fbff0538e269160091e723f0fcd080efc71435b443c775585d8e6aca9a3280c1

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe
Size

216KB
MD5

73809c92ced956e3951db1d789db4afe
SHA1

1bcc10c25b3f91a3584427fe6cce10dc939df888
SHA256

fbff0538e269160091e723f0fcd080efc71435b443c775585d8e6aca9a3280c1
SHA512

e2c2d2a306f0bdec4f3a2374dbaef9c50e55e4ceb8d8bb1150a19cb0782fa36c26d003528866658d045a7c47dc82c57b6cac0f89fcf58907269d294a9ef40e93
SSDEEP

3072:jEGh0ovl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGZlEeKcAEcGy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000014400-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0055000000014651-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000a000000014400-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00560000000146dc-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000b000000014400-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c000000014400-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d000000014400-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE58F891-7A27-450f-8FAA-4A1DD3A4CA15}	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21057384-F77E-4962-9412-6D5AE6219E1C}\stubpath = "C:\\Windows\\{21057384-F77E-4962-9412-6D5AE6219E1C}.exe"	{969F724C-4A6F-4207-A44D-21DF5AEA3BC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{889141D2-B102-4dc0-9426-11C604BD4D62}	{A76C2506-0832-43fb-8374-806371E68AA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{889141D2-B102-4dc0-9426-11C604BD4D62}\stubpath = "C:\\Windows\\{889141D2-B102-4dc0-9426-11C604BD4D62}.exe"	{A76C2506-0832-43fb-8374-806371E68AA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C740AA14-66C6-46a2-8475-8E5742280F4E}\stubpath = "C:\\Windows\\{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe"	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1DE61B5-84B9-4e11-9155-9B652E65554F}\stubpath = "C:\\Windows\\{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe"	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}\stubpath = "C:\\Windows\\{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe"	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B94F040-534A-4ce4-A220-045DA78CF7FC}\stubpath = "C:\\Windows\\{9B94F040-534A-4ce4-A220-045DA78CF7FC}.exe"	{21057384-F77E-4962-9412-6D5AE6219E1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A76C2506-0832-43fb-8374-806371E68AA5}\stubpath = "C:\\Windows\\{A76C2506-0832-43fb-8374-806371E68AA5}.exe"	2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C740AA14-66C6-46a2-8475-8E5742280F4E}	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7A96761-EF1F-409a-AB53-A9B3450D1B56}	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A76C2506-0832-43fb-8374-806371E68AA5}	2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}\stubpath = "C:\\Windows\\{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe"	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{969F724C-4A6F-4207-A44D-21DF5AEA3BC9}	{CE58F891-7A27-450f-8FAA-4A1DD3A4CA15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE58F891-7A27-450f-8FAA-4A1DD3A4CA15}\stubpath = "C:\\Windows\\{CE58F891-7A27-450f-8FAA-4A1DD3A4CA15}.exe"	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{969F724C-4A6F-4207-A44D-21DF5AEA3BC9}\stubpath = "C:\\Windows\\{969F724C-4A6F-4207-A44D-21DF5AEA3BC9}.exe"	{CE58F891-7A27-450f-8FAA-4A1DD3A4CA15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21057384-F77E-4962-9412-6D5AE6219E1C}	{969F724C-4A6F-4207-A44D-21DF5AEA3BC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B94F040-534A-4ce4-A220-045DA78CF7FC}	{21057384-F77E-4962-9412-6D5AE6219E1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7A96761-EF1F-409a-AB53-A9B3450D1B56}\stubpath = "C:\\Windows\\{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe"	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E1DE61B5-84B9-4e11-9155-9B652E65554F}	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe

Deletes itself 1 IoCs

pid	Process
2148	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1512	{A76C2506-0832-43fb-8374-806371E68AA5}.exe
2928	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe
2844	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe
3032	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe
2984	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe
1664	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe
1944	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe
1644	{CE58F891-7A27-450f-8FAA-4A1DD3A4CA15}.exe
1336	{969F724C-4A6F-4207-A44D-21DF5AEA3BC9}.exe
1684	{21057384-F77E-4962-9412-6D5AE6219E1C}.exe
584	{9B94F040-534A-4ce4-A220-045DA78CF7FC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{969F724C-4A6F-4207-A44D-21DF5AEA3BC9}.exe	{CE58F891-7A27-450f-8FAA-4A1DD3A4CA15}.exe
File created	C:\Windows\{A76C2506-0832-43fb-8374-806371E68AA5}.exe	2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe
File created	C:\Windows\{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe
File created	C:\Windows\{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe
File created	C:\Windows\{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe
File created	C:\Windows\{21057384-F77E-4962-9412-6D5AE6219E1C}.exe	{969F724C-4A6F-4207-A44D-21DF5AEA3BC9}.exe
File created	C:\Windows\{9B94F040-534A-4ce4-A220-045DA78CF7FC}.exe	{21057384-F77E-4962-9412-6D5AE6219E1C}.exe
File created	C:\Windows\{889141D2-B102-4dc0-9426-11C604BD4D62}.exe	{A76C2506-0832-43fb-8374-806371E68AA5}.exe
File created	C:\Windows\{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe
File created	C:\Windows\{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe
File created	C:\Windows\{CE58F891-7A27-450f-8FAA-4A1DD3A4CA15}.exe	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1512	{A76C2506-0832-43fb-8374-806371E68AA5}.exe
Token: SeIncBasePriorityPrivilege	2928	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe
Token: SeIncBasePriorityPrivilege	2844	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe
Token: SeIncBasePriorityPrivilege	3032	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe
Token: SeIncBasePriorityPrivilege	2984	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe
Token: SeIncBasePriorityPrivilege	1664	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe
Token: SeIncBasePriorityPrivilege	1944	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe
Token: SeIncBasePriorityPrivilege	1644	{CE58F891-7A27-450f-8FAA-4A1DD3A4CA15}.exe
Token: SeIncBasePriorityPrivilege	1336	{969F724C-4A6F-4207-A44D-21DF5AEA3BC9}.exe
Token: SeIncBasePriorityPrivilege	1684	{21057384-F77E-4962-9412-6D5AE6219E1C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1512	2972	2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe	28
PID 2972 wrote to memory of 1512	2972	2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe	28
PID 2972 wrote to memory of 1512	2972	2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe	28
PID 2972 wrote to memory of 1512	2972	2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe	28
PID 2972 wrote to memory of 2148	2972	2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe	29
PID 2972 wrote to memory of 2148	2972	2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe	29
PID 2972 wrote to memory of 2148	2972	2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe	29
PID 2972 wrote to memory of 2148	2972	2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe	29
PID 1512 wrote to memory of 2928	1512	{A76C2506-0832-43fb-8374-806371E68AA5}.exe	30
PID 1512 wrote to memory of 2928	1512	{A76C2506-0832-43fb-8374-806371E68AA5}.exe	30
PID 1512 wrote to memory of 2928	1512	{A76C2506-0832-43fb-8374-806371E68AA5}.exe	30
PID 1512 wrote to memory of 2928	1512	{A76C2506-0832-43fb-8374-806371E68AA5}.exe	30
PID 1512 wrote to memory of 2800	1512	{A76C2506-0832-43fb-8374-806371E68AA5}.exe	31
PID 1512 wrote to memory of 2800	1512	{A76C2506-0832-43fb-8374-806371E68AA5}.exe	31
PID 1512 wrote to memory of 2800	1512	{A76C2506-0832-43fb-8374-806371E68AA5}.exe	31
PID 1512 wrote to memory of 2800	1512	{A76C2506-0832-43fb-8374-806371E68AA5}.exe	31
PID 2928 wrote to memory of 2844	2928	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe	32
PID 2928 wrote to memory of 2844	2928	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe	32
PID 2928 wrote to memory of 2844	2928	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe	32
PID 2928 wrote to memory of 2844	2928	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe	32
PID 2928 wrote to memory of 1096	2928	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe	33
PID 2928 wrote to memory of 1096	2928	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe	33
PID 2928 wrote to memory of 1096	2928	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe	33
PID 2928 wrote to memory of 1096	2928	{889141D2-B102-4dc0-9426-11C604BD4D62}.exe	33
PID 2844 wrote to memory of 3032	2844	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe	36
PID 2844 wrote to memory of 3032	2844	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe	36
PID 2844 wrote to memory of 3032	2844	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe	36
PID 2844 wrote to memory of 3032	2844	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe	36
PID 2844 wrote to memory of 1084	2844	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe	37
PID 2844 wrote to memory of 1084	2844	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe	37
PID 2844 wrote to memory of 1084	2844	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe	37
PID 2844 wrote to memory of 1084	2844	{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe	37
PID 3032 wrote to memory of 2984	3032	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe	38
PID 3032 wrote to memory of 2984	3032	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe	38
PID 3032 wrote to memory of 2984	3032	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe	38
PID 3032 wrote to memory of 2984	3032	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe	38
PID 3032 wrote to memory of 2100	3032	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe	39
PID 3032 wrote to memory of 2100	3032	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe	39
PID 3032 wrote to memory of 2100	3032	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe	39
PID 3032 wrote to memory of 2100	3032	{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe	39
PID 2984 wrote to memory of 1664	2984	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe	40
PID 2984 wrote to memory of 1664	2984	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe	40
PID 2984 wrote to memory of 1664	2984	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe	40
PID 2984 wrote to memory of 1664	2984	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe	40
PID 2984 wrote to memory of 2012	2984	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe	41
PID 2984 wrote to memory of 2012	2984	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe	41
PID 2984 wrote to memory of 2012	2984	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe	41
PID 2984 wrote to memory of 2012	2984	{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe	41
PID 1664 wrote to memory of 1944	1664	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe	42
PID 1664 wrote to memory of 1944	1664	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe	42
PID 1664 wrote to memory of 1944	1664	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe	42
PID 1664 wrote to memory of 1944	1664	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe	42
PID 1664 wrote to memory of 1736	1664	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe	43
PID 1664 wrote to memory of 1736	1664	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe	43
PID 1664 wrote to memory of 1736	1664	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe	43
PID 1664 wrote to memory of 1736	1664	{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe	43
PID 1944 wrote to memory of 1644	1944	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe	44
PID 1944 wrote to memory of 1644	1944	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe	44
PID 1944 wrote to memory of 1644	1944	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe	44
PID 1944 wrote to memory of 1644	1944	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe	44
PID 1944 wrote to memory of 1576	1944	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe	45
PID 1944 wrote to memory of 1576	1944	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe	45
PID 1944 wrote to memory of 1576	1944	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe	45
PID 1944 wrote to memory of 1576	1944	{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_73809c92ced956e3951db1d789db4afe_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\{A76C2506-0832-43fb-8374-806371E68AA5}.exe
  C:\Windows\{A76C2506-0832-43fb-8374-806371E68AA5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\{889141D2-B102-4dc0-9426-11C604BD4D62}.exe
    C:\Windows\{889141D2-B102-4dc0-9426-11C604BD4D62}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe
      C:\Windows\{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe
        
        C:\Windows\{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe
        
        C:\Windows\{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe
        
        C:\Windows\{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe
        
        C:\Windows\{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\{CE58F891-7A27-450f-8FAA-4A1DD3A4CA15}.exe
        
        C:\Windows\{CE58F891-7A27-450f-8FAA-4A1DD3A4CA15}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\{969F724C-4A6F-4207-A44D-21DF5AEA3BC9}.exe
        
        C:\Windows\{969F724C-4A6F-4207-A44D-21DF5AEA3BC9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\{21057384-F77E-4962-9412-6D5AE6219E1C}.exe
        
        C:\Windows\{21057384-F77E-4962-9412-6D5AE6219E1C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\{9B94F040-534A-4ce4-A220-045DA78CF7FC}.exe
        
        C:\Windows\{9B94F040-534A-4ce4-A220-045DA78CF7FC}.exe
        12⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21057~1.EXE > nul
        12⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{969F7~1.EXE > nul
        11⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE58F~1.EXE > nul
        10⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92CB9~1.EXE > nul
        9⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AC45~1.EXE > nul
        8⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1DE6~1.EXE > nul
        7⤵
        
        PID:2012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7A96~1.EXE > nul
        6⤵
        
        PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C740A~1.EXE > nul
        5⤵
        
        PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{88914~1.EXE > nul
      4⤵
      PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A76C2~1.EXE > nul
    3⤵
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AC459BC-F5D6-42d7-BD81-FCC0BA1A6D4C}.exe

Filesize
216KB

MD5
1233fb9cf1ece5e88c0964bbf7efdfcf

SHA1
b61fd525b6e8d76847a51f097aa26fc707fa3625

SHA256
0074fa29f5ef415251f3372e2a2571959ceae72784fac848e1ae9527a6b217c1

SHA512
b4462adef2d7c3854ece34dd6a6e0925cbc3a2682affa6be63a9a37bbac5786412350bac539793efb3679ebcfdbd19046fc7d9f15ac1b12b3532f291830741be

Download Submit
C:\Windows\{21057384-F77E-4962-9412-6D5AE6219E1C}.exe

Filesize
216KB

MD5
4add2a0edcb52ef27dd0b87c5a46e998

SHA1
7db0e4b55b22ccf844ad35ca1ff8252c286ea119

SHA256
92dc07f4541192d8d9260c4e4c15dad5559e27f5d32e56f9040e660861956829

SHA512
18996e3205bf89fb042dc91919e62dafd795e9abaf79cf176b53f05418ff0c20426e2f0c6ce1f0f9f6efb4ab833744d46d9212f35efef341fd29cc8192a926ff

Download Submit
C:\Windows\{889141D2-B102-4dc0-9426-11C604BD4D62}.exe

Filesize
216KB

MD5
1da087d561c210555918daecd0d1fbb1

SHA1
4989c7fae550379b45a1b707030ff8ffa18a8410

SHA256
f4067fbae4e033e6424a51358eced4b9dcbeea8edd3e460ae442e5dce0729d37

SHA512
8dde4e7e8782e12b7dfccc1576e4b994f8bee535c6d4a447a9699d15863bf3869006c6d4864f758f488fd782103e268210a5a91d6d66784bc3173b60835f4cd5

Download Submit
C:\Windows\{92CB9D89-A3CF-4fa5-A772-CC1CF88F74AA}.exe

Filesize
216KB

MD5
883f83bc1bb5a1658c5623d836beeb0e

SHA1
200726193cfaa1335fca2b2f2ee741f9fecab65e

SHA256
a3be16fd3d3e057ca985ef0773f21ba22580479cd67ffd1c2822b9ded58b44b7

SHA512
05159d792dd246bb8dc340b4cbc6bfe6ce387ecfb29eb789c1720cd621faa8380e886e292f9663fcf6c8f3fd313e6d3d2705d0a87f5ed9f0ce404f73aa54e59c

Download Submit
C:\Windows\{969F724C-4A6F-4207-A44D-21DF5AEA3BC9}.exe

Filesize
216KB

MD5
8db39c3b764f80bad5b406753d230fec

SHA1
cc59a88f83c8de81365bca91e3d85d1f2c6e5578

SHA256
e3425aa3a572b7b7ea8b245c634cf48eea0daaf9fa79a20faea336f5d8062643

SHA512
4a08ea45023a7fbcb4465375de4f179d75d03c02baeee9d738d88ece96c90b79b48a7f1ab35bd099b8bfc4cb911285feafbf526e3c17f9c1777ad0e02f4b0772

Download Submit
C:\Windows\{9B94F040-534A-4ce4-A220-045DA78CF7FC}.exe

Filesize
216KB

MD5
efbdc068a74aa7e30feaecb1bd56204c

SHA1
c38296ae4aaa8b9adcf332a8b35d0d0873909756

SHA256
55d1e1d6534141f3ad98bc05f7d5a5002893e64e0d4e90ef99c84543201bc2c3

SHA512
5946827a1a6b5c1bd2557c1bd8e684de42a774d7ac235213252b182ccec7d07451a247ee5acb1b51ec431dea01c58d690e05b1dc3b8aef8bacbc3b74a79bfb6e

Download Submit
C:\Windows\{A76C2506-0832-43fb-8374-806371E68AA5}.exe

Filesize
216KB

MD5
19c12ade6ab396b6bb6aa91d86c8f8e9

SHA1
ad0f7b170dec7db0e258f0956a1ea8f1d3f5b9fa

SHA256
0a9354b61e98d945d049f2c82ac8c826e3af1e10bcf32a667a9d4f387b6570e0

SHA512
2f25e69a5d38e4844e4e1b6c1e79e18b8cd98dc79ab77addfc10ccfc052732c9ae4e7519fb3a5302f75e98c7674770e207fe8ee81820ff8ae11f7f1606283ecf

Download Submit
C:\Windows\{C740AA14-66C6-46a2-8475-8E5742280F4E}.exe

Filesize
216KB

MD5
092e2f68aa8996fbb45dc8c10c768dd3

SHA1
30fcccc067d3998ff68096fd73deb0c0ba01fb70

SHA256
5d123d22926f8f0b2031b47ca0f3553924dfaf12689d7ffe5e8ec98ce868084a

SHA512
20c233f344b4b17f3262ab34ee37a61258583da93ecfd6621fa52e05f85e3fc8b1ba95b73cd0dd27b0b08540d2d9bd689816ef841e42e5917a1e913efa4ecf71

Download Submit
C:\Windows\{CE58F891-7A27-450f-8FAA-4A1DD3A4CA15}.exe

Filesize
216KB

MD5
7172a34761c7a596e9e4a5434eecb422

SHA1
30a286926c053e9e7016eaba274c117c8e02b1b2

SHA256
97961ad072dfc59078b65e625275ee91ace88bccd38e9d9b6be0cd88f29def92

SHA512
800aac51e7ab2847f37d4f0b597719d8d54bfbb39cf7c0517307cc12b7d0918a55598ec07c1f2a067a9877d3d343fdeae4172f0b5c37fa587d44a9c77a380d98

Download Submit
C:\Windows\{E1DE61B5-84B9-4e11-9155-9B652E65554F}.exe

Filesize
216KB

MD5
00aa00b73ffa515b6d2efedea372347b

SHA1
d01968caf35eef2632982bcde8474e2a46f8c429

SHA256
fc42ec791e74c26245ea460e6a31ff6cccd8cd11e0bee61a0fb05a8b6e128157

SHA512
5a2f474f14bb376813248499accb9d0202054661d5ddfb71b0f85b19d28a5e1b65ac72a3123ede225e450cb8f1207ce028119ce4d89b9ce74672ee4429bd099f

Download Submit
C:\Windows\{E7A96761-EF1F-409a-AB53-A9B3450D1B56}.exe

Filesize
216KB

MD5
bf14444ae958c97c1997c0a5e0efd4b9

SHA1
be874e59e24e8c5f848b0f06b3549cc4bc657f87

SHA256
6e1b3d2284d9d6cb034c300e438b63eac3aca80ceeefb2512933874be59b4035

SHA512
425969d63f9736d31f1a4d0761b30e831e4b1d27ffdc3a0e58c799ef94dadd4dae2075805f9fd82ad6bf7a75af0a0cc43885bcc9c726197ccd9c3997c14ceb36

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads