ea99ec7c2043a0aae92a7d8f86c15d43d3bb3cc2632aa61d6e4ebd130db275d7

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 04:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe
Size

204KB
MD5

a1d3aa2aedb1ae1218434f3358c415dc
SHA1

ec55cb7b1c4d568638587d4822872b891f723e3c
SHA256

ea99ec7c2043a0aae92a7d8f86c15d43d3bb3cc2632aa61d6e4ebd130db275d7
SHA512

bb4b6d2a9cbf8d62ee94173f94c17a49562ea56378b07ec9dfe4b748c99b3d6e6b424dc10863e694f34371e3ccbacea122ae5689989bcedccf24f7b3f59ca1fd
SSDEEP

1536:1EGh0o9l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o9l1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012286-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0031000000015d12-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000012286-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0030000000015d3b-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012286-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012286-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012286-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB91D4DA-C74D-496b-AEE6-920003639AB7}	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB91D4DA-C74D-496b-AEE6-920003639AB7}\stubpath = "C:\\Windows\\{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe"	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11C4B22E-C28D-4bff-96B2-189BE056830A}	{F25E8479-D0A5-47bc-BCCB-A29C243DE3A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F855B304-130E-4d6d-8D7A-A9670655F6D8}\stubpath = "C:\\Windows\\{F855B304-130E-4d6d-8D7A-A9670655F6D8}.exe"	{11C4B22E-C28D-4bff-96B2-189BE056830A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8162191A-594D-41a9-9EA8-6AAC2D2AB94E}	{F855B304-130E-4d6d-8D7A-A9670655F6D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44ADB6DA-3916-4362-A483-EA44088F087B}\stubpath = "C:\\Windows\\{44ADB6DA-3916-4362-A483-EA44088F087B}.exe"	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F25E8479-D0A5-47bc-BCCB-A29C243DE3A4}\stubpath = "C:\\Windows\\{F25E8479-D0A5-47bc-BCCB-A29C243DE3A4}.exe"	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F855B304-130E-4d6d-8D7A-A9670655F6D8}	{11C4B22E-C28D-4bff-96B2-189BE056830A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}\stubpath = "C:\\Windows\\{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe"	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}\stubpath = "C:\\Windows\\{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe"	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11C4B22E-C28D-4bff-96B2-189BE056830A}\stubpath = "C:\\Windows\\{11C4B22E-C28D-4bff-96B2-189BE056830A}.exe"	{F25E8479-D0A5-47bc-BCCB-A29C243DE3A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8162191A-594D-41a9-9EA8-6AAC2D2AB94E}\stubpath = "C:\\Windows\\{8162191A-594D-41a9-9EA8-6AAC2D2AB94E}.exe"	{F855B304-130E-4d6d-8D7A-A9670655F6D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}\stubpath = "C:\\Windows\\{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe"	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44ADB6DA-3916-4362-A483-EA44088F087B}	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}\stubpath = "C:\\Windows\\{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe"	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAC89CA5-EA55-445b-99DD-200CBEE41E17}	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BAC89CA5-EA55-445b-99DD-200CBEE41E17}\stubpath = "C:\\Windows\\{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe"	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F25E8479-D0A5-47bc-BCCB-A29C243DE3A4}	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe

Deletes itself 1 IoCs

pid	Process
2972	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2312	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe
2772	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe
2784	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe
2568	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe
1568	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe
1940	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe
1852	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe
2320	{F25E8479-D0A5-47bc-BCCB-A29C243DE3A4}.exe
2172	{11C4B22E-C28D-4bff-96B2-189BE056830A}.exe
2900	{F855B304-130E-4d6d-8D7A-A9670655F6D8}.exe
1308	{8162191A-594D-41a9-9EA8-6AAC2D2AB94E}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe
File created	C:\Windows\{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe
File created	C:\Windows\{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe
File created	C:\Windows\{8162191A-594D-41a9-9EA8-6AAC2D2AB94E}.exe	{F855B304-130E-4d6d-8D7A-A9670655F6D8}.exe
File created	C:\Windows\{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe
File created	C:\Windows\{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe
File created	C:\Windows\{44ADB6DA-3916-4362-A483-EA44088F087B}.exe	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe
File created	C:\Windows\{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe
File created	C:\Windows\{F25E8479-D0A5-47bc-BCCB-A29C243DE3A4}.exe	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe
File created	C:\Windows\{11C4B22E-C28D-4bff-96B2-189BE056830A}.exe	{F25E8479-D0A5-47bc-BCCB-A29C243DE3A4}.exe
File created	C:\Windows\{F855B304-130E-4d6d-8D7A-A9670655F6D8}.exe	{11C4B22E-C28D-4bff-96B2-189BE056830A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2156	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2312	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe
Token: SeIncBasePriorityPrivilege	2772	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe
Token: SeIncBasePriorityPrivilege	2784	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe
Token: SeIncBasePriorityPrivilege	2568	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe
Token: SeIncBasePriorityPrivilege	1568	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe
Token: SeIncBasePriorityPrivilege	1940	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe
Token: SeIncBasePriorityPrivilege	1852	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe
Token: SeIncBasePriorityPrivilege	2320	{F25E8479-D0A5-47bc-BCCB-A29C243DE3A4}.exe
Token: SeIncBasePriorityPrivilege	2172	{11C4B22E-C28D-4bff-96B2-189BE056830A}.exe
Token: SeIncBasePriorityPrivilege	2900	{F855B304-130E-4d6d-8D7A-A9670655F6D8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2312	2156	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	28
PID 2156 wrote to memory of 2312	2156	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	28
PID 2156 wrote to memory of 2312	2156	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	28
PID 2156 wrote to memory of 2312	2156	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	28
PID 2156 wrote to memory of 2972	2156	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	29
PID 2156 wrote to memory of 2972	2156	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	29
PID 2156 wrote to memory of 2972	2156	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	29
PID 2156 wrote to memory of 2972	2156	2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe	29
PID 2312 wrote to memory of 2772	2312	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe	30
PID 2312 wrote to memory of 2772	2312	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe	30
PID 2312 wrote to memory of 2772	2312	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe	30
PID 2312 wrote to memory of 2772	2312	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe	30
PID 2312 wrote to memory of 2876	2312	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe	31
PID 2312 wrote to memory of 2876	2312	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe	31
PID 2312 wrote to memory of 2876	2312	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe	31
PID 2312 wrote to memory of 2876	2312	{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe	31
PID 2772 wrote to memory of 2784	2772	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe	32
PID 2772 wrote to memory of 2784	2772	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe	32
PID 2772 wrote to memory of 2784	2772	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe	32
PID 2772 wrote to memory of 2784	2772	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe	32
PID 2772 wrote to memory of 2696	2772	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe	33
PID 2772 wrote to memory of 2696	2772	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe	33
PID 2772 wrote to memory of 2696	2772	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe	33
PID 2772 wrote to memory of 2696	2772	{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe	33
PID 2784 wrote to memory of 2568	2784	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe	36
PID 2784 wrote to memory of 2568	2784	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe	36
PID 2784 wrote to memory of 2568	2784	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe	36
PID 2784 wrote to memory of 2568	2784	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe	36
PID 2784 wrote to memory of 2960	2784	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe	37
PID 2784 wrote to memory of 2960	2784	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe	37
PID 2784 wrote to memory of 2960	2784	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe	37
PID 2784 wrote to memory of 2960	2784	{44ADB6DA-3916-4362-A483-EA44088F087B}.exe	37
PID 2568 wrote to memory of 1568	2568	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe	38
PID 2568 wrote to memory of 1568	2568	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe	38
PID 2568 wrote to memory of 1568	2568	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe	38
PID 2568 wrote to memory of 1568	2568	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe	38
PID 2568 wrote to memory of 1796	2568	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe	39
PID 2568 wrote to memory of 1796	2568	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe	39
PID 2568 wrote to memory of 1796	2568	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe	39
PID 2568 wrote to memory of 1796	2568	{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe	39
PID 1568 wrote to memory of 1940	1568	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe	40
PID 1568 wrote to memory of 1940	1568	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe	40
PID 1568 wrote to memory of 1940	1568	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe	40
PID 1568 wrote to memory of 1940	1568	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe	40
PID 1568 wrote to memory of 352	1568	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe	41
PID 1568 wrote to memory of 352	1568	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe	41
PID 1568 wrote to memory of 352	1568	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe	41
PID 1568 wrote to memory of 352	1568	{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe	41
PID 1940 wrote to memory of 1852	1940	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe	42
PID 1940 wrote to memory of 1852	1940	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe	42
PID 1940 wrote to memory of 1852	1940	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe	42
PID 1940 wrote to memory of 1852	1940	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe	42
PID 1940 wrote to memory of 2408	1940	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe	43
PID 1940 wrote to memory of 2408	1940	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe	43
PID 1940 wrote to memory of 2408	1940	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe	43
PID 1940 wrote to memory of 2408	1940	{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe	43
PID 1852 wrote to memory of 2320	1852	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe	44
PID 1852 wrote to memory of 2320	1852	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe	44
PID 1852 wrote to memory of 2320	1852	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe	44
PID 1852 wrote to memory of 2320	1852	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe	44
PID 1852 wrote to memory of 1508	1852	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe	45
PID 1852 wrote to memory of 1508	1852	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe	45
PID 1852 wrote to memory of 1508	1852	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe	45
PID 1852 wrote to memory of 1508	1852	{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_a1d3aa2aedb1ae1218434f3358c415dc_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe
  C:\Windows\{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe
    C:\Windows\{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\{44ADB6DA-3916-4362-A483-EA44088F087B}.exe
      C:\Windows\{44ADB6DA-3916-4362-A483-EA44088F087B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe
        
        C:\Windows\{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe
        
        C:\Windows\{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe
        
        C:\Windows\{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe
        
        C:\Windows\{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\{F25E8479-D0A5-47bc-BCCB-A29C243DE3A4}.exe
        
        C:\Windows\{F25E8479-D0A5-47bc-BCCB-A29C243DE3A4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\{11C4B22E-C28D-4bff-96B2-189BE056830A}.exe
        
        C:\Windows\{11C4B22E-C28D-4bff-96B2-189BE056830A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{F855B304-130E-4d6d-8D7A-A9670655F6D8}.exe
        
        C:\Windows\{F855B304-130E-4d6d-8D7A-A9670655F6D8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\{8162191A-594D-41a9-9EA8-6AAC2D2AB94E}.exe
        
        C:\Windows\{8162191A-594D-41a9-9EA8-6AAC2D2AB94E}.exe
        12⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F855B~1.EXE > nul
        12⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11C4B~1.EXE > nul
        11⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F25E8~1.EXE > nul
        10⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7F46~1.EXE > nul
        9⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAC89~1.EXE > nul
        8⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB91D~1.EXE > nul
        7⤵
        
        PID:352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AE99~1.EXE > nul
        6⤵
        
        PID:1796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44ADB~1.EXE > nul
        5⤵
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0380D~1.EXE > nul
      4⤵
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1AD15~1.EXE > nul
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0380D8AA-0E94-4df4-B64B-546C9A4E78CB}.exe

Filesize
204KB

MD5
c3a53302d594e7f6de585dc603d694fb

SHA1
63e5b5dbd6d4027cba7b8287d88494f69f9a66f7

SHA256
9ae68791f46e8de40ece771cfbfd9979f5f5f12bdec554b441974dfc3969287b

SHA512
cb88c6ec58bc18f8f3172590af0d1ab9fd2dd96e943e80d0aaaa69e5f9eff55445180572b9731d26d36565551b01956eabfad932ab4a095b1aa928a527c11241

Download Submit
C:\Windows\{11C4B22E-C28D-4bff-96B2-189BE056830A}.exe

Filesize
204KB

MD5
130fcca8782e87c70ab2c9f9c39ce996

SHA1
c9834ef2a3c009c63cc9fe7a4bc5174a10c30e06

SHA256
e482a5f3647602bb5820adb4cbaefef9d3e782edcdf0264185ce8aabccd6504e

SHA512
91bcae60f93662a384372406b2fe0e77a1e9083a9e7a692557179a848809d8feebef35edd57c9b1f133f071a869c40190d73677740c7a410d880f4af7cf71244

Download Submit
C:\Windows\{1AD15911-2DF3-4cd2-92E3-70E0E22A3416}.exe

Filesize
204KB

MD5
841784e0abfa7bf5a860584a60bfc059

SHA1
5053284b9d677f13f682d8cff6790da969f736e8

SHA256
7c65388b0d05cb91b03ae3195ceeb0da9f9089821877385ca3aab75240a2b79b

SHA512
2eef6c0038f75e8f2e0b0b1c2059a307d35928bb712780797087cc8394aa07dae5718bf0dfb7d04a9fb49dc5d51304a9d69ef1e219f868649a9c3c546cca5d30

Download Submit
C:\Windows\{3AE99BF1-B944-41fc-8FD5-7133B68C72F0}.exe

Filesize
204KB

MD5
584fc506ae0a71d77dd853e49a298c11

SHA1
d947a033ce6a448e4cfe444478ff7c89cb4e2e75

SHA256
50afa1e9de81164d34290148339657cb0818dded4716e3d5ea6bf8b8a396e161

SHA512
389af13cb7e0593b4baceb3c7c7e751a8ed35ce6368934f70ce2437960f1fd9d686624809f46f88109cf109f041c98c03b8279fd053e16fcfcc68c3c8c7d8ae5

Download Submit
C:\Windows\{44ADB6DA-3916-4362-A483-EA44088F087B}.exe

Filesize
204KB

MD5
2440a49319dd0b8702cfcb535dc928fd

SHA1
93356ea8f37483fd37fae3fc104e76475d720fad

SHA256
e43384986e94651cb3d0f90f15802244c7a4aa6b5d81ad9838387366a523d69e

SHA512
b6b23ba513865ca928822c54bc6aed5a3f69fe3504822d930de8471730ee27428b8fd4a439ead3585f3d8dddf39222530bc255790c9d92a3b4a8874c9369d449

Download Submit
C:\Windows\{8162191A-594D-41a9-9EA8-6AAC2D2AB94E}.exe

Filesize
204KB

MD5
634727b5b2d980c75770ee8d8d4f0452

SHA1
e68cf7470757b92318954f6578b9ffd401e856c8

SHA256
94f95d984c8314a78eb29fa13ae08144bcb31ffd7a24974bdcf9ae37f515c9ba

SHA512
7cda522de4d62ee84e510aa8a2635c2aad735238a4534074d3949f0cf1ada7d7815f1a6e18a7fa8051a2073dd2107ef3bd12c7c9b3424c73163fdaff45d077a6

Download Submit
C:\Windows\{BAC89CA5-EA55-445b-99DD-200CBEE41E17}.exe

Filesize
204KB

MD5
968a0c6d9ff6627f97d228a6961ef5d5

SHA1
6379ae1ec29f5adc17e365c23f9bbda986a622ee

SHA256
3f7afdeea38d8c54fbe0d86c91c992e44aded83fa01cf9940e61fa829146416b

SHA512
99c2ddc365367e03c2a50346406b1944106d326e1a482f6f698939490a788c6c394954fe7429d95bd6e659ade40201a3964f36e98d6f905ad53e52f5b75754fa

Download Submit
C:\Windows\{C7F46DF3-BFE4-47bd-8895-863F26E6AB5F}.exe

Filesize
204KB

MD5
ae02696e246cc1bd4db25682b6c7e050

SHA1
78ec5bef517479060be43a41d4c3ef7db323077c

SHA256
86c64bb5872d7253d8e45f9fd2e0d79b440038ef7b3edecd0780c1c4bd421f3b

SHA512
f1b32c799e583c8fe4fc82a05e0ea7209129dd459a58057bb103dae7fb232112bb48724f2f8f5dd3c16a924d63ee295f20bef1fd01c3c5a6d97d08296e46f93d

Download Submit
C:\Windows\{F25E8479-D0A5-47bc-BCCB-A29C243DE3A4}.exe

Filesize
204KB

MD5
d72b7a02d1d9bb7b69bcf65bae7a2856

SHA1
a31a44244b9476e064850dda8449575397e2a29f

SHA256
68e433bb4b619c0d7d2d0ba5b0bbeef2b975000aac74ea1a1fe1e3ac2141bf6e

SHA512
49e315a50031bc101f82dc5bec71c92c7e5f3de130d1106c1015c4ca5dbf316eb6bec3e59f63b020dc5e4d41d22fece2653e5cebf29682a6a753c9d0636714fe

Download Submit
C:\Windows\{F855B304-130E-4d6d-8D7A-A9670655F6D8}.exe

Filesize
204KB

MD5
6034e5fc66408cc88031975182b3624c

SHA1
d30ec5753a44509c3cfa4b06c3f10c07c403e2c3

SHA256
6935633d18515431722b08f66d318c8ee7ed085c0020d605c54d537813274161

SHA512
cdd86604f806993bc41f17e3cfda137dac1e372cc4ab6eaae1ae3d123d9872394a717ea0cf6cc0584d59cfc75ed5666a3ca583fbc2b978d0120dda5058be7491

Download Submit
C:\Windows\{FB91D4DA-C74D-496b-AEE6-920003639AB7}.exe

Filesize
204KB

MD5
6f1c6b6e95c605787db056e7448faab8

SHA1
793b3db4dfb864dfa4a8312d5a06a4b1dcc72929

SHA256
87c213fb72dcbf4c56cfe07eee5a52902c19d2604e3651e43c66c8af428fe8aa

SHA512
711b2efde2b941d229dbb2af1ed28beb88819de2f5942066615dc49a85d6989ada3c7d32943a9071b514fcf33fbaf66b6c64925e629600b3832df93cc51b1916

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads