9aac134dd9dd5d970b7918e780af7c021244224e9bdada17015443e899e9c71b

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09/06/2024, 04:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe
Size

372KB
MD5

b0006072baa8c8c4fe691641a9a86307
SHA1

23b80079b12a57b323945ccf912f294765bc31b3
SHA256

9aac134dd9dd5d970b7918e780af7c021244224e9bdada17015443e899e9c71b
SHA512

c06be15224fb413c0b969c60bb8829a128472b187df0f82c36f422b9a7e3ff599c711f1e6f9abf376943dea8bf4a34f5c2f60df298324dbba1511a6f038de738
SSDEEP

3072:CEGh0oolMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGqlkOe2MUVg3vTeKcAEciTBqr3

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000013adc-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000001431b-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000013adc-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003400000001432f-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000013adc-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000013adc-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x003500000001432f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBB5B69C-6DEC-4f63-A809-79711D7ED3CE}	{29980419-85DE-4b94-A4F3-F08D0329E58E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E75AE6F5-F5A4-41b9-AA7D-E832145A908E}\stubpath = "C:\\Windows\\{E75AE6F5-F5A4-41b9-AA7D-E832145A908E}.exe"	{CBB5B69C-6DEC-4f63-A809-79711D7ED3CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F632D90-FBC0-44e1-938C-B5EFF743E336}\stubpath = "C:\\Windows\\{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe"	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61982B45-0B82-4e59-8209-EE2D23203A3A}	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}\stubpath = "C:\\Windows\\{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe"	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29980419-85DE-4b94-A4F3-F08D0329E58E}\stubpath = "C:\\Windows\\{29980419-85DE-4b94-A4F3-F08D0329E58E}.exe"	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDC0890C-1C46-498b-84C5-5A8FDD58F3CE}\stubpath = "C:\\Windows\\{CDC0890C-1C46-498b-84C5-5A8FDD58F3CE}.exe"	{E75AE6F5-F5A4-41b9-AA7D-E832145A908E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}\stubpath = "C:\\Windows\\{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe"	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89CDA3B7-839C-466f-99CE-15B135AEAF88}\stubpath = "C:\\Windows\\{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe"	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E75AE6F5-F5A4-41b9-AA7D-E832145A908E}	{CBB5B69C-6DEC-4f63-A809-79711D7ED3CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDC0890C-1C46-498b-84C5-5A8FDD58F3CE}	{E75AE6F5-F5A4-41b9-AA7D-E832145A908E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61982B45-0B82-4e59-8209-EE2D23203A3A}\stubpath = "C:\\Windows\\{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe"	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBB5B69C-6DEC-4f63-A809-79711D7ED3CE}\stubpath = "C:\\Windows\\{CBB5B69C-6DEC-4f63-A809-79711D7ED3CE}.exe"	{29980419-85DE-4b94-A4F3-F08D0329E58E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}\stubpath = "C:\\Windows\\{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe"	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F632D90-FBC0-44e1-938C-B5EFF743E336}	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}\stubpath = "C:\\Windows\\{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe"	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89CDA3B7-839C-466f-99CE-15B135AEAF88}	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{29980419-85DE-4b94-A4F3-F08D0329E58E}	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe

Deletes itself 1 IoCs

pid	Process
2900	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2696	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe
2508	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe
2472	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe
1608	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe
2372	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe
1012	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe
1724	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe
2172	{29980419-85DE-4b94-A4F3-F08D0329E58E}.exe
2120	{CBB5B69C-6DEC-4f63-A809-79711D7ED3CE}.exe
1192	{E75AE6F5-F5A4-41b9-AA7D-E832145A908E}.exe
1516	{CDC0890C-1C46-498b-84C5-5A8FDD58F3CE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe
File created	C:\Windows\{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe
File created	C:\Windows\{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe
File created	C:\Windows\{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe
File created	C:\Windows\{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe
File created	C:\Windows\{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe
File created	C:\Windows\{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe
File created	C:\Windows\{29980419-85DE-4b94-A4F3-F08D0329E58E}.exe	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe
File created	C:\Windows\{CBB5B69C-6DEC-4f63-A809-79711D7ED3CE}.exe	{29980419-85DE-4b94-A4F3-F08D0329E58E}.exe
File created	C:\Windows\{E75AE6F5-F5A4-41b9-AA7D-E832145A908E}.exe	{CBB5B69C-6DEC-4f63-A809-79711D7ED3CE}.exe
File created	C:\Windows\{CDC0890C-1C46-498b-84C5-5A8FDD58F3CE}.exe	{E75AE6F5-F5A4-41b9-AA7D-E832145A908E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2072	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2696	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe
Token: SeIncBasePriorityPrivilege	2508	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe
Token: SeIncBasePriorityPrivilege	2472	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe
Token: SeIncBasePriorityPrivilege	1608	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe
Token: SeIncBasePriorityPrivilege	2372	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe
Token: SeIncBasePriorityPrivilege	1012	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe
Token: SeIncBasePriorityPrivilege	1724	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe
Token: SeIncBasePriorityPrivilege	2172	{29980419-85DE-4b94-A4F3-F08D0329E58E}.exe
Token: SeIncBasePriorityPrivilege	2120	{CBB5B69C-6DEC-4f63-A809-79711D7ED3CE}.exe
Token: SeIncBasePriorityPrivilege	1192	{E75AE6F5-F5A4-41b9-AA7D-E832145A908E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2696	2072	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	28
PID 2072 wrote to memory of 2696	2072	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	28
PID 2072 wrote to memory of 2696	2072	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	28
PID 2072 wrote to memory of 2696	2072	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	28
PID 2072 wrote to memory of 2900	2072	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	29
PID 2072 wrote to memory of 2900	2072	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	29
PID 2072 wrote to memory of 2900	2072	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	29
PID 2072 wrote to memory of 2900	2072	2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe	29
PID 2696 wrote to memory of 2508	2696	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe	30
PID 2696 wrote to memory of 2508	2696	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe	30
PID 2696 wrote to memory of 2508	2696	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe	30
PID 2696 wrote to memory of 2508	2696	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe	30
PID 2696 wrote to memory of 2544	2696	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe	31
PID 2696 wrote to memory of 2544	2696	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe	31
PID 2696 wrote to memory of 2544	2696	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe	31
PID 2696 wrote to memory of 2544	2696	{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe	31
PID 2508 wrote to memory of 2472	2508	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe	32
PID 2508 wrote to memory of 2472	2508	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe	32
PID 2508 wrote to memory of 2472	2508	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe	32
PID 2508 wrote to memory of 2472	2508	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe	32
PID 2508 wrote to memory of 2428	2508	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe	33
PID 2508 wrote to memory of 2428	2508	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe	33
PID 2508 wrote to memory of 2428	2508	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe	33
PID 2508 wrote to memory of 2428	2508	{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe	33
PID 2472 wrote to memory of 1608	2472	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe	36
PID 2472 wrote to memory of 1608	2472	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe	36
PID 2472 wrote to memory of 1608	2472	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe	36
PID 2472 wrote to memory of 1608	2472	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe	36
PID 2472 wrote to memory of 804	2472	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe	37
PID 2472 wrote to memory of 804	2472	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe	37
PID 2472 wrote to memory of 804	2472	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe	37
PID 2472 wrote to memory of 804	2472	{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe	37
PID 1608 wrote to memory of 2372	1608	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe	38
PID 1608 wrote to memory of 2372	1608	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe	38
PID 1608 wrote to memory of 2372	1608	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe	38
PID 1608 wrote to memory of 2372	1608	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe	38
PID 1608 wrote to memory of 1536	1608	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe	39
PID 1608 wrote to memory of 1536	1608	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe	39
PID 1608 wrote to memory of 1536	1608	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe	39
PID 1608 wrote to memory of 1536	1608	{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe	39
PID 2372 wrote to memory of 1012	2372	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe	40
PID 2372 wrote to memory of 1012	2372	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe	40
PID 2372 wrote to memory of 1012	2372	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe	40
PID 2372 wrote to memory of 1012	2372	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe	40
PID 2372 wrote to memory of 2288	2372	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe	41
PID 2372 wrote to memory of 2288	2372	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe	41
PID 2372 wrote to memory of 2288	2372	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe	41
PID 2372 wrote to memory of 2288	2372	{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe	41
PID 1012 wrote to memory of 1724	1012	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe	42
PID 1012 wrote to memory of 1724	1012	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe	42
PID 1012 wrote to memory of 1724	1012	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe	42
PID 1012 wrote to memory of 1724	1012	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe	42
PID 1012 wrote to memory of 1732	1012	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe	43
PID 1012 wrote to memory of 1732	1012	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe	43
PID 1012 wrote to memory of 1732	1012	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe	43
PID 1012 wrote to memory of 1732	1012	{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe	43
PID 1724 wrote to memory of 2172	1724	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe	44
PID 1724 wrote to memory of 2172	1724	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe	44
PID 1724 wrote to memory of 2172	1724	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe	44
PID 1724 wrote to memory of 2172	1724	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe	44
PID 1724 wrote to memory of 1552	1724	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe	45
PID 1724 wrote to memory of 1552	1724	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe	45
PID 1724 wrote to memory of 1552	1724	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe	45
PID 1724 wrote to memory of 1552	1724	{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_b0006072baa8c8c4fe691641a9a86307_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe
  C:\Windows\{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe
    C:\Windows\{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe
      C:\Windows\{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe
        
        C:\Windows\{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe
        
        C:\Windows\{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe
        
        C:\Windows\{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe
        
        C:\Windows\{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\{29980419-85DE-4b94-A4F3-F08D0329E58E}.exe
        
        C:\Windows\{29980419-85DE-4b94-A4F3-F08D0329E58E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\{CBB5B69C-6DEC-4f63-A809-79711D7ED3CE}.exe
        
        C:\Windows\{CBB5B69C-6DEC-4f63-A809-79711D7ED3CE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\{E75AE6F5-F5A4-41b9-AA7D-E832145A908E}.exe
        
        C:\Windows\{E75AE6F5-F5A4-41b9-AA7D-E832145A908E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\{CDC0890C-1C46-498b-84C5-5A8FDD58F3CE}.exe
        
        C:\Windows\{CDC0890C-1C46-498b-84C5-5A8FDD58F3CE}.exe
        12⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E75AE~1.EXE > nul
        12⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBB5B~1.EXE > nul
        11⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29980~1.EXE > nul
        10⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89CDA~1.EXE > nul
        9⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F358F~1.EXE > nul
        8⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61982~1.EXE > nul
        7⤵
        
        PID:2288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA4DD~1.EXE > nul
        6⤵
        
        PID:1536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68E33~1.EXE > nul
        5⤵
        
        PID:804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2F632~1.EXE > nul
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{06981~1.EXE > nul
    3⤵
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06981EDC-60DD-4269-8EBD-7EBDC5D4411E}.exe

Filesize
372KB

MD5
066de4b39335bbb63650459f4e64abc4

SHA1
b22bb567121fdd2499ce1e7853cd8b6e2553f9d2

SHA256
bc3ccd20eca2f9de83fdecfa67a1e177c0c2ea43ed55a3c7194c79cbd1bc08bc

SHA512
8b25e2be109166b4a249d1d594616a508c623531d7a286ef207fba07130dd508831770b3c3202e6fd8494ad54cc5e4cb202f0e13518d14501402beac5367385a

Download Submit
C:\Windows\{29980419-85DE-4b94-A4F3-F08D0329E58E}.exe

Filesize
372KB

MD5
35908086aca1d25212d00a9b746aea26

SHA1
7225fb2667a082cf3349c737d55686b515ebadc7

SHA256
b49bbbe252fa87572111244e63306d7b5f35ba9ef7f15fce1a23440b54372d21

SHA512
d12cf445f022acd518de893fb1b645c6f25794f98610b0c4b506af4bed761cbedea75c83c59d951bbee86353fdffd60db9201b6e7e86f2f7c5aa3dc705330352

Download Submit
C:\Windows\{2F632D90-FBC0-44e1-938C-B5EFF743E336}.exe

Filesize
372KB

MD5
856321cda20f9bfa09c5078116af8b71

SHA1
ef2bbc8ae40af9cad2b5067a80f6469d11e6cbb7

SHA256
5e561fa75232092625edf95a4218f1e151721bd5cb7ab5181dfc50fdcd040db1

SHA512
f4e4a975dffa10b2c37197c2ff68901e53765d96f9515feb1b3d23a7339dc180a982740c43075130a22249cf2c93ec51ba186b23da45d02e2b4eff34111fdf95

Download Submit
C:\Windows\{61982B45-0B82-4e59-8209-EE2D23203A3A}.exe

Filesize
372KB

MD5
300b1756b7c290040986c2b3ea1be974

SHA1
5c66ed88ea90f8e19c3ccb2d0924bf753541e31d

SHA256
4f65437508b1fd571f329f9370d16ff7a33732621727cff4c6121c65f8e30ae3

SHA512
2b193026c2f2c236c7be972565a17f3e9164cf760abdbd6846383dc64a47f53db8eda5f2a0e9e75b3088290e86118282306ecfe79ef8ae2cb2cd01405a63ae0a

Download Submit
C:\Windows\{68E33C3E-22C0-4dfa-953E-2EF21EE8DF95}.exe

Filesize
372KB

MD5
de4711adcbd814ed507d79ca87429fa7

SHA1
121f84153d5283051cbdc325bad9e986912fdfc7

SHA256
dfe1f050e8ca0c510905a46ecb8c0b0a925825c5498994e6db8f990e2ed247ec

SHA512
6e6f8e93c0a3e4beb27bfdd3d1bebf8f5f6cc602eeef2cd2e66db4eaee4fb61e93852fb401f86d41e177488526f088aec2058a9894ea0fade5e838c52b021aba

Download Submit
C:\Windows\{89CDA3B7-839C-466f-99CE-15B135AEAF88}.exe

Filesize
372KB

MD5
8737437d04541e28574d922d4c764d38

SHA1
18fb560168a2b51d1d4c91b58707bc311dd27463

SHA256
d3c0c2e491f36816e21b1d96b8700b2601b89a1653a56056c38bbbb9587e77ae

SHA512
694c617c4202d00976e3049012c80df9272d25a286f2dc098277c0725d24859a3345aecbce5c2439f573c5e8ac680fb4fa142c56dcd36c117e4a4c37af904d1b

Download Submit
C:\Windows\{AA4DDAAC-5A47-46f0-AC4C-67E1A2455CAF}.exe

Filesize
372KB

MD5
c708b8ed080c1e382f3bd21f13f162f2

SHA1
649c5148e8af69632820bb7219edcb582a5d9735

SHA256
9c1f7c475e6deac0ba64c8dae2cd483b9a38ec7d59d06ec9c74dad8f50db3e41

SHA512
274e318aa0e23ed88081a429a4a4c0dfcfd66b680128be501167cddc453e3ccae039952d0ada78618a49d64d93e258d9e0138edb0d582e7e245ecc1f31c2fb09

Download Submit
C:\Windows\{CBB5B69C-6DEC-4f63-A809-79711D7ED3CE}.exe

Filesize
372KB

MD5
896d1ba20db2c1f3cde35357c4bf684b

SHA1
4bb1a5879433d95df1683abfcf75909e26ff9652

SHA256
9cbe033ae644d3074b1cc8baa673ec4b27c441e4d4623dc7e4abb568593fd686

SHA512
db5e6f800d34c08f5b71cf9d71acbf2b864054f2910259fee9c6c628081d7b6ffa2a69bd4ff2cd01964140ec307f2ede9666cbdf8b0471b21cefcddcb9aa1481

Download Submit
C:\Windows\{CDC0890C-1C46-498b-84C5-5A8FDD58F3CE}.exe

Filesize
372KB

MD5
15711d9ec8d58ef6de45423b184934a8

SHA1
31ba0b1bfdba46bc646ead5273f0820c8e14752d

SHA256
cf7d37dabdff9d1ab3ea50dd51a2c78b6ea5a3b31066648630124b79ed70a1fb

SHA512
44b47e95497e517dcc930a8c254612afb06bd22dbc3a2f2cc57a291547092c0cb3d6b6eb1b328143e1ee3e2c5e632140269d4729960cbcd5675edc4be8fcf323

Download Submit
C:\Windows\{E75AE6F5-F5A4-41b9-AA7D-E832145A908E}.exe

Filesize
372KB

MD5
3f52bb0905413a57ea4a7f48bbcb6c8f

SHA1
3d7e3906df5bc1d514501a4438243bf3a889a0d8

SHA256
70e678a8c485b2bd19a58c5b9a6120df84889326dd162ab74c1b63abb41c5cc3

SHA512
ed01589a378618eb13f8f325ece3ebf97f3ffd993f53e6c3bcf02164a43d20eef73849ec8f5f44aaf488e520047b8886316a7d0116275beb7c3fdfa6adf3b004

Download Submit
C:\Windows\{F358FDD2-BE83-4f6b-B5E6-30C0BA296025}.exe

Filesize
372KB

MD5
8ab34efe007fb43246643169dd87e844

SHA1
6ae82b6f30b79021838d502627ab07bbd27182b8

SHA256
4ca16a1d7adca016a7c8cf5ddb6926250f8ee14d3e44ae1a6e5327ddaa74911a

SHA512
28e144e5c49065056c006808716f9449f89d8375c3d9bb8001532e140cbee632caeb7120dc562332e70ac7b2ffedc8544ecf53ed7103753e5163cc837de01f0b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads