555b949a1fbf6d18675ca04322bab6263db004012241c5f737f5eed8368d4591

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 10:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe
Size

216KB
MD5

0b7bf98d54d3f7dcd707f49ec0cbd1bf
SHA1

ae9ef191593d70e46d39894959ee57560c1bac4b
SHA256

555b949a1fbf6d18675ca04322bab6263db004012241c5f737f5eed8368d4591
SHA512

0563a95bc87f2b2a0e510a54b17523b92c6a17a324705fcf12e68c473a3286df45a082e1342051dee18335ac4321216454a06401d1d14850cbc8c3a46393143d
SSDEEP

3072:jEGh0o2l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGolEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012280-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000016581-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000012280-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000016835-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016c6f-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000016835-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0009000000016c6f-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000016c78-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000016c6f-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0008000000016c78-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{432EA898-A7F9-4aae-88E0-048B790705ED}\stubpath = "C:\\Windows\\{432EA898-A7F9-4aae-88E0-048B790705ED}.exe"	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B67663D7-9FE7-479f-9F64-5E2405F9446E}\stubpath = "C:\\Windows\\{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe"	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44A420FA-8E55-4665-8EE1-3708AB87783F}\stubpath = "C:\\Windows\\{44A420FA-8E55-4665-8EE1-3708AB87783F}.exe"	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7956CF55-E257-4bab-A4A8-D9DAAD9A6079}	{8D7B079F-DC08-44a9-9711-B9A789D1C593}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FF16BB8-54E5-4bfb-A876-B65F05A4C49D}	{7956CF55-E257-4bab-A4A8-D9DAAD9A6079}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B100AAB8-114B-49b1-AC68-A289FD4697B8}	2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B79C73B3-8149-4981-A81D-2065F58E575A}	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}\stubpath = "C:\\Windows\\{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe"	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E14C591-9E7E-430f-A7BF-2A3694B645B4}	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E14C591-9E7E-430f-A7BF-2A3694B645B4}\stubpath = "C:\\Windows\\{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe"	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC295472-CE36-419a-8E40-2D982B7B73F7}	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC295472-CE36-419a-8E40-2D982B7B73F7}\stubpath = "C:\\Windows\\{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe"	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D7B079F-DC08-44a9-9711-B9A789D1C593}\stubpath = "C:\\Windows\\{8D7B079F-DC08-44a9-9711-B9A789D1C593}.exe"	{44A420FA-8E55-4665-8EE1-3708AB87783F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B100AAB8-114B-49b1-AC68-A289FD4697B8}\stubpath = "C:\\Windows\\{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe"	2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B79C73B3-8149-4981-A81D-2065F58E575A}\stubpath = "C:\\Windows\\{B79C73B3-8149-4981-A81D-2065F58E575A}.exe"	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FF16BB8-54E5-4bfb-A876-B65F05A4C49D}\stubpath = "C:\\Windows\\{7FF16BB8-54E5-4bfb-A876-B65F05A4C49D}.exe"	{7956CF55-E257-4bab-A4A8-D9DAAD9A6079}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B67663D7-9FE7-479f-9F64-5E2405F9446E}	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D7B079F-DC08-44a9-9711-B9A789D1C593}	{44A420FA-8E55-4665-8EE1-3708AB87783F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7956CF55-E257-4bab-A4A8-D9DAAD9A6079}\stubpath = "C:\\Windows\\{7956CF55-E257-4bab-A4A8-D9DAAD9A6079}.exe"	{8D7B079F-DC08-44a9-9711-B9A789D1C593}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{432EA898-A7F9-4aae-88E0-048B790705ED}	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44A420FA-8E55-4665-8EE1-3708AB87783F}	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe

Deletes itself 1 IoCs

pid	Process
3028	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2276	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe
2556	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe
2648	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe
2148	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe
2488	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe
1504	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe
1696	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe
1020	{44A420FA-8E55-4665-8EE1-3708AB87783F}.exe
1304	{8D7B079F-DC08-44a9-9711-B9A789D1C593}.exe
2184	{7956CF55-E257-4bab-A4A8-D9DAAD9A6079}.exe
2280	{7FF16BB8-54E5-4bfb-A876-B65F05A4C49D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{44A420FA-8E55-4665-8EE1-3708AB87783F}.exe	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe
File created	C:\Windows\{7956CF55-E257-4bab-A4A8-D9DAAD9A6079}.exe	{8D7B079F-DC08-44a9-9711-B9A789D1C593}.exe
File created	C:\Windows\{7FF16BB8-54E5-4bfb-A876-B65F05A4C49D}.exe	{7956CF55-E257-4bab-A4A8-D9DAAD9A6079}.exe
File created	C:\Windows\{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe	2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe
File created	C:\Windows\{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe
File created	C:\Windows\{432EA898-A7F9-4aae-88E0-048B790705ED}.exe	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe
File created	C:\Windows\{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe
File created	C:\Windows\{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe
File created	C:\Windows\{B79C73B3-8149-4981-A81D-2065F58E575A}.exe	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe
File created	C:\Windows\{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe
File created	C:\Windows\{8D7B079F-DC08-44a9-9711-B9A789D1C593}.exe	{44A420FA-8E55-4665-8EE1-3708AB87783F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2400	2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2276	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe
Token: SeIncBasePriorityPrivilege	2556	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe
Token: SeIncBasePriorityPrivilege	2648	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe
Token: SeIncBasePriorityPrivilege	2148	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe
Token: SeIncBasePriorityPrivilege	2488	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe
Token: SeIncBasePriorityPrivilege	1504	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe
Token: SeIncBasePriorityPrivilege	1696	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe
Token: SeIncBasePriorityPrivilege	1020	{44A420FA-8E55-4665-8EE1-3708AB87783F}.exe
Token: SeIncBasePriorityPrivilege	1304	{8D7B079F-DC08-44a9-9711-B9A789D1C593}.exe
Token: SeIncBasePriorityPrivilege	2184	{7956CF55-E257-4bab-A4A8-D9DAAD9A6079}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2276	2400	2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe	28
PID 2400 wrote to memory of 2276	2400	2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe	28
PID 2400 wrote to memory of 2276	2400	2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe	28
PID 2400 wrote to memory of 2276	2400	2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe	28
PID 2400 wrote to memory of 3028	2400	2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe	29
PID 2400 wrote to memory of 3028	2400	2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe	29
PID 2400 wrote to memory of 3028	2400	2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe	29
PID 2400 wrote to memory of 3028	2400	2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe	29
PID 2276 wrote to memory of 2556	2276	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe	30
PID 2276 wrote to memory of 2556	2276	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe	30
PID 2276 wrote to memory of 2556	2276	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe	30
PID 2276 wrote to memory of 2556	2276	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe	30
PID 2276 wrote to memory of 2312	2276	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe	31
PID 2276 wrote to memory of 2312	2276	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe	31
PID 2276 wrote to memory of 2312	2276	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe	31
PID 2276 wrote to memory of 2312	2276	{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe	31
PID 2556 wrote to memory of 2648	2556	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe	32
PID 2556 wrote to memory of 2648	2556	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe	32
PID 2556 wrote to memory of 2648	2556	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe	32
PID 2556 wrote to memory of 2648	2556	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe	32
PID 2556 wrote to memory of 2628	2556	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe	33
PID 2556 wrote to memory of 2628	2556	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe	33
PID 2556 wrote to memory of 2628	2556	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe	33
PID 2556 wrote to memory of 2628	2556	{B79C73B3-8149-4981-A81D-2065F58E575A}.exe	33
PID 2648 wrote to memory of 2148	2648	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe	36
PID 2648 wrote to memory of 2148	2648	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe	36
PID 2648 wrote to memory of 2148	2648	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe	36
PID 2648 wrote to memory of 2148	2648	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe	36
PID 2648 wrote to memory of 1596	2648	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe	37
PID 2648 wrote to memory of 1596	2648	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe	37
PID 2648 wrote to memory of 1596	2648	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe	37
PID 2648 wrote to memory of 1596	2648	{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe	37
PID 2148 wrote to memory of 2488	2148	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe	38
PID 2148 wrote to memory of 2488	2148	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe	38
PID 2148 wrote to memory of 2488	2148	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe	38
PID 2148 wrote to memory of 2488	2148	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe	38
PID 2148 wrote to memory of 2520	2148	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe	39
PID 2148 wrote to memory of 2520	2148	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe	39
PID 2148 wrote to memory of 2520	2148	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe	39
PID 2148 wrote to memory of 2520	2148	{432EA898-A7F9-4aae-88E0-048B790705ED}.exe	39
PID 2488 wrote to memory of 1504	2488	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe	40
PID 2488 wrote to memory of 1504	2488	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe	40
PID 2488 wrote to memory of 1504	2488	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe	40
PID 2488 wrote to memory of 1504	2488	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe	40
PID 2488 wrote to memory of 1692	2488	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe	41
PID 2488 wrote to memory of 1692	2488	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe	41
PID 2488 wrote to memory of 1692	2488	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe	41
PID 2488 wrote to memory of 1692	2488	{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe	41
PID 1504 wrote to memory of 1696	1504	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe	42
PID 1504 wrote to memory of 1696	1504	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe	42
PID 1504 wrote to memory of 1696	1504	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe	42
PID 1504 wrote to memory of 1696	1504	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe	42
PID 1504 wrote to memory of 784	1504	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe	43
PID 1504 wrote to memory of 784	1504	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe	43
PID 1504 wrote to memory of 784	1504	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe	43
PID 1504 wrote to memory of 784	1504	{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe	43
PID 1696 wrote to memory of 1020	1696	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe	44
PID 1696 wrote to memory of 1020	1696	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe	44
PID 1696 wrote to memory of 1020	1696	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe	44
PID 1696 wrote to memory of 1020	1696	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe	44
PID 1696 wrote to memory of 568	1696	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe	45
PID 1696 wrote to memory of 568	1696	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe	45
PID 1696 wrote to memory of 568	1696	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe	45
PID 1696 wrote to memory of 568	1696	{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_0b7bf98d54d3f7dcd707f49ec0cbd1bf_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe
  C:\Windows\{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\{B79C73B3-8149-4981-A81D-2065F58E575A}.exe
    C:\Windows\{B79C73B3-8149-4981-A81D-2065F58E575A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe
      C:\Windows\{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\{432EA898-A7F9-4aae-88E0-048B790705ED}.exe
        
        C:\Windows\{432EA898-A7F9-4aae-88E0-048B790705ED}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe
        
        C:\Windows\{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe
        
        C:\Windows\{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe
        
        C:\Windows\{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{44A420FA-8E55-4665-8EE1-3708AB87783F}.exe
        
        C:\Windows\{44A420FA-8E55-4665-8EE1-3708AB87783F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\{8D7B079F-DC08-44a9-9711-B9A789D1C593}.exe
        
        C:\Windows\{8D7B079F-DC08-44a9-9711-B9A789D1C593}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\{7956CF55-E257-4bab-A4A8-D9DAAD9A6079}.exe
        
        C:\Windows\{7956CF55-E257-4bab-A4A8-D9DAAD9A6079}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\{7FF16BB8-54E5-4bfb-A876-B65F05A4C49D}.exe
        
        C:\Windows\{7FF16BB8-54E5-4bfb-A876-B65F05A4C49D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7956C~1.EXE > nul
        12⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D7B0~1.EXE > nul
        11⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44A42~1.EXE > nul
        10⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC295~1.EXE > nul
        9⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6766~1.EXE > nul
        8⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E14C~1.EXE > nul
        7⤵
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{432EA~1.EXE > nul
        6⤵
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF65D~1.EXE > nul
        5⤵
        
        PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B79C7~1.EXE > nul
      4⤵
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B100A~1.EXE > nul
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E14C591-9E7E-430f-A7BF-2A3694B645B4}.exe

Filesize
216KB

MD5
c2a8ba6ea54630ffa0e35aff3b361744

SHA1
ce2e38165d866c8c4d4681be15b1c6ca71b71549

SHA256
ad468f779515001181ad9acd9a1633c0e69e2b4539a456f0f028398fe1e9b6be

SHA512
77c17e5f725b45cd5c2fc4429ca8de72e1f28a0305d69084207b3abba4a23daa06f643076ca5e9b959db635b140331c76f024300c7afeadb12d851133feef8ae

Download Submit
C:\Windows\{432EA898-A7F9-4aae-88E0-048B790705ED}.exe

Filesize
216KB

MD5
8df6b77ecf56ae2608a2aaca067cb103

SHA1
42d4654880699a8bba4bac8724062a95207e51a2

SHA256
34b7e5db3d6c093c9c8785534846983856c3c58fd73c70e16191c67f3260e8de

SHA512
d6b279fa9831a669f7a3336ced764a019781803ccc91007ea21bebcd0fe4381947927213330b9f0030fc2e3d95782c6685a9907a8330979c006d4eec5b545996

Download Submit
C:\Windows\{44A420FA-8E55-4665-8EE1-3708AB87783F}.exe

Filesize
216KB

MD5
de2ccf39855858547e6bb48d7b0bf2d3

SHA1
e1132268f03a4e752fe296a94661c93e74c8fad5

SHA256
b9b5b3df87be2e07b79ec725e623b1612bd88398e0c6d758dca902dad77b9282

SHA512
3b9a73d830125654f4afe32b1c0e39ad8ea0d99828c52106cb7454c083e95da7044ddf545ac1067e36551746fe3af35e5a99fad8bdbf123445ad4f074955cd22

Download Submit
C:\Windows\{7956CF55-E257-4bab-A4A8-D9DAAD9A6079}.exe

Filesize
216KB

MD5
85c52d150be230302f32c26f3552f3b6

SHA1
6804289bceb3bcea0a52ec299fdcbcbc0085a20b

SHA256
acef5e85c2ddca2975192abab37054d00b93deefd75fa352a8819c9c952a653e

SHA512
35f8e515c1ca136bcda6c1b89eefa916520785a81cd218cc45719f9f0a41c6947b8e2311a60dc12ce9b21c1107c502b9d75b8139c206ac33feed30d60a864c01

Download Submit
C:\Windows\{7FF16BB8-54E5-4bfb-A876-B65F05A4C49D}.exe

Filesize
216KB

MD5
668204d71dc6eb8701ee25a9965291cb

SHA1
8e2e0644d29fd2a8b1a5df85d85ee25d2b0a3110

SHA256
65a06e9478f871039a181d26012607c4d6895f655fa944840aa208d95aec3b35

SHA512
dee3a2e666ba99e3c226a430fb6c04b1e7be962d9bea9ca78582b807fa5a8f87b0caa1fdfff2ab34f0e6760643ec415096e625de8738cc44ed8f4933524f9563

Download Submit
C:\Windows\{8D7B079F-DC08-44a9-9711-B9A789D1C593}.exe

Filesize
216KB

MD5
6bbd4c4955ae872e7c8a5bb26d1489dd

SHA1
86599efe90fcc840464f5b2c9bccd425b5633018

SHA256
22be1374c64243bb0f36439a2c02fe0b1f447cd48b7a3a5c351a2ac924c997af

SHA512
c3cb10250dbcf8e1fb717e66ee997cfc2e520d6fe2f4688a0b720d3b97987ff4ae959f8c5c5148908a8acdcd09b669ee4a6ad011e5148f3b4e64ee56bcaa97f6

Download Submit
C:\Windows\{B100AAB8-114B-49b1-AC68-A289FD4697B8}.exe

Filesize
216KB

MD5
4635ffb4777883b654a20ed396729a81

SHA1
98f34948d9d94c89d72234901d307db881971692

SHA256
17f943355fa5d49032d2b4d86d251a0464660fd8a24ec81c80af212cbd8a88fb

SHA512
f567cd3c27af2e58851c1fe077f72d51a885f9973dabf9447c20cf487c62db3b1401cf70e4fc0f205e5efc9080c4e9cc2edb2a5802e695ba0352d80d0037ddcb

Download Submit
C:\Windows\{B67663D7-9FE7-479f-9F64-5E2405F9446E}.exe

Filesize
216KB

MD5
070a5094d5a2793a6b917c0424e5f001

SHA1
6bbec30781e3c5337b1d9f6e2674f000c8660053

SHA256
d8cd3b6fdfbbba2da84eef12ee95101c349a666fdffb7999ea484fcb74634311

SHA512
bbd1361f407f53e05a203239ed2078999c4c58777460c505b08b923c1b26582e596e26acd874caed5042a8978b92d8ec0fbaa75ac047ea026e2a41663e5835b7

Download Submit
C:\Windows\{B79C73B3-8149-4981-A81D-2065F58E575A}.exe

Filesize
216KB

MD5
28ff0fd520469e5608368547fc2130e9

SHA1
2a8eb7d988190b1380f764a8aef1fd03a3d5a8af

SHA256
647df63f78293dbc7df59d8b8156406f1c0e4c630271327e5e1cb5fa8fbe5192

SHA512
551e0e87bf25b77503fe6267d9c30b7c3f0ece3c401be534ee6315f5f907b6496b0cfa892ee436ec988b525a0a870e8cd2c5286832e99a1ed8438ac2788df784

Download Submit
C:\Windows\{DF65D68C-9FFD-4ce1-AFC3-D636A5D47836}.exe

Filesize
216KB

MD5
f257a7e98de9fb5ad2cb904e93f1b3fc

SHA1
dfa936c1ac8cf3035ca3b4f44e38fa5404ac90e5

SHA256
a6846ef623292d00eecc4a5a0da5bb2f64a1db3e7e79201789ac6f07b4178939

SHA512
c33a98aa7eac926deb79f1664716b10190b49c77922858465aac5091c9b6ef248b91addd0b20ce21d6221191683ce1a29384be3955c9303b7f4d14a0ee46b803

Download Submit
C:\Windows\{EC295472-CE36-419a-8E40-2D982B7B73F7}.exe

Filesize
216KB

MD5
ca2122f45ea441b94a16b3f3d10e6283

SHA1
a8a5dfccda3a80c6a4ffc072d112b866b86bb374

SHA256
fd78562fc05ab81dae46b654a0f4b3b327007e71040ca849ca8cdde2d89adc13

SHA512
23fbcb6973c3d03008ca205e144c304f82da6268c6f9a57db7b88371dc085cc6ceafda865753a48cb22f0a31e56d5e76dcc5c2e360dc5a7dc786bcf969230268

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads