754f959db10d9891f97c49daa4e0cdffce6e3f2a8529af261ccb3b1ed0c7eaa5

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe
Size

380KB
MD5

c74306cb71308037f472dee8e52c96d5
SHA1

07df07b056492bab2e8ac7d1eacceac75db3bc6a
SHA256

754f959db10d9891f97c49daa4e0cdffce6e3f2a8529af261ccb3b1ed0c7eaa5
SHA512

b8073b4e9bf4161718ad4992798811db75564b6a982e00f72430e31de262e9f666b4a3429ca2f4a545d3d3bc2e833932da5281c996a4abe38f237df6b1c20029
SSDEEP

3072:mEGh0omZlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEct:mEGkl7Oe2MUVg3v2IneKcAEcARy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000f00000001226b-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016c71-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001000000001226b-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001100000001226b-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000016c7a-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001200000001226b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000016c7a-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001300000001226b-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0038000000016c7a-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001400000001226b-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}\stubpath = "C:\\Windows\\{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe"	2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED63661-55C8-4079-8078-A44699DB4313}\stubpath = "C:\\Windows\\{EED63661-55C8-4079-8078-A44699DB4313}.exe"	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}\stubpath = "C:\\Windows\\{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe"	{EED63661-55C8-4079-8078-A44699DB4313}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}\stubpath = "C:\\Windows\\{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe"	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEFE5D48-1B3E-4c78-AACA-F98714042D94}	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FF8A852-5833-4c4e-BCAD-F2C98F609172}	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D0E2E3-5445-4d56-8D97-CD20D562C478}	{EEFE5D48-1B3E-4c78-AACA-F98714042D94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D006AC5-5B74-49f6-A307-C71CA03FC23B}\stubpath = "C:\\Windows\\{7D006AC5-5B74-49f6-A307-C71CA03FC23B}.exe"	{6F7B651B-2C70-4dfa-ADB6-A603110F28F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EED63661-55C8-4079-8078-A44699DB4313}	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{685345B0-3B3B-4190-A738-AB2BCC3494D3}	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{685345B0-3B3B-4190-A738-AB2BCC3494D3}\stubpath = "C:\\Windows\\{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe"	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FF8A852-5833-4c4e-BCAD-F2C98F609172}\stubpath = "C:\\Windows\\{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe"	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8D0E2E3-5445-4d56-8D97-CD20D562C478}\stubpath = "C:\\Windows\\{D8D0E2E3-5445-4d56-8D97-CD20D562C478}.exe"	{EEFE5D48-1B3E-4c78-AACA-F98714042D94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D006AC5-5B74-49f6-A307-C71CA03FC23B}	{6F7B651B-2C70-4dfa-ADB6-A603110F28F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F7B651B-2C70-4dfa-ADB6-A603110F28F4}	{D8D0E2E3-5445-4d56-8D97-CD20D562C478}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F7B651B-2C70-4dfa-ADB6-A603110F28F4}\stubpath = "C:\\Windows\\{6F7B651B-2C70-4dfa-ADB6-A603110F28F4}.exe"	{D8D0E2E3-5445-4d56-8D97-CD20D562C478}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}	2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}	{EED63661-55C8-4079-8078-A44699DB4313}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}\stubpath = "C:\\Windows\\{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe"	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEFE5D48-1B3E-4c78-AACA-F98714042D94}\stubpath = "C:\\Windows\\{EEFE5D48-1B3E-4c78-AACA-F98714042D94}.exe"	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3040	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe
2776	{EED63661-55C8-4079-8078-A44699DB4313}.exe
2984	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe
492	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe
316	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe
1500	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe
2192	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe
572	{EEFE5D48-1B3E-4c78-AACA-F98714042D94}.exe
2940	{D8D0E2E3-5445-4d56-8D97-CD20D562C478}.exe
2452	{6F7B651B-2C70-4dfa-ADB6-A603110F28F4}.exe
1448	{7D006AC5-5B74-49f6-A307-C71CA03FC23B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe
File created	C:\Windows\{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe
File created	C:\Windows\{EEFE5D48-1B3E-4c78-AACA-F98714042D94}.exe	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe
File created	C:\Windows\{D8D0E2E3-5445-4d56-8D97-CD20D562C478}.exe	{EEFE5D48-1B3E-4c78-AACA-F98714042D94}.exe
File created	C:\Windows\{6F7B651B-2C70-4dfa-ADB6-A603110F28F4}.exe	{D8D0E2E3-5445-4d56-8D97-CD20D562C478}.exe
File created	C:\Windows\{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe	2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe
File created	C:\Windows\{EED63661-55C8-4079-8078-A44699DB4313}.exe	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe
File created	C:\Windows\{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe	{EED63661-55C8-4079-8078-A44699DB4313}.exe
File created	C:\Windows\{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe
File created	C:\Windows\{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe
File created	C:\Windows\{7D006AC5-5B74-49f6-A307-C71CA03FC23B}.exe	{6F7B651B-2C70-4dfa-ADB6-A603110F28F4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2344	2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	3040	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe
Token: SeIncBasePriorityPrivilege	2776	{EED63661-55C8-4079-8078-A44699DB4313}.exe
Token: SeIncBasePriorityPrivilege	2984	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe
Token: SeIncBasePriorityPrivilege	492	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe
Token: SeIncBasePriorityPrivilege	316	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe
Token: SeIncBasePriorityPrivilege	1500	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe
Token: SeIncBasePriorityPrivilege	2192	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe
Token: SeIncBasePriorityPrivilege	572	{EEFE5D48-1B3E-4c78-AACA-F98714042D94}.exe
Token: SeIncBasePriorityPrivilege	2940	{D8D0E2E3-5445-4d56-8D97-CD20D562C478}.exe
Token: SeIncBasePriorityPrivilege	2452	{6F7B651B-2C70-4dfa-ADB6-A603110F28F4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3040	2344	2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe	28
PID 2344 wrote to memory of 3040	2344	2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe	28
PID 2344 wrote to memory of 3040	2344	2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe	28
PID 2344 wrote to memory of 3040	2344	2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe	28
PID 2344 wrote to memory of 2644	2344	2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe	29
PID 2344 wrote to memory of 2644	2344	2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe	29
PID 2344 wrote to memory of 2644	2344	2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe	29
PID 2344 wrote to memory of 2644	2344	2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe	29
PID 3040 wrote to memory of 2776	3040	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe	30
PID 3040 wrote to memory of 2776	3040	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe	30
PID 3040 wrote to memory of 2776	3040	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe	30
PID 3040 wrote to memory of 2776	3040	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe	30
PID 3040 wrote to memory of 3032	3040	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe	31
PID 3040 wrote to memory of 3032	3040	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe	31
PID 3040 wrote to memory of 3032	3040	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe	31
PID 3040 wrote to memory of 3032	3040	{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe	31
PID 2776 wrote to memory of 2984	2776	{EED63661-55C8-4079-8078-A44699DB4313}.exe	32
PID 2776 wrote to memory of 2984	2776	{EED63661-55C8-4079-8078-A44699DB4313}.exe	32
PID 2776 wrote to memory of 2984	2776	{EED63661-55C8-4079-8078-A44699DB4313}.exe	32
PID 2776 wrote to memory of 2984	2776	{EED63661-55C8-4079-8078-A44699DB4313}.exe	32
PID 2776 wrote to memory of 2544	2776	{EED63661-55C8-4079-8078-A44699DB4313}.exe	33
PID 2776 wrote to memory of 2544	2776	{EED63661-55C8-4079-8078-A44699DB4313}.exe	33
PID 2776 wrote to memory of 2544	2776	{EED63661-55C8-4079-8078-A44699DB4313}.exe	33
PID 2776 wrote to memory of 2544	2776	{EED63661-55C8-4079-8078-A44699DB4313}.exe	33
PID 2984 wrote to memory of 492	2984	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe	36
PID 2984 wrote to memory of 492	2984	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe	36
PID 2984 wrote to memory of 492	2984	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe	36
PID 2984 wrote to memory of 492	2984	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe	36
PID 2984 wrote to memory of 300	2984	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe	37
PID 2984 wrote to memory of 300	2984	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe	37
PID 2984 wrote to memory of 300	2984	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe	37
PID 2984 wrote to memory of 300	2984	{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe	37
PID 492 wrote to memory of 316	492	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe	38
PID 492 wrote to memory of 316	492	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe	38
PID 492 wrote to memory of 316	492	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe	38
PID 492 wrote to memory of 316	492	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe	38
PID 492 wrote to memory of 1760	492	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe	39
PID 492 wrote to memory of 1760	492	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe	39
PID 492 wrote to memory of 1760	492	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe	39
PID 492 wrote to memory of 1760	492	{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe	39
PID 316 wrote to memory of 1500	316	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe	40
PID 316 wrote to memory of 1500	316	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe	40
PID 316 wrote to memory of 1500	316	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe	40
PID 316 wrote to memory of 1500	316	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe	40
PID 316 wrote to memory of 1524	316	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe	41
PID 316 wrote to memory of 1524	316	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe	41
PID 316 wrote to memory of 1524	316	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe	41
PID 316 wrote to memory of 1524	316	{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe	41
PID 1500 wrote to memory of 2192	1500	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe	42
PID 1500 wrote to memory of 2192	1500	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe	42
PID 1500 wrote to memory of 2192	1500	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe	42
PID 1500 wrote to memory of 2192	1500	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe	42
PID 1500 wrote to memory of 1868	1500	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe	43
PID 1500 wrote to memory of 1868	1500	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe	43
PID 1500 wrote to memory of 1868	1500	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe	43
PID 1500 wrote to memory of 1868	1500	{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe	43
PID 2192 wrote to memory of 572	2192	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe	44
PID 2192 wrote to memory of 572	2192	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe	44
PID 2192 wrote to memory of 572	2192	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe	44
PID 2192 wrote to memory of 572	2192	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe	44
PID 2192 wrote to memory of 2440	2192	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe	45
PID 2192 wrote to memory of 2440	2192	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe	45
PID 2192 wrote to memory of 2440	2192	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe	45
PID 2192 wrote to memory of 2440	2192	{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_c74306cb71308037f472dee8e52c96d5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe
  C:\Windows\{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\{EED63661-55C8-4079-8078-A44699DB4313}.exe
    C:\Windows\{EED63661-55C8-4079-8078-A44699DB4313}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe
      C:\Windows\{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe
        
        C:\Windows\{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:492
      - C:\Windows\{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe
        
        C:\Windows\{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe
        
        C:\Windows\{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe
        
        C:\Windows\{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\{EEFE5D48-1B3E-4c78-AACA-F98714042D94}.exe
        
        C:\Windows\{EEFE5D48-1B3E-4c78-AACA-F98714042D94}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\{D8D0E2E3-5445-4d56-8D97-CD20D562C478}.exe
        
        C:\Windows\{D8D0E2E3-5445-4d56-8D97-CD20D562C478}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\{6F7B651B-2C70-4dfa-ADB6-A603110F28F4}.exe
        
        C:\Windows\{6F7B651B-2C70-4dfa-ADB6-A603110F28F4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\{7D006AC5-5B74-49f6-A307-C71CA03FC23B}.exe
        
        C:\Windows\{7D006AC5-5B74-49f6-A307-C71CA03FC23B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F7B6~1.EXE > nul
        12⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8D0E~1.EXE > nul
        11⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEFE5~1.EXE > nul
        10⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FF8A~1.EXE > nul
        9⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68534~1.EXE > nul
        8⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34F0C~1.EXE > nul
        7⤵
        
        PID:1524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C6C4~1.EXE > nul
        6⤵
        
        PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBAE3~1.EXE > nul
        5⤵
        
        PID:300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EED63~1.EXE > nul
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1B975~1.EXE > nul
    3⤵
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B975BBA-7A6E-4fab-B5FF-2B6C314DB774}.exe

Filesize
380KB

MD5
acb37211e911b2b7acccb046943ea4d5

SHA1
1bcaaa57edf0015f67a55af0a5cfa8d100c39a2f

SHA256
67aa943fba4c15f60c70c8458d83e5645b19714a076103edad2bad5664758350

SHA512
d71f7cecef045f0385ed2be654145a8729b9aeb4f6fc3ba47605a03bc09856185e5f41667815b52185b27e56fe6d85d053aace149208a93424f359e1960313c4

Download Submit
C:\Windows\{34F0C656-FA90-41e9-B8BC-C3BDD8FCB4D5}.exe

Filesize
380KB

MD5
a5ffc63cd9e26757d3914cbd4a88930d

SHA1
4e65ea6dde60e4c4cd9373674c337edc2e98de2d

SHA256
8735b1d118c0804fb5c3e7cb680e42bbfee1b57670ccf7d859c5da24d8f64aa8

SHA512
7878f40771f776fc842cc5cabd25d3efe836f8448956fe90ee1a5ab1d4a71e36d264c006628dac836a06fa28daa056daa8bbfb965aa57e09dc988b2fc8a8d733

Download Submit
C:\Windows\{685345B0-3B3B-4190-A738-AB2BCC3494D3}.exe

Filesize
380KB

MD5
4ed66f1cb786c3f985f79e352d391ad6

SHA1
8677d0c0db8dbf1809575226e53fd2caf8a1bcab

SHA256
59f4c4f3aa807587040924ff64572485d8901fd12859e934979b4dedbc0a7cbb

SHA512
e6b0f09cf075bcad9534dcfab43b1542c492690f4ebf5522baf7161accfeca08b6626da85b6d1addb616675c1650092b1df88047ef39370de58071eb2a2a32c2

Download Submit
C:\Windows\{6C6C4BFC-B86F-4b3f-8E79-2D0A1FE8E94A}.exe

Filesize
380KB

MD5
b6256e32b3fd0c8a1b07241448bdbdfe

SHA1
61a5ed06cbb2f6c3aa21e94f98e68df1f0323f78

SHA256
e93661e0769cd89423fc1c22876e840eb99f41c48a35c7bce2fefd4963894cfc

SHA512
b6fd09f3df95fd4d37cae0c6da5221ef66f571216fa50e153cfd1b4ca6102a25530bc55020d61f33f70c3758de11fda8b19ca2983061e4e8bca5e788965e55d1

Download Submit
C:\Windows\{6F7B651B-2C70-4dfa-ADB6-A603110F28F4}.exe

Filesize
380KB

MD5
2dd3f4943540380f49253972c0970b42

SHA1
409157715bf9ef8c8710921f6e7ab29c78df7a3b

SHA256
3429328f71770dd5d807c5b9a1c1baa3929310a8ca6b1dee162307b34aaa00bd

SHA512
98d8b66208155cd12385bae1a99ad87b8112b1c22c7a201317ac93ce8bc9bfd04da01668f9460acaa2ac45563f19ffcd083b200c060b53a324a614f807c1d1a9

Download Submit
C:\Windows\{7D006AC5-5B74-49f6-A307-C71CA03FC23B}.exe

Filesize
380KB

MD5
d90ba026ceb13631b1d56aef3d2a910e

SHA1
758ed361096f10fa1fe2c5aa4c721e83a9ad7638

SHA256
ba86c798c66444528448cf8c8e9c54d013eec88e5464ccd03d3cf6a8dc4345ba

SHA512
ae5979446f7ae9e75f2c6bf07ff2f0c4088b42d4f34d43657298ef6222b0583709554a0e658ebe1041a74c2ccbb4d0a1a04f5903bef1c7af648eb8ceec2747a3

Download Submit
C:\Windows\{7FF8A852-5833-4c4e-BCAD-F2C98F609172}.exe

Filesize
380KB

MD5
8b946613c2e667c0a881de2e7bb0df4e

SHA1
e3cef4f6c1f8f55f82bc80e19d1bb1cfa24c1ca8

SHA256
283748001a9cd965263e2dd9093b419dd95b690b969cbd4410d62cbb841d4c0b

SHA512
ef118ec7f6a2c61a525fcb1994804c256014273368d84a36b284cdeec41c79d0143ee9e1732006bd62f084998008d04af1bdbe796c84c7ca75ca92477d0fd6c3

Download Submit
C:\Windows\{D8D0E2E3-5445-4d56-8D97-CD20D562C478}.exe

Filesize
380KB

MD5
d36e826acddd552b476ad02a36e8f18b

SHA1
b8c53c113821f135d6bd11ee0d5e88786fe2a6c9

SHA256
cafa0bea55522a162e9371601c57e14e6e5ba2409081ba2639fe2b3c8d82bbd8

SHA512
3fc81e49db9058adffe824c458d3d507b359b8a7ad1be4d4285e468c8be2bb0f39a022e634583bc24ee64a126bd34cd5500c7d62c6d3f194ee645500080c659d

Download Submit
C:\Windows\{EED63661-55C8-4079-8078-A44699DB4313}.exe

Filesize
380KB

MD5
b36f59a65855fe51747e60004d096b20

SHA1
a3dd4e48d07e841bdd8498fa61d31f38687e66ae

SHA256
98a623073254cd21b0abc7792378c4b6051b50241af895d7068ba90eb6a2ae3a

SHA512
4666b9cab4ad8bb65bc53ec5441754bde8f21ed0fdf057834de121270b31d55b967df38cd56646d53b74095da5ace8cfe9e9e9c24fc3b9209bb8c8bc336542f6

Download Submit
C:\Windows\{EEFE5D48-1B3E-4c78-AACA-F98714042D94}.exe

Filesize
380KB

MD5
f497215581150764eece5c462027d6ec

SHA1
b46c387ccebe31797cf6fe444e968f225a6c89c8

SHA256
051df5876c8b79596d8d7c5fa4fdc1d3d7d056a6fe9a0f35c5e86b1f47b77d66

SHA512
14fa5b9b3a0c64bef053835bd13fabd1ff9bb438f762475f7082d8909b1420bfb3eb5adb7bdbd2a5887b5ffdcbcc9863402b64afd23af9558d0fdf8d9b2aa6c7

Download Submit
C:\Windows\{FBAE3171-709F-413e-B9EA-A23BB9CE06D1}.exe

Filesize
380KB

MD5
30a9bf600c674faf1f6d9ea72a07a341

SHA1
ae362d9799668dfbd6acf593743767d3a2055503

SHA256
ef18374db6e8171c54e5fc34d3c8506df7520f943a74fb3638f4c8b8fbc340fe

SHA512
40804ce0d0468f33f4c920793d7719e690144e459f6a7d10065294a9ec07b6af772066fa37e971256c964c645259cbd8ff50d035b135e34315ebd78aebf4a976

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads