751c1f905ce13fa682fec131efac1a10ad89469b02bdeb4ed24fc3942c971967

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe
Size

168KB
MD5

ef696fb03edc89ff18c46e62ebd47797
SHA1

e6ffa917a454fe9d9f2300ee5f2ce600a1cc42d0
SHA256

751c1f905ce13fa682fec131efac1a10ad89469b02bdeb4ed24fc3942c971967
SHA512

43ecd9319a2feb08bccd0527015ce2a8bc3cc17c5159faa844d70006b081a076ef1aa35ff6619c71ed9770dffce13142a321689cdbad4465f48c8761d77c3efc
SSDEEP

1536:1EGh0oflq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oflqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000900000001223d-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a00000001223d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000000f680-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b00000001223d-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000000f680-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001223d-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000000f680-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001223d-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000000f680-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001223d-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}\stubpath = "C:\\Windows\\{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe"	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{058D3F04-FC8A-40a1-A0FF-A0865D368304}	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4F1BB66-661B-4f3f-B120-9D35947FC52A}\stubpath = "C:\\Windows\\{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe"	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{044F7A22-6349-4325-A0B9-757CC7CA94C9}	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F9B4041-EA02-46c7-8938-7A8C17655868}	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{273E2BAD-B779-45ce-B073-3840AC086C6A}\stubpath = "C:\\Windows\\{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe"	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46A3A319-988B-496b-ADEF-7B5025CAD825}\stubpath = "C:\\Windows\\{46A3A319-988B-496b-ADEF-7B5025CAD825}.exe"	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71569FD6-C0CD-4811-94DB-D0A29C367BFB}\stubpath = "C:\\Windows\\{71569FD6-C0CD-4811-94DB-D0A29C367BFB}.exe"	{46A3A319-988B-496b-ADEF-7B5025CAD825}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{273E2BAD-B779-45ce-B073-3840AC086C6A}	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{044F7A22-6349-4325-A0B9-757CC7CA94C9}\stubpath = "C:\\Windows\\{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe"	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F9B4041-EA02-46c7-8938-7A8C17655868}\stubpath = "C:\\Windows\\{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe"	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71569FD6-C0CD-4811-94DB-D0A29C367BFB}	{46A3A319-988B-496b-ADEF-7B5025CAD825}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDA83AF0-7EBF-4e50-BC38-2BAFE6A3D29B}	{71569FD6-C0CD-4811-94DB-D0A29C367BFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4919F917-963B-4b6a-BB03-93A1126FC157}\stubpath = "C:\\Windows\\{4919F917-963B-4b6a-BB03-93A1126FC157}.exe"	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4F1BB66-661B-4f3f-B120-9D35947FC52A}	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4919F917-963B-4b6a-BB03-93A1126FC157}	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46A3A319-988B-496b-ADEF-7B5025CAD825}	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDA83AF0-7EBF-4e50-BC38-2BAFE6A3D29B}\stubpath = "C:\\Windows\\{EDA83AF0-7EBF-4e50-BC38-2BAFE6A3D29B}.exe"	{71569FD6-C0CD-4811-94DB-D0A29C367BFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4B5443B-C2C3-4201-B2AC-FD4B839BF224}	{EDA83AF0-7EBF-4e50-BC38-2BAFE6A3D29B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F4B5443B-C2C3-4201-B2AC-FD4B839BF224}\stubpath = "C:\\Windows\\{F4B5443B-C2C3-4201-B2AC-FD4B839BF224}.exe"	{EDA83AF0-7EBF-4e50-BC38-2BAFE6A3D29B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{058D3F04-FC8A-40a1-A0FF-A0865D368304}\stubpath = "C:\\Windows\\{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe"	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe

Deletes itself 1 IoCs

pid	Process
2832	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2300	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe
2960	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe
2512	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe
2624	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe
2424	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe
1020	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe
1192	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe
908	{46A3A319-988B-496b-ADEF-7B5025CAD825}.exe
540	{71569FD6-C0CD-4811-94DB-D0A29C367BFB}.exe
548	{EDA83AF0-7EBF-4e50-BC38-2BAFE6A3D29B}.exe
2692	{F4B5443B-C2C3-4201-B2AC-FD4B839BF224}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{46A3A319-988B-496b-ADEF-7B5025CAD825}.exe	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe
File created	C:\Windows\{71569FD6-C0CD-4811-94DB-D0A29C367BFB}.exe	{46A3A319-988B-496b-ADEF-7B5025CAD825}.exe
File created	C:\Windows\{F4B5443B-C2C3-4201-B2AC-FD4B839BF224}.exe	{EDA83AF0-7EBF-4e50-BC38-2BAFE6A3D29B}.exe
File created	C:\Windows\{EDA83AF0-7EBF-4e50-BC38-2BAFE6A3D29B}.exe	{71569FD6-C0CD-4811-94DB-D0A29C367BFB}.exe
File created	C:\Windows\{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe
File created	C:\Windows\{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe
File created	C:\Windows\{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe
File created	C:\Windows\{4919F917-963B-4b6a-BB03-93A1126FC157}.exe	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe
File created	C:\Windows\{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe
File created	C:\Windows\{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe
File created	C:\Windows\{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1556	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2300	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe
Token: SeIncBasePriorityPrivilege	2960	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe
Token: SeIncBasePriorityPrivilege	2512	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe
Token: SeIncBasePriorityPrivilege	2624	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe
Token: SeIncBasePriorityPrivilege	2424	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe
Token: SeIncBasePriorityPrivilege	1020	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe
Token: SeIncBasePriorityPrivilege	1192	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe
Token: SeIncBasePriorityPrivilege	908	{46A3A319-988B-496b-ADEF-7B5025CAD825}.exe
Token: SeIncBasePriorityPrivilege	540	{71569FD6-C0CD-4811-94DB-D0A29C367BFB}.exe
Token: SeIncBasePriorityPrivilege	548	{EDA83AF0-7EBF-4e50-BC38-2BAFE6A3D29B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 2300	1556	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	28
PID 1556 wrote to memory of 2300	1556	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	28
PID 1556 wrote to memory of 2300	1556	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	28
PID 1556 wrote to memory of 2300	1556	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	28
PID 1556 wrote to memory of 2832	1556	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	29
PID 1556 wrote to memory of 2832	1556	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	29
PID 1556 wrote to memory of 2832	1556	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	29
PID 1556 wrote to memory of 2832	1556	2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe	29
PID 2300 wrote to memory of 2960	2300	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe	32
PID 2300 wrote to memory of 2960	2300	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe	32
PID 2300 wrote to memory of 2960	2300	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe	32
PID 2300 wrote to memory of 2960	2300	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe	32
PID 2300 wrote to memory of 2532	2300	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe	33
PID 2300 wrote to memory of 2532	2300	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe	33
PID 2300 wrote to memory of 2532	2300	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe	33
PID 2300 wrote to memory of 2532	2300	{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe	33
PID 2960 wrote to memory of 2512	2960	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe	34
PID 2960 wrote to memory of 2512	2960	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe	34
PID 2960 wrote to memory of 2512	2960	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe	34
PID 2960 wrote to memory of 2512	2960	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe	34
PID 2960 wrote to memory of 2956	2960	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe	35
PID 2960 wrote to memory of 2956	2960	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe	35
PID 2960 wrote to memory of 2956	2960	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe	35
PID 2960 wrote to memory of 2956	2960	{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe	35
PID 2512 wrote to memory of 2624	2512	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe	36
PID 2512 wrote to memory of 2624	2512	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe	36
PID 2512 wrote to memory of 2624	2512	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe	36
PID 2512 wrote to memory of 2624	2512	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe	36
PID 2512 wrote to memory of 2604	2512	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe	37
PID 2512 wrote to memory of 2604	2512	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe	37
PID 2512 wrote to memory of 2604	2512	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe	37
PID 2512 wrote to memory of 2604	2512	{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe	37
PID 2624 wrote to memory of 2424	2624	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe	38
PID 2624 wrote to memory of 2424	2624	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe	38
PID 2624 wrote to memory of 2424	2624	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe	38
PID 2624 wrote to memory of 2424	2624	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe	38
PID 2624 wrote to memory of 2244	2624	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe	39
PID 2624 wrote to memory of 2244	2624	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe	39
PID 2624 wrote to memory of 2244	2624	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe	39
PID 2624 wrote to memory of 2244	2624	{4919F917-963B-4b6a-BB03-93A1126FC157}.exe	39
PID 2424 wrote to memory of 1020	2424	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe	40
PID 2424 wrote to memory of 1020	2424	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe	40
PID 2424 wrote to memory of 1020	2424	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe	40
PID 2424 wrote to memory of 1020	2424	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe	40
PID 2424 wrote to memory of 1884	2424	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe	41
PID 2424 wrote to memory of 1884	2424	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe	41
PID 2424 wrote to memory of 1884	2424	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe	41
PID 2424 wrote to memory of 1884	2424	{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe	41
PID 1020 wrote to memory of 1192	1020	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe	42
PID 1020 wrote to memory of 1192	1020	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe	42
PID 1020 wrote to memory of 1192	1020	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe	42
PID 1020 wrote to memory of 1192	1020	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe	42
PID 1020 wrote to memory of 1652	1020	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe	43
PID 1020 wrote to memory of 1652	1020	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe	43
PID 1020 wrote to memory of 1652	1020	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe	43
PID 1020 wrote to memory of 1652	1020	{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe	43
PID 1192 wrote to memory of 908	1192	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe	44
PID 1192 wrote to memory of 908	1192	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe	44
PID 1192 wrote to memory of 908	1192	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe	44
PID 1192 wrote to memory of 908	1192	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe	44
PID 1192 wrote to memory of 1728	1192	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe	45
PID 1192 wrote to memory of 1728	1192	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe	45
PID 1192 wrote to memory of 1728	1192	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe	45
PID 1192 wrote to memory of 1728	1192	{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_ef696fb03edc89ff18c46e62ebd47797_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe
  C:\Windows\{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe
    C:\Windows\{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe
      C:\Windows\{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\{4919F917-963B-4b6a-BB03-93A1126FC157}.exe
        
        C:\Windows\{4919F917-963B-4b6a-BB03-93A1126FC157}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe
        
        C:\Windows\{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe
        
        C:\Windows\{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe
        
        C:\Windows\{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\{46A3A319-988B-496b-ADEF-7B5025CAD825}.exe
        
        C:\Windows\{46A3A319-988B-496b-ADEF-7B5025CAD825}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\{71569FD6-C0CD-4811-94DB-D0A29C367BFB}.exe
        
        C:\Windows\{71569FD6-C0CD-4811-94DB-D0A29C367BFB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\{EDA83AF0-7EBF-4e50-BC38-2BAFE6A3D29B}.exe
        
        C:\Windows\{EDA83AF0-7EBF-4e50-BC38-2BAFE6A3D29B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{F4B5443B-C2C3-4201-B2AC-FD4B839BF224}.exe
        
        C:\Windows\{F4B5443B-C2C3-4201-B2AC-FD4B839BF224}.exe
        12⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDA83~1.EXE > nul
        12⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71569~1.EXE > nul
        11⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46A3A~1.EXE > nul
        10⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{273E2~1.EXE > nul
        9⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F9B4~1.EXE > nul
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{044F7~1.EXE > nul
        7⤵
        
        PID:1884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4919F~1.EXE > nul
        6⤵
        
        PID:2244
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4F1B~1.EXE > nul
        5⤵
        
        PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{058D3~1.EXE > nul
      4⤵
      PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B1FEE~1.EXE > nul
    3⤵
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{044F7A22-6349-4325-A0B9-757CC7CA94C9}.exe

Filesize
168KB

MD5
eaec25652b939f4988b1db2ee9d64044

SHA1
2e8d22b42f323de06f1b0bcbcff89b70f54ae280

SHA256
26956afe7684d80b08a190ac216678e12e06b06cf5966db7d19acfbac9723262

SHA512
b5e72b14639430dcb94e680409884e7aba8f9285d0ad99e9d7339e8d1d8c7d73baabf86d53324ac40e39cefd7d9642cfccfcfd3511d3ca14766e2f354c2f0cd5

Download Submit
C:\Windows\{058D3F04-FC8A-40a1-A0FF-A0865D368304}.exe

Filesize
168KB

MD5
4e7c0ee3945378291d130a073eb5cf08

SHA1
075daa1f9e18a04aeff4f68258c2d304c3ae2231

SHA256
2a1ed82304e2d3f2bd96b6feb6c482ab20c26fee0311db4b83eabd2ccd047650

SHA512
d1773487469e47b7168bc3424f9dffd4ad4543afb3fc122586ef6f5cfbb5b332b6baf525f3c6c4c4514c7b9c1ca7d14766d7830ac9f55f792c3f5f1053f2f8f3

Download Submit
C:\Windows\{273E2BAD-B779-45ce-B073-3840AC086C6A}.exe

Filesize
168KB

MD5
2b6a837a5b6369a432d381d7f4f34fb6

SHA1
83da69ad3ce2535c9dda0ad9967f7f76e43771e1

SHA256
f4fcb295d8a7bbf76601a2963cf7be40f5266a238125c8432ae09e688d45b5fc

SHA512
50f03fb9dc13676c1c019cf1ef0f372f0e48e51b179518a0331f74ec0e5cc23f08fabaf5627cded88111a6583ba24661c7e0c6b144a3bea52fd7813e4993295d

Download Submit
C:\Windows\{3F9B4041-EA02-46c7-8938-7A8C17655868}.exe

Filesize
168KB

MD5
7becb7deb5ea804a2a20f61b1d997217

SHA1
34098b20b125f7d4f442948de151d47422dd2b5c

SHA256
7bde0394dd98854fc2c6fc89e75bd001fd21a66e7812a0607aedc4bbbb817aa8

SHA512
946f939ba3bc91cb1ed35d16a2a3b6a37ebe026fdf2b7c777efb5b01a76027a79a50b6ab26caa69b509884b2858c8df35fd853cc3767801c6e604030bf9a7513

Download Submit
C:\Windows\{46A3A319-988B-496b-ADEF-7B5025CAD825}.exe

Filesize
168KB

MD5
9cd86f6dde3e1fb6a67043cc7a2985a2

SHA1
55ad2576e22b66878fe48c408f298f26f7e00e05

SHA256
9262ede6331ec51ef0dd58a8298ca39392db63c8ee83e96c8ab590aab5067a14

SHA512
58b61c0ad04127a61f5fed6c059f43214ff05af523c6c1f13fd9c0d5466c9183d93c7357a140edabdcdc41ad671ddeb2f026aada4bfaf47bd990749f6ad31ddb

Download Submit
C:\Windows\{4919F917-963B-4b6a-BB03-93A1126FC157}.exe

Filesize
168KB

MD5
7e07d2fb10f6751a329494fe89e17b03

SHA1
1aa4021a6c553d5410bb70f94ced93a01233f699

SHA256
85adf46aa56439ce66c14fb38374293c7767e64137ae22c4fee1541c2277d81e

SHA512
2ffbf45adbb1f0995a2c66c601671ec6906c49a191f4be8084783ce69559b320da8665cdb750e84ac7e06993cbb9f36393f83a2d84b900b2465f9a08bde2f111

Download Submit
C:\Windows\{71569FD6-C0CD-4811-94DB-D0A29C367BFB}.exe

Filesize
168KB

MD5
b90534e2c6623882e34631039d39370c

SHA1
d547b621fb628de2264d91a08150c57622afe943

SHA256
0fdda84499d96e8ce75d18c8361785d8098683a813ae6ca2ddc5f9fa849db482

SHA512
04778781ed2166a2adfaad385b45e2fb8e8efee5f93dcabb61d83c1214432f42352d222febebafe1e369c29b71042fd0f35984267b6804697ac9ac9b56d5810f

Download Submit
C:\Windows\{B1FEEBE6-837C-43fb-BC2E-353C1E4C7DB8}.exe

Filesize
168KB

MD5
1c956e59d8a12c76f94a6d9d5a50da41

SHA1
faaec58e93573f57dbaa30b57966434b2cca4ea3

SHA256
58c39161ef5b9faf50db5c9a88ff1c2927ecd4738b2b2934486f09ffcfbe87a6

SHA512
5e9b6e0c44100a1ea157d0d26c3e5b6c519c8a60d1c0255a6ce5e5841d76336b579845d5a44316d42edaf901c61737ac8ad904ad8b85ccea57eb98e4af70148b

Download Submit
C:\Windows\{EDA83AF0-7EBF-4e50-BC38-2BAFE6A3D29B}.exe

Filesize
168KB

MD5
b89493fc73c4c7ea2c9f8d58c68c2af1

SHA1
056ea5df6143822c65f69558322ead4d866e384e

SHA256
71bbd9dc913a1f3bb36b42f3a110b21361fe258852c541c0e377137faa01093d

SHA512
aaaaa5f5b1358c6975cbe167ce643ebda239a571b22f072141e5ea4185b1d22153b3753e37f035b1b5d3b3957e1e5d19bc1dee4c343f28f484cd54187182e78d

Download Submit
C:\Windows\{F4B5443B-C2C3-4201-B2AC-FD4B839BF224}.exe

Filesize
168KB

MD5
523706fc7cd90ee73813850a0399a070

SHA1
60c8387d9a3d19d6676527a0563fe459d1142021

SHA256
041728befe14112281ef5a9699600011734b374e9e7db8ef518a34ca30ed8e0a

SHA512
dfe3229cbd9a4b397a54b59c09fe245bcaff373df1643e5fb102354386d2954078e3754eae019bb69ba138bc40bb08c11cbe91db300bedd812b13dcdd7b965a3

Download Submit
C:\Windows\{F4F1BB66-661B-4f3f-B120-9D35947FC52A}.exe

Filesize
168KB

MD5
7fa2b7f98d2485a98eb9b081e97f9fa1

SHA1
e90f3a988aed6645758f043251ad51ae073a2d3e

SHA256
7b23af727c520b20411c1a8180fbeaf79368474c8ae266b2a8c2daba8512a40a

SHA512
9772173c1ae338981fbf8a2a546fa2c492572d059fb9bace79b06b70ee1ce0056f184d0f67a390ce95dc707d783ca4b7eae5895898ed34cccf6e5f8780607a28

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads