\Windows\{9B044ED2-F44F-40d1-8A53-7BA5900E4075}.exe

Filesize
380KB

MD5
679c172d591fd133601289bace3807b8

SHA1
a362c75a81698bc0a5f4c27cbd70cab9711235ca

SHA256
f30982f51e07bedf0b9b64117eb9b1314a568b52c9720b4f5f3373acce72b0fe

SHA512
99cf0b78bda4e429c7810f2a3ffc9de855d8fe231d49ca37f7dea173496a10020d0b8c5189fd443233d5e4cc65429838a0188e2533aae418472384bdb08fb1e8

Download Submit
C:\Windows\{A1605E94-57E8-40f7-8C17-8FBDAF0D4E74}.exe

Filesize
380KB

MD5
0f04bb930184abcd34b9c5c0760acaa8

SHA1
e41d4c5ef1dc68ad756a2f606239d666eaf5df1b

SHA256
0e2a4a055d116c23578c64dabb9fe6fff68f58252e1b7414ccdea9968325336a

SHA512
ddbc11ec0301c96e85bd32a356f6a786bd47ca141086793f83d4b5345106fe5655df504bc8f6decfe16bf67b2a6606e5876e814850799e7dff173f5dc8a624e9

Download Submit
C:\Windows\{BE286B1B-FBAE-48fd-9717-9746F298C754}.exe

Filesize
380KB

MD5
49882bbce98cdc2a793175c9380f9637

SHA1
5ee642757b351a55c275cdc64790f7c0b9cd316b

SHA256
4b3487c4169dfa9be266294a56e6964d672c9922a3a49a2f24ed28eb70bb35ad

SHA512
ceb27cd7bf93d77a152ae52c5638271c06461c98485db361460cb12a707583092bed6772196193120aa1aa9208e875aeab2e196f46d73a3b56be48edef75d0cc

Download Submit
C:\Windows\{DAAB959C-E4E7-4404-9112-4CEB16DA3988}.exe

Filesize
380KB

MD5
70106b885ea14ee1275e0651aa196bfe

SHA1
d07c4acf828f36cb4df9e3e0c7cb61d6949223c7

SHA256
0ba98fb96c07d0bf1bc40dc21d782a91167cd7578941c610ba7446515132b0e2

SHA512
ff5fdb3398df52df528458d926d62a1dcbfbdf4947b5d5157e2a99979280626398bc30abd43ebbebb470f9cdbe6853ee1a97ebf769c9f7063f6379efa8712ffa

Download Submit
C:\Windows\{DF6999A5-A9FB-4978-ABBD-B054243F2D1B}.exe

Filesize
380KB

MD5
dd95346608e35d61435c0f26d79fce26

SHA1
ce7315e86de0e83b02680470b8a0f997ee9c026f

SHA256
6e51467ba440d5ef0ec3277434462282fc7a112d6faf4987ace2b30d77702b9a

SHA512
58f8c0d96c42089683e70ccc28fba25b98bfb77f14160a56a5349b036268da3ea1c46bc0e4fc1d3fae02205ae06991628886f586c1a1379fa13ec9422e3668a9

Download Submit
C:\Windows\{EA8BF366-FAF2-46a1-9101-BB5591420657}.exe

Filesize
380KB

MD5
b535c05784940af5ca96a63ddd616741

SHA1
f7e389aa7760a41cb73a5ffc391797e000b88e02

SHA256
8c9539f84110a5bc534e8a3bed55465954ebe59877fdeb90a7638e6d316cc979

SHA512
710f3430458987eb80f49523f5d17393d111b0bc2eac92d74af2b8f211a23ed80a913b44d2d19909c4a6b5bb669c2f89660470e25cd6e4ece06063df4bc3f786

Download Submit
C:\Windows\{EFE1FD0B-6DCA-461e-AE02-2A5D7D302348}.exe

Filesize
380KB

MD5
4c092157658a3fad09e81733094d85ce

SHA1
8d4c51396ee2537978d40457c44e8c2c3c3ddf4e

SHA256
ca893adcf2494001740c0d0a5dc11bc4bddb59e1fee4ad992ac4a1c559a3fef6

SHA512
7691e850a675953c9f9ac9441dee00f51f305ca0e6310149faa9cdf0e9cc1455c536b399845674d1bdfbdb1edf8641e2b6d91b2faadd19507be7f4410cda25f9

Download Submit
C:\Windows\{F11C40D8-70E3-45d0-B591-BB72325F0C1E}.exe

Filesize
380KB

MD5
c8b1fdf9e0ddab0f308a0cd702158136

SHA1
07f9c1e6b5fb7ebf7f94b3c215043c0b6833f0f7

SHA256
912bb230780821e67900eb0d41a8110ffde2ef1959316c5249e089a66fe82c62

SHA512
a44356bc90457baa6b6a47167595b48e5bb7e59090b5c1c2e9d17c5fe033b257d6825df3428891fbb04a2ac9ac06555263ffdf67d51a9fda85e9d521c8a70149

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads