ac82d9ed35eb5b8d86515b3b02e3523bc79b4907ced33a7ad99f0e5051276929

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
Size

344KB
MD5

be846c3f6acf2fab3192cdc122e35a47
SHA1

74fc9fc49b650a1987babe47a65df7288df1a69e
SHA256

ac82d9ed35eb5b8d86515b3b02e3523bc79b4907ced33a7ad99f0e5051276929
SHA512

61f44853bbd9853de66d2bd0f4b7d36d005d9c44e55bd81c09545126f605123f0f9c57eb065cc22f3db1bb055f74bf56146c8a75ee964d02a142319ace4bc13a
SSDEEP

3072:mEGh0oFlEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGHlqOe2MUVg3v2IneKcAEcA

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012324-4.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0021000000013522-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e000000012324-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x001f00000001386d-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f000000012324-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012324-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012324-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44A0AF0B-4167-45c6-BAF3-F0CAE0246082}\stubpath = "C:\\Windows\\{44A0AF0B-4167-45c6-BAF3-F0CAE0246082}.exe"	{B8A2E638-31E4-4791-8478-45A82445A7FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F7BEE67-3402-4954-A2D9-9A44865055FC}	{44A0AF0B-4167-45c6-BAF3-F0CAE0246082}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F7BEE67-3402-4954-A2D9-9A44865055FC}\stubpath = "C:\\Windows\\{3F7BEE67-3402-4954-A2D9-9A44865055FC}.exe"	{44A0AF0B-4167-45c6-BAF3-F0CAE0246082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2EA28D4-2107-4706-AF36-D235000B0C80}	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2EA28D4-2107-4706-AF36-D235000B0C80}\stubpath = "C:\\Windows\\{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe"	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C11FFD3-F961-4e5a-B617-9373BBA3994A}\stubpath = "C:\\Windows\\{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe"	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB881E4F-E51D-4f1a-947D-76C3868B3E84}\stubpath = "C:\\Windows\\{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe"	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44A0AF0B-4167-45c6-BAF3-F0CAE0246082}	{B8A2E638-31E4-4791-8478-45A82445A7FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35680F61-FF4E-49ca-84B5-70D7B92A9AEA}	{3F7BEE67-3402-4954-A2D9-9A44865055FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35680F61-FF4E-49ca-84B5-70D7B92A9AEA}\stubpath = "C:\\Windows\\{35680F61-FF4E-49ca-84B5-70D7B92A9AEA}.exe"	{3F7BEE67-3402-4954-A2D9-9A44865055FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1287BE72-54FC-4130-B2AD-761D0946AEF9}	2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}\stubpath = "C:\\Windows\\{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe"	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8A2E638-31E4-4791-8478-45A82445A7FE}\stubpath = "C:\\Windows\\{B8A2E638-31E4-4791-8478-45A82445A7FE}.exe"	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B105E8C3-3D6A-448e-937F-F0808AD7018E}	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C11FFD3-F961-4e5a-B617-9373BBA3994A}	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB881E4F-E51D-4f1a-947D-76C3868B3E84}	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8A2E638-31E4-4791-8478-45A82445A7FE}	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1287BE72-54FC-4130-B2AD-761D0946AEF9}\stubpath = "C:\\Windows\\{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe"	2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}\stubpath = "C:\\Windows\\{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe"	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B105E8C3-3D6A-448e-937F-F0808AD7018E}\stubpath = "C:\\Windows\\{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe"	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe

Deletes itself 1 IoCs

pid	Process
1728	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2236	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe
2728	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe
2644	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe
2640	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe
1432	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe
2216	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe
1304	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe
1612	{B8A2E638-31E4-4791-8478-45A82445A7FE}.exe
2616	{44A0AF0B-4167-45c6-BAF3-F0CAE0246082}.exe
2924	{3F7BEE67-3402-4954-A2D9-9A44865055FC}.exe
1136	{35680F61-FF4E-49ca-84B5-70D7B92A9AEA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe
File created	C:\Windows\{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe
File created	C:\Windows\{B8A2E638-31E4-4791-8478-45A82445A7FE}.exe	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe
File created	C:\Windows\{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe
File created	C:\Windows\{44A0AF0B-4167-45c6-BAF3-F0CAE0246082}.exe	{B8A2E638-31E4-4791-8478-45A82445A7FE}.exe
File created	C:\Windows\{3F7BEE67-3402-4954-A2D9-9A44865055FC}.exe	{44A0AF0B-4167-45c6-BAF3-F0CAE0246082}.exe
File created	C:\Windows\{35680F61-FF4E-49ca-84B5-70D7B92A9AEA}.exe	{3F7BEE67-3402-4954-A2D9-9A44865055FC}.exe
File created	C:\Windows\{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe	2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
File created	C:\Windows\{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe
File created	C:\Windows\{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe
File created	C:\Windows\{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1748	2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2236	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe
Token: SeIncBasePriorityPrivilege	2728	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe
Token: SeIncBasePriorityPrivilege	2644	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe
Token: SeIncBasePriorityPrivilege	2640	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe
Token: SeIncBasePriorityPrivilege	1432	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe
Token: SeIncBasePriorityPrivilege	2216	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe
Token: SeIncBasePriorityPrivilege	1304	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe
Token: SeIncBasePriorityPrivilege	1612	{B8A2E638-31E4-4791-8478-45A82445A7FE}.exe
Token: SeIncBasePriorityPrivilege	2616	{44A0AF0B-4167-45c6-BAF3-F0CAE0246082}.exe
Token: SeIncBasePriorityPrivilege	2924	{3F7BEE67-3402-4954-A2D9-9A44865055FC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2236	1748	2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe	28
PID 1748 wrote to memory of 2236	1748	2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe	28
PID 1748 wrote to memory of 2236	1748	2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe	28
PID 1748 wrote to memory of 2236	1748	2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe	28
PID 1748 wrote to memory of 1728	1748	2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe	29
PID 1748 wrote to memory of 1728	1748	2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe	29
PID 1748 wrote to memory of 1728	1748	2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe	29
PID 1748 wrote to memory of 1728	1748	2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe	29
PID 2236 wrote to memory of 2728	2236	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe	30
PID 2236 wrote to memory of 2728	2236	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe	30
PID 2236 wrote to memory of 2728	2236	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe	30
PID 2236 wrote to memory of 2728	2236	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe	30
PID 2236 wrote to memory of 2752	2236	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe	31
PID 2236 wrote to memory of 2752	2236	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe	31
PID 2236 wrote to memory of 2752	2236	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe	31
PID 2236 wrote to memory of 2752	2236	{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe	31
PID 2728 wrote to memory of 2644	2728	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe	32
PID 2728 wrote to memory of 2644	2728	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe	32
PID 2728 wrote to memory of 2644	2728	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe	32
PID 2728 wrote to memory of 2644	2728	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe	32
PID 2728 wrote to memory of 2636	2728	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe	33
PID 2728 wrote to memory of 2636	2728	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe	33
PID 2728 wrote to memory of 2636	2728	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe	33
PID 2728 wrote to memory of 2636	2728	{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe	33
PID 2644 wrote to memory of 2640	2644	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe	36
PID 2644 wrote to memory of 2640	2644	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe	36
PID 2644 wrote to memory of 2640	2644	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe	36
PID 2644 wrote to memory of 2640	2644	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe	36
PID 2644 wrote to memory of 2796	2644	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe	37
PID 2644 wrote to memory of 2796	2644	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe	37
PID 2644 wrote to memory of 2796	2644	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe	37
PID 2644 wrote to memory of 2796	2644	{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe	37
PID 2640 wrote to memory of 1432	2640	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe	38
PID 2640 wrote to memory of 1432	2640	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe	38
PID 2640 wrote to memory of 1432	2640	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe	38
PID 2640 wrote to memory of 1432	2640	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe	38
PID 2640 wrote to memory of 2620	2640	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe	39
PID 2640 wrote to memory of 2620	2640	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe	39
PID 2640 wrote to memory of 2620	2640	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe	39
PID 2640 wrote to memory of 2620	2640	{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe	39
PID 1432 wrote to memory of 2216	1432	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe	40
PID 1432 wrote to memory of 2216	1432	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe	40
PID 1432 wrote to memory of 2216	1432	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe	40
PID 1432 wrote to memory of 2216	1432	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe	40
PID 1432 wrote to memory of 1440	1432	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe	41
PID 1432 wrote to memory of 1440	1432	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe	41
PID 1432 wrote to memory of 1440	1432	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe	41
PID 1432 wrote to memory of 1440	1432	{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe	41
PID 2216 wrote to memory of 1304	2216	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe	42
PID 2216 wrote to memory of 1304	2216	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe	42
PID 2216 wrote to memory of 1304	2216	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe	42
PID 2216 wrote to memory of 1304	2216	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe	42
PID 2216 wrote to memory of 1680	2216	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe	43
PID 2216 wrote to memory of 1680	2216	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe	43
PID 2216 wrote to memory of 1680	2216	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe	43
PID 2216 wrote to memory of 1680	2216	{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe	43
PID 1304 wrote to memory of 1612	1304	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe	44
PID 1304 wrote to memory of 1612	1304	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe	44
PID 1304 wrote to memory of 1612	1304	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe	44
PID 1304 wrote to memory of 1612	1304	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe	44
PID 1304 wrote to memory of 2868	1304	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe	45
PID 1304 wrote to memory of 2868	1304	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe	45
PID 1304 wrote to memory of 2868	1304	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe	45
PID 1304 wrote to memory of 2868	1304	{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_be846c3f6acf2fab3192cdc122e35a47_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe
  C:\Windows\{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe
    C:\Windows\{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe
      C:\Windows\{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe
        
        C:\Windows\{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe
        
        C:\Windows\{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe
        
        C:\Windows\{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe
        
        C:\Windows\{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\{B8A2E638-31E4-4791-8478-45A82445A7FE}.exe
        
        C:\Windows\{B8A2E638-31E4-4791-8478-45A82445A7FE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\{44A0AF0B-4167-45c6-BAF3-F0CAE0246082}.exe
        
        C:\Windows\{44A0AF0B-4167-45c6-BAF3-F0CAE0246082}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\{3F7BEE67-3402-4954-A2D9-9A44865055FC}.exe
        
        C:\Windows\{3F7BEE67-3402-4954-A2D9-9A44865055FC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\{35680F61-FF4E-49ca-84B5-70D7B92A9AEA}.exe
        
        C:\Windows\{35680F61-FF4E-49ca-84B5-70D7B92A9AEA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F7BE~1.EXE > nul
        12⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44A0A~1.EXE > nul
        11⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8A2E~1.EXE > nul
        10⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB881~1.EXE > nul
        9⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C11F~1.EXE > nul
        8⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F89CC~1.EXE > nul
        7⤵
        
        PID:1440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2EA2~1.EXE > nul
        6⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B105E~1.EXE > nul
        5⤵
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7BF10~1.EXE > nul
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1287B~1.EXE > nul
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1287BE72-54FC-4130-B2AD-761D0946AEF9}.exe

Filesize
344KB

MD5
4fd8ecb41a1156e675dffdd7c8e4ef5e

SHA1
f782a362130af763a2cb52a362a1cf8c2896c871

SHA256
61761c63ab6bded77054173b81f4db30c7efedf2d3e5b7672296dc404b6eb6c3

SHA512
38cba39b7ded1a581344dee454509fec5527e48cc4f13c85301e8f9a2876e176eab15ea1658ca95d30a11b0c5b81a5dbd9f44b6ed06ea9545054a20e102747d1

Download Submit
C:\Windows\{2C11FFD3-F961-4e5a-B617-9373BBA3994A}.exe

Filesize
344KB

MD5
a56e80cade3e20d28fa25b3525b85904

SHA1
f9b54117ef920f57902868fb8d5e411bed117736

SHA256
d90cfb3ef6a628e196db1beed8e015fac5696807f25fec37c55bf7e36b03eecf

SHA512
10b983ba8c187e166af50489258e79633ae73735da6925770be2e8e090a1b92d7e89a2833a53059aeb878be167b0b1e547c5b38363cc3ecec4227cd598d62237

Download Submit
C:\Windows\{35680F61-FF4E-49ca-84B5-70D7B92A9AEA}.exe

Filesize
344KB

MD5
1d1b4b9f72cf27a51a9e84d3a0e7914a

SHA1
430f58d17fe441218073bef18999c00617757fdb

SHA256
202902c033164f0f722a6cff139a0e3a94c820f363473d77d28af0cc26256353

SHA512
34974cdf5560ea72b3ad48296d3284e13ad228613fe7819fc68f4f82e1c26bf51da1e5e4bfb650ce5347c2ed68f1a3289547daed4411873dde3f5b5ec2c8cd2c

Download Submit
C:\Windows\{3F7BEE67-3402-4954-A2D9-9A44865055FC}.exe

Filesize
344KB

MD5
6fc53a54617b5931d74d634b8e77035f

SHA1
935aca9aa90ac50a30b1a95517aad362d83b7e39

SHA256
f397cd8692ad87fd30d8befc2cbdc20d615541bc4d14f46745f22627ecefeb17

SHA512
00a040b9d3ddc64af97ee74afaa9ef4b127991fd83cd35fa9fe859b567cd08d0f14d827f02ee8c89f8812d3d5866d8b75f093fa0cd67a14ef4e5b195dc5ce467

Download Submit
C:\Windows\{44A0AF0B-4167-45c6-BAF3-F0CAE0246082}.exe

Filesize
344KB

MD5
99faadda20b364b39429ec2f7e283db2

SHA1
45900bc4f93a2159e6ff2483e77e0a02235c3efc

SHA256
3f8a0e5973b89651df6620a73183166dea1d69f2f0f15cf37b90bb0484ce14fe

SHA512
ffec555da04792010f3cc62bc3f5359facb628ebd0591a80ba7e2ed3071fc0e01dcfe2015bb9055673868b15a5c0647d9be7aa21d25ed8c6c3c2ad8887c3a0f3

Download Submit
C:\Windows\{7BF1049B-CFE0-47c8-A876-BFB81BC2BBF2}.exe

Filesize
344KB

MD5
ea0210505ddcf6289af6ba4b31d8da80

SHA1
4662cf581ae55d6e497b9f1e72a425be6b160407

SHA256
a0f8f2f3ce645d0807c2c42ffd90c6f42ff7e265aa7b10e8e018f27c2fa58566

SHA512
51959542d019204a1678ac8d286269d0c5e728b1a57f35903a5f3213ac08d9f27708b06796d6cec146b76c962c73edc44368c3bcec0e144f2c58740a6e0f33be

Download Submit
C:\Windows\{B105E8C3-3D6A-448e-937F-F0808AD7018E}.exe

Filesize
344KB

MD5
c199c90a5440da6c770fa67bda482a0f

SHA1
55d0957049e084d86c7441905abb7c4d3c651c6f

SHA256
bb5f0df309df904925ffa19811a6bafab2b46e16e3729e7b466caa8533c7e278

SHA512
8607b94138ee1acfdf661438ee2455025a12ca429c0f815c9f1e263ff4b181442d5b7dd7a872e9f3867de0df6a3e24a5f440df0c01b7006266ae7008d849294b

Download Submit
C:\Windows\{B8A2E638-31E4-4791-8478-45A82445A7FE}.exe

Filesize
344KB

MD5
26d76b1c8cce3052a0bafd40abe893b8

SHA1
31810da046a843ce5a7472478a606d3f3654f3e2

SHA256
de3f368b3e93e5bdf316596828377957d3f61f561619fc264148a8c72fd4d4ad

SHA512
98daf5031339cb23bfe1ec33c3cdbfbd0c903d1a1d50814185d55c4945c25a7513f0497f064e450d5950ab36432deca08f14ce6b268dd73e7b625356434fa735

Download Submit
C:\Windows\{D2EA28D4-2107-4706-AF36-D235000B0C80}.exe

Filesize
344KB

MD5
74e678b3348575af5bec404cd4118c0f

SHA1
367a7358351fdf456a90ebbeb9ec0b6d503003c8

SHA256
e7ec6c2624b28569902183df51919ba2fabb5842b5e9de67633d46002b9ecd22

SHA512
801ffb6f34bda40ac65ed3dc427db209beed4eae1c53f987a00090828f28a12b6a70e1e8d7aa1608a844e47e1fcb00cf6a3cb51c071ef61494ac630a1dc707ad

Download Submit
C:\Windows\{EB881E4F-E51D-4f1a-947D-76C3868B3E84}.exe

Filesize
344KB

MD5
6e4b0cc5390edfd6f563e4f6b4a36649

SHA1
beaf60ccf3bf4751984de7dd26c7ad58adfe51ae

SHA256
608fb4aedc43b22aa4dcec97a2e9aa2f230a2dd14684e6d0b45c174e9feb89fc

SHA512
16ed0a3ec530764a3a30435512006f31e92199347e5f39c8c0d482cb24f2bc89a417c72281ab8887fa8f69552c168c8212b7e1d08641d603deedd25b8051b475

Download Submit
C:\Windows\{F89CCEAF-E5E2-4580-ABBC-8C5BA4D1B49A}.exe

Filesize
344KB

MD5
b7cd8157486916f4f417d39b91260642

SHA1
43ba113b3c139f9d837d4d46f351583a1c0844ff

SHA256
f425bdb56c25115d134c073e6eecc0690ffd49341d56f1f035702dd9eb954ffd

SHA512
d317699f8d532c8ced476b14a4fc1af93b2ff9767aa9b370063394977e1ce24a3f4e5f796c58d353668dbd40cec83acad194e6e37a64581aaa8a51f269d59146

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads