9ca513d9cac3b635578fe370f25e495bfffb14b6c1d59d0d0d4821d5fb5b47d1

Analysis

max time kernel
144s
max time network
117s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe
Size

380KB
MD5

8688031bfd82e7066eb671e98204f1bd
SHA1

7ed38933891867e42fbd19e3df2dbefd2c7dd8ff
SHA256

9ca513d9cac3b635578fe370f25e495bfffb14b6c1d59d0d0d4821d5fb5b47d1
SHA512

32fa43aaf137a802a23ab7d1d2563cd36e047dfb0932b62ce1f4c6d28afb451de58d121c49cee06d85fdf0bf290d15312b6a7ba52957b5920ad60ce36699f9de
SSDEEP

3072:mEGh0omlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGgl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000015cce-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a000000015d4c-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000015cce-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0028000000015e09-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000015cce-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000015cce-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000015cce-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0029000000015e09-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4312A824-7194-419b-94BA-0716995B0E37}	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32BF1556-116F-42e1-8769-9A54F49AF229}\stubpath = "C:\\Windows\\{32BF1556-116F-42e1-8769-9A54F49AF229}.exe"	{4312A824-7194-419b-94BA-0716995B0E37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}\stubpath = "C:\\Windows\\{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe"	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{959740E1-29DC-4ee6-B145-0DCD65E49068}\stubpath = "C:\\Windows\\{959740E1-29DC-4ee6-B145-0DCD65E49068}.exe"	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8D03E9A-C5EF-4456-A97B-F092D245A1A2}\stubpath = "C:\\Windows\\{E8D03E9A-C5EF-4456-A97B-F092D245A1A2}.exe"	{69840FD4-E9AE-4078-862B-A9799156EEBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D567AA9-B45C-4ff6-985B-43EED8D1D401}	{E8D03E9A-C5EF-4456-A97B-F092D245A1A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E34C9CF-C855-454d-A48B-797662315D56}\stubpath = "C:\\Windows\\{6E34C9CF-C855-454d-A48B-797662315D56}.exe"	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}\stubpath = "C:\\Windows\\{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe"	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69840FD4-E9AE-4078-862B-A9799156EEBB}	{959740E1-29DC-4ee6-B145-0DCD65E49068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8D03E9A-C5EF-4456-A97B-F092D245A1A2}	{69840FD4-E9AE-4078-862B-A9799156EEBB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E34C9CF-C855-454d-A48B-797662315D56}	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}	{6E34C9CF-C855-454d-A48B-797662315D56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}\stubpath = "C:\\Windows\\{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe"	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{959740E1-29DC-4ee6-B145-0DCD65E49068}	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D567AA9-B45C-4ff6-985B-43EED8D1D401}\stubpath = "C:\\Windows\\{2D567AA9-B45C-4ff6-985B-43EED8D1D401}.exe"	{E8D03E9A-C5EF-4456-A97B-F092D245A1A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}\stubpath = "C:\\Windows\\{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe"	{6E34C9CF-C855-454d-A48B-797662315D56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4312A824-7194-419b-94BA-0716995B0E37}\stubpath = "C:\\Windows\\{4312A824-7194-419b-94BA-0716995B0E37}.exe"	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69840FD4-E9AE-4078-862B-A9799156EEBB}\stubpath = "C:\\Windows\\{69840FD4-E9AE-4078-862B-A9799156EEBB}.exe"	{959740E1-29DC-4ee6-B145-0DCD65E49068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32BF1556-116F-42e1-8769-9A54F49AF229}	{4312A824-7194-419b-94BA-0716995B0E37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe

Deletes itself 1 IoCs

pid	Process
2056	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2204	{6E34C9CF-C855-454d-A48B-797662315D56}.exe
2672	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe
2408	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe
2964	{4312A824-7194-419b-94BA-0716995B0E37}.exe
2932	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe
1624	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe
1960	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe
1296	{959740E1-29DC-4ee6-B145-0DCD65E49068}.exe
2036	{69840FD4-E9AE-4078-862B-A9799156EEBB}.exe
2068	{E8D03E9A-C5EF-4456-A97B-F092D245A1A2}.exe
2640	{2D567AA9-B45C-4ff6-985B-43EED8D1D401}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe
File created	C:\Windows\{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe
File created	C:\Windows\{959740E1-29DC-4ee6-B145-0DCD65E49068}.exe	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe
File created	C:\Windows\{E8D03E9A-C5EF-4456-A97B-F092D245A1A2}.exe	{69840FD4-E9AE-4078-862B-A9799156EEBB}.exe
File created	C:\Windows\{2D567AA9-B45C-4ff6-985B-43EED8D1D401}.exe	{E8D03E9A-C5EF-4456-A97B-F092D245A1A2}.exe
File created	C:\Windows\{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe	{6E34C9CF-C855-454d-A48B-797662315D56}.exe
File created	C:\Windows\{4312A824-7194-419b-94BA-0716995B0E37}.exe	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe
File created	C:\Windows\{32BF1556-116F-42e1-8769-9A54F49AF229}.exe	{4312A824-7194-419b-94BA-0716995B0E37}.exe
File created	C:\Windows\{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe
File created	C:\Windows\{69840FD4-E9AE-4078-862B-A9799156EEBB}.exe	{959740E1-29DC-4ee6-B145-0DCD65E49068}.exe
File created	C:\Windows\{6E34C9CF-C855-454d-A48B-797662315D56}.exe	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3028	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2204	{6E34C9CF-C855-454d-A48B-797662315D56}.exe
Token: SeIncBasePriorityPrivilege	2672	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe
Token: SeIncBasePriorityPrivilege	2408	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe
Token: SeIncBasePriorityPrivilege	2964	{4312A824-7194-419b-94BA-0716995B0E37}.exe
Token: SeIncBasePriorityPrivilege	2932	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe
Token: SeIncBasePriorityPrivilege	1624	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe
Token: SeIncBasePriorityPrivilege	1960	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe
Token: SeIncBasePriorityPrivilege	1296	{959740E1-29DC-4ee6-B145-0DCD65E49068}.exe
Token: SeIncBasePriorityPrivilege	2036	{69840FD4-E9AE-4078-862B-A9799156EEBB}.exe
Token: SeIncBasePriorityPrivilege	2068	{E8D03E9A-C5EF-4456-A97B-F092D245A1A2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2204	3028	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	28
PID 3028 wrote to memory of 2204	3028	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	28
PID 3028 wrote to memory of 2204	3028	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	28
PID 3028 wrote to memory of 2204	3028	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	28
PID 3028 wrote to memory of 2056	3028	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	29
PID 3028 wrote to memory of 2056	3028	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	29
PID 3028 wrote to memory of 2056	3028	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	29
PID 3028 wrote to memory of 2056	3028	2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe	29
PID 2204 wrote to memory of 2672	2204	{6E34C9CF-C855-454d-A48B-797662315D56}.exe	30
PID 2204 wrote to memory of 2672	2204	{6E34C9CF-C855-454d-A48B-797662315D56}.exe	30
PID 2204 wrote to memory of 2672	2204	{6E34C9CF-C855-454d-A48B-797662315D56}.exe	30
PID 2204 wrote to memory of 2672	2204	{6E34C9CF-C855-454d-A48B-797662315D56}.exe	30
PID 2204 wrote to memory of 2604	2204	{6E34C9CF-C855-454d-A48B-797662315D56}.exe	31
PID 2204 wrote to memory of 2604	2204	{6E34C9CF-C855-454d-A48B-797662315D56}.exe	31
PID 2204 wrote to memory of 2604	2204	{6E34C9CF-C855-454d-A48B-797662315D56}.exe	31
PID 2204 wrote to memory of 2604	2204	{6E34C9CF-C855-454d-A48B-797662315D56}.exe	31
PID 2672 wrote to memory of 2408	2672	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe	32
PID 2672 wrote to memory of 2408	2672	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe	32
PID 2672 wrote to memory of 2408	2672	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe	32
PID 2672 wrote to memory of 2408	2672	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe	32
PID 2672 wrote to memory of 2824	2672	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe	33
PID 2672 wrote to memory of 2824	2672	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe	33
PID 2672 wrote to memory of 2824	2672	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe	33
PID 2672 wrote to memory of 2824	2672	{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe	33
PID 2408 wrote to memory of 2964	2408	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe	36
PID 2408 wrote to memory of 2964	2408	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe	36
PID 2408 wrote to memory of 2964	2408	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe	36
PID 2408 wrote to memory of 2964	2408	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe	36
PID 2408 wrote to memory of 1408	2408	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe	37
PID 2408 wrote to memory of 1408	2408	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe	37
PID 2408 wrote to memory of 1408	2408	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe	37
PID 2408 wrote to memory of 1408	2408	{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe	37
PID 2964 wrote to memory of 2932	2964	{4312A824-7194-419b-94BA-0716995B0E37}.exe	38
PID 2964 wrote to memory of 2932	2964	{4312A824-7194-419b-94BA-0716995B0E37}.exe	38
PID 2964 wrote to memory of 2932	2964	{4312A824-7194-419b-94BA-0716995B0E37}.exe	38
PID 2964 wrote to memory of 2932	2964	{4312A824-7194-419b-94BA-0716995B0E37}.exe	38
PID 2964 wrote to memory of 2996	2964	{4312A824-7194-419b-94BA-0716995B0E37}.exe	39
PID 2964 wrote to memory of 2996	2964	{4312A824-7194-419b-94BA-0716995B0E37}.exe	39
PID 2964 wrote to memory of 2996	2964	{4312A824-7194-419b-94BA-0716995B0E37}.exe	39
PID 2964 wrote to memory of 2996	2964	{4312A824-7194-419b-94BA-0716995B0E37}.exe	39
PID 2932 wrote to memory of 1624	2932	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe	40
PID 2932 wrote to memory of 1624	2932	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe	40
PID 2932 wrote to memory of 1624	2932	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe	40
PID 2932 wrote to memory of 1624	2932	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe	40
PID 2932 wrote to memory of 1524	2932	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe	41
PID 2932 wrote to memory of 1524	2932	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe	41
PID 2932 wrote to memory of 1524	2932	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe	41
PID 2932 wrote to memory of 1524	2932	{32BF1556-116F-42e1-8769-9A54F49AF229}.exe	41
PID 1624 wrote to memory of 1960	1624	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe	42
PID 1624 wrote to memory of 1960	1624	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe	42
PID 1624 wrote to memory of 1960	1624	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe	42
PID 1624 wrote to memory of 1960	1624	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe	42
PID 1624 wrote to memory of 2740	1624	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe	43
PID 1624 wrote to memory of 2740	1624	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe	43
PID 1624 wrote to memory of 2740	1624	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe	43
PID 1624 wrote to memory of 2740	1624	{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe	43
PID 1960 wrote to memory of 1296	1960	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe	44
PID 1960 wrote to memory of 1296	1960	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe	44
PID 1960 wrote to memory of 1296	1960	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe	44
PID 1960 wrote to memory of 1296	1960	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe	44
PID 1960 wrote to memory of 1516	1960	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe	45
PID 1960 wrote to memory of 1516	1960	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe	45
PID 1960 wrote to memory of 1516	1960	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe	45
PID 1960 wrote to memory of 1516	1960	{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-03_8688031bfd82e7066eb671e98204f1bd_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\{6E34C9CF-C855-454d-A48B-797662315D56}.exe
  C:\Windows\{6E34C9CF-C855-454d-A48B-797662315D56}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe
    C:\Windows\{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe
      C:\Windows\{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\{4312A824-7194-419b-94BA-0716995B0E37}.exe
        
        C:\Windows\{4312A824-7194-419b-94BA-0716995B0E37}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\{32BF1556-116F-42e1-8769-9A54F49AF229}.exe
        
        C:\Windows\{32BF1556-116F-42e1-8769-9A54F49AF229}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe
        
        C:\Windows\{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe
        
        C:\Windows\{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\{959740E1-29DC-4ee6-B145-0DCD65E49068}.exe
        
        C:\Windows\{959740E1-29DC-4ee6-B145-0DCD65E49068}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\{69840FD4-E9AE-4078-862B-A9799156EEBB}.exe
        
        C:\Windows\{69840FD4-E9AE-4078-862B-A9799156EEBB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{E8D03E9A-C5EF-4456-A97B-F092D245A1A2}.exe
        
        C:\Windows\{E8D03E9A-C5EF-4456-A97B-F092D245A1A2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\{2D567AA9-B45C-4ff6-985B-43EED8D1D401}.exe
        
        C:\Windows\{2D567AA9-B45C-4ff6-985B-43EED8D1D401}.exe
        12⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8D03~1.EXE > nul
        12⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69840~1.EXE > nul
        11⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95974~1.EXE > nul
        10⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D245~1.EXE > nul
        9⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D7A8~1.EXE > nul
        8⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32BF1~1.EXE > nul
        7⤵
        
        PID:1524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4312A~1.EXE > nul
        6⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53BFC~1.EXE > nul
        5⤵
        
        PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{00FEC~1.EXE > nul
      4⤵
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E34C~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00FEC319-3F83-4306-A94D-2C1F0DFEBE28}.exe

Filesize
380KB

MD5
c61f13764d05be48e7ed25f112a8dac1

SHA1
85cd93e01bf6a00933b97c83fa1a7f810982e31c

SHA256
43f6a0390ebee12873fded44690bb043261a0f3d0e67c971e8d39794c5819034

SHA512
f2bc6625f6e294c08237a499392bd5e46e6cb4a616b3c30dc8a3391bf150ea94b44afd49f9e74a6c4d3dcde52d5b856a0f4bf656ce2fda2d76100ff3d86efb7e

Download Submit
C:\Windows\{2D567AA9-B45C-4ff6-985B-43EED8D1D401}.exe

Filesize
380KB

MD5
096260ed59b2443338ef349e274de728

SHA1
1b2231f5247e201ac5a48e5e49e0ddbd300f3a49

SHA256
ca2319d9dd7f54d0fb76d4d8106f3eef062dd9960e206d82fb3083183f3de992

SHA512
f46a9a00e119c073cd2965d043cda420c60920e220da8f99f303e62695e13095845a4b4ffcef9fddc22e56121f988d73bf78badc4823513ad1cd452b135daa1f

Download Submit
C:\Windows\{2D7A8E85-AD38-405c-BF5B-7BCD625D0AFC}.exe

Filesize
380KB

MD5
9322e018daee2e1d0367647e0fe02013

SHA1
0457ae5e795e605342e7d10cf646ce34ebb7b56d

SHA256
0642464e039575fb366bcb07f6da94daebfef8090eac5d2a07f6d4bd54c3089a

SHA512
b0205733a760b35a65ca5a89d781f25cffaf9b4e945fe7ba200ee83826a5cf01a61bb284e2169373640137c20d2d6b1a209959beedc54dc20d523c959dc911fb

Download Submit
C:\Windows\{32BF1556-116F-42e1-8769-9A54F49AF229}.exe

Filesize
380KB

MD5
3997a83cb5a8d9ae5306bc8fd6765bc0

SHA1
fd4469d926501138099e90bd07e99f90ef48b766

SHA256
8cafd830861f96581d229e75495db2b32e486a93e96890346d2d43eed04a95fe

SHA512
8c13cbdcbdb2c2c8c7ed9289bb0ddc5b523d2299223d9e82ba9f1a18e461844101789e45a59316a669045720f924d489e357e4a7885d2138e538e7a435488feb

Download Submit
C:\Windows\{4312A824-7194-419b-94BA-0716995B0E37}.exe

Filesize
380KB

MD5
45c2fda9f5dd819b0a96257d30c002d7

SHA1
78b77079e607d7926a0657d53b421b1bfa1bb214

SHA256
6b6fe8fc731f023179223009609acdb2b4fefc5016e2fc81235415bc89a20029

SHA512
05ffe2626bed307946b02c120f3bc101863013958181adaa676fab22458cdddc3ed7c0977044f27f6b3f5886f5b226ff6e88549a820b6708ef85bac6abf0a198

Download Submit
C:\Windows\{4D245A5C-0A44-4ead-8C78-613EB24E8AFD}.exe

Filesize
380KB

MD5
be597de71abd7e405e421b39099d6579

SHA1
49f43cc25fd4914a400f489779c4e8bd7aaeee49

SHA256
bb36f78777541cd1cb0a386e4b8df12f1496c39acc9860b7a7c646856811e388

SHA512
c3f95c175f2b4e0053786ebdb37a5ebb5ead086bd18b8eb33bfb9beab0f613cdb73557ba4e08003f451e78346e81941488d61fb99f057c11e93e80224f9d3244

Download Submit
C:\Windows\{53BFC73D-78AC-4477-8CD3-62C91B72B2B3}.exe

Filesize
380KB

MD5
5f53031d0e11123f66fcdfc619c5b9a3

SHA1
bbbae8e6864b9338e24a4d10c51e3a732dac3964

SHA256
87422cdf842eb8dfac42d71c7625ca8d9d1fa10aaabd562e2f888f51a3c9dca1

SHA512
2671606bf70466dd667d3c1bfafdb94396dd4f3d52f757c3d3f0de0971c279ece1ba1348ca5cdb2f4f3c7cb973c84ae7c40990904207993ab8884e3974f415b7

Download Submit
C:\Windows\{69840FD4-E9AE-4078-862B-A9799156EEBB}.exe

Filesize
380KB

MD5
e1ddd0e526860d9cdd39b97951628a37

SHA1
cbf23269bbb979e62f10b7da6796ac0baea67616

SHA256
3f950364b04929230eaa5a19169a34a54ae8f14202b52c86c1100a7864af0794

SHA512
4954d096682b0016a2e28f9266190419015760b630556c15f20e92f4be333adef3359ce9756b4d11f6d543634b40c941065f3a6dd97631fa30e8c02a752858a0

Download Submit
C:\Windows\{6E34C9CF-C855-454d-A48B-797662315D56}.exe

Filesize
380KB

MD5
d214249dcb31d3d7a838eca97a9d6e99

SHA1
928b80750606de8f711a25ac725f64293a0493d1

SHA256
6f4aed9cb919bd69f1fd7a3a61a9037e66ce915ea464523c54a91acfca3ebd68

SHA512
18919e00435fa65f85cd1cf406df8fe76b9b21339bb80b528b7f798e08a40401281b74705a324a72ae317cf209500e85f30a1efbcb48b1bd5e8ed1fadc99a29e

Download Submit
C:\Windows\{959740E1-29DC-4ee6-B145-0DCD65E49068}.exe

Filesize
380KB

MD5
277b413ee4bb1e41b25ecf44b3ddd5d2

SHA1
480d029b212f9309d422267194cf106a12945cd8

SHA256
42b868593378b679170d60edbd592543694154981ce9a1a56870e72599a812a4

SHA512
51185c6cbe4f02f9069b79cb58123e91b9eb725bac2d4f6e2bfeba7e25464201b64ebcfe0b257c34209ecf3751e21ac35115eaaa09ba5bb04dcb06a969def335

Download Submit
C:\Windows\{E8D03E9A-C5EF-4456-A97B-F092D245A1A2}.exe

Filesize
380KB

MD5
6dbe6395c81b1925685b3958294fb9b3

SHA1
c6b2e62cd12ca57338a7bfb699f4ad720b55ae2b

SHA256
a8a0b7f458cbe0b850708570606227af51ace42a6f5e0afdf1e3bd36eb15df67

SHA512
20fa9e3c60745d832f348cf422d120eb9f4049c9220afdd116723bbb11c800fcbe5261bd4f19fb230aa9a1017201318a438b0be82bf91745ef6f8693c11a2c6c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads