723c10ec1c6b6b331f17fa08437acfc0485ae4ee8a2d3c8197dccbfd4bcd5352

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe
Size

372KB
MD5

7903fb89198ede416f03b7dfffbf6228
SHA1

d22d316a50a6323ebbfa2ef24e8c762dad0f769b
SHA256

723c10ec1c6b6b331f17fa08437acfc0485ae4ee8a2d3c8197dccbfd4bcd5352
SHA512

096942af0e319547f266be887020799e6b225705364396d4438ee3217f32a62759d9ffe7bc275dd6918de6d145c46a855e70e97ce3b8cb9ff649de3dbfadcdb7
SSDEEP

3072:CEGh0oClMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEG8lkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001342e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x002a000000013a88-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001342e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0029000000013adc-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001342e-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001342e-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001342e-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D411F759-55C6-4cb5-8B39-DAAC311F2316}	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9825087-1FDB-4d87-88BD-44227C934875}	{11AD0977-0917-47fa-9EB1-76DC371A4B8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89076302-AE51-430c-A136-3807821088C8}	{F0840DCB-E6D7-497e-949A-FA83FF88444A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89076302-AE51-430c-A136-3807821088C8}\stubpath = "C:\\Windows\\{89076302-AE51-430c-A136-3807821088C8}.exe"	{F0840DCB-E6D7-497e-949A-FA83FF88444A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}\stubpath = "C:\\Windows\\{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe"	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D411F759-55C6-4cb5-8B39-DAAC311F2316}\stubpath = "C:\\Windows\\{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe"	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB7A977A-97AF-439f-A5ED-F15B95D4B509}	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}\stubpath = "C:\\Windows\\{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe"	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52926E05-0AC6-4d31-A238-D92D0430A676}	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52926E05-0AC6-4d31-A238-D92D0430A676}\stubpath = "C:\\Windows\\{52926E05-0AC6-4d31-A238-D92D0430A676}.exe"	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11AD0977-0917-47fa-9EB1-76DC371A4B8F}	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0840DCB-E6D7-497e-949A-FA83FF88444A}	{D9825087-1FDB-4d87-88BD-44227C934875}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}\stubpath = "C:\\Windows\\{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe"	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B05E34D-2A6A-4b57-98AC-578DA694352F}	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B05E34D-2A6A-4b57-98AC-578DA694352F}\stubpath = "C:\\Windows\\{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe"	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11AD0977-0917-47fa-9EB1-76DC371A4B8F}\stubpath = "C:\\Windows\\{11AD0977-0917-47fa-9EB1-76DC371A4B8F}.exe"	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9825087-1FDB-4d87-88BD-44227C934875}\stubpath = "C:\\Windows\\{D9825087-1FDB-4d87-88BD-44227C934875}.exe"	{11AD0977-0917-47fa-9EB1-76DC371A4B8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB7A977A-97AF-439f-A5ED-F15B95D4B509}\stubpath = "C:\\Windows\\{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe"	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0840DCB-E6D7-497e-949A-FA83FF88444A}\stubpath = "C:\\Windows\\{F0840DCB-E6D7-497e-949A-FA83FF88444A}.exe"	{D9825087-1FDB-4d87-88BD-44227C934875}.exe

Deletes itself 1 IoCs

pid	Process
2488	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2948	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe
2388	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe
2916	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe
856	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe
2680	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe
1644	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe
1352	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe
1320	{11AD0977-0917-47fa-9EB1-76DC371A4B8F}.exe
2036	{D9825087-1FDB-4d87-88BD-44227C934875}.exe
268	{F0840DCB-E6D7-497e-949A-FA83FF88444A}.exe
1712	{89076302-AE51-430c-A136-3807821088C8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe
File created	C:\Windows\{52926E05-0AC6-4d31-A238-D92D0430A676}.exe	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe
File created	C:\Windows\{F0840DCB-E6D7-497e-949A-FA83FF88444A}.exe	{D9825087-1FDB-4d87-88BD-44227C934875}.exe
File created	C:\Windows\{89076302-AE51-430c-A136-3807821088C8}.exe	{F0840DCB-E6D7-497e-949A-FA83FF88444A}.exe
File created	C:\Windows\{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe
File created	C:\Windows\{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe
File created	C:\Windows\{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe
File created	C:\Windows\{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe
File created	C:\Windows\{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe
File created	C:\Windows\{11AD0977-0917-47fa-9EB1-76DC371A4B8F}.exe	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe
File created	C:\Windows\{D9825087-1FDB-4d87-88BD-44227C934875}.exe	{11AD0977-0917-47fa-9EB1-76DC371A4B8F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2336	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2948	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe
Token: SeIncBasePriorityPrivilege	2388	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe
Token: SeIncBasePriorityPrivilege	2916	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe
Token: SeIncBasePriorityPrivilege	856	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe
Token: SeIncBasePriorityPrivilege	2680	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe
Token: SeIncBasePriorityPrivilege	1644	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe
Token: SeIncBasePriorityPrivilege	1352	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe
Token: SeIncBasePriorityPrivilege	1320	{11AD0977-0917-47fa-9EB1-76DC371A4B8F}.exe
Token: SeIncBasePriorityPrivilege	2036	{D9825087-1FDB-4d87-88BD-44227C934875}.exe
Token: SeIncBasePriorityPrivilege	268	{F0840DCB-E6D7-497e-949A-FA83FF88444A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2948	2336	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	28
PID 2336 wrote to memory of 2948	2336	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	28
PID 2336 wrote to memory of 2948	2336	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	28
PID 2336 wrote to memory of 2948	2336	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	28
PID 2336 wrote to memory of 2488	2336	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	29
PID 2336 wrote to memory of 2488	2336	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	29
PID 2336 wrote to memory of 2488	2336	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	29
PID 2336 wrote to memory of 2488	2336	2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe	29
PID 2948 wrote to memory of 2388	2948	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe	30
PID 2948 wrote to memory of 2388	2948	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe	30
PID 2948 wrote to memory of 2388	2948	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe	30
PID 2948 wrote to memory of 2388	2948	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe	30
PID 2948 wrote to memory of 2700	2948	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe	31
PID 2948 wrote to memory of 2700	2948	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe	31
PID 2948 wrote to memory of 2700	2948	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe	31
PID 2948 wrote to memory of 2700	2948	{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe	31
PID 2388 wrote to memory of 2916	2388	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe	32
PID 2388 wrote to memory of 2916	2388	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe	32
PID 2388 wrote to memory of 2916	2388	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe	32
PID 2388 wrote to memory of 2916	2388	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe	32
PID 2388 wrote to memory of 2492	2388	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe	33
PID 2388 wrote to memory of 2492	2388	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe	33
PID 2388 wrote to memory of 2492	2388	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe	33
PID 2388 wrote to memory of 2492	2388	{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe	33
PID 2916 wrote to memory of 856	2916	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe	36
PID 2916 wrote to memory of 856	2916	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe	36
PID 2916 wrote to memory of 856	2916	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe	36
PID 2916 wrote to memory of 856	2916	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe	36
PID 2916 wrote to memory of 1364	2916	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe	37
PID 2916 wrote to memory of 1364	2916	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe	37
PID 2916 wrote to memory of 1364	2916	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe	37
PID 2916 wrote to memory of 1364	2916	{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe	37
PID 856 wrote to memory of 2680	856	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe	38
PID 856 wrote to memory of 2680	856	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe	38
PID 856 wrote to memory of 2680	856	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe	38
PID 856 wrote to memory of 2680	856	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe	38
PID 856 wrote to memory of 2340	856	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe	39
PID 856 wrote to memory of 2340	856	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe	39
PID 856 wrote to memory of 2340	856	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe	39
PID 856 wrote to memory of 2340	856	{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe	39
PID 2680 wrote to memory of 1644	2680	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe	40
PID 2680 wrote to memory of 1644	2680	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe	40
PID 2680 wrote to memory of 1644	2680	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe	40
PID 2680 wrote to memory of 1644	2680	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe	40
PID 2680 wrote to memory of 1856	2680	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe	41
PID 2680 wrote to memory of 1856	2680	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe	41
PID 2680 wrote to memory of 1856	2680	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe	41
PID 2680 wrote to memory of 1856	2680	{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe	41
PID 1644 wrote to memory of 1352	1644	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe	42
PID 1644 wrote to memory of 1352	1644	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe	42
PID 1644 wrote to memory of 1352	1644	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe	42
PID 1644 wrote to memory of 1352	1644	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe	42
PID 1644 wrote to memory of 1436	1644	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe	43
PID 1644 wrote to memory of 1436	1644	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe	43
PID 1644 wrote to memory of 1436	1644	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe	43
PID 1644 wrote to memory of 1436	1644	{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe	43
PID 1352 wrote to memory of 1320	1352	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe	44
PID 1352 wrote to memory of 1320	1352	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe	44
PID 1352 wrote to memory of 1320	1352	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe	44
PID 1352 wrote to memory of 1320	1352	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe	44
PID 1352 wrote to memory of 2768	1352	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe	45
PID 1352 wrote to memory of 2768	1352	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe	45
PID 1352 wrote to memory of 2768	1352	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe	45
PID 1352 wrote to memory of 2768	1352	{52926E05-0AC6-4d31-A238-D92D0430A676}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-04_7903fb89198ede416f03b7dfffbf6228_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe
  C:\Windows\{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe
    C:\Windows\{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe
      C:\Windows\{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe
        
        C:\Windows\{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Windows\{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe
        
        C:\Windows\{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe
        
        C:\Windows\{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\{52926E05-0AC6-4d31-A238-D92D0430A676}.exe
        
        C:\Windows\{52926E05-0AC6-4d31-A238-D92D0430A676}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{11AD0977-0917-47fa-9EB1-76DC371A4B8F}.exe
        
        C:\Windows\{11AD0977-0917-47fa-9EB1-76DC371A4B8F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\{D9825087-1FDB-4d87-88BD-44227C934875}.exe
        
        C:\Windows\{D9825087-1FDB-4d87-88BD-44227C934875}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{F0840DCB-E6D7-497e-949A-FA83FF88444A}.exe
        
        C:\Windows\{F0840DCB-E6D7-497e-949A-FA83FF88444A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
        
        C:\Windows\{89076302-AE51-430c-A136-3807821088C8}.exe
        
        C:\Windows\{89076302-AE51-430c-A136-3807821088C8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0840~1.EXE > nul
        12⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9825~1.EXE > nul
        11⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11AD0~1.EXE > nul
        10⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52926~1.EXE > nul
        9⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B05E~1.EXE > nul
        8⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76B6A~1.EXE > nul
        7⤵
        
        PID:1856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F31AD~1.EXE > nul
        6⤵
        
        PID:2340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB7A9~1.EXE > nul
        5⤵
        
        PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D411F~1.EXE > nul
      4⤵
      PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E549~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11AD0977-0917-47fa-9EB1-76DC371A4B8F}.exe

Filesize
372KB

MD5
9c3e362278f55fc985b64fdf873fe042

SHA1
1d3ac4e3659d67387645acf7a4a8afc0eb41557f

SHA256
ede4430b57f838567e8dcbd424480520f4d959e801044207946b3f041d3ce246

SHA512
6747a740a89b17d13ec44330136cebc83f4459a67762dc04005c2609d83c741fd020e33292afcb16b16a63d723e189a6b429851bd46b45452adbebdf195aa5a2

Download Submit
C:\Windows\{52926E05-0AC6-4d31-A238-D92D0430A676}.exe

Filesize
372KB

MD5
5144b77aabaf4424358a53baf8274f11

SHA1
d15a1f1707f8696276cb19062da08151a6988491

SHA256
e06d42a7321dbd884f83895fe1e247169a86f177c1bd07a2938a669321be6e74

SHA512
bb4ffbe2f79dc7ddf04b827a23f046f859efb38ce602b53e52d299adbc22a277692ba583ae665b5bb826a66b2def499f62c7079471d23ae719d76a9e2f767086

Download Submit
C:\Windows\{6E5498AF-BF43-4376-8F55-6B985CF1EC7E}.exe

Filesize
372KB

MD5
ce8fa70256a68b28ea37a16a91219560

SHA1
f98bfed37d17912d21d731cd3be8095c8a9afa56

SHA256
755b0d1e6376df8866793291d325573fa129af36774c257a5deb977aadbebd02

SHA512
43bb44805869ce3e31bae385e9672e6af6ebfaa04dc47f99339a0313da2fecd4d45c3f4aa3c188b72535a669993600ba271e3e0f219c22f67e74be89427ed210

Download Submit
C:\Windows\{76B6A7B5-C0AB-4f9e-A711-6E76B5AB895D}.exe

Filesize
372KB

MD5
1625dc1284933fe6fc5ec589b3321d15

SHA1
2c5864814c13715cfe26380e38b9ab40b7331f0f

SHA256
2a9644f060b6983e44c4371369200a67b895118358a6444336b55b521c1accf1

SHA512
1305520eb75fb83119a9f40c8081dbb0bb7ca024894f861604e1982da90cb805f5b0656b48b074c8fdd4490b7253a283e4134238fdee2436c9194ea590a14d22

Download Submit
C:\Windows\{7B05E34D-2A6A-4b57-98AC-578DA694352F}.exe

Filesize
372KB

MD5
e7bfb759464fe0c4328a614f86770ee5

SHA1
7922d3301634bc212a826dc7cef1523b133c3510

SHA256
00453ba702d7e7f8842717ed2808044031b01e08eca77805b59ebf9f00a32e44

SHA512
8ca23def628a69dc484fdfd69f883dbd13bb5d872183c956db2474bbd9221aab1f58f4a5da5299a38cb594c817b8e6f40d5072208da4ea9dcffee99df27335e0

Download Submit
C:\Windows\{89076302-AE51-430c-A136-3807821088C8}.exe

Filesize
372KB

MD5
1e5aab232bfe62ca36256ed336016d16

SHA1
a17881375911baa512cd700372e69846d29c3c52

SHA256
cf2ca910b2bf25196248494fd244749598ff9db766d927949231c19c924b2fcd

SHA512
66980f5632fc26a0c5e0d6506e3451c6ef28a3ecd553b0d2e891533ea975b46c46d97284decb0a4e97a8fa930f0c39e692db2f7a00afa974004e9a736a1241ed

Download Submit
C:\Windows\{D411F759-55C6-4cb5-8B39-DAAC311F2316}.exe

Filesize
372KB

MD5
a6297ac87fb2f9cc6efb93f9e3dc10a6

SHA1
bd89c044ccfdb9fce0a1a86008280dec230fd520

SHA256
86ef6d3076f044c7098536d8301858d5882646d1c72a605b3713b8e521941c91

SHA512
8bf76b8511591824dffe7d3437413f2f6bdc8de0e2df0fc511c82635327440161083b4cd687b87c5cd269d09bf81f9c75f18d783304bf6c22b533697443b5725

Download Submit
C:\Windows\{D9825087-1FDB-4d87-88BD-44227C934875}.exe

Filesize
372KB

MD5
1f4144893f166ab50cbea9f08ad57bc5

SHA1
267c400f3461c88cae0784b5782868043adb4f7a

SHA256
0ae04a96c6be6eb55a1a0228927979b072f05632c60cfb2b43ef46c3a686adbb

SHA512
331679db8501fdc3aada8a38c0b5958f84ec6debdf0cc4a2a666d9f8b9a15dc74df3fb785a55ce56595e8e5a34433e01b28255e0a5c692c0f733a4f31ac4e5b7

Download Submit
C:\Windows\{DB7A977A-97AF-439f-A5ED-F15B95D4B509}.exe

Filesize
372KB

MD5
67dfafd7de4039567f06a53e7a343407

SHA1
efcf5d845bee6cf8a218b63581462a2b0f2d6f5a

SHA256
bd787db00fa5d99b81cfe3c6ae7cef9298434f66a913671dc448fa7602a5bc9e

SHA512
cdf9724eafa26c6cac5e0ecf428e4ae7e10835d22cef8a89fb8201fde08a65bbd3e7280e00007b1c04ad1b55f8850d6dcdca684fb70b99254b02f48e00ff0c37

Download Submit
C:\Windows\{F0840DCB-E6D7-497e-949A-FA83FF88444A}.exe

Filesize
372KB

MD5
af837af2f4406adfacebaef52a2e517f

SHA1
cca0c50c24f98f564c8900504921019f6c09995b

SHA256
47fa6c170ca823f7f405aa89d8aeac76189abe1a958053ef3294a6e54d734dcb

SHA512
f9ae38ecbc521269f3505855073ce9de42be855069e64872ac20a412d851991cf8a50bf0e9b62a95a9555c1e8cb37153ad0cb73f739f9261c264e57c733aa88a

Download Submit
C:\Windows\{F31AD809-E8EA-4760-80A3-E0D4FAB70A04}.exe

Filesize
372KB

MD5
ce09d1df70e42647ec54d567cbe56af4

SHA1
af3536eb198deec1b96f4ec4a35a81053cb66a56

SHA256
94e433904f3a230a760086cfffc7dfafdc6b56bd22a98356f562cff97a876f59

SHA512
db35995527bc5119f4b5a00dca5d335f77a761e052a8f6f9aea9a2354dc93ef7f7fc13e22f8766bf62544baccdf4465615dabf599b000eba07283e5f5e1078c0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads