63f79f5dbb1e9ffa96d0824da6f1d2053f299e341287aabe4290edfad7443b88

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe
Size

408KB
MD5

adfcd647fdda4ac0dd5ff34eb8fe3505
SHA1

1409694f76fe7f132e7a60721593e1059b949cee
SHA256

63f79f5dbb1e9ffa96d0824da6f1d2053f299e341287aabe4290edfad7443b88
SHA512

5dc6402e0cdc1130e419c1966efce0f39ff66c2e89fe1a74890b743befb9bd99264e3a30210a8482b7a2b1d9ca920181fa28f2d01fd0b37c2c71e2891928121f
SSDEEP

3072:CEGh0odl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG3ldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0035000000016d61-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000016d65-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016d69-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000016d71-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016dda-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000016d71-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016dda-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000016d71-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016dde-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000016d71-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}\stubpath = "C:\\Windows\\{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe"	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73DDB4C4-AAAF-4dec-9EFA-8444C66CCE33}\stubpath = "C:\\Windows\\{73DDB4C4-AAAF-4dec-9EFA-8444C66CCE33}.exe"	{87C3AB83-5B29-4cd2-8D40-8BDC733A646B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}\stubpath = "C:\\Windows\\{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe"	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}\stubpath = "C:\\Windows\\{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe"	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23E66BCA-4B3E-4317-A890-493394DE543D}	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}\stubpath = "C:\\Windows\\{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe"	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB0BC7B9-4BD9-4717-B9B8-0D6B73DBEC5E}\stubpath = "C:\\Windows\\{DB0BC7B9-4BD9-4717-B9B8-0D6B73DBEC5E}.exe"	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87C3AB83-5B29-4cd2-8D40-8BDC733A646B}	{DB0BC7B9-4BD9-4717-B9B8-0D6B73DBEC5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87C3AB83-5B29-4cd2-8D40-8BDC733A646B}\stubpath = "C:\\Windows\\{87C3AB83-5B29-4cd2-8D40-8BDC733A646B}.exe"	{DB0BC7B9-4BD9-4717-B9B8-0D6B73DBEC5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33FA081F-143E-45d4-9612-0BD6BDD11FE0}	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{277B2947-035D-46ed-B804-C2C687A748B7}\stubpath = "C:\\Windows\\{277B2947-035D-46ed-B804-C2C687A748B7}.exe"	{73DDB4C4-AAAF-4dec-9EFA-8444C66CCE33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}\stubpath = "C:\\Windows\\{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe"	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB0BC7B9-4BD9-4717-B9B8-0D6B73DBEC5E}	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33FA081F-143E-45d4-9612-0BD6BDD11FE0}\stubpath = "C:\\Windows\\{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe"	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23E66BCA-4B3E-4317-A890-493394DE543D}\stubpath = "C:\\Windows\\{23E66BCA-4B3E-4317-A890-493394DE543D}.exe"	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73DDB4C4-AAAF-4dec-9EFA-8444C66CCE33}	{87C3AB83-5B29-4cd2-8D40-8BDC733A646B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{277B2947-035D-46ed-B804-C2C687A748B7}	{73DDB4C4-AAAF-4dec-9EFA-8444C66CCE33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe

Deletes itself 1 IoCs

pid	Process
2256	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2160	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe
2620	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe
2492	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe
1800	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe
2804	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe
1848	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe
2028	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe
1000	{DB0BC7B9-4BD9-4717-B9B8-0D6B73DBEC5E}.exe
804	{87C3AB83-5B29-4cd2-8D40-8BDC733A646B}.exe
2432	{73DDB4C4-AAAF-4dec-9EFA-8444C66CCE33}.exe
2656	{277B2947-035D-46ed-B804-C2C687A748B7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DB0BC7B9-4BD9-4717-B9B8-0D6B73DBEC5E}.exe	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe
File created	C:\Windows\{73DDB4C4-AAAF-4dec-9EFA-8444C66CCE33}.exe	{87C3AB83-5B29-4cd2-8D40-8BDC733A646B}.exe
File created	C:\Windows\{277B2947-035D-46ed-B804-C2C687A748B7}.exe	{73DDB4C4-AAAF-4dec-9EFA-8444C66CCE33}.exe
File created	C:\Windows\{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe
File created	C:\Windows\{23E66BCA-4B3E-4317-A890-493394DE543D}.exe	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe
File created	C:\Windows\{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe
File created	C:\Windows\{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe
File created	C:\Windows\{87C3AB83-5B29-4cd2-8D40-8BDC733A646B}.exe	{DB0BC7B9-4BD9-4717-B9B8-0D6B73DBEC5E}.exe
File created	C:\Windows\{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe
File created	C:\Windows\{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe
File created	C:\Windows\{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2900	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2160	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe
Token: SeIncBasePriorityPrivilege	2620	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe
Token: SeIncBasePriorityPrivilege	2492	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe
Token: SeIncBasePriorityPrivilege	1800	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe
Token: SeIncBasePriorityPrivilege	2804	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe
Token: SeIncBasePriorityPrivilege	1848	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe
Token: SeIncBasePriorityPrivilege	2028	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe
Token: SeIncBasePriorityPrivilege	1000	{DB0BC7B9-4BD9-4717-B9B8-0D6B73DBEC5E}.exe
Token: SeIncBasePriorityPrivilege	804	{87C3AB83-5B29-4cd2-8D40-8BDC733A646B}.exe
Token: SeIncBasePriorityPrivilege	2432	{73DDB4C4-AAAF-4dec-9EFA-8444C66CCE33}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2160	2900	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	28
PID 2900 wrote to memory of 2160	2900	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	28
PID 2900 wrote to memory of 2160	2900	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	28
PID 2900 wrote to memory of 2160	2900	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	28
PID 2900 wrote to memory of 2256	2900	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	29
PID 2900 wrote to memory of 2256	2900	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	29
PID 2900 wrote to memory of 2256	2900	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	29
PID 2900 wrote to memory of 2256	2900	2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe	29
PID 2160 wrote to memory of 2620	2160	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe	30
PID 2160 wrote to memory of 2620	2160	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe	30
PID 2160 wrote to memory of 2620	2160	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe	30
PID 2160 wrote to memory of 2620	2160	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe	30
PID 2160 wrote to memory of 2476	2160	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe	31
PID 2160 wrote to memory of 2476	2160	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe	31
PID 2160 wrote to memory of 2476	2160	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe	31
PID 2160 wrote to memory of 2476	2160	{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe	31
PID 2620 wrote to memory of 2492	2620	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe	32
PID 2620 wrote to memory of 2492	2620	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe	32
PID 2620 wrote to memory of 2492	2620	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe	32
PID 2620 wrote to memory of 2492	2620	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe	32
PID 2620 wrote to memory of 2632	2620	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe	33
PID 2620 wrote to memory of 2632	2620	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe	33
PID 2620 wrote to memory of 2632	2620	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe	33
PID 2620 wrote to memory of 2632	2620	{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe	33
PID 2492 wrote to memory of 1800	2492	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe	36
PID 2492 wrote to memory of 1800	2492	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe	36
PID 2492 wrote to memory of 1800	2492	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe	36
PID 2492 wrote to memory of 1800	2492	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe	36
PID 2492 wrote to memory of 2536	2492	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe	37
PID 2492 wrote to memory of 2536	2492	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe	37
PID 2492 wrote to memory of 2536	2492	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe	37
PID 2492 wrote to memory of 2536	2492	{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe	37
PID 1800 wrote to memory of 2804	1800	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe	38
PID 1800 wrote to memory of 2804	1800	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe	38
PID 1800 wrote to memory of 2804	1800	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe	38
PID 1800 wrote to memory of 2804	1800	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe	38
PID 1800 wrote to memory of 2924	1800	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe	39
PID 1800 wrote to memory of 2924	1800	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe	39
PID 1800 wrote to memory of 2924	1800	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe	39
PID 1800 wrote to memory of 2924	1800	{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe	39
PID 2804 wrote to memory of 1848	2804	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe	40
PID 2804 wrote to memory of 1848	2804	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe	40
PID 2804 wrote to memory of 1848	2804	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe	40
PID 2804 wrote to memory of 1848	2804	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe	40
PID 2804 wrote to memory of 1268	2804	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe	41
PID 2804 wrote to memory of 1268	2804	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe	41
PID 2804 wrote to memory of 1268	2804	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe	41
PID 2804 wrote to memory of 1268	2804	{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe	41
PID 1848 wrote to memory of 2028	1848	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe	42
PID 1848 wrote to memory of 2028	1848	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe	42
PID 1848 wrote to memory of 2028	1848	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe	42
PID 1848 wrote to memory of 2028	1848	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe	42
PID 1848 wrote to memory of 1592	1848	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe	43
PID 1848 wrote to memory of 1592	1848	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe	43
PID 1848 wrote to memory of 1592	1848	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe	43
PID 1848 wrote to memory of 1592	1848	{23E66BCA-4B3E-4317-A890-493394DE543D}.exe	43
PID 2028 wrote to memory of 1000	2028	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe	44
PID 2028 wrote to memory of 1000	2028	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe	44
PID 2028 wrote to memory of 1000	2028	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe	44
PID 2028 wrote to memory of 1000	2028	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe	44
PID 2028 wrote to memory of 1336	2028	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe	45
PID 2028 wrote to memory of 1336	2028	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe	45
PID 2028 wrote to memory of 1336	2028	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe	45
PID 2028 wrote to memory of 1336	2028	{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_adfcd647fdda4ac0dd5ff34eb8fe3505_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe
  C:\Windows\{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe
    C:\Windows\{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe
      C:\Windows\{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe
        
        C:\Windows\{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe
        
        C:\Windows\{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\{23E66BCA-4B3E-4317-A890-493394DE543D}.exe
        
        C:\Windows\{23E66BCA-4B3E-4317-A890-493394DE543D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe
        
        C:\Windows\{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{DB0BC7B9-4BD9-4717-B9B8-0D6B73DBEC5E}.exe
        
        C:\Windows\{DB0BC7B9-4BD9-4717-B9B8-0D6B73DBEC5E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
        
        C:\Windows\{87C3AB83-5B29-4cd2-8D40-8BDC733A646B}.exe
        
        C:\Windows\{87C3AB83-5B29-4cd2-8D40-8BDC733A646B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\{73DDB4C4-AAAF-4dec-9EFA-8444C66CCE33}.exe
        
        C:\Windows\{73DDB4C4-AAAF-4dec-9EFA-8444C66CCE33}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\{277B2947-035D-46ed-B804-C2C687A748B7}.exe
        
        C:\Windows\{277B2947-035D-46ed-B804-C2C687A748B7}.exe
        12⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73DDB~1.EXE > nul
        12⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87C3A~1.EXE > nul
        11⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB0BC~1.EXE > nul
        10⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9A3D~1.EXE > nul
        9⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23E66~1.EXE > nul
        8⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B8AD~1.EXE > nul
        7⤵
        
        PID:1268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBB9B~1.EXE > nul
        6⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C927B~1.EXE > nul
        5⤵
        
        PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DD60F~1.EXE > nul
      4⤵
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{33FA0~1.EXE > nul
    3⤵
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23E66BCA-4B3E-4317-A890-493394DE543D}.exe

Filesize
408KB

MD5
aeae79fa66cbfa1eaae5d318021deade

SHA1
247ddf1ba77f1998bdbef98fd38e27e18ba93d0f

SHA256
380ccc9066d3eb6d82ea6dfef5472d05b54540be7d83e0475a31e48223fd2bc5

SHA512
5b5ccdb898fc326d20578c2265491c4e3f6da189634a2a6bbee3b10caac468dc70c9be7e798bad19cef9f40016e4c25d767371d300a4d8e8fed69a8c5acccde9

Download Submit
C:\Windows\{277B2947-035D-46ed-B804-C2C687A748B7}.exe

Filesize
408KB

MD5
fa716dce0a9d129acf6f3c83fac72a28

SHA1
89a2a381d01b01c105d30d5ebf56c550ff077ae2

SHA256
f2c2bb3fc99d7b61ed2a487ec3b8c1acf845863fb1530041f21141a03fd2b8fd

SHA512
de19a8c59c452bbc4070fd35e82908daedaade5eb0ecd3316c11948db7bb8708fd942c5eaa015c3bcf26c4da4f3735c999bf7897a9725b0947edf6126a4a4c47

Download Submit
C:\Windows\{33FA081F-143E-45d4-9612-0BD6BDD11FE0}.exe

Filesize
408KB

MD5
bbdae82599ad66d085de156ef1b6f8d4

SHA1
76cecf35f5f4f274ae8a534aa51d3316f9f46def

SHA256
1b84960528981ed327608087a31a529ea4a472e405ee4c6b21a7c193a26b588e

SHA512
380a70253349914e6103ec227c0e688857a0d515a51fcba51a9c2ed0fe2fa088ed8208a5b59179e9bf6a00d6f7fc2d26ebe5a24c6eeec187fe4566b4adc2d383

Download Submit
C:\Windows\{73DDB4C4-AAAF-4dec-9EFA-8444C66CCE33}.exe

Filesize
408KB

MD5
2b43c714db57f85c99c21fab0ea6b8e9

SHA1
10a715b72aad0681c13bd00fb7bbf3bf78d30812

SHA256
ef5e60e7656ea3e9e0ce09136c1056e8499c5dc1eaf80d23fc96d9ac694d5265

SHA512
51ca64c6f4324c7ce98cd7f56e75c22106b74a7532147475320c1096d3b7272aee72c9638ff8e417ba4ef07d4077e19baf87143594bc563b7efb81a96d3cce35

Download Submit
C:\Windows\{87C3AB83-5B29-4cd2-8D40-8BDC733A646B}.exe

Filesize
408KB

MD5
da620df96c672925d90b3a35347436eb

SHA1
bdf636602662f2bf9854c54ddfcf07912bd23a56

SHA256
df107469f8323257e9781e0cd625d5b9a83b87e5b1eed01e88c5cddc93a76bee

SHA512
e897b963e8ca80e91a32a3a9768620f0f7d18ad8ea66c7c2c9c140d151d11dd4e02053b2f1bfe42964c1c662bc4cbdfdfbeac4e4f8c7f92a6aed2843e170be99

Download Submit
C:\Windows\{9B8ADAB8-7C55-40c7-8E9C-E311530E12E3}.exe

Filesize
408KB

MD5
e22c38727077919c2f6cbea6d9fdf0b9

SHA1
f11ea81dbc2552d75f41a2742f63ca2214b7dc66

SHA256
eb15812c66c22cb30d659021fa021ec6f9c949091b66461b7b3986f968dd19e9

SHA512
26b0d16404ce340e53e7705737e019a7df7c93b1e3457868b65f10accccb98e834386886317c602ae288d339c380caf4625541be74256aa05668337cb6ee166c

Download Submit
C:\Windows\{C927BC9F-7477-49c8-A0CF-6DAA4CAEE924}.exe

Filesize
408KB

MD5
789b7f066b334b58df9f76673c274af2

SHA1
8fec5dd19982753f9ab23762bfcee1271f5a69ea

SHA256
f7c4da5005abe79ba6c4ca2ebebe966d7962a6eeea68a8a22623704647c795d2

SHA512
27f8e860df95ac58902ef8b7cc146e0c521e23c691af4d6ed87ccc3a2259ba3a6616a37a81aa13568d85e29d360a6439db7f81ac158965a4a2f88cbdbbb0b6ff

Download Submit
C:\Windows\{DB0BC7B9-4BD9-4717-B9B8-0D6B73DBEC5E}.exe

Filesize
408KB

MD5
b724e7cc880e46e0237dc817fbc605b9

SHA1
78f2da2eede0507794599fa700727793a37d602c

SHA256
554f93a304bdc2d85b30a6b7bce761f6b891c966a6992d21714a48ddd63eb170

SHA512
5f2a17a7dc36bad35dfcad8267f9f0aa602e045a4644e35ca8b878370dc538cc9cbffa846a63bc3430f0d2c44b6920d47b55cf56aa8c254226380fab91f82255

Download Submit
C:\Windows\{DBB9B80D-FC3B-4c64-AA50-8304F1C162DD}.exe

Filesize
408KB

MD5
5b703ac25a33e52c0c196f8a5ab57f02

SHA1
31760939ba34b13c7a3439ae9006a3ba77daa72e

SHA256
4b18ab2f111cf1e6ef5f5318059c659016984177ee1f51f7cbaa9dc7154c7141

SHA512
7230bf690ef03c36d97066c0763801738d8bdc2121c20239634b5da8ff03a43d7a5073a09301df28ebe191dfa8e31e7bb6eef57f3366d64c27bd055771ceec8d

Download Submit
C:\Windows\{DD60FA7A-749C-4f0e-B794-624DD86C1BAF}.exe

Filesize
408KB

MD5
9c423229bd7a863f40d3f71ef01e3207

SHA1
b2608c1bd517d0f1e48cfa16223e2923a5e0d1ff

SHA256
00da2a84a172f8ff57221f2a0b281fa684393510685997f56744dc2e1ea3c42f

SHA512
311087551a84bdbc61da2aaf86009a0dd88c9c234ef959eec301aeeabb45e96a5eef8cad47055a0e17aa9c7ccda376be51413dd94597d65cdd43795d750403b2

Download Submit
C:\Windows\{E9A3D8D5-ACDE-4884-A910-145BDAD4532E}.exe

Filesize
408KB

MD5
a279b732cf20a9964531b9ecbc62628f

SHA1
5c9ba70cda58cd3995cdc678985c1688118e049c

SHA256
e048cfe70cd5703aa58ca3956f03de25ccc60bd6d848510db9fdc585b9c207dc

SHA512
bdf9ae99517e2b6307af605bceebad915908ecdd5950a07c801cc1f47978d61ef247b69e8044ff0140f56a9eca128a32d41818d229b332c76d9889256ffd03b0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads