d38dd6ef619e38bba454bec31aaa0b830984f5eb7113b6064f4ba40f30685360

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 23:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe
Size

197KB
MD5

1e1f5ae7e17cc5c78c654c6d89b671f9
SHA1

7b52227d8c0a95d6d23e1b91c8e36c300a449cbf
SHA256

d38dd6ef619e38bba454bec31aaa0b830984f5eb7113b6064f4ba40f30685360
SHA512

a4f14430d8f51ae70954a2ed8db62efab7fbf32b5952d5f620424df3b63c9fb3c0e5645450ed854e6fbf6179529917f185be2476c0e868978941774c4683e1ed
SSDEEP

3072:jEGh0o4l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGqlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001227e-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0034000000015ccf-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001227e-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001227e-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001227e-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001227e-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001227e-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BEF93D2-B48E-426d-8955-805D5A22FA2D}	{D62A0C85-360B-495e-B32C-7697D17FC83C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{168549C8-9B29-4e31-A528-908FEC80519E}\stubpath = "C:\\Windows\\{168549C8-9B29-4e31-A528-908FEC80519E}.exe"	{7BEF93D2-B48E-426d-8955-805D5A22FA2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}\stubpath = "C:\\Windows\\{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe"	2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8989269-D6F0-4369-B5BF-8C72270B69E5}\stubpath = "C:\\Windows\\{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe"	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D62A0C85-360B-495e-B32C-7697D17FC83C}\stubpath = "C:\\Windows\\{D62A0C85-360B-495e-B32C-7697D17FC83C}.exe"	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1C12B3F-D2C5-4b21-9FD7-FC54B6121EE0}	{168549C8-9B29-4e31-A528-908FEC80519E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1C12B3F-D2C5-4b21-9FD7-FC54B6121EE0}\stubpath = "C:\\Windows\\{F1C12B3F-D2C5-4b21-9FD7-FC54B6121EE0}.exe"	{168549C8-9B29-4e31-A528-908FEC80519E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}	2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{706F163C-4434-43e5-A230-6A14E728AF1A}	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D62A0C85-360B-495e-B32C-7697D17FC83C}	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{168549C8-9B29-4e31-A528-908FEC80519E}	{7BEF93D2-B48E-426d-8955-805D5A22FA2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E5C6F84-1A57-46bc-A3B4-7B6070764309}\stubpath = "C:\\Windows\\{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe"	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8989269-D6F0-4369-B5BF-8C72270B69E5}	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}\stubpath = "C:\\Windows\\{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe"	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED82A344-1424-44cd-9B0F-9C369172FF18}	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED82A344-1424-44cd-9B0F-9C369172FF18}\stubpath = "C:\\Windows\\{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe"	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BEF93D2-B48E-426d-8955-805D5A22FA2D}\stubpath = "C:\\Windows\\{7BEF93D2-B48E-426d-8955-805D5A22FA2D}.exe"	{D62A0C85-360B-495e-B32C-7697D17FC83C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E5C6F84-1A57-46bc-A3B4-7B6070764309}	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{706F163C-4434-43e5-A230-6A14E728AF1A}\stubpath = "C:\\Windows\\{706F163C-4434-43e5-A230-6A14E728AF1A}.exe"	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}\stubpath = "C:\\Windows\\{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe"	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe

Deletes itself 1 IoCs

pid	Process
2620	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2072	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe
2876	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe
2536	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe
1932	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe
2960	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe
960	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe
1796	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe
2408	{D62A0C85-360B-495e-B32C-7697D17FC83C}.exe
2608	{7BEF93D2-B48E-426d-8955-805D5A22FA2D}.exe
2900	{168549C8-9B29-4e31-A528-908FEC80519E}.exe
1184	{F1C12B3F-D2C5-4b21-9FD7-FC54B6121EE0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7BEF93D2-B48E-426d-8955-805D5A22FA2D}.exe	{D62A0C85-360B-495e-B32C-7697D17FC83C}.exe
File created	C:\Windows\{F1C12B3F-D2C5-4b21-9FD7-FC54B6121EE0}.exe	{168549C8-9B29-4e31-A528-908FEC80519E}.exe
File created	C:\Windows\{706F163C-4434-43e5-A230-6A14E728AF1A}.exe	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe
File created	C:\Windows\{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe
File created	C:\Windows\{D62A0C85-360B-495e-B32C-7697D17FC83C}.exe	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe
File created	C:\Windows\{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe
File created	C:\Windows\{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe
File created	C:\Windows\{168549C8-9B29-4e31-A528-908FEC80519E}.exe	{7BEF93D2-B48E-426d-8955-805D5A22FA2D}.exe
File created	C:\Windows\{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe	2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe
File created	C:\Windows\{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe
File created	C:\Windows\{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1956	2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2072	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe
Token: SeIncBasePriorityPrivilege	2876	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe
Token: SeIncBasePriorityPrivilege	2536	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe
Token: SeIncBasePriorityPrivilege	1932	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe
Token: SeIncBasePriorityPrivilege	2960	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe
Token: SeIncBasePriorityPrivilege	960	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe
Token: SeIncBasePriorityPrivilege	1796	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe
Token: SeIncBasePriorityPrivilege	2408	{D62A0C85-360B-495e-B32C-7697D17FC83C}.exe
Token: SeIncBasePriorityPrivilege	2608	{7BEF93D2-B48E-426d-8955-805D5A22FA2D}.exe
Token: SeIncBasePriorityPrivilege	2900	{168549C8-9B29-4e31-A528-908FEC80519E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2072	1956	2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe	28
PID 1956 wrote to memory of 2072	1956	2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe	28
PID 1956 wrote to memory of 2072	1956	2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe	28
PID 1956 wrote to memory of 2072	1956	2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe	28
PID 1956 wrote to memory of 2620	1956	2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe	29
PID 1956 wrote to memory of 2620	1956	2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe	29
PID 1956 wrote to memory of 2620	1956	2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe	29
PID 1956 wrote to memory of 2620	1956	2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe	29
PID 2072 wrote to memory of 2876	2072	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe	30
PID 2072 wrote to memory of 2876	2072	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe	30
PID 2072 wrote to memory of 2876	2072	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe	30
PID 2072 wrote to memory of 2876	2072	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe	30
PID 2072 wrote to memory of 1692	2072	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe	31
PID 2072 wrote to memory of 1692	2072	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe	31
PID 2072 wrote to memory of 1692	2072	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe	31
PID 2072 wrote to memory of 1692	2072	{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe	31
PID 2876 wrote to memory of 2536	2876	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe	32
PID 2876 wrote to memory of 2536	2876	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe	32
PID 2876 wrote to memory of 2536	2876	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe	32
PID 2876 wrote to memory of 2536	2876	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe	32
PID 2876 wrote to memory of 2780	2876	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe	33
PID 2876 wrote to memory of 2780	2876	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe	33
PID 2876 wrote to memory of 2780	2876	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe	33
PID 2876 wrote to memory of 2780	2876	{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe	33
PID 2536 wrote to memory of 1932	2536	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe	36
PID 2536 wrote to memory of 1932	2536	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe	36
PID 2536 wrote to memory of 1932	2536	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe	36
PID 2536 wrote to memory of 1932	2536	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe	36
PID 2536 wrote to memory of 2256	2536	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe	37
PID 2536 wrote to memory of 2256	2536	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe	37
PID 2536 wrote to memory of 2256	2536	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe	37
PID 2536 wrote to memory of 2256	2536	{706F163C-4434-43e5-A230-6A14E728AF1A}.exe	37
PID 1932 wrote to memory of 2960	1932	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe	38
PID 1932 wrote to memory of 2960	1932	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe	38
PID 1932 wrote to memory of 2960	1932	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe	38
PID 1932 wrote to memory of 2960	1932	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe	38
PID 1932 wrote to memory of 2932	1932	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe	39
PID 1932 wrote to memory of 2932	1932	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe	39
PID 1932 wrote to memory of 2932	1932	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe	39
PID 1932 wrote to memory of 2932	1932	{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe	39
PID 2960 wrote to memory of 960	2960	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe	40
PID 2960 wrote to memory of 960	2960	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe	40
PID 2960 wrote to memory of 960	2960	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe	40
PID 2960 wrote to memory of 960	2960	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe	40
PID 2960 wrote to memory of 872	2960	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe	41
PID 2960 wrote to memory of 872	2960	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe	41
PID 2960 wrote to memory of 872	2960	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe	41
PID 2960 wrote to memory of 872	2960	{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe	41
PID 960 wrote to memory of 1796	960	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe	42
PID 960 wrote to memory of 1796	960	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe	42
PID 960 wrote to memory of 1796	960	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe	42
PID 960 wrote to memory of 1796	960	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe	42
PID 960 wrote to memory of 2180	960	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe	43
PID 960 wrote to memory of 2180	960	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe	43
PID 960 wrote to memory of 2180	960	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe	43
PID 960 wrote to memory of 2180	960	{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe	43
PID 1796 wrote to memory of 2408	1796	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe	44
PID 1796 wrote to memory of 2408	1796	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe	44
PID 1796 wrote to memory of 2408	1796	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe	44
PID 1796 wrote to memory of 2408	1796	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe	44
PID 1796 wrote to memory of 1516	1796	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe	45
PID 1796 wrote to memory of 1516	1796	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe	45
PID 1796 wrote to memory of 1516	1796	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe	45
PID 1796 wrote to memory of 1516	1796	{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-09_1e1f5ae7e17cc5c78c654c6d89b671f9_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe
  C:\Windows\{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe
    C:\Windows\{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\{706F163C-4434-43e5-A230-6A14E728AF1A}.exe
      C:\Windows\{706F163C-4434-43e5-A230-6A14E728AF1A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe
        
        C:\Windows\{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe
        
        C:\Windows\{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe
        
        C:\Windows\{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe
        
        C:\Windows\{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\{D62A0C85-360B-495e-B32C-7697D17FC83C}.exe
        
        C:\Windows\{D62A0C85-360B-495e-B32C-7697D17FC83C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\{7BEF93D2-B48E-426d-8955-805D5A22FA2D}.exe
        
        C:\Windows\{7BEF93D2-B48E-426d-8955-805D5A22FA2D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\{168549C8-9B29-4e31-A528-908FEC80519E}.exe
        
        C:\Windows\{168549C8-9B29-4e31-A528-908FEC80519E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\{F1C12B3F-D2C5-4b21-9FD7-FC54B6121EE0}.exe
        
        C:\Windows\{F1C12B3F-D2C5-4b21-9FD7-FC54B6121EE0}.exe
        12⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16854~1.EXE > nul
        12⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BEF9~1.EXE > nul
        11⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D62A0~1.EXE > nul
        10⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8989~1.EXE > nul
        9⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED82A~1.EXE > nul
        8⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDCF6~1.EXE > nul
        7⤵
        
        PID:872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0916E~1.EXE > nul
        6⤵
        
        PID:2932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{706F1~1.EXE > nul
        5⤵
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E5C6~1.EXE > nul
      4⤵
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{68F09~1.EXE > nul
    3⤵
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0916EFE3-3159-4bc8-B25F-A10846FBBAE7}.exe

Filesize
197KB

MD5
ff5b3721686babf350dedee4d1f6e758

SHA1
974c52239dfa8172c4cc83edbd8b075b6f0f01fd

SHA256
03c15676f4a8ed32fd8ecfcca2dc6be587a1bfadca1dd2e50ade957d596eeca0

SHA512
b938317b81943e97cbbe94f83b372e875dc3a223437c45a1f1a0583af28b2411743b01e60a22082230619c0e1c323876dfd9a1a7d886daf2b15b11d48e6f23db

Download Submit
C:\Windows\{168549C8-9B29-4e31-A528-908FEC80519E}.exe

Filesize
197KB

MD5
37e48e61243a03b0bc1415cc381b458e

SHA1
6a404076dd7a41d1064e4aedc846857445041196

SHA256
4804a80859d20b25e758b922688697f82f68219d411e577ee8663cca638e4375

SHA512
08087937fc99c29ce48b4e10b7c8f6a8c7c5c791c0354146f45971549f45d19d290f5e6481f89ee6eef6e8c0aff285df21f703d9361664884a25085ccd53539b

Download Submit
C:\Windows\{4E5C6F84-1A57-46bc-A3B4-7B6070764309}.exe

Filesize
197KB

MD5
bbcf13cc35dccfa6631261f81dddb0d3

SHA1
bb0b2da1cc05f67945ae593dc2ebd04dfd71b66a

SHA256
43f356d326a4c5283621a21cf5510168f08110967c5630c49162483b8088c90b

SHA512
2df72a6c6e24b19787d7e96ced627e834f8f3e7add337ef1333ff6b6909a590bbb16b46d2588d3eb97bb8800a5aa07f2751141bf6d2753e48777e38409c45e23

Download Submit
C:\Windows\{68F09993-0F4B-4aa9-B8D8-1D67EAF17AA4}.exe

Filesize
197KB

MD5
4dee0a3b7382a0b2b6e4cefde040db2e

SHA1
8bb607214ece1b0c41af0e7ce7b357ce02fc3541

SHA256
a7775e30a4bb7c263843e9e2d8b77de395f02117d6bf9cc50e7e2347197a5e89

SHA512
d75812f2db75a5363f1b03cd00c18b501a70a70db604fd86dca7ffc73bb930ba453ce75b9ae6a4458d2758d79fa357851b1ed5a1012da1bfbfa7e4a872c61667

Download Submit
C:\Windows\{706F163C-4434-43e5-A230-6A14E728AF1A}.exe

Filesize
197KB

MD5
4cfe6a0aba8710182ac21a60b413f67c

SHA1
9f1e542fdb1dd58f4799b9cd8c45d77108ef26a2

SHA256
8a7cfc2c0addacdcd026f3737cdd0990221056e5d5baf41fc48d0664a37f00f1

SHA512
24474d7c22e4c5f553475763e311aca94494c4ed04f9dcb91d0f47de4563d81513e225b779499190d574416fadc3587e2dcda3f5d9de0c4eee687e47e1abcdae

Download Submit
C:\Windows\{7BEF93D2-B48E-426d-8955-805D5A22FA2D}.exe

Filesize
197KB

MD5
fe0ebddd5b02b9a21dca6ab9fa161f4c

SHA1
600d229016489e4edb44abc40f7e98a9e853a198

SHA256
86116aef0e6a6cb34f90be5e8f1ae6f44c68fd6f48e0c70ee1748924243a5fd5

SHA512
538ac83b9f9a2b954f12df3ae7f56f444666f93f385d0b70d91326d5deba62a4f78e812ea7a4c7910cf6d5ee6e36958b8c3e41b93ec9638c71f3873d86b62a7d

Download Submit
C:\Windows\{C8989269-D6F0-4369-B5BF-8C72270B69E5}.exe

Filesize
197KB

MD5
d47752f99df80db32517c172a96bf7ae

SHA1
e22818ae51f5532ef029fde983a6ceb644050a19

SHA256
0a30eed6fe02a225ffab0f53dd1854b79ea623d0acd309926a74d5d01a55ee7f

SHA512
a93d9947b8fa58cd1563499ac00c901ba5d7940ee0e04ade63dd75fce85ebf0c8714c47cbd359b79d7eea18868f7f07e467b3c04a974b16bd36537b582a4f00d

Download Submit
C:\Windows\{D62A0C85-360B-495e-B32C-7697D17FC83C}.exe

Filesize
197KB

MD5
9533aafa2d67600c73490546a5dd637b

SHA1
613518b778c9e87002147dba7065e20544986a78

SHA256
54f055cc233d895259cbb804e77eee14f23f2e3f579e59b8b3dadc9e34594b96

SHA512
ff6c392d8b0c5acfc6780c59475891c15e0def50e8730d1223b044330cc4ec9e16b24e85c175234e3d76a07953790c0dee3ea5189f47c00c7b55391f814225ec

Download Submit
C:\Windows\{DDCF6AB2-8B64-4ce9-9A1D-C2BA7B38DA9C}.exe

Filesize
197KB

MD5
3c3091f506359eef825ef32f3242754b

SHA1
d14610da0a934f40dcb0707d0925133908896840

SHA256
a14f233a89a948311b02c5fc71133268ef33f0400ea346f06143876d6fcede3e

SHA512
1ad319634bf21fac08320ce8a6a88a9a838899bf8fe8c880a608f80f8cb85f2369cc59732ea3b88c47ea9a5287897ee694d606a0087f4b30122faee28db1ec68

Download Submit
C:\Windows\{ED82A344-1424-44cd-9B0F-9C369172FF18}.exe

Filesize
197KB

MD5
c818e4a48a41c9e87cee111059ad513d

SHA1
68da6b3a79c5981a700ea0235d1b16c81aeacae6

SHA256
15e223d39e741385da63bfaf40c54da18e7efa2a75e743fa6b38fe1c06c3bbe8

SHA512
8d4460860d6d12b93853e706d3ccd140599657cf0791612e2183d4e3fddc396175e496200478e4a8da800ecd457da0069460ed8a6b0e64d59a9f06632df13ab0

Download Submit
C:\Windows\{F1C12B3F-D2C5-4b21-9FD7-FC54B6121EE0}.exe

Filesize
197KB

MD5
b0e50a2ee10518499930781e2f1e152d

SHA1
01bbdf2ee8d15028488ba30c7d03e639babbe51e

SHA256
cc7b53ff9edabf5c7447280a16b9e2d5cc1c935b8e8cab9edf12476633831136

SHA512
505faa7410a5fb17c0d441e5844d1fcf8516f60740d6719b3da29d21287c7f950fa9ec6746ce3369f9f5ae35b18c0908affccff46085221fc8bfc34df746bc6e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads