c171573c9603124924e6fbf9dde6c0d634a2dbd9f30c88bb2fd0fd942298477a

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 04:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe
Size

408KB
MD5

d2257723b6d00864e5c6d2eed6058edd
SHA1

be3eb3063be252417d52517e991bc416f3ea4013
SHA256

c171573c9603124924e6fbf9dde6c0d634a2dbd9f30c88bb2fd0fd942298477a
SHA512

dc3a26374f76958dbdf1336261bb20b86331dd416f8e6a9837d27337300160dde3580fd139f30a3debeaf5ac9465af3c92fbc103f43104194fcff62269a62482
SSDEEP

3072:CEGh0okl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBft:CEGWldOe2MUVg3vTeKcAEciTBqr3jy9

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x00090000000122be-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014323-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a0000000122be-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000014502-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b0000000122be-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c0000000122be-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d0000000122be-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14962145-DE6F-48b3-86C9-04256363A487}	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F44E2EFC-0D43-4ad5-99DD-7B0FF08B3C19}\stubpath = "C:\\Windows\\{F44E2EFC-0D43-4ad5-99DD-7B0FF08B3C19}.exe"	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEB20FB-73B3-4b16-8899-68A0F054C3D4}	{611F21A8-C9DD-42e8-8B30-F4FC9B7695D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}\stubpath = "C:\\Windows\\{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe"	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9624FAC-213C-4bd8-865C-489FB1258DE2}	2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9624FAC-213C-4bd8-865C-489FB1258DE2}\stubpath = "C:\\Windows\\{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe"	2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14962145-DE6F-48b3-86C9-04256363A487}\stubpath = "C:\\Windows\\{14962145-DE6F-48b3-86C9-04256363A487}.exe"	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DAB4BD1-7584-465f-9ABD-FD38E165006A}\stubpath = "C:\\Windows\\{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe"	{14962145-DE6F-48b3-86C9-04256363A487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}\stubpath = "C:\\Windows\\{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe"	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1DAB4BD1-7584-465f-9ABD-FD38E165006A}	{14962145-DE6F-48b3-86C9-04256363A487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F44E2EFC-0D43-4ad5-99DD-7B0FF08B3C19}	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEB20FB-73B3-4b16-8899-68A0F054C3D4}\stubpath = "C:\\Windows\\{1EEB20FB-73B3-4b16-8899-68A0F054C3D4}.exe"	{611F21A8-C9DD-42e8-8B30-F4FC9B7695D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{611F21A8-C9DD-42e8-8B30-F4FC9B7695D9}	{9E80A1BC-221C-42fc-8C5B-C9812002A656}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{611F21A8-C9DD-42e8-8B30-F4FC9B7695D9}\stubpath = "C:\\Windows\\{611F21A8-C9DD-42e8-8B30-F4FC9B7695D9}.exe"	{9E80A1BC-221C-42fc-8C5B-C9812002A656}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}\stubpath = "C:\\Windows\\{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe"	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}\stubpath = "C:\\Windows\\{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe"	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E80A1BC-221C-42fc-8C5B-C9812002A656}	{F44E2EFC-0D43-4ad5-99DD-7B0FF08B3C19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E80A1BC-221C-42fc-8C5B-C9812002A656}\stubpath = "C:\\Windows\\{9E80A1BC-221C-42fc-8C5B-C9812002A656}.exe"	{F44E2EFC-0D43-4ad5-99DD-7B0FF08B3C19}.exe

Executes dropped EXE 11 IoCs

pid	Process
2756	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe
2616	{14962145-DE6F-48b3-86C9-04256363A487}.exe
2492	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe
2984	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe
2836	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe
1828	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe
2184	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe
640	{F44E2EFC-0D43-4ad5-99DD-7B0FF08B3C19}.exe
2252	{9E80A1BC-221C-42fc-8C5B-C9812002A656}.exe
2328	{611F21A8-C9DD-42e8-8B30-F4FC9B7695D9}.exe
1324	{1EEB20FB-73B3-4b16-8899-68A0F054C3D4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe	2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe
File created	C:\Windows\{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe	{14962145-DE6F-48b3-86C9-04256363A487}.exe
File created	C:\Windows\{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe
File created	C:\Windows\{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe
File created	C:\Windows\{9E80A1BC-221C-42fc-8C5B-C9812002A656}.exe	{F44E2EFC-0D43-4ad5-99DD-7B0FF08B3C19}.exe
File created	C:\Windows\{1EEB20FB-73B3-4b16-8899-68A0F054C3D4}.exe	{611F21A8-C9DD-42e8-8B30-F4FC9B7695D9}.exe
File created	C:\Windows\{14962145-DE6F-48b3-86C9-04256363A487}.exe	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe
File created	C:\Windows\{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe
File created	C:\Windows\{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe
File created	C:\Windows\{F44E2EFC-0D43-4ad5-99DD-7B0FF08B3C19}.exe	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe
File created	C:\Windows\{611F21A8-C9DD-42e8-8B30-F4FC9B7695D9}.exe	{9E80A1BC-221C-42fc-8C5B-C9812002A656}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2396	2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2756	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe
Token: SeIncBasePriorityPrivilege	2616	{14962145-DE6F-48b3-86C9-04256363A487}.exe
Token: SeIncBasePriorityPrivilege	2492	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe
Token: SeIncBasePriorityPrivilege	2984	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe
Token: SeIncBasePriorityPrivilege	2836	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe
Token: SeIncBasePriorityPrivilege	1828	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe
Token: SeIncBasePriorityPrivilege	2184	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe
Token: SeIncBasePriorityPrivilege	640	{F44E2EFC-0D43-4ad5-99DD-7B0FF08B3C19}.exe
Token: SeIncBasePriorityPrivilege	2252	{9E80A1BC-221C-42fc-8C5B-C9812002A656}.exe
Token: SeIncBasePriorityPrivilege	2328	{611F21A8-C9DD-42e8-8B30-F4FC9B7695D9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2756	2396	2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe	28
PID 2396 wrote to memory of 2756	2396	2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe	28
PID 2396 wrote to memory of 2756	2396	2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe	28
PID 2396 wrote to memory of 2756	2396	2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe	28
PID 2396 wrote to memory of 2036	2396	2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe	29
PID 2396 wrote to memory of 2036	2396	2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe	29
PID 2396 wrote to memory of 2036	2396	2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe	29
PID 2396 wrote to memory of 2036	2396	2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe	29
PID 2756 wrote to memory of 2616	2756	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe	30
PID 2756 wrote to memory of 2616	2756	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe	30
PID 2756 wrote to memory of 2616	2756	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe	30
PID 2756 wrote to memory of 2616	2756	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe	30
PID 2756 wrote to memory of 2472	2756	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe	31
PID 2756 wrote to memory of 2472	2756	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe	31
PID 2756 wrote to memory of 2472	2756	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe	31
PID 2756 wrote to memory of 2472	2756	{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe	31
PID 2616 wrote to memory of 2492	2616	{14962145-DE6F-48b3-86C9-04256363A487}.exe	32
PID 2616 wrote to memory of 2492	2616	{14962145-DE6F-48b3-86C9-04256363A487}.exe	32
PID 2616 wrote to memory of 2492	2616	{14962145-DE6F-48b3-86C9-04256363A487}.exe	32
PID 2616 wrote to memory of 2492	2616	{14962145-DE6F-48b3-86C9-04256363A487}.exe	32
PID 2616 wrote to memory of 2600	2616	{14962145-DE6F-48b3-86C9-04256363A487}.exe	33
PID 2616 wrote to memory of 2600	2616	{14962145-DE6F-48b3-86C9-04256363A487}.exe	33
PID 2616 wrote to memory of 2600	2616	{14962145-DE6F-48b3-86C9-04256363A487}.exe	33
PID 2616 wrote to memory of 2600	2616	{14962145-DE6F-48b3-86C9-04256363A487}.exe	33
PID 2492 wrote to memory of 2984	2492	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe	36
PID 2492 wrote to memory of 2984	2492	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe	36
PID 2492 wrote to memory of 2984	2492	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe	36
PID 2492 wrote to memory of 2984	2492	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe	36
PID 2492 wrote to memory of 1616	2492	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe	37
PID 2492 wrote to memory of 1616	2492	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe	37
PID 2492 wrote to memory of 1616	2492	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe	37
PID 2492 wrote to memory of 1616	2492	{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe	37
PID 2984 wrote to memory of 2836	2984	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe	38
PID 2984 wrote to memory of 2836	2984	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe	38
PID 2984 wrote to memory of 2836	2984	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe	38
PID 2984 wrote to memory of 2836	2984	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe	38
PID 2984 wrote to memory of 2948	2984	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe	39
PID 2984 wrote to memory of 2948	2984	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe	39
PID 2984 wrote to memory of 2948	2984	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe	39
PID 2984 wrote to memory of 2948	2984	{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe	39
PID 2836 wrote to memory of 1828	2836	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe	40
PID 2836 wrote to memory of 1828	2836	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe	40
PID 2836 wrote to memory of 1828	2836	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe	40
PID 2836 wrote to memory of 1828	2836	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe	40
PID 2836 wrote to memory of 2440	2836	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe	41
PID 2836 wrote to memory of 2440	2836	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe	41
PID 2836 wrote to memory of 2440	2836	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe	41
PID 2836 wrote to memory of 2440	2836	{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe	41
PID 1828 wrote to memory of 2184	1828	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe	42
PID 1828 wrote to memory of 2184	1828	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe	42
PID 1828 wrote to memory of 2184	1828	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe	42
PID 1828 wrote to memory of 2184	1828	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe	42
PID 1828 wrote to memory of 2524	1828	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe	43
PID 1828 wrote to memory of 2524	1828	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe	43
PID 1828 wrote to memory of 2524	1828	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe	43
PID 1828 wrote to memory of 2524	1828	{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe	43
PID 2184 wrote to memory of 640	2184	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe	44
PID 2184 wrote to memory of 640	2184	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe	44
PID 2184 wrote to memory of 640	2184	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe	44
PID 2184 wrote to memory of 640	2184	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe	44
PID 2184 wrote to memory of 1548	2184	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe	45
PID 2184 wrote to memory of 1548	2184	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe	45
PID 2184 wrote to memory of 1548	2184	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe	45
PID 2184 wrote to memory of 1548	2184	{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_d2257723b6d00864e5c6d2eed6058edd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe
  C:\Windows\{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\{14962145-DE6F-48b3-86C9-04256363A487}.exe
    C:\Windows\{14962145-DE6F-48b3-86C9-04256363A487}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe
      C:\Windows\{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe
        
        C:\Windows\{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe
        
        C:\Windows\{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe
        
        C:\Windows\{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe
        
        C:\Windows\{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{F44E2EFC-0D43-4ad5-99DD-7B0FF08B3C19}.exe
        
        C:\Windows\{F44E2EFC-0D43-4ad5-99DD-7B0FF08B3C19}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\{9E80A1BC-221C-42fc-8C5B-C9812002A656}.exe
        
        C:\Windows\{9E80A1BC-221C-42fc-8C5B-C9812002A656}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\{611F21A8-C9DD-42e8-8B30-F4FC9B7695D9}.exe
        
        C:\Windows\{611F21A8-C9DD-42e8-8B30-F4FC9B7695D9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\{1EEB20FB-73B3-4b16-8899-68A0F054C3D4}.exe
        
        C:\Windows\{1EEB20FB-73B3-4b16-8899-68A0F054C3D4}.exe
        12⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{611F2~1.EXE > nul
        12⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E80A~1.EXE > nul
        11⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F44E2~1.EXE > nul
        10⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EEFB~1.EXE > nul
        9⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFC70~1.EXE > nul
        8⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{603FA~1.EXE > nul
        7⤵
        
        PID:2440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C751~1.EXE > nul
        6⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DAB4~1.EXE > nul
        5⤵
        
        PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{14962~1.EXE > nul
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A9624~1.EXE > nul
    3⤵
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14962145-DE6F-48b3-86C9-04256363A487}.exe

Filesize
408KB

MD5
fe0f2365a5498a241b4dc947722ce785

SHA1
43ba4d9b26a4f0aa4e3f4b9b0e405a62f791b61b

SHA256
805a93c19750858bf165c35caeeae74aa10355cebbac2f8b8bcbf927cc234203

SHA512
ab177a1b7aa53077defc896103bdd5273600cff803226c31639c9d4d8e47591b166349a1dd83b4ebfd309d35a9234bed3f49d620775c103a3173f997dd9a749c

Download Submit
C:\Windows\{1C751E2D-6D4D-4edb-973A-B3C566CC2C79}.exe

Filesize
408KB

MD5
9bb22cd367f19d279a18e05e84fdb264

SHA1
d9cebf321637d9fb6008174c8c4dab41ab70599f

SHA256
66def906b401cb19e40790f716ac119a02656dfb6c4646910a6992aa97071912

SHA512
06e2028735a1f6be3e4ca386cdfcd38e9f7cf100399474ee6187c28d4a605351665f8633570b1b764aaf8729070c3d1f2cd4dbee825db415cde13520e335425c

Download Submit
C:\Windows\{1DAB4BD1-7584-465f-9ABD-FD38E165006A}.exe

Filesize
408KB

MD5
d60467dd826d4d286d828fb1a9410c48

SHA1
9f59a20368195815df45a9a12fa213f6e468c22c

SHA256
0cddd813fdcc55df8d81f97ee12bcde42077b557aee60e818edce69c9ac3967c

SHA512
3d27e5034433c6233768d59b5339ac139b3a9e2072b29931663a6f0c2fefcdada74e4239f6f3b911404fe5827e9ee572bbf4f14f29131b9a9919310ea7ef07cd

Download Submit
C:\Windows\{1EEB20FB-73B3-4b16-8899-68A0F054C3D4}.exe

Filesize
408KB

MD5
eda51a53c7a335894a8fe0c7586bb05d

SHA1
65a11d400ca67e967115d1f5319d7d3778d19751

SHA256
1d09cf1c70be8551b4e877a5147e8a540061ac791805a1063fbd9938bd4bf0f3

SHA512
87d216c331fff197e940d79bfd4cdda3245925e5e1b6d5ea5fe8515c5e24d41fa8f02d9bd83df3839a592ee2cc4a81c664e528d4eb54922b748fbc581a1695bb

Download Submit
C:\Windows\{3EEFB18E-E836-4cde-BA3B-D7A51A540F4F}.exe

Filesize
408KB

MD5
00dd2a5d0578ceaf04ef51a7b6d49407

SHA1
2f31c1b31d0d55ac24c394aa2813f09eaabe98f4

SHA256
b549977faa7df93c3a0dce9447da989e7f47331ee6daa3dcb3a3a477bccccb63

SHA512
12c96dc6f708c795f317e92da5bf67795b059e3b6733e09622bd2917d28d4438945be1ca18b76ae199b85962436e8606cdbfcfa6cc4c0cad4dc70a825a8e4f8e

Download Submit
C:\Windows\{603FA970-0C5B-4b9a-8AC5-AE4CE6CCC6D6}.exe

Filesize
408KB

MD5
81a2d937944544ed32a28f5679b26565

SHA1
644946faf0557732864dc76ed965e01f43b20f81

SHA256
19d9119585fb47db73a4d5fc9d7189265895e42087d593ac7c3b442fa8b28b56

SHA512
57f5c03b95b61f5e5be2110e3900a92730a377e6d88ae8a2d355acd7d70a03accfe8cc4eb999b5929575211ab983d8da5d5ffab424065f8498c9d8031e6f1095

Download Submit
C:\Windows\{611F21A8-C9DD-42e8-8B30-F4FC9B7695D9}.exe

Filesize
408KB

MD5
6490f1cebbf5bf9a1dca5e0f960ed35f

SHA1
9a3384bb80143af7d3e03f59fd9026b396d091dd

SHA256
43a229a0265dc068f1d062639eb203bd4fb0ab9149da110ba2d3d5c936319f00

SHA512
c28a71623fac98ec3ec9636c13eb2f2ec9f7ef7ff612618adf8d59cc9ababdd29aba66316c2281e503b30857a251a05e4af09058a37a05988eb43f179ae9b496

Download Submit
C:\Windows\{9E80A1BC-221C-42fc-8C5B-C9812002A656}.exe

Filesize
408KB

MD5
588ee8c74c0ebec8a257ef614e003245

SHA1
7e841ecc06c16bc54a4cfa1ee9cc7e11555b970f

SHA256
7d78e5c3dab2204fd100173d5a086bc237debc25355065a337312c20b3a2ba68

SHA512
0c79708a2ababfdcb9b11fe76b6f93f3bdd3217f240d4e4cc11e04db7a3d59b7258380e81bbaf7f99d7d9a9c809617eef70a2f1a975c6f86d12e4f7d8290efb1

Download Submit
C:\Windows\{A9624FAC-213C-4bd8-865C-489FB1258DE2}.exe

Filesize
408KB

MD5
8fd44a4108669d760fa8f3d25a20ad27

SHA1
a5cdf5e395d4f7345c7bc698ca4f8303c39549dc

SHA256
e02a5512c8fc068adcf59702657dc75f0a6c0198ecb3ffa0b4a1a844a29c2f8d

SHA512
aabbb5ae0551e25f845bd9dc27c1c851e4c48d99faf8e1cd1425f354d7bbc009e2fad6c5035c69d4a44e192f1289eae447cf33433f27e42f9f596316a1a6d880

Download Submit
C:\Windows\{CFC70246-EFAD-4ab2-9F41-BD87838CBB48}.exe

Filesize
408KB

MD5
c37538dcac598760a2abcebc93ef5bf6

SHA1
766604376e60dd024887a2b89b22b8f41ac32eaa

SHA256
29e9789094c57488f12864af602adc25cf32d9a355a46b8b0543e1f5befd0e7e

SHA512
b06303764798a498fc3ec3a2af11d3bc633c4f19755e03722de7679e0a3193fa22129cb6fd80a0777efe40432f46205b1afff3db0d603a333b7983f27bb896ee

Download Submit
C:\Windows\{F44E2EFC-0D43-4ad5-99DD-7B0FF08B3C19}.exe

Filesize
408KB

MD5
b7c5234ff42681ef7dbce03ce076f79e

SHA1
300e21417cbd4ff09cdec8089ca8eb09bd6d3657

SHA256
5b9a7191f6e161dcb5189222c0f9c1aa30cdbf844b9155a3bcc2d1037fa4de31

SHA512
d4f86c06670cf951449e7f4b6ad19785aac53044829dc655cd91a967002efd79b478a78319f95f3390f967ea069e98746dd30dc0c10ddaf8596cf7a3a54f48b4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads