3da2b8cc6707369228265543a9cbde3301a58486b2d384e6ec3b0a4e4fb9bcf1

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe
Size

408KB
MD5

6f7e4d0ca2a2a7adc651d43bbbdc871e
SHA1

d8a9ae1b0f5f1b29b58a74f19f036bffd6d8e876
SHA256

3da2b8cc6707369228265543a9cbde3301a58486b2d384e6ec3b0a4e4fb9bcf1
SHA512

046b6a0db95e68fbc925a2b1467ee921f505a07211fbb08c741d15c1e024b005aaad73d220e6377b43ddce35431fce27377df8296a8c9faa788baabfb5a904b3
SSDEEP

3072:CEGh0oil3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGMldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000014267-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000900000001441e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001441e-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001441e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001441e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001441e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E33CCBF-D1C4-42e0-8A88-AD9F843DF0EF}\stubpath = "C:\\Windows\\{9E33CCBF-D1C4-42e0-8A88-AD9F843DF0EF}.exe"	{D9B5313F-4307-4fae-BCEF-B51034AE7956}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0931241-D57F-476c-B037-B30C4D8673CF}	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0931241-D57F-476c-B037-B30C4D8673CF}\stubpath = "C:\\Windows\\{E0931241-D57F-476c-B037-B30C4D8673CF}.exe"	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}	{B1C014EE-6690-4470-83C4-402705265DCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF553909-77CB-41c9-A88D-A70540E78B8F}	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}	2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF553909-77CB-41c9-A88D-A70540E78B8F}\stubpath = "C:\\Windows\\{AF553909-77CB-41c9-A88D-A70540E78B8F}.exe"	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9B5313F-4307-4fae-BCEF-B51034AE7956}	{AF553909-77CB-41c9-A88D-A70540E78B8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9B5313F-4307-4fae-BCEF-B51034AE7956}\stubpath = "C:\\Windows\\{D9B5313F-4307-4fae-BCEF-B51034AE7956}.exe"	{AF553909-77CB-41c9-A88D-A70540E78B8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E33CCBF-D1C4-42e0-8A88-AD9F843DF0EF}	{D9B5313F-4307-4fae-BCEF-B51034AE7956}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11FE6A58-726C-4fa2-89B3-337B7990F1A4}\stubpath = "C:\\Windows\\{11FE6A58-726C-4fa2-89B3-337B7990F1A4}.exe"	{9E33CCBF-D1C4-42e0-8A88-AD9F843DF0EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}\stubpath = "C:\\Windows\\{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe"	2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1C014EE-6690-4470-83C4-402705265DCA}	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1C014EE-6690-4470-83C4-402705265DCA}\stubpath = "C:\\Windows\\{B1C014EE-6690-4470-83C4-402705265DCA}.exe"	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}\stubpath = "C:\\Windows\\{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe"	{B1C014EE-6690-4470-83C4-402705265DCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}\stubpath = "C:\\Windows\\{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe"	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}\stubpath = "C:\\Windows\\{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe"	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}\stubpath = "C:\\Windows\\{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe"	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11FE6A58-726C-4fa2-89B3-337B7990F1A4}	{9E33CCBF-D1C4-42e0-8A88-AD9F843DF0EF}.exe

Deletes itself 1 IoCs

pid	Process
1720	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1384	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe
524	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe
2812	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe
2420	{B1C014EE-6690-4470-83C4-402705265DCA}.exe
2360	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe
1344	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe
1444	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe
620	{AF553909-77CB-41c9-A88D-A70540E78B8F}.exe
1764	{D9B5313F-4307-4fae-BCEF-B51034AE7956}.exe
1636	{9E33CCBF-D1C4-42e0-8A88-AD9F843DF0EF}.exe
2228	{11FE6A58-726C-4fa2-89B3-337B7990F1A4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe	2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe
File created	C:\Windows\{E0931241-D57F-476c-B037-B30C4D8673CF}.exe	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe
File created	C:\Windows\{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe
File created	C:\Windows\{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe
File created	C:\Windows\{9E33CCBF-D1C4-42e0-8A88-AD9F843DF0EF}.exe	{D9B5313F-4307-4fae-BCEF-B51034AE7956}.exe
File created	C:\Windows\{11FE6A58-726C-4fa2-89B3-337B7990F1A4}.exe	{9E33CCBF-D1C4-42e0-8A88-AD9F843DF0EF}.exe
File created	C:\Windows\{B1C014EE-6690-4470-83C4-402705265DCA}.exe	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe
File created	C:\Windows\{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe	{B1C014EE-6690-4470-83C4-402705265DCA}.exe
File created	C:\Windows\{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe
File created	C:\Windows\{AF553909-77CB-41c9-A88D-A70540E78B8F}.exe	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe
File created	C:\Windows\{D9B5313F-4307-4fae-BCEF-B51034AE7956}.exe	{AF553909-77CB-41c9-A88D-A70540E78B8F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2032	2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1384	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe
Token: SeIncBasePriorityPrivilege	524	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe
Token: SeIncBasePriorityPrivilege	2812	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe
Token: SeIncBasePriorityPrivilege	2420	{B1C014EE-6690-4470-83C4-402705265DCA}.exe
Token: SeIncBasePriorityPrivilege	2360	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe
Token: SeIncBasePriorityPrivilege	1344	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe
Token: SeIncBasePriorityPrivilege	1444	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe
Token: SeIncBasePriorityPrivilege	620	{AF553909-77CB-41c9-A88D-A70540E78B8F}.exe
Token: SeIncBasePriorityPrivilege	1764	{D9B5313F-4307-4fae-BCEF-B51034AE7956}.exe
Token: SeIncBasePriorityPrivilege	1636	{9E33CCBF-D1C4-42e0-8A88-AD9F843DF0EF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1384	2032	2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe	28
PID 2032 wrote to memory of 1384	2032	2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe	28
PID 2032 wrote to memory of 1384	2032	2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe	28
PID 2032 wrote to memory of 1384	2032	2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe	28
PID 2032 wrote to memory of 1720	2032	2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe	29
PID 2032 wrote to memory of 1720	2032	2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe	29
PID 2032 wrote to memory of 1720	2032	2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe	29
PID 2032 wrote to memory of 1720	2032	2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe	29
PID 1384 wrote to memory of 524	1384	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe	30
PID 1384 wrote to memory of 524	1384	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe	30
PID 1384 wrote to memory of 524	1384	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe	30
PID 1384 wrote to memory of 524	1384	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe	30
PID 1384 wrote to memory of 2572	1384	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe	31
PID 1384 wrote to memory of 2572	1384	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe	31
PID 1384 wrote to memory of 2572	1384	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe	31
PID 1384 wrote to memory of 2572	1384	{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe	31
PID 524 wrote to memory of 2812	524	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe	34
PID 524 wrote to memory of 2812	524	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe	34
PID 524 wrote to memory of 2812	524	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe	34
PID 524 wrote to memory of 2812	524	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe	34
PID 524 wrote to memory of 2604	524	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe	35
PID 524 wrote to memory of 2604	524	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe	35
PID 524 wrote to memory of 2604	524	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe	35
PID 524 wrote to memory of 2604	524	{E0931241-D57F-476c-B037-B30C4D8673CF}.exe	35
PID 2812 wrote to memory of 2420	2812	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe	36
PID 2812 wrote to memory of 2420	2812	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe	36
PID 2812 wrote to memory of 2420	2812	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe	36
PID 2812 wrote to memory of 2420	2812	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe	36
PID 2812 wrote to memory of 2168	2812	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe	37
PID 2812 wrote to memory of 2168	2812	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe	37
PID 2812 wrote to memory of 2168	2812	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe	37
PID 2812 wrote to memory of 2168	2812	{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe	37
PID 2420 wrote to memory of 2360	2420	{B1C014EE-6690-4470-83C4-402705265DCA}.exe	38
PID 2420 wrote to memory of 2360	2420	{B1C014EE-6690-4470-83C4-402705265DCA}.exe	38
PID 2420 wrote to memory of 2360	2420	{B1C014EE-6690-4470-83C4-402705265DCA}.exe	38
PID 2420 wrote to memory of 2360	2420	{B1C014EE-6690-4470-83C4-402705265DCA}.exe	38
PID 2420 wrote to memory of 920	2420	{B1C014EE-6690-4470-83C4-402705265DCA}.exe	39
PID 2420 wrote to memory of 920	2420	{B1C014EE-6690-4470-83C4-402705265DCA}.exe	39
PID 2420 wrote to memory of 920	2420	{B1C014EE-6690-4470-83C4-402705265DCA}.exe	39
PID 2420 wrote to memory of 920	2420	{B1C014EE-6690-4470-83C4-402705265DCA}.exe	39
PID 2360 wrote to memory of 1344	2360	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe	40
PID 2360 wrote to memory of 1344	2360	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe	40
PID 2360 wrote to memory of 1344	2360	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe	40
PID 2360 wrote to memory of 1344	2360	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe	40
PID 2360 wrote to memory of 1372	2360	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe	41
PID 2360 wrote to memory of 1372	2360	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe	41
PID 2360 wrote to memory of 1372	2360	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe	41
PID 2360 wrote to memory of 1372	2360	{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe	41
PID 1344 wrote to memory of 1444	1344	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe	42
PID 1344 wrote to memory of 1444	1344	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe	42
PID 1344 wrote to memory of 1444	1344	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe	42
PID 1344 wrote to memory of 1444	1344	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe	42
PID 1344 wrote to memory of 1928	1344	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe	43
PID 1344 wrote to memory of 1928	1344	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe	43
PID 1344 wrote to memory of 1928	1344	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe	43
PID 1344 wrote to memory of 1928	1344	{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe	43
PID 1444 wrote to memory of 620	1444	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe	44
PID 1444 wrote to memory of 620	1444	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe	44
PID 1444 wrote to memory of 620	1444	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe	44
PID 1444 wrote to memory of 620	1444	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe	44
PID 1444 wrote to memory of 1084	1444	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe	45
PID 1444 wrote to memory of 1084	1444	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe	45
PID 1444 wrote to memory of 1084	1444	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe	45
PID 1444 wrote to memory of 1084	1444	{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_6f7e4d0ca2a2a7adc651d43bbbdc871e_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe
  C:\Windows\{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\{E0931241-D57F-476c-B037-B30C4D8673CF}.exe
    C:\Windows\{E0931241-D57F-476c-B037-B30C4D8673CF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe
      C:\Windows\{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{B1C014EE-6690-4470-83C4-402705265DCA}.exe
        
        C:\Windows\{B1C014EE-6690-4470-83C4-402705265DCA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe
        
        C:\Windows\{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe
        
        C:\Windows\{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe
        
        C:\Windows\{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{AF553909-77CB-41c9-A88D-A70540E78B8F}.exe
        
        C:\Windows\{AF553909-77CB-41c9-A88D-A70540E78B8F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\{D9B5313F-4307-4fae-BCEF-B51034AE7956}.exe
        
        C:\Windows\{D9B5313F-4307-4fae-BCEF-B51034AE7956}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\{9E33CCBF-D1C4-42e0-8A88-AD9F843DF0EF}.exe
        
        C:\Windows\{9E33CCBF-D1C4-42e0-8A88-AD9F843DF0EF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\{11FE6A58-726C-4fa2-89B3-337B7990F1A4}.exe
        
        C:\Windows\{11FE6A58-726C-4fa2-89B3-337B7990F1A4}.exe
        12⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E33C~1.EXE > nul
        12⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9B53~1.EXE > nul
        11⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF553~1.EXE > nul
        10⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F0B6~1.EXE > nul
        9⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94DFA~1.EXE > nul
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71A11~1.EXE > nul
        7⤵
        
        PID:1372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1C01~1.EXE > nul
        6⤵
        
        PID:920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4C8F~1.EXE > nul
        5⤵
        
        PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E0931~1.EXE > nul
      4⤵
      PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CACFA~1.EXE > nul
    3⤵
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11FE6A58-726C-4fa2-89B3-337B7990F1A4}.exe

Filesize
408KB

MD5
8209e20c88bcb92cfea8d8d43d60a7af

SHA1
e1e25d275c47baf67159da48b0107853872dbe6d

SHA256
725b21b260a2050436c53fd840aecaa4becc827084701fa84bb75f2f14336070

SHA512
6d0cf9e5231be79465371a49cdbbc70ac99a0a1da8d03efd599eb9f85a6b82fa03f425f6449ef3bbbd9a577bbafaa83eaba4a8641f1455424a5903435084cb05

Download Submit
C:\Windows\{71A11E10-6EEB-4890-9F73-7835FCE3A7FC}.exe

Filesize
408KB

MD5
5416d233a679f8c92b3adbb4a5c554b7

SHA1
c4905befba6d17f482a185695ca65ed70942b79e

SHA256
fce3435c2e6b72c4626a046371a155da81b6bad25b2a48c127d6f7d106fe03c5

SHA512
0d9b74bdd0618bb03034f11be6f2a54ef5c5438b9dce8c6464cfc2259ac20402a795ead4d344a0733de38f1294ff4ae0f660678568073f7e352de069aa890d70

Download Submit
C:\Windows\{8F0B68FD-F32D-4ee0-8163-2F9A1340937C}.exe

Filesize
408KB

MD5
bb97b0367aac6fc81a43b4f8baeb0a1b

SHA1
889979c7eafb1f02fa007a6be658e24787942084

SHA256
198d0c2557af21e3b3d0decdeb49714b6d3d7c98d21252f46c5733305b257503

SHA512
41c951bf04b82e855e3150a5cc1e92a653a967ba2b35c5739f344aadd3f056dcf942959d1f73144b82f0c57ce83e144cd5f5da7ff5a59256ec6d0fe038edef5b

Download Submit
C:\Windows\{94DFAE62-CAB0-4a40-8B8F-85A31317AC76}.exe

Filesize
408KB

MD5
f57c159b5c3f712ce49bba423d584015

SHA1
e1b8fd590880addd6e012c3c4196b2eaa9aee2e5

SHA256
487185527c13d865d400b75b71ba85bac4d6eb737dc1a5598641d60380f78610

SHA512
d7ebac6ba02f33dae03103c452fe0eb7135097b5ec37601f2e189d31a321315989b9d06fe1010ed849302055cb6ca5b5387fea9215dec9a079e237232bbcb100

Download Submit
C:\Windows\{9E33CCBF-D1C4-42e0-8A88-AD9F843DF0EF}.exe

Filesize
408KB

MD5
641ee6c5d07c0a83226f7d7f37326b76

SHA1
cd8b2d607c9b4125f9f6443335c4e7a0d1a76a8f

SHA256
ab378874e233ff7095910a2c2c69b4712bf740f31f9cc83dd2ad7bf79eccc684

SHA512
fff033f99f9c93e09b79a34e33d8e32e4e2ba89e5e2b26e12e5faec20ba0a4d622974dade8cae7b7d026125a317d9e6f66c3260a7df15f3051d0b7f4d59bc130

Download Submit
C:\Windows\{AF553909-77CB-41c9-A88D-A70540E78B8F}.exe

Filesize
408KB

MD5
0d4613ed525a35124a799376a86ee00f

SHA1
247a0b933fcd4caf11d02b818209b4cd2d1c7ac4

SHA256
d13ac456d287635d7184e42056b2df09880422e0a99dc60cd983fe74b8dd894a

SHA512
d0acb440158731301390eb3f4e4007827246bc5ca64bb117a3e2ffeebd8db292002ae70bdd185a6650882422aa0145cd7e372392f4e602d66567fc344cc69379

Download Submit
C:\Windows\{B1C014EE-6690-4470-83C4-402705265DCA}.exe

Filesize
408KB

MD5
2f4878567828b82a21bba27690fb2d52

SHA1
2fa41646c77c7c49d67c8047ea207e9aaa756ecb

SHA256
f17deefa5aef9caefa716563903b395888df9b1a64b206a7e7ab92b41b75dce0

SHA512
8591c023135cc8e62be47c186cec0a6ff55b1306a706ce14aee0d518b48c32c2c09dd417d9cc8653764ba7c9a3a11fc40c6de3e16567be22844f42252ba19482

Download Submit
C:\Windows\{CACFA1E5-3266-49c9-8EE9-C68D39E6CCB3}.exe

Filesize
408KB

MD5
4646a2c2653f4eac9b93586cbee0834b

SHA1
0bf610afdc5406a59161b66e35a15c6a03ec1b1b

SHA256
da7619cc5505bbd457c19d205f2e6e9d77a6b40203e8c3f9676dd5900a48523b

SHA512
5bcf8f546904b939c692ff9c5427cf1bdf77deecd892e5ea125e0af909578cdacf617719e3b7b126c86ae9385468b6faec782d4bf281669d6d3188440001fcef

Download Submit
C:\Windows\{D9B5313F-4307-4fae-BCEF-B51034AE7956}.exe

Filesize
408KB

MD5
0db8f496424510e14c27331bf98b5391

SHA1
c12345ae7b2e711264b1b166060f04d4edc4b88c

SHA256
8f344cc751ebefc5971afaf9823f830a6fb91fc114eca89a87154822b9339885

SHA512
88e617ce23994b32e1b17158a34c313fac3f7c793fd99c6cb00756ad0465de5b7d42a4a0d23612e2ab640e97b763f53e6746eea4ee81b13757599ecfdbed1c91

Download Submit
C:\Windows\{E0931241-D57F-476c-B037-B30C4D8673CF}.exe

Filesize
408KB

MD5
b47ca5c31da5bc610cd21b6abe57a698

SHA1
5fda5592c4e417e0606387eb2ffa1b7266d6dd11

SHA256
60bb6075ad92e6f2d4553669571fbfcbd60dd812a623abd89268dee211796a92

SHA512
c81b003535379522b886190caa9dea6f92a4ee80e87135cf176db160d7b05151f006f23c2e076d91172feb86f3502d8735d1eeb4c56273d8be4ff545870b415f

Download Submit
C:\Windows\{F4C8F3D8-46E5-432d-AB86-03BA4374C02D}.exe

Filesize
408KB

MD5
2b19fa7163af503f06dc513182c4ebad

SHA1
27b3d08ad027b3f9bf986d6f1c3230ec50c1573f

SHA256
451985c6c33103d58bb2000e8553a9ec15e9c2baf356ab0c71574e2b040656ae

SHA512
e6ef4d38c59b0f310cff455fd08c77600c07e2e92735d09c4ed48a6dcfaf70fd6344deca606efcc404d0ad780e221798b299a7e6ee005384fbaa72b7e99745dc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads