954b77ccae42f2c61b2ca819dd5337d58b33b52188978b623ee77dd5244552c7

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe
Size

216KB
MD5

0e47a90689afa51956f920c914848175
SHA1

2acd5655d18097831d68dda57c359b8461603d2a
SHA256

954b77ccae42f2c61b2ca819dd5337d58b33b52188978b623ee77dd5244552c7
SHA512

d17a806ad6b1cce25a4799459ca098f24790a5786f8f7b031033b91c3024568f38e1777f147b4f2e3edc4809c702a60ce481c5ac596907f28ebfef598491f440
SSDEEP

3072:jEGh0obl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGFlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015f01-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016176-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000015f01-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016a29-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000005a59-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000015f01-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000005a59-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000015f01-53.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000005a59-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015f01-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000005a59-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{713AF22D-B538-4a0b-AF18-5FFEFA9B6346}	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A92EE74-36F4-4394-A2B3-D9C36C830B67}\stubpath = "C:\\Windows\\{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe"	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}\stubpath = "C:\\Windows\\{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe"	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5490317-6171-48fa-AA59-1953546A099B}\stubpath = "C:\\Windows\\{E5490317-6171-48fa-AA59-1953546A099B}.exe"	{713AF22D-B538-4a0b-AF18-5FFEFA9B6346}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2700B0E4-70FB-4c40-9BDE-AA716B4B7A3E}	{E5490317-6171-48fa-AA59-1953546A099B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2700B0E4-70FB-4c40-9BDE-AA716B4B7A3E}\stubpath = "C:\\Windows\\{2700B0E4-70FB-4c40-9BDE-AA716B4B7A3E}.exe"	{E5490317-6171-48fa-AA59-1953546A099B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77DDCDFE-6559-4f00-ACC1-F5117DAB9FF5}	{2700B0E4-70FB-4c40-9BDE-AA716B4B7A3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{009B6595-67F4-4749-8763-E46B89C0B340}	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E12DE1A6-8178-4e8e-990B-8EF558E866F5}	{009B6595-67F4-4749-8763-E46B89C0B340}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}\stubpath = "C:\\Windows\\{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe"	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A92EE74-36F4-4394-A2B3-D9C36C830B67}	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{713AF22D-B538-4a0b-AF18-5FFEFA9B6346}\stubpath = "C:\\Windows\\{713AF22D-B538-4a0b-AF18-5FFEFA9B6346}.exe"	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5490317-6171-48fa-AA59-1953546A099B}	{713AF22D-B538-4a0b-AF18-5FFEFA9B6346}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77DDCDFE-6559-4f00-ACC1-F5117DAB9FF5}\stubpath = "C:\\Windows\\{77DDCDFE-6559-4f00-ACC1-F5117DAB9FF5}.exe"	{2700B0E4-70FB-4c40-9BDE-AA716B4B7A3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD20C602-2F9D-4475-8727-3BB8EB8645E6}\stubpath = "C:\\Windows\\{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe"	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{009B6595-67F4-4749-8763-E46B89C0B340}\stubpath = "C:\\Windows\\{009B6595-67F4-4749-8763-E46B89C0B340}.exe"	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E12DE1A6-8178-4e8e-990B-8EF558E866F5}\stubpath = "C:\\Windows\\{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe"	{009B6595-67F4-4749-8763-E46B89C0B340}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD20C602-2F9D-4475-8727-3BB8EB8645E6}	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}\stubpath = "C:\\Windows\\{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe"	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe

Deletes itself 1 IoCs

pid	Process
2220	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2164	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe
2908	{009B6595-67F4-4749-8763-E46B89C0B340}.exe
2628	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe
2432	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe
3052	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe
2760	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe
1944	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe
2772	{713AF22D-B538-4a0b-AF18-5FFEFA9B6346}.exe
1676	{E5490317-6171-48fa-AA59-1953546A099B}.exe
2280	{2700B0E4-70FB-4c40-9BDE-AA716B4B7A3E}.exe
356	{77DDCDFE-6559-4f00-ACC1-F5117DAB9FF5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe
File created	C:\Windows\{713AF22D-B538-4a0b-AF18-5FFEFA9B6346}.exe	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe
File created	C:\Windows\{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe
File created	C:\Windows\{009B6595-67F4-4749-8763-E46B89C0B340}.exe	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe
File created	C:\Windows\{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe
File created	C:\Windows\{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe
File created	C:\Windows\{77DDCDFE-6559-4f00-ACC1-F5117DAB9FF5}.exe	{2700B0E4-70FB-4c40-9BDE-AA716B4B7A3E}.exe
File created	C:\Windows\{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe	{009B6595-67F4-4749-8763-E46B89C0B340}.exe
File created	C:\Windows\{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe
File created	C:\Windows\{E5490317-6171-48fa-AA59-1953546A099B}.exe	{713AF22D-B538-4a0b-AF18-5FFEFA9B6346}.exe
File created	C:\Windows\{2700B0E4-70FB-4c40-9BDE-AA716B4B7A3E}.exe	{E5490317-6171-48fa-AA59-1953546A099B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1972	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2164	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe
Token: SeIncBasePriorityPrivilege	2908	{009B6595-67F4-4749-8763-E46B89C0B340}.exe
Token: SeIncBasePriorityPrivilege	2628	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe
Token: SeIncBasePriorityPrivilege	2432	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe
Token: SeIncBasePriorityPrivilege	3052	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe
Token: SeIncBasePriorityPrivilege	2760	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe
Token: SeIncBasePriorityPrivilege	1944	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe
Token: SeIncBasePriorityPrivilege	2772	{713AF22D-B538-4a0b-AF18-5FFEFA9B6346}.exe
Token: SeIncBasePriorityPrivilege	1676	{E5490317-6171-48fa-AA59-1953546A099B}.exe
Token: SeIncBasePriorityPrivilege	2280	{2700B0E4-70FB-4c40-9BDE-AA716B4B7A3E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2164	1972	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	28
PID 1972 wrote to memory of 2164	1972	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	28
PID 1972 wrote to memory of 2164	1972	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	28
PID 1972 wrote to memory of 2164	1972	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	28
PID 1972 wrote to memory of 2220	1972	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	29
PID 1972 wrote to memory of 2220	1972	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	29
PID 1972 wrote to memory of 2220	1972	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	29
PID 1972 wrote to memory of 2220	1972	2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe	29
PID 2164 wrote to memory of 2908	2164	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe	30
PID 2164 wrote to memory of 2908	2164	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe	30
PID 2164 wrote to memory of 2908	2164	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe	30
PID 2164 wrote to memory of 2908	2164	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe	30
PID 2164 wrote to memory of 2540	2164	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe	31
PID 2164 wrote to memory of 2540	2164	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe	31
PID 2164 wrote to memory of 2540	2164	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe	31
PID 2164 wrote to memory of 2540	2164	{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe	31
PID 2908 wrote to memory of 2628	2908	{009B6595-67F4-4749-8763-E46B89C0B340}.exe	32
PID 2908 wrote to memory of 2628	2908	{009B6595-67F4-4749-8763-E46B89C0B340}.exe	32
PID 2908 wrote to memory of 2628	2908	{009B6595-67F4-4749-8763-E46B89C0B340}.exe	32
PID 2908 wrote to memory of 2628	2908	{009B6595-67F4-4749-8763-E46B89C0B340}.exe	32
PID 2908 wrote to memory of 2708	2908	{009B6595-67F4-4749-8763-E46B89C0B340}.exe	33
PID 2908 wrote to memory of 2708	2908	{009B6595-67F4-4749-8763-E46B89C0B340}.exe	33
PID 2908 wrote to memory of 2708	2908	{009B6595-67F4-4749-8763-E46B89C0B340}.exe	33
PID 2908 wrote to memory of 2708	2908	{009B6595-67F4-4749-8763-E46B89C0B340}.exe	33
PID 2628 wrote to memory of 2432	2628	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe	36
PID 2628 wrote to memory of 2432	2628	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe	36
PID 2628 wrote to memory of 2432	2628	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe	36
PID 2628 wrote to memory of 2432	2628	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe	36
PID 2628 wrote to memory of 2496	2628	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe	37
PID 2628 wrote to memory of 2496	2628	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe	37
PID 2628 wrote to memory of 2496	2628	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe	37
PID 2628 wrote to memory of 2496	2628	{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe	37
PID 2432 wrote to memory of 3052	2432	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe	38
PID 2432 wrote to memory of 3052	2432	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe	38
PID 2432 wrote to memory of 3052	2432	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe	38
PID 2432 wrote to memory of 3052	2432	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe	38
PID 2432 wrote to memory of 2392	2432	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe	39
PID 2432 wrote to memory of 2392	2432	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe	39
PID 2432 wrote to memory of 2392	2432	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe	39
PID 2432 wrote to memory of 2392	2432	{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe	39
PID 3052 wrote to memory of 2760	3052	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe	40
PID 3052 wrote to memory of 2760	3052	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe	40
PID 3052 wrote to memory of 2760	3052	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe	40
PID 3052 wrote to memory of 2760	3052	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe	40
PID 3052 wrote to memory of 1976	3052	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe	41
PID 3052 wrote to memory of 1976	3052	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe	41
PID 3052 wrote to memory of 1976	3052	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe	41
PID 3052 wrote to memory of 1976	3052	{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe	41
PID 2760 wrote to memory of 1944	2760	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe	42
PID 2760 wrote to memory of 1944	2760	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe	42
PID 2760 wrote to memory of 1944	2760	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe	42
PID 2760 wrote to memory of 1944	2760	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe	42
PID 2760 wrote to memory of 1324	2760	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe	43
PID 2760 wrote to memory of 1324	2760	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe	43
PID 2760 wrote to memory of 1324	2760	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe	43
PID 2760 wrote to memory of 1324	2760	{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe	43
PID 1944 wrote to memory of 2772	1944	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe	44
PID 1944 wrote to memory of 2772	1944	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe	44
PID 1944 wrote to memory of 2772	1944	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe	44
PID 1944 wrote to memory of 2772	1944	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe	44
PID 1944 wrote to memory of 2016	1944	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe	45
PID 1944 wrote to memory of 2016	1944	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe	45
PID 1944 wrote to memory of 2016	1944	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe	45
PID 1944 wrote to memory of 2016	1944	{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_0e47a90689afa51956f920c914848175_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe
  C:\Windows\{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\{009B6595-67F4-4749-8763-E46B89C0B340}.exe
    C:\Windows\{009B6595-67F4-4749-8763-E46B89C0B340}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe
      C:\Windows\{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe
        
        C:\Windows\{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe
        
        C:\Windows\{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe
        
        C:\Windows\{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe
        
        C:\Windows\{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{713AF22D-B538-4a0b-AF18-5FFEFA9B6346}.exe
        
        C:\Windows\{713AF22D-B538-4a0b-AF18-5FFEFA9B6346}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\{E5490317-6171-48fa-AA59-1953546A099B}.exe
        
        C:\Windows\{E5490317-6171-48fa-AA59-1953546A099B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\{2700B0E4-70FB-4c40-9BDE-AA716B4B7A3E}.exe
        
        C:\Windows\{2700B0E4-70FB-4c40-9BDE-AA716B4B7A3E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{77DDCDFE-6559-4f00-ACC1-F5117DAB9FF5}.exe
        
        C:\Windows\{77DDCDFE-6559-4f00-ACC1-F5117DAB9FF5}.exe
        12⤵
        Executes dropped EXE
        
        PID:356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2700B~1.EXE > nul
        12⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5490~1.EXE > nul
        11⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{713AF~1.EXE > nul
        10⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03FB4~1.EXE > nul
        9⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B72A0~1.EXE > nul
        8⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5AA3~1.EXE > nul
        7⤵
        
        PID:1976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A92E~1.EXE > nul
        6⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E12DE~1.EXE > nul
        5⤵
        
        PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{009B6~1.EXE > nul
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DD20C~1.EXE > nul
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{009B6595-67F4-4749-8763-E46B89C0B340}.exe

Filesize
216KB

MD5
72488f8768da8145f7b6668be44114ac

SHA1
d4c8f350da867c48c4bc3497bd8be27640c362b2

SHA256
633d2eab8eda7be3372da6b6755a6778f74cbf65732f37bbded1d0ee53c5b7ec

SHA512
c56724208097d87052c8d59dba3d0e0a7adcd5268a8939dbb14da443f11a2b1b6b1211a5ae6409dd970b71686cc52c6cb48b348a52f570f0fe5277af22a70a42

Download Submit
C:\Windows\{03FB43C9-8D57-46ec-9FD0-6912A4A1D8D0}.exe

Filesize
216KB

MD5
90953e41742ac7d5cf965b2dfd3322df

SHA1
9f8a0b8eafc7df6cc74120ba08e5dca45bf01a68

SHA256
51699a8afaae345110b1f3c87462bf7a78561d7f4036dda987ac54a7e156fde9

SHA512
a57b1b612b49f2b4d860414c3eed489bbce120a5a4828c019afcce52676119e7fe9a6731244bc23e12488309d4d15dc0343205fd475f6934a712d484077f36be

Download Submit
C:\Windows\{2700B0E4-70FB-4c40-9BDE-AA716B4B7A3E}.exe

Filesize
216KB

MD5
e7665b9e06a284bfe31bf945bac39d2d

SHA1
662c2769a3444ef01b68b034e23f3fa0d1b2363e

SHA256
af1aaae01248b7baa3b857e0234d320c23fe482817253474f2870a91d48c4688

SHA512
d1b1d063abd3d61c5383460325d53f64427c475bd1c7a80b7feb4bb8e405620a593a36044ef5f5893464e91a1040f9551b499c47438e353bf454484bc223b42a

Download Submit
C:\Windows\{713AF22D-B538-4a0b-AF18-5FFEFA9B6346}.exe

Filesize
216KB

MD5
9bd25d0dcfbf948653bd93bb65c8a249

SHA1
037c730c254e6bab6a98c482aede628408c38631

SHA256
e1f5c85e83e8f97499ff0fbe0b768ac836cf4d404a36b6a8620cc9111a06bf53

SHA512
d0f57e891d19fa4c5efd098e434f7918392d139c543d22542c6649b34b04c06f0eb46d430ca969afd3dea5a9154f417eeafcb692acc3b3741fc964b89895bdac

Download Submit
C:\Windows\{77DDCDFE-6559-4f00-ACC1-F5117DAB9FF5}.exe

Filesize
216KB

MD5
5a849c9453b43f8c7af861135cd67420

SHA1
3612c5c3561c9070e81e8f07e6077607b6c4c0cb

SHA256
d70cd7a6ded5fa3cca06a9cdd46e044670cf2401954f861eea738253eb479641

SHA512
9f487b913b3343a5a04f3eaf9136b2a602a2754664797bd75b1bcd71ff9abadc5985c7f201d758d3114409910f2be0c6eeca2f66289d88b32e5a64e862fc2f63

Download Submit
C:\Windows\{9A92EE74-36F4-4394-A2B3-D9C36C830B67}.exe

Filesize
216KB

MD5
37ba49754394de2ae4c564fc02d7e161

SHA1
17b31cf7d6104374793a1a6c3a12a1df2c309f3a

SHA256
fa0af1c518f7691ecf768c0557120412ed716d4ddb696adaeb18089377fd8e91

SHA512
db7664189002f6d04416de94edd7b8b432608a3c60756fde8666d17566b97dfe917cbdf0b00caf6dbe7c835f25cd2005a4fdc58515e799f2b4efc48013ecc968

Download Submit
C:\Windows\{B5AA31DD-FA06-48fa-AB23-591BDB9691B8}.exe

Filesize
216KB

MD5
b21b237a579af3e56107a6b2ad184b7f

SHA1
a7eeec8784aad93deefd4ff9e6bc1ac5bf3c1f6a

SHA256
fd2923ed64b92b4f375dcd5c1eeae48fa616beadec9adf10a746e9040c40e53d

SHA512
1adedc1d0823a981967e57e3dd7d8d9012a4ad553197fe76a8c5bcec584290ae69745c7b3910f88b56652cf0c3f8f99903d8f9a4031235ff30db3d18aa054041

Download Submit
C:\Windows\{B72A072C-2B2D-45a1-A70D-70974C3FFA9C}.exe

Filesize
216KB

MD5
f2647e48b7fca7bbf93887f40083e32f

SHA1
533225d59b1ebd55a863fc5b7cf23e172ab5ade5

SHA256
408abf978bf36b82745726f7a899d320c9ab5a685ddeb352572d485cbb4a3a08

SHA512
bdaa370f2fbc87ea99477632434f480904bb2536ebde1927bc8e66d1ae427bde252795567d2f1416023f2f464294e5f69e29d5bf88f20a3fc0e6854412d7a992

Download Submit
C:\Windows\{DD20C602-2F9D-4475-8727-3BB8EB8645E6}.exe

Filesize
216KB

MD5
e3f50a1c0778976101c35b3e2c87f7ff

SHA1
d9a578d1f8ef957e50f94a516656b2b237632b36

SHA256
98830a7e44a1187ef36997d1ab35336e068a76dda50dd5c974e71249c502e62e

SHA512
e0b32e6468e7e971a2aa8bd27d10728d8bdfae3d81b76a553ffa5e5f4be37e6484bec48035e98a2582e9f42f249278aaf6dd873dc9a6d0ccc4c18bf10796f10c

Download Submit
C:\Windows\{E12DE1A6-8178-4e8e-990B-8EF558E866F5}.exe

Filesize
216KB

MD5
b0b60ec73bb5a3d95e900dacbf6110b4

SHA1
b580596e80e5a89fdb252538ae43de7b2beeb458

SHA256
f25628ea0d6572a71aec817d529fb0f56fa828ac2f819a9e5f7ed2140ea962f3

SHA512
51555e9d1ddf6b75e7192bacb25e823ed09f46be7e16b700310973d15aff8322d239c8ced4f6ad6d34492431b3ba15379370a645cd08785e007afc5d2c7e9640

Download Submit
C:\Windows\{E5490317-6171-48fa-AA59-1953546A099B}.exe

Filesize
216KB

MD5
5a33b528127c2148e91530a234f90166

SHA1
7b8981774e7f6865ea0c0a86b2943876e9de5cd1

SHA256
0f2dc85a77a42d057d4d2c8e4dedd8ff7f2e51e8c663ddde551b882169e1daee

SHA512
bf6e5ece24c3887e172cb5a9751a63a60e6f47f75d7ae60ef424fd834f06b7cfa2ce69f9bd26b7174d44c10be775f1d67aaccfd6c60f9acb737ba30d84484cbb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads