e7a5398dade3c1db8357828709cd901ac1ca45fd758efceef1b0c0bbda448965

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe
Size

344KB
MD5

c01132acadfc58190f4b725ec5e07193
SHA1

82fa244f8604425d5d8561046dee658120b2b3af
SHA256

e7a5398dade3c1db8357828709cd901ac1ca45fd758efceef1b0c0bbda448965
SHA512

d4f204d11865465697da6e5d6bcb0cf91ad042ab6a3898f8743a81ccd8904facc8b1b9e0fd2ba66fc676021a40f45e83f7c8275969137630cbc6c6f67ac32ae3
SSDEEP

3072:mEGh0oLlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGJlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012256-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012671-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000012256-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012256-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012256-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012256-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012256-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9675CD42-A5D8-4f1f-B056-99399202A33B}\stubpath = "C:\\Windows\\{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe"	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}\stubpath = "C:\\Windows\\{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe"	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9675CD42-A5D8-4f1f-B056-99399202A33B}	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DE67B61-746E-462d-8D2E-F4995F56FE00}	{A90EFE5F-D737-4b1d-BA29-0CDB5351E6CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3FF44E4-4DD8-498d-AD0D-7408290C8595}	{144BCDE8-D6AC-4c08-816E-47E194D6A578}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DD80764-54C3-47ba-A79C-79E0E136AFBC}	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}\stubpath = "C:\\Windows\\{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe"	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{144BCDE8-D6AC-4c08-816E-47E194D6A578}	{9DE67B61-746E-462d-8D2E-F4995F56FE00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{144BCDE8-D6AC-4c08-816E-47E194D6A578}\stubpath = "C:\\Windows\\{144BCDE8-D6AC-4c08-816E-47E194D6A578}.exe"	{9DE67B61-746E-462d-8D2E-F4995F56FE00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DE67B61-746E-462d-8D2E-F4995F56FE00}\stubpath = "C:\\Windows\\{9DE67B61-746E-462d-8D2E-F4995F56FE00}.exe"	{A90EFE5F-D737-4b1d-BA29-0CDB5351E6CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}\stubpath = "C:\\Windows\\{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe"	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A90EFE5F-D737-4b1d-BA29-0CDB5351E6CA}	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A90EFE5F-D737-4b1d-BA29-0CDB5351E6CA}\stubpath = "C:\\Windows\\{A90EFE5F-D737-4b1d-BA29-0CDB5351E6CA}.exe"	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3FF44E4-4DD8-498d-AD0D-7408290C8595}\stubpath = "C:\\Windows\\{A3FF44E4-4DD8-498d-AD0D-7408290C8595}.exe"	{144BCDE8-D6AC-4c08-816E-47E194D6A578}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}\stubpath = "C:\\Windows\\{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe"	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DD80764-54C3-47ba-A79C-79E0E136AFBC}\stubpath = "C:\\Windows\\{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe"	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}\stubpath = "C:\\Windows\\{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe"	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe

Deletes itself 1 IoCs

pid	Process
840	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1780	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe
2612	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe
2540	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe
2880	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe
2688	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe
2896	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe
804	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe
1720	{A90EFE5F-D737-4b1d-BA29-0CDB5351E6CA}.exe
2212	{9DE67B61-746E-462d-8D2E-F4995F56FE00}.exe
2088	{144BCDE8-D6AC-4c08-816E-47E194D6A578}.exe
2296	{A3FF44E4-4DD8-498d-AD0D-7408290C8595}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9DE67B61-746E-462d-8D2E-F4995F56FE00}.exe	{A90EFE5F-D737-4b1d-BA29-0CDB5351E6CA}.exe
File created	C:\Windows\{144BCDE8-D6AC-4c08-816E-47E194D6A578}.exe	{9DE67B61-746E-462d-8D2E-F4995F56FE00}.exe
File created	C:\Windows\{A3FF44E4-4DD8-498d-AD0D-7408290C8595}.exe	{144BCDE8-D6AC-4c08-816E-47E194D6A578}.exe
File created	C:\Windows\{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe
File created	C:\Windows\{A90EFE5F-D737-4b1d-BA29-0CDB5351E6CA}.exe	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe
File created	C:\Windows\{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe
File created	C:\Windows\{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe
File created	C:\Windows\{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe
File created	C:\Windows\{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe
File created	C:\Windows\{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe
File created	C:\Windows\{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1464	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1780	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe
Token: SeIncBasePriorityPrivilege	2612	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe
Token: SeIncBasePriorityPrivilege	2540	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe
Token: SeIncBasePriorityPrivilege	2880	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe
Token: SeIncBasePriorityPrivilege	2688	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe
Token: SeIncBasePriorityPrivilege	2896	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe
Token: SeIncBasePriorityPrivilege	804	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe
Token: SeIncBasePriorityPrivilege	1720	{A90EFE5F-D737-4b1d-BA29-0CDB5351E6CA}.exe
Token: SeIncBasePriorityPrivilege	2212	{9DE67B61-746E-462d-8D2E-F4995F56FE00}.exe
Token: SeIncBasePriorityPrivilege	2088	{144BCDE8-D6AC-4c08-816E-47E194D6A578}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1780	1464	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	28
PID 1464 wrote to memory of 1780	1464	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	28
PID 1464 wrote to memory of 1780	1464	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	28
PID 1464 wrote to memory of 1780	1464	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	28
PID 1464 wrote to memory of 840	1464	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	29
PID 1464 wrote to memory of 840	1464	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	29
PID 1464 wrote to memory of 840	1464	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	29
PID 1464 wrote to memory of 840	1464	2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe	29
PID 1780 wrote to memory of 2612	1780	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe	30
PID 1780 wrote to memory of 2612	1780	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe	30
PID 1780 wrote to memory of 2612	1780	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe	30
PID 1780 wrote to memory of 2612	1780	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe	30
PID 1780 wrote to memory of 2644	1780	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe	31
PID 1780 wrote to memory of 2644	1780	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe	31
PID 1780 wrote to memory of 2644	1780	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe	31
PID 1780 wrote to memory of 2644	1780	{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe	31
PID 2612 wrote to memory of 2540	2612	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe	32
PID 2612 wrote to memory of 2540	2612	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe	32
PID 2612 wrote to memory of 2540	2612	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe	32
PID 2612 wrote to memory of 2540	2612	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe	32
PID 2612 wrote to memory of 2452	2612	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe	33
PID 2612 wrote to memory of 2452	2612	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe	33
PID 2612 wrote to memory of 2452	2612	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe	33
PID 2612 wrote to memory of 2452	2612	{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe	33
PID 2540 wrote to memory of 2880	2540	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe	36
PID 2540 wrote to memory of 2880	2540	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe	36
PID 2540 wrote to memory of 2880	2540	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe	36
PID 2540 wrote to memory of 2880	2540	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe	36
PID 2540 wrote to memory of 1236	2540	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe	37
PID 2540 wrote to memory of 1236	2540	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe	37
PID 2540 wrote to memory of 1236	2540	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe	37
PID 2540 wrote to memory of 1236	2540	{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe	37
PID 2880 wrote to memory of 2688	2880	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe	38
PID 2880 wrote to memory of 2688	2880	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe	38
PID 2880 wrote to memory of 2688	2880	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe	38
PID 2880 wrote to memory of 2688	2880	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe	38
PID 2880 wrote to memory of 2732	2880	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe	39
PID 2880 wrote to memory of 2732	2880	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe	39
PID 2880 wrote to memory of 2732	2880	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe	39
PID 2880 wrote to memory of 2732	2880	{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe	39
PID 2688 wrote to memory of 2896	2688	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe	40
PID 2688 wrote to memory of 2896	2688	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe	40
PID 2688 wrote to memory of 2896	2688	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe	40
PID 2688 wrote to memory of 2896	2688	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe	40
PID 2688 wrote to memory of 1088	2688	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe	41
PID 2688 wrote to memory of 1088	2688	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe	41
PID 2688 wrote to memory of 1088	2688	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe	41
PID 2688 wrote to memory of 1088	2688	{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe	41
PID 2896 wrote to memory of 804	2896	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe	42
PID 2896 wrote to memory of 804	2896	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe	42
PID 2896 wrote to memory of 804	2896	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe	42
PID 2896 wrote to memory of 804	2896	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe	42
PID 2896 wrote to memory of 1972	2896	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe	43
PID 2896 wrote to memory of 1972	2896	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe	43
PID 2896 wrote to memory of 1972	2896	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe	43
PID 2896 wrote to memory of 1972	2896	{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe	43
PID 804 wrote to memory of 1720	804	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe	44
PID 804 wrote to memory of 1720	804	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe	44
PID 804 wrote to memory of 1720	804	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe	44
PID 804 wrote to memory of 1720	804	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe	44
PID 804 wrote to memory of 1060	804	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe	45
PID 804 wrote to memory of 1060	804	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe	45
PID 804 wrote to memory of 1060	804	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe	45
PID 804 wrote to memory of 1060	804	{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_c01132acadfc58190f4b725ec5e07193_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe
  C:\Windows\{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe
    C:\Windows\{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe
      C:\Windows\{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe
        
        C:\Windows\{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe
        
        C:\Windows\{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe
        
        C:\Windows\{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe
        
        C:\Windows\{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\{A90EFE5F-D737-4b1d-BA29-0CDB5351E6CA}.exe
        
        C:\Windows\{A90EFE5F-D737-4b1d-BA29-0CDB5351E6CA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\{9DE67B61-746E-462d-8D2E-F4995F56FE00}.exe
        
        C:\Windows\{9DE67B61-746E-462d-8D2E-F4995F56FE00}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\{144BCDE8-D6AC-4c08-816E-47E194D6A578}.exe
        
        C:\Windows\{144BCDE8-D6AC-4c08-816E-47E194D6A578}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\{A3FF44E4-4DD8-498d-AD0D-7408290C8595}.exe
        
        C:\Windows\{A3FF44E4-4DD8-498d-AD0D-7408290C8595}.exe
        12⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{144BC~1.EXE > nul
        12⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DE67~1.EXE > nul
        11⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A90EF~1.EXE > nul
        10⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9675C~1.EXE > nul
        9⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F0D9~1.EXE > nul
        8⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29FED~1.EXE > nul
        7⤵
        
        PID:1088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAFCF~1.EXE > nul
        6⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11A8F~1.EXE > nul
        5⤵
        
        PID:1236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4DD80~1.EXE > nul
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{964D4~1.EXE > nul
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11A8F187-A52F-4a53-82E0-9F1CC8213BB4}.exe

Filesize
344KB

MD5
8ca4c4e1aac79096c145b2ac4f81a4b3

SHA1
f7cc88efe1b6b93184243b40359a29920eab5e58

SHA256
807cab17014e1cfd29af94d699d02de6b6f09d561440551ab867efcc77160185

SHA512
a4b2badec110f4d19654f5085635477a2c045a37fec5b1e9398292e5bb8f468a2a48c8f0d65974640cad52be8a13d973b974009dd48856aba486c8afd5081270

Download Submit
C:\Windows\{144BCDE8-D6AC-4c08-816E-47E194D6A578}.exe

Filesize
344KB

MD5
b8548a8b0ab68b5513f4989941566375

SHA1
52fd4f20919b5c64dccd9239975c83d3c7765e3d

SHA256
2cb719c5cd0c44f540b9deb7da824631c15c3534347bddd7702cd62319998f3d

SHA512
889fcd681d9602ffb66a0927468901dc63478b6ff53ffc66b8b3f3232dac4dd39ed6fa8623cd5ed911f07327a4fb0f45e092f7f91816e3be9c1a33e5a35d39f2

Download Submit
C:\Windows\{29FEDC24-31FB-4d6f-ACC5-1A65D6CBF423}.exe

Filesize
344KB

MD5
ed46ac9df6e219039446bf3b3a4fe475

SHA1
7b89321e880f8e909c2f3fb018a399893d95da61

SHA256
8b4f833217589407e965e3170972d455116e38fe8c42b63930a0e1f27e624300

SHA512
3271d205ab900ddc908d29d3eac092569feed1ea2b97e67750bdbb10d9321d2d5ed97baaf38ea40da518a813bc23121c2a42f85e9086ace2fee4eb260da7efec

Download Submit
C:\Windows\{4DD80764-54C3-47ba-A79C-79E0E136AFBC}.exe

Filesize
344KB

MD5
83d4caa9f3406f0fc0c6a946c090f480

SHA1
57762dcd024b087b5a7bef4868cbef8f48e73829

SHA256
4f1a632cf73e2bbf028ac04afab178eb0a322759bd4887977be75a7084ebe19d

SHA512
a325f7104df7ab0835f3df1b8285ce13a428ce1fbb94a8b6f18318eebc5240fb4277475b2aee7a5a7edfa172cc6863eef05f40d0668714b9f37a123b5e2969af

Download Submit
C:\Windows\{8F0D9B14-1969-44ce-9E67-57BEDA8804B4}.exe

Filesize
344KB

MD5
e46ea20404acbbde4a04f06f4641eb4b

SHA1
4a308c69495699dbd43b0996f7825b41e0b20500

SHA256
185c86d501a5aa8ae108dd841443886caca6e49ee8b58da6bf95903808c0b398

SHA512
b24dafe31984850bfc64031153009bbee85808565bad30bc35606ec382a47407959cd0934022064381f530b09628f6fcd679c50f461f23f938e3a0b9772093e7

Download Submit
C:\Windows\{964D4C9A-C53E-4ff2-B113-5F9F805BBBDF}.exe

Filesize
344KB

MD5
88485ec8fd34323c4a1af4b4d5acff08

SHA1
c2372db8d2d7d00de0f1fca4b0f5c1964d0e2568

SHA256
67e0abdd16373f8497dd758c7e47d52811383a6fb70d76bd6dda1b4301d2dca3

SHA512
47d7478d5bf1348f417ab8afc4d3d9dfcbafa92f09f9ceb4ef2251a7840e1d38c8d9a18235db28d88e2a41be0f2a580b40970b4ec396a9eb4b398c90f930e841

Download Submit
C:\Windows\{9675CD42-A5D8-4f1f-B056-99399202A33B}.exe

Filesize
344KB

MD5
6c5f9239b18b31d7bfd81e8053be3edb

SHA1
611d2c1d2f054d54179c8b5cc756ddc5b6a03cf5

SHA256
50c68a19a5fb45d6cfbcfd60bea9ed870f5567089c8d2a735c0d392f3ffabc32

SHA512
c86aeb2170cc326a930f49f430d125851df21bcf08be5f8d5b57c6aa72b0af06a24328b805484b32fb3fb21de51a08d3aa42913523b7b750da6cb1f978910419

Download Submit
C:\Windows\{9DE67B61-746E-462d-8D2E-F4995F56FE00}.exe

Filesize
344KB

MD5
0a50d3b778ce4f67f04b5b36aa99df68

SHA1
1faff15de61e29ca5ae49183283053c81088ce25

SHA256
f0577ad3d1cec14dcf1a88f1f1bc5bb7e2a93e786bc42cb42dc77025d5e71670

SHA512
d2333b7ac3e2ae96e0fc13d1bc8709ef51d4ad3f4777b364ce6eb15dadcc8660a0efcebd012dc9a529973edbbbdbac3aefd1f17a6ec9dfa16f047e03810dffff

Download Submit
C:\Windows\{A3FF44E4-4DD8-498d-AD0D-7408290C8595}.exe

Filesize
344KB

MD5
8a76308de8f04b1f131ea032f851155d

SHA1
f847e70f01c1276b6157431ac33bc025c7e2b881

SHA256
466c149e013b1ad6a8ffbaa3fc26a67d1f11b42ac88a6170984c60224f63b25c

SHA512
860d3697897e30ded9705b40a7fd7f878b69e84c4a097918c91cf5f27d528b287c00071f79f72cf501e41a8f8af2c1428a2f7083c23e23f48ffde3e8f7541aaa

Download Submit
C:\Windows\{A90EFE5F-D737-4b1d-BA29-0CDB5351E6CA}.exe

Filesize
344KB

MD5
e842d083b03175b5f39081053c7a8b7d

SHA1
79b2a7c9c40bba2a2bdc46cf12ca3095e72d204c

SHA256
95ef2816fcddbe6fc8df3bbb0a55e99211bbf77953850f33d95f039ccfd2b8d2

SHA512
914794504c7027fa6d5ce2add2eaf1636b0c5369c1b10b716df6d7fd22de9fc492957018e31969c147cd0956ec5440d29805925a95a2c29164b9b2bc333f11c9

Download Submit
C:\Windows\{CAFCF36A-4DDA-44bd-A643-661ADDDF4E21}.exe

Filesize
344KB

MD5
344c22cdcc8f943d5668cfec00463499

SHA1
3b2c24531d3fdbebab95200957ff46ea742fb366

SHA256
0abfa7064d4e2e777e178349408e4161006c2f92fb490881611e51c5e1dded88

SHA512
9fe21c8c702e5a5dff78df436321845e10b085120650c67ee1997532e25d15ef8f47d623e8adc9f1230da9a13c4d6dba797ea1e5f92532d793b4d33beece26ef

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads