cec2be1e18e0985e7aeff55b7f893e7ca079bdc65cf6dd2d0a206f2c255ffac0

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe
Size

197KB
MD5

ef4e0a15e9f824ace1e60de38c6d705d
SHA1

61455e4d67b350fe51efda84725b96e7e784b0fc
SHA256

cec2be1e18e0985e7aeff55b7f893e7ca079bdc65cf6dd2d0a206f2c255ffac0
SHA512

cde0b37012dc091829eadd467e2959b8c2d705d1a9c92eeab868450d00eeaf9bb9be771c0cf9a9e82fe79ef1c57e5c7d536db1b63aad1e2d65d63c267c00d488
SSDEEP

3072:jEGh0oZl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGjlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012247-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001445e-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000000f680-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000014738-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014a55-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000014738-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000014aec-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000014b6d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000014aec-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000014b6d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000014aec-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BACBA8E-7098-49d0-8D62-8FDD6142A52B}	{4B5CDB21-DB1B-44e1-897D-8DF38A4841AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BACBA8E-7098-49d0-8D62-8FDD6142A52B}\stubpath = "C:\\Windows\\{0BACBA8E-7098-49d0-8D62-8FDD6142A52B}.exe"	{4B5CDB21-DB1B-44e1-897D-8DF38A4841AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1811311C-31E4-48cd-A21D-D5B1AAAC88D6}\stubpath = "C:\\Windows\\{1811311C-31E4-48cd-A21D-D5B1AAAC88D6}.exe"	{0BACBA8E-7098-49d0-8D62-8FDD6142A52B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81648AF5-8597-4055-A1A1-B600A8D53F6E}	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EEB4E45-4F59-4955-986E-04DD487935CF}\stubpath = "C:\\Windows\\{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe"	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B95A81C-36E0-4c8a-A535-85A58AE7A134}\stubpath = "C:\\Windows\\{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe"	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B5CDB21-DB1B-44e1-897D-8DF38A4841AE}	{AF658651-0DA0-41e3-96FF-467ABA68AF0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}\stubpath = "C:\\Windows\\{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe"	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF658651-0DA0-41e3-96FF-467ABA68AF0C}\stubpath = "C:\\Windows\\{AF658651-0DA0-41e3-96FF-467ABA68AF0C}.exe"	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1811311C-31E4-48cd-A21D-D5B1AAAC88D6}	{0BACBA8E-7098-49d0-8D62-8FDD6142A52B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}\stubpath = "C:\\Windows\\{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe"	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B95A81C-36E0-4c8a-A535-85A58AE7A134}	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{075D9D7C-A226-4d02-96E8-D272F6C0F19D}	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}\stubpath = "C:\\Windows\\{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe"	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF658651-0DA0-41e3-96FF-467ABA68AF0C}	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B5CDB21-DB1B-44e1-897D-8DF38A4841AE}\stubpath = "C:\\Windows\\{4B5CDB21-DB1B-44e1-897D-8DF38A4841AE}.exe"	{AF658651-0DA0-41e3-96FF-467ABA68AF0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81648AF5-8597-4055-A1A1-B600A8D53F6E}\stubpath = "C:\\Windows\\{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe"	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EEB4E45-4F59-4955-986E-04DD487935CF}	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{075D9D7C-A226-4d02-96E8-D272F6C0F19D}\stubpath = "C:\\Windows\\{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe"	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3016	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe
2588	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe
2528	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe
760	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe
1728	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe
2468	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe
1248	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe
1952	{AF658651-0DA0-41e3-96FF-467ABA68AF0C}.exe
2204	{4B5CDB21-DB1B-44e1-897D-8DF38A4841AE}.exe
3040	{0BACBA8E-7098-49d0-8D62-8FDD6142A52B}.exe
3000	{1811311C-31E4-48cd-A21D-D5B1AAAC88D6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AF658651-0DA0-41e3-96FF-467ABA68AF0C}.exe	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe
File created	C:\Windows\{1811311C-31E4-48cd-A21D-D5B1AAAC88D6}.exe	{0BACBA8E-7098-49d0-8D62-8FDD6142A52B}.exe
File created	C:\Windows\{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe
File created	C:\Windows\{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe
File created	C:\Windows\{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe
File created	C:\Windows\{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe
File created	C:\Windows\{0BACBA8E-7098-49d0-8D62-8FDD6142A52B}.exe	{4B5CDB21-DB1B-44e1-897D-8DF38A4841AE}.exe
File created	C:\Windows\{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe
File created	C:\Windows\{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe
File created	C:\Windows\{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe
File created	C:\Windows\{4B5CDB21-DB1B-44e1-897D-8DF38A4841AE}.exe	{AF658651-0DA0-41e3-96FF-467ABA68AF0C}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2244	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3016	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe
Token: SeIncBasePriorityPrivilege	2588	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe
Token: SeIncBasePriorityPrivilege	2528	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe
Token: SeIncBasePriorityPrivilege	760	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe
Token: SeIncBasePriorityPrivilege	1728	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe
Token: SeIncBasePriorityPrivilege	2468	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe
Token: SeIncBasePriorityPrivilege	1248	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe
Token: SeIncBasePriorityPrivilege	1952	{AF658651-0DA0-41e3-96FF-467ABA68AF0C}.exe
Token: SeIncBasePriorityPrivilege	2204	{4B5CDB21-DB1B-44e1-897D-8DF38A4841AE}.exe
Token: SeIncBasePriorityPrivilege	3040	{0BACBA8E-7098-49d0-8D62-8FDD6142A52B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3016	2244	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	28
PID 2244 wrote to memory of 3016	2244	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	28
PID 2244 wrote to memory of 3016	2244	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	28
PID 2244 wrote to memory of 3016	2244	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	28
PID 2244 wrote to memory of 2548	2244	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	29
PID 2244 wrote to memory of 2548	2244	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	29
PID 2244 wrote to memory of 2548	2244	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	29
PID 2244 wrote to memory of 2548	2244	2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe	29
PID 3016 wrote to memory of 2588	3016	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe	30
PID 3016 wrote to memory of 2588	3016	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe	30
PID 3016 wrote to memory of 2588	3016	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe	30
PID 3016 wrote to memory of 2588	3016	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe	30
PID 3016 wrote to memory of 1932	3016	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe	31
PID 3016 wrote to memory of 1932	3016	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe	31
PID 3016 wrote to memory of 1932	3016	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe	31
PID 3016 wrote to memory of 1932	3016	{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe	31
PID 2588 wrote to memory of 2528	2588	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe	34
PID 2588 wrote to memory of 2528	2588	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe	34
PID 2588 wrote to memory of 2528	2588	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe	34
PID 2588 wrote to memory of 2528	2588	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe	34
PID 2588 wrote to memory of 2852	2588	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe	35
PID 2588 wrote to memory of 2852	2588	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe	35
PID 2588 wrote to memory of 2852	2588	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe	35
PID 2588 wrote to memory of 2852	2588	{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe	35
PID 2528 wrote to memory of 760	2528	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe	36
PID 2528 wrote to memory of 760	2528	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe	36
PID 2528 wrote to memory of 760	2528	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe	36
PID 2528 wrote to memory of 760	2528	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe	36
PID 2528 wrote to memory of 924	2528	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe	37
PID 2528 wrote to memory of 924	2528	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe	37
PID 2528 wrote to memory of 924	2528	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe	37
PID 2528 wrote to memory of 924	2528	{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe	37
PID 760 wrote to memory of 1728	760	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe	38
PID 760 wrote to memory of 1728	760	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe	38
PID 760 wrote to memory of 1728	760	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe	38
PID 760 wrote to memory of 1728	760	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe	38
PID 760 wrote to memory of 2320	760	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe	39
PID 760 wrote to memory of 2320	760	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe	39
PID 760 wrote to memory of 2320	760	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe	39
PID 760 wrote to memory of 2320	760	{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe	39
PID 1728 wrote to memory of 2468	1728	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe	40
PID 1728 wrote to memory of 2468	1728	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe	40
PID 1728 wrote to memory of 2468	1728	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe	40
PID 1728 wrote to memory of 2468	1728	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe	40
PID 1728 wrote to memory of 2604	1728	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe	41
PID 1728 wrote to memory of 2604	1728	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe	41
PID 1728 wrote to memory of 2604	1728	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe	41
PID 1728 wrote to memory of 2604	1728	{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe	41
PID 2468 wrote to memory of 1248	2468	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe	42
PID 2468 wrote to memory of 1248	2468	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe	42
PID 2468 wrote to memory of 1248	2468	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe	42
PID 2468 wrote to memory of 1248	2468	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe	42
PID 2468 wrote to memory of 932	2468	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe	43
PID 2468 wrote to memory of 932	2468	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe	43
PID 2468 wrote to memory of 932	2468	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe	43
PID 2468 wrote to memory of 932	2468	{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe	43
PID 1248 wrote to memory of 1952	1248	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe	44
PID 1248 wrote to memory of 1952	1248	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe	44
PID 1248 wrote to memory of 1952	1248	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe	44
PID 1248 wrote to memory of 1952	1248	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe	44
PID 1248 wrote to memory of 2236	1248	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe	45
PID 1248 wrote to memory of 2236	1248	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe	45
PID 1248 wrote to memory of 2236	1248	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe	45
PID 1248 wrote to memory of 2236	1248	{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_ef4e0a15e9f824ace1e60de38c6d705d_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe
  C:\Windows\{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe
    C:\Windows\{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe
      C:\Windows\{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe
        
        C:\Windows\{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Windows\{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe
        
        C:\Windows\{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe
        
        C:\Windows\{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe
        
        C:\Windows\{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\{AF658651-0DA0-41e3-96FF-467ABA68AF0C}.exe
        
        C:\Windows\{AF658651-0DA0-41e3-96FF-467ABA68AF0C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\{4B5CDB21-DB1B-44e1-897D-8DF38A4841AE}.exe
        
        C:\Windows\{4B5CDB21-DB1B-44e1-897D-8DF38A4841AE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\{0BACBA8E-7098-49d0-8D62-8FDD6142A52B}.exe
        
        C:\Windows\{0BACBA8E-7098-49d0-8D62-8FDD6142A52B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\{1811311C-31E4-48cd-A21D-D5B1AAAC88D6}.exe
        
        C:\Windows\{1811311C-31E4-48cd-A21D-D5B1AAAC88D6}.exe
        12⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BACB~1.EXE > nul
        12⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B5CD~1.EXE > nul
        11⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF658~1.EXE > nul
        10⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53216~1.EXE > nul
        9⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{075D9~1.EXE > nul
        8⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B95A~1.EXE > nul
        7⤵
        
        PID:2604
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EEB4~1.EXE > nul
        6⤵
        
        PID:2320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA4D0~1.EXE > nul
        5⤵
        
        PID:924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{81648~1.EXE > nul
      4⤵
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{ECD30~1.EXE > nul
    3⤵
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{075D9D7C-A226-4d02-96E8-D272F6C0F19D}.exe

Filesize
197KB

MD5
66247c17881400370db4954ce708977b

SHA1
4c64e65b236382cb04889a80ee0250bb34e5513b

SHA256
65aedcc8eeee57d64755fa83912dba11ee95b4853766fb11264def4baee7b750

SHA512
feaf37777d8d1f4e99d777c524fe505c3d300a49128ee24152e1a621f8045aa0801c56d1582cd2ecf950daf85b55c0f000b3d68ab83b583d63ff45adfbc26438

Download Submit
C:\Windows\{0BACBA8E-7098-49d0-8D62-8FDD6142A52B}.exe

Filesize
197KB

MD5
2202e6050464497fd64814b212b3ac9b

SHA1
8c3bb9a403b1802ebb458f0092c130dc05fe33fb

SHA256
1c6417837dfc6a686954cf2a56be666ec0ca69872393b7bef834ef1fd4a679ee

SHA512
a79e30fe73e971aee8a9c3426be485deb49ee645aab81189fb89ea9a3a119d0eb959663da822b49da7b22f016d462447bf160161efde0fff8cfeaca6a7934bd9

Download Submit
C:\Windows\{1811311C-31E4-48cd-A21D-D5B1AAAC88D6}.exe

Filesize
197KB

MD5
190ea02ffcc47fb163ecd8a2a1524ffa

SHA1
b89bc090940d99163bc0183cf53ca514fe0a977f

SHA256
017f1388dea6a6292efbb9577cd22be06c5e7e686a004ce4fc1247cdacd40882

SHA512
d4770c8ce507d64f9f4708e37ab2f57cfca19821eb99be23ea5479abfa851d6e16e66d14fef5257f3a48eb94696ceddb0ebd3a919793c3c96082bff69c53f34f

Download Submit
C:\Windows\{4B5CDB21-DB1B-44e1-897D-8DF38A4841AE}.exe

Filesize
197KB

MD5
6535dadbbe8e296ba589587e0e595233

SHA1
2780fc9ed5735d506d3e1f658c6ce60535a180b1

SHA256
4e93857a7d81b9a84c9e6563a25e7bf1dcf1e5e07b717ff478b56afacfa7b05e

SHA512
fde6ea94edaa7376f7e3d198e71de40ed7a8cd813dbc717bd0b2dd77553fd1c150940949d0ec4f31939005f5000979d09c175394f38545f35fd264fa8c4d1e99

Download Submit
C:\Windows\{532160FC-46DB-457c-A5E2-1B4DDB32BD7B}.exe

Filesize
197KB

MD5
883fa3abf8d2ce1da83f92e063a8e01b

SHA1
5ddd0a04efc01909128eddf8c2ac54a6b309a8e2

SHA256
acb100db01136461b6a9ec93fc3c077f804360a8d5d1db6450cd8aeb40f672d3

SHA512
16aa0e935f1e55bca526e477dfa305f104efd6246dcc085e9b59a8e8192137436120db10057a8ab8833e97c6fe2f7f080f4c8fdd795d2cd1df8d6bf987e023ae

Download Submit
C:\Windows\{7B95A81C-36E0-4c8a-A535-85A58AE7A134}.exe

Filesize
197KB

MD5
f2672657f364a2577415f65b0fe0ebf2

SHA1
2a4d2b495a07475b5cebb92c1ae3e4c3d5b033ae

SHA256
6b33e5f8ff6fc0decd2e2e1c1265f2559d29da646bb7d99212ec6e4b244f31f3

SHA512
adde02a1148ff72ac5be03c2a608e1e1530f51696b182f25c7fa1711cbe98c81603584cf2a20553fc2a8581edc42d0748aa673fccd2506fffb43cf47b23067dd

Download Submit
C:\Windows\{81648AF5-8597-4055-A1A1-B600A8D53F6E}.exe

Filesize
197KB

MD5
d79b2e03dac29bb6cec972be7b2c3539

SHA1
cc9dba15f73f9aa9a9e9ba14682c1a3d91e67fb7

SHA256
1c8e8a1acf8f59e9e0cadac9ea30bbbc76a5708be33f70bf4cfb6f8ba38f9839

SHA512
a06332807e436b4b326a10d750312f90bae92b911f954c613e61a43b4e13526520105ed66847a1260f77d723902b71d3bb8f0d1215abee02ec0eee7aa5b04506

Download Submit
C:\Windows\{8EEB4E45-4F59-4955-986E-04DD487935CF}.exe

Filesize
197KB

MD5
64d5f30f44437480560a885c1c05bec5

SHA1
bd09ae44239fec0f4bb73619853e32795b704335

SHA256
2d2cb5a5ab847da1bb6282df04828ebd0f0d3d4eddad0ff836018804cdfccc5f

SHA512
54a944ce758b70528465cfd5f97746353e861216b4290ca672d0a929ba57cbf7681da3a874c17138b9547f131ed5df37bb03a6325dc83744fa446a8a7fc8cccb

Download Submit
C:\Windows\{AF658651-0DA0-41e3-96FF-467ABA68AF0C}.exe

Filesize
197KB

MD5
8ead9e4326c0e5e728f47616d4cc02be

SHA1
3c0f59f62094c2a37f02891c522272556c5c9316

SHA256
72ec112140bf643c4fe9254b05002f82e3d01a772f2ac46a36cac8c9d3e899b8

SHA512
b71d851932efbd1acbfa3e162cf7269a54d22aa5f3a9f7f8a7344e59ecc5d66299bb73a512f3470e7b9ae3a67a7afddd91e0e59ebe6e770a0972f22c720de952

Download Submit
C:\Windows\{DA4D05BB-3D37-4a32-94FE-CE1FB60D7649}.exe

Filesize
197KB

MD5
64e569ba17719a61710f8dad96c641b2

SHA1
be58f87d5858c281f9c4fd520c31a112f633fca4

SHA256
b5dda2eb2a4e4af0866426a108ddfcd44cdc9241e48c196442a5e73b02ed9894

SHA512
2f4f8ae2267975f38b60fcf1a7fe505ed6ddbdc51fbd2ad9fecfaa472c0230689f818484ff00a2c75acd0ae5e87b69fe12c6711bc72617fae44260ed1a89fd11

Download Submit
C:\Windows\{ECD30EF6-0934-4bb7-8460-B8E3AC0B3899}.exe

Filesize
197KB

MD5
fe8f069cda3d9757ff60cc91acb2d06b

SHA1
bf7aecced57f5b2136d9760935c1ced5759dbfc8

SHA256
8b661ec7582aac0bee4caa7d2b979b840f24117f71864c092c1b48f951b562bd

SHA512
ebdcaf11adca608caa612a088f9ce51e85b62c49db653c009a2cddf04fd8af7c630dd84e45b36e9e420f97b6e10bd393be66167b14599bb2574da946cfdb296f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads