7ba3e30fb89574a50debd780e72e07c51758c32145bc6943238c5cacf6410224

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe
Size

408KB
MD5

3ba63a96f74a5344101ee993e96a2518
SHA1

6466ca9ada758ae8334a9bee398cd0ab1b04abc7
SHA256

7ba3e30fb89574a50debd780e72e07c51758c32145bc6943238c5cacf6410224
SHA512

4d39d83487ae4db73929bb749ae62b64abdb1f7178c5531afe649df8a98a4fef3f832e82eda729d0c03eab340f752703aa6521731dd9f5c8da33ac3405fa8c9f
SSDEEP

3072:CEGh0ojl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGJldOe2MUVg3vTeKcAEciTBqr3jy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001226d-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00350000000149d0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000c00000001226d-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0035000000014b18-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000d00000001226d-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000e00000001226d-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000014b18-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x000f00000001226d-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0037000000014b18-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AECB694-2D21-40b5-AC1E-3BCB036B896D}	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}\stubpath = "C:\\Windows\\{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe"	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94EF6C46-DD5D-47af-9555-77A23C721715}	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DC73454-7712-454b-9980-B2B64B8E5234}\stubpath = "C:\\Windows\\{8DC73454-7712-454b-9980-B2B64B8E5234}.exe"	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9197491B-02F8-48d9-99D9-5BED2C179F9E}	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4B01FD5-60EF-432a-A482-B668F9E704D7}	{9197491B-02F8-48d9-99D9-5BED2C179F9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4B01FD5-60EF-432a-A482-B668F9E704D7}\stubpath = "C:\\Windows\\{C4B01FD5-60EF-432a-A482-B668F9E704D7}.exe"	{9197491B-02F8-48d9-99D9-5BED2C179F9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C3D332E-618A-43c9-9855-045B6AF31425}	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C3D332E-618A-43c9-9855-045B6AF31425}\stubpath = "C:\\Windows\\{2C3D332E-618A-43c9-9855-045B6AF31425}.exe"	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94EF6C46-DD5D-47af-9555-77A23C721715}\stubpath = "C:\\Windows\\{94EF6C46-DD5D-47af-9555-77A23C721715}.exe"	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DC73454-7712-454b-9980-B2B64B8E5234}	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9197491B-02F8-48d9-99D9-5BED2C179F9E}\stubpath = "C:\\Windows\\{9197491B-02F8-48d9-99D9-5BED2C179F9E}.exe"	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DBBB39D-980D-4045-B1AE-29B7F570FE59}\stubpath = "C:\\Windows\\{6DBBB39D-980D-4045-B1AE-29B7F570FE59}.exe"	{C4B01FD5-60EF-432a-A482-B668F9E704D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3C26D7E-6969-453d-AC01-FAA1C310DD92}	2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3C26D7E-6969-453d-AC01-FAA1C310DD92}\stubpath = "C:\\Windows\\{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe"	2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71C1E044-B7B8-4a5c-8E0D-AE917913C401}\stubpath = "C:\\Windows\\{71C1E044-B7B8-4a5c-8E0D-AE917913C401}.exe"	{6DBBB39D-980D-4045-B1AE-29B7F570FE59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AECB694-2D21-40b5-AC1E-3BCB036B896D}\stubpath = "C:\\Windows\\{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe"	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}\stubpath = "C:\\Windows\\{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe"	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DBBB39D-980D-4045-B1AE-29B7F570FE59}	{C4B01FD5-60EF-432a-A482-B668F9E704D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71C1E044-B7B8-4a5c-8E0D-AE917913C401}	{6DBBB39D-980D-4045-B1AE-29B7F570FE59}.exe

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1228	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe
2784	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe
2724	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe
2364	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe
2860	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe
2356	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe
1768	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe
2460	{9197491B-02F8-48d9-99D9-5BED2C179F9E}.exe
2080	{C4B01FD5-60EF-432a-A482-B668F9E704D7}.exe
2936	{6DBBB39D-980D-4045-B1AE-29B7F570FE59}.exe
1260	{71C1E044-B7B8-4a5c-8E0D-AE917913C401}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6DBBB39D-980D-4045-B1AE-29B7F570FE59}.exe	{C4B01FD5-60EF-432a-A482-B668F9E704D7}.exe
File created	C:\Windows\{71C1E044-B7B8-4a5c-8E0D-AE917913C401}.exe	{6DBBB39D-980D-4045-B1AE-29B7F570FE59}.exe
File created	C:\Windows\{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe	2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe
File created	C:\Windows\{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe
File created	C:\Windows\{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe
File created	C:\Windows\{8DC73454-7712-454b-9980-B2B64B8E5234}.exe	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe
File created	C:\Windows\{9197491B-02F8-48d9-99D9-5BED2C179F9E}.exe	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe
File created	C:\Windows\{C4B01FD5-60EF-432a-A482-B668F9E704D7}.exe	{9197491B-02F8-48d9-99D9-5BED2C179F9E}.exe
File created	C:\Windows\{2C3D332E-618A-43c9-9855-045B6AF31425}.exe	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe
File created	C:\Windows\{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe
File created	C:\Windows\{94EF6C46-DD5D-47af-9555-77A23C721715}.exe	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1704	2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1228	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe
Token: SeIncBasePriorityPrivilege	2784	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe
Token: SeIncBasePriorityPrivilege	2724	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe
Token: SeIncBasePriorityPrivilege	2364	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe
Token: SeIncBasePriorityPrivilege	2860	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe
Token: SeIncBasePriorityPrivilege	2356	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe
Token: SeIncBasePriorityPrivilege	1768	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe
Token: SeIncBasePriorityPrivilege	2460	{9197491B-02F8-48d9-99D9-5BED2C179F9E}.exe
Token: SeIncBasePriorityPrivilege	2080	{C4B01FD5-60EF-432a-A482-B668F9E704D7}.exe
Token: SeIncBasePriorityPrivilege	2936	{6DBBB39D-980D-4045-B1AE-29B7F570FE59}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1228	1704	2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe	28
PID 1704 wrote to memory of 1228	1704	2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe	28
PID 1704 wrote to memory of 1228	1704	2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe	28
PID 1704 wrote to memory of 1228	1704	2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe	28
PID 1704 wrote to memory of 2628	1704	2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe	29
PID 1704 wrote to memory of 2628	1704	2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe	29
PID 1704 wrote to memory of 2628	1704	2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe	29
PID 1704 wrote to memory of 2628	1704	2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe	29
PID 1228 wrote to memory of 2784	1228	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe	30
PID 1228 wrote to memory of 2784	1228	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe	30
PID 1228 wrote to memory of 2784	1228	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe	30
PID 1228 wrote to memory of 2784	1228	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe	30
PID 1228 wrote to memory of 2672	1228	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe	31
PID 1228 wrote to memory of 2672	1228	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe	31
PID 1228 wrote to memory of 2672	1228	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe	31
PID 1228 wrote to memory of 2672	1228	{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe	31
PID 2784 wrote to memory of 2724	2784	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe	32
PID 2784 wrote to memory of 2724	2784	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe	32
PID 2784 wrote to memory of 2724	2784	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe	32
PID 2784 wrote to memory of 2724	2784	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe	32
PID 2784 wrote to memory of 2556	2784	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe	33
PID 2784 wrote to memory of 2556	2784	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe	33
PID 2784 wrote to memory of 2556	2784	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe	33
PID 2784 wrote to memory of 2556	2784	{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe	33
PID 2724 wrote to memory of 2364	2724	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe	36
PID 2724 wrote to memory of 2364	2724	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe	36
PID 2724 wrote to memory of 2364	2724	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe	36
PID 2724 wrote to memory of 2364	2724	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe	36
PID 2724 wrote to memory of 1976	2724	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe	37
PID 2724 wrote to memory of 1976	2724	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe	37
PID 2724 wrote to memory of 1976	2724	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe	37
PID 2724 wrote to memory of 1976	2724	{2C3D332E-618A-43c9-9855-045B6AF31425}.exe	37
PID 2364 wrote to memory of 2860	2364	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe	38
PID 2364 wrote to memory of 2860	2364	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe	38
PID 2364 wrote to memory of 2860	2364	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe	38
PID 2364 wrote to memory of 2860	2364	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe	38
PID 2364 wrote to memory of 2856	2364	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe	39
PID 2364 wrote to memory of 2856	2364	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe	39
PID 2364 wrote to memory of 2856	2364	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe	39
PID 2364 wrote to memory of 2856	2364	{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe	39
PID 2860 wrote to memory of 2356	2860	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe	40
PID 2860 wrote to memory of 2356	2860	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe	40
PID 2860 wrote to memory of 2356	2860	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe	40
PID 2860 wrote to memory of 2356	2860	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe	40
PID 2860 wrote to memory of 1188	2860	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe	41
PID 2860 wrote to memory of 1188	2860	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe	41
PID 2860 wrote to memory of 1188	2860	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe	41
PID 2860 wrote to memory of 1188	2860	{94EF6C46-DD5D-47af-9555-77A23C721715}.exe	41
PID 2356 wrote to memory of 1768	2356	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe	42
PID 2356 wrote to memory of 1768	2356	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe	42
PID 2356 wrote to memory of 1768	2356	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe	42
PID 2356 wrote to memory of 1768	2356	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe	42
PID 2356 wrote to memory of 780	2356	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe	43
PID 2356 wrote to memory of 780	2356	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe	43
PID 2356 wrote to memory of 780	2356	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe	43
PID 2356 wrote to memory of 780	2356	{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe	43
PID 1768 wrote to memory of 2460	1768	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe	44
PID 1768 wrote to memory of 2460	1768	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe	44
PID 1768 wrote to memory of 2460	1768	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe	44
PID 1768 wrote to memory of 2460	1768	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe	44
PID 1768 wrote to memory of 1664	1768	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe	45
PID 1768 wrote to memory of 1664	1768	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe	45
PID 1768 wrote to memory of 1664	1768	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe	45
PID 1768 wrote to memory of 1664	1768	{8DC73454-7712-454b-9980-B2B64B8E5234}.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_3ba63a96f74a5344101ee993e96a2518_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe
  C:\Windows\{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe
    C:\Windows\{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\{2C3D332E-618A-43c9-9855-045B6AF31425}.exe
      C:\Windows\{2C3D332E-618A-43c9-9855-045B6AF31425}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe
        
        C:\Windows\{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Windows\{94EF6C46-DD5D-47af-9555-77A23C721715}.exe
        
        C:\Windows\{94EF6C46-DD5D-47af-9555-77A23C721715}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe
        
        C:\Windows\{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\{8DC73454-7712-454b-9980-B2B64B8E5234}.exe
        
        C:\Windows\{8DC73454-7712-454b-9980-B2B64B8E5234}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{9197491B-02F8-48d9-99D9-5BED2C179F9E}.exe
        
        C:\Windows\{9197491B-02F8-48d9-99D9-5BED2C179F9E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\{C4B01FD5-60EF-432a-A482-B668F9E704D7}.exe
        
        C:\Windows\{C4B01FD5-60EF-432a-A482-B668F9E704D7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\{6DBBB39D-980D-4045-B1AE-29B7F570FE59}.exe
        
        C:\Windows\{6DBBB39D-980D-4045-B1AE-29B7F570FE59}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\{71C1E044-B7B8-4a5c-8E0D-AE917913C401}.exe
        
        C:\Windows\{71C1E044-B7B8-4a5c-8E0D-AE917913C401}.exe
        12⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DBBB~1.EXE > nul
        12⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4B01~1.EXE > nul
        11⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91974~1.EXE > nul
        10⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DC73~1.EXE > nul
        9⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E563~1.EXE > nul
        8⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94EF6~1.EXE > nul
        7⤵
        
        PID:1188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3B03~1.EXE > nul
        6⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C3D3~1.EXE > nul
        5⤵
        
        PID:1976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3AECB~1.EXE > nul
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C3C26~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E563E50-0AA7-4dc1-A49D-4E3BDB4C3084}.exe

Filesize
408KB

MD5
149a6a2d41a294f38c3e8b30b405b857

SHA1
c9cebdb7a2f1174d883f0f903947e5e31552011f

SHA256
fb98c5e29491e2c5400745074cb1e3dd427e7820b8b77d188249e0346409d373

SHA512
6a1879a21a869f598df13240dcf136c5f984e69d9214d21ebd658c8bd548a32c000aaf092e54ff5110f90ce3f7fa19d5b599258d3e8ef5e66fcae0b458e5d2e4

Download Submit
C:\Windows\{2C3D332E-618A-43c9-9855-045B6AF31425}.exe

Filesize
408KB

MD5
c8162bada8c3915d2ba31e845f01c8af

SHA1
1a4c4421e73ff91259016f3333d42df305a9bfb9

SHA256
2822c727995b486e88879f0f9bb11783b4b750f6b7ab92281dfabb59fccb8670

SHA512
137ce2a6381d8b19a88da7d2ae7efbed3081d728a8943354c3977cbe1b2b254cb84dc796160e23fc33a6a06dcabefccf0815290de122e189ec810c333e4e5200

Download Submit
C:\Windows\{3AECB694-2D21-40b5-AC1E-3BCB036B896D}.exe

Filesize
408KB

MD5
e1fab764f1fa94fd564f65c626671e21

SHA1
04a0a70274df85bc437e2ea70104a2525233b378

SHA256
02d489cebc926f213fb59a2c2d325276e2dc53990484f6bd6476d40ca260c749

SHA512
04ea986abe732d8c4d073ccebf12cc6f6a051dc8d42405186c763a7d3ef7d98b379ebe5ab713b3d253c2edc5dc81d3139ad70b141e7a62d36b5e02107c8b72e4

Download Submit
C:\Windows\{6DBBB39D-980D-4045-B1AE-29B7F570FE59}.exe

Filesize
408KB

MD5
a5b1cda5b43313652707cecb9eff74ca

SHA1
3a743fdae50922c07fffdc3dac6ee61d2a944276

SHA256
fca7af4f3cb040b10f4e3bf6f0ce637b61ea45777d15c1e430a2a3c67e4ecf54

SHA512
77220eb886339537f393c20742fdde522832da71286962f60d1146fafb2b7027c223ac0dbee9f799b1bed41b946e592b7abe4ab575745834089923e1e95a1feb

Download Submit
C:\Windows\{71C1E044-B7B8-4a5c-8E0D-AE917913C401}.exe

Filesize
408KB

MD5
076553908768d4546bab2f06c0b1bef3

SHA1
6ed92bb5f6fef64a80cf93abaf1bf41d0b3c231d

SHA256
1e2571dc982ee30586a11891d86de4339b9171859e5dab25855667d20e0732a2

SHA512
38cdb5f4170c9ea8c758944ee92c2b2d23118f9eb305790ce08f02b32df83106a5cc4593824092f63d385451c7b92f5ac700aab404aa5fce4be2e3a509fa7f36

Download Submit
C:\Windows\{8DC73454-7712-454b-9980-B2B64B8E5234}.exe

Filesize
408KB

MD5
1ab926c143ee8e62ed9a2ae9d9d48cc8

SHA1
5429c0477ed04c9fbbd1ffe77a7c5a5f5d56874f

SHA256
977c21000aaed14a32b8035767c8b67c5a06259db4205e84e2b1cc0781bbb604

SHA512
570e06da0ad4660b7bd104cefe720dfb24fb747eab8364f354b82294fee09c68c92f6981528d199e3b1da719149a758df4f74d1de69feac5aedefb5858ee16c4

Download Submit
C:\Windows\{9197491B-02F8-48d9-99D9-5BED2C179F9E}.exe

Filesize
408KB

MD5
82de1b2db9d4728cdd2cbf67286eb773

SHA1
14a98567b8118020d825755f406cfee85df34c4d

SHA256
6ff70b6f1c82c68854cefc5a1e654c115ebb98ab1cdcd170a0507e6e93d0f82e

SHA512
143165ed8801ffe025084f97cff97933d23d73b13ad5d82242ee2d1be7ab58d9a3a0b4c5e158f477435f5a917929f5c0b96f9a65e453a3a927c25679bc851ca7

Download Submit
C:\Windows\{94EF6C46-DD5D-47af-9555-77A23C721715}.exe

Filesize
408KB

MD5
83e96bbd6f01ac9d51ebf3031ea2fdfd

SHA1
252a6d073edbe124cc87e1c1a1c50313124c5be6

SHA256
986a4bedc138fbfbb0b9958089a07c60949feb949a03f4d71e89df7d83fc725b

SHA512
71ebb404fe493d614c63fa207136b8df0b870f3f4151654c1c1f958b5fdf33075439152c3589eb8e3728119375560a89d193f94c994c78f478a9ebec8b6ed973

Download Submit
C:\Windows\{C3B03FDD-587C-41e8-B932-41FE9BC38F8B}.exe

Filesize
408KB

MD5
429e3c8c0cd31d3c00d20e33923c61ba

SHA1
06191c6b8c4ac73635fb3900c8cb38da39dd7670

SHA256
18a393991e4f8ef31d58a256a82cf62ae4a7a187382651eb79775cf38fe2b58f

SHA512
13791a03e22c920671cccaa0d72389f3f14075ea42e7b433d7a3c8531bb7ab497a2636aa485981b1266bb64c567c70de4032cd3f7354afbc1925128036634505

Download Submit
C:\Windows\{C3C26D7E-6969-453d-AC01-FAA1C310DD92}.exe

Filesize
408KB

MD5
3df3e097d8b78b4c57a2884f7aacce0d

SHA1
9a13644e22480ad30e5feb22690be5f4bdbd433c

SHA256
5bf2523d88e1784ca1f056d2c60644159ded659065f21acc86f1c2060f5a9270

SHA512
27ad13ee3b0c98830f257e0d05d5dd37fb47f61804d7a4222177ed917a0921c9e3edc3336069c9db0bc542394bc76776f0c0821cc5cd0314df1c1ba64eb21a64

Download Submit
C:\Windows\{C4B01FD5-60EF-432a-A482-B668F9E704D7}.exe

Filesize
408KB

MD5
3de3f2fda58f8b5e6a7ab8a5a783dfa1

SHA1
e26f40c5b78994067d990a4b3ab45650263be219

SHA256
7a2075121c19290cad68630f0d0a85d4b30ec14f942825920173f63b546c278a

SHA512
149cbebc9ba2ceda6dd2a2774d7f5a45730ba18d49feffab3a22fc18793e273480e387bedb0068dd9e9c4d8bebbb6be0a57549611b4e343c3a32511315e0c090

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads